Unauthorized (401) on request to include email

dotnet
oauth

#1

I am trying to get the email address for a Twitter account, using the verify_credentials request. Without the “include_email” URL parameter, the request works and the user information is returned, without the email. When I include “?include_email=true” as a URL parameter, the response is unauthorized.

// C# code to create the request
HttpWebRequest hwr = (HttpWebRequest)WebRequest.Create(@"https://api.twitter.com/1.1/account/verify_credentials.json?include_email=true");
hwr.Headers.Add("Authorization", authorizationHeaderParams.ToString());
hwr.Method = "GET";
hwr.ContentType = "application/x-www-form-urlencoded";

URL
https://api.twitter.com/1.1/account/verify_credentials.json?include_email=true

Header
Authorization:OAuth oauth_nonce="NjM2MjA5NDQyMzQ1MDM2NjI5",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1485358235",oauth_consumer_key="GVetX4xkkgnn39h86qjh6zpm7",oauth_token="788756912976388096-laKj7uM19djIwiSrsI0nlc32Eka5tCN",oauth_signature="9gm39aTnrtIwVNzOkFeH8qd8PK8%3D",oauth_version="1.0"

Result

{
  "errors": [
    {
      "code": 32,
      "message": "Could not authenticate you."
    }
  ]
}

I used the following checklist to verify all is in place:

• you’ve added a privacy policy and terms of service url in your app settings (done)
• you’ve added the permission to request email address on the Permissions tab in your app settings (done)
• you’ve saved the changes to your app settings (done)
• you have a newly authenticated user token - an existing user token will continue to have the old permissions, so you will not be able to retrieve an email. If you need to do that, either recycle your app keys, or otherwise discard the user token and force the user to login again (done)
• the user is prompted for permission to share email address on authentication, and grants it to the app (not there yet)
• the user account has a verified email address i.e. they have both added an email to the account, and responded to the challenge email sent by Twitter on sign-up to verify the email address (done)
• you’re including ?include_email=true on your call to verify_credentials

What else can we check?


#2

This sounds like it might be an OAuth signature generation issue. Are you including the url parameters when you create the signature, or just the base URL?


#3

I’ve tried these options:

https://api.twitter.com/1.1/account/verify_credentials.json
https://api.twitter.com/1.1/account/verify_credentials.json?include_email=true
https://api.twitter.com/1.1/account/verify_credentials.json?include_email='true'

None of these work. Should we try something else?


#4

In general my advice would be to try a library that handles the OAuth for you. I can’t comment on how you’re doing the OAuth signature generation as I am not an expert.


#5

It seems the OAuth part is OK because if we leave off the url parameter we get all the information fine. It’s only if we have the url parameter on there that we get the 401.
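
Added example, not part of any post in this thread: reply #2 asks whether the URL parameters are included when the signature is created. In OAuth 1.0a (RFC 5849) the query parameters are part of the signature base string, so a signature computed over the bare URL differs from the one the server computes for the same request with ?include_email=true. The sketch below shows this for HMAC-SHA1; the class and method names are hypothetical, and all keys, secrets, nonce and timestamp values are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class OAuth1Example   // hypothetical name, illustration only
{
    const string Unreserved = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";

    // Percent-encode per RFC 3986: only unreserved characters stay literal.
    static string Encode(string value)
    {
        var sb = new StringBuilder();
        foreach (byte b in Encoding.UTF8.GetBytes(value))
            if (Unreserved.IndexOf((char)b) >= 0) sb.Append((char)b);
            else sb.Append('%').Append(b.ToString("X2"));
        return sb.ToString();
    }

    // baseUrl has no query string; oauth holds every oauth_* value except oauth_signature.
    static string Sign(string method, string baseUrl, Dictionary<string, string> query,
        Dictionary<string, string> oauth, string consumerSecret, string tokenSecret)
    {
        // Merge query and oauth_* parameters, encode, then sort by name and value.
        var pairs = query.Concat(oauth)
            .Select(p => (Key: Encode(p.Key), Value: Encode(p.Value)))
            .OrderBy(p => p.Key, StringComparer.Ordinal)
            .ThenBy(p => p.Value, StringComparer.Ordinal)
            .Select(p => p.Key + "=" + p.Value);
        string baseString = method.ToUpperInvariant() + "&" + Encode(baseUrl)
            + "&" + Encode(string.Join("&", pairs));
        string key = Encode(consumerSecret) + "&" + Encode(tokenSecret);
        using (var hmac = new HMACSHA1(Encoding.ASCII.GetBytes(key)))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.ASCII.GetBytes(baseString)));
    }

    static void Main()
    {
        const string url = "https://api.twitter.com/1.1/account/verify_credentials.json";
        var oauth = new Dictionary<string, string> {   // constructed sample values
            ["oauth_consumer_key"] = "EXAMPLE_CONSUMER_KEY", ["oauth_token"] = "EXAMPLE_TOKEN",
            ["oauth_nonce"] = "examplenonce", ["oauth_timestamp"] = "1700000000",
            ["oauth_signature_method"] = "HMAC-SHA1", ["oauth_version"] = "1.0" };
        var none = new Dictionary<string, string>();
        var email = new Dictionary<string, string> { ["include_email"] = "true" };
        // The two outputs differ: only the second matches a request sent with ?include_email=true.
        Console.WriteLine(Sign("GET", url, none, oauth, "EXAMPLE_CS", "EXAMPLE_TS"));
        Console.WriteLine(Sign("GET", url, email, oauth, "EXAMPLE_CS", "EXAMPLE_TS"));
    }
}
```

The URL passed to WebRequest.Create still carries ?include_email=true; only the signature input separates the base URL from its parameters.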