Using Reverse Auth


#1

My app with id 2999109 was recently authorized to use Reverse Auth by the API Policy team. I’ve tried posting to the https://api.twitter.com/oauth/request_token endpoint.

This is my signature base string, with the consumer key removed: POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_consumer_key%3DPERCENT_ENCODED_CONSUMER_KEY%26oauth_nonce%3D75AEC3ED-BC6C-40E7-957C-E9C603129A1B%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1346353204%26oauth_version%3D1.0%26x_auth_mode%3Dreverse_auth

Which is converted into the following OAuth authorization header:
OAuth oauth_timestamp="1346353204", oauth_version="1.0", oauth_consumer_key="PERCENT_ENCODED_CONSUMER_KEY", oauth_signature="8valMeh0ZV1twGC%2Bq8uHrvTqUSE%3D", x_auth_mode="reverse_auth", oauth_nonce="75AEC3ED-BC6C-40E7-957C-E9C603129A1B", oauth_signature_method="HMAC-SHA1"

The response string is “Failed to validate oauth signature and token”, so it doesn’t appear to be a problem related to my app not being allowed to use Reverse Auth.

My signature base string matches the Using Reverse Auth example string very closely:

From the docs: POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_consumer_key%3DJP3PyvG67rXRsnayOJOcQ%26oauth_nonce%3D1B7D865D-9E15-4ADD-8165-EF90D7A7D3D2%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1322697052%26oauth_version%3D1.0%26x_auth_mode%3Dreverse_auth

My own:

POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_consumer_key%3DPERCENT_ENCODED_CONSUMER_KEY%26oauth_nonce%3D75AEC3ED-BC6C-40E7-957C-E9C603129A1B%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1346353204%26oauth_version%3D1.0%26x_auth_mode%3Dreverse_auth

One thing I’d like to note is that if I do not include the x_auth_mode=reverse_auth parameter, I can obtain an oauth token & secret, although those I cannot use to authenticate as the user (invalid credentials).

Note: the app in question resides under my employer’s Twitter account.