Why do I get 'method requires authentication' when reusing my access token/secret?


#1

I’ve created a small app which works when I authorize the application using OOB/PIN:

Request token…
Request: req_url: https://api.twitter.com/oauth/request_token, postarg: oauth_callback=oob&oauth_consumer_key=HTHTLJCqieUHA3dV8fpXwg&oauth_nonce=oeKztdxmOC0C8UcPotvSU9L&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1327197792&oauth_version=1.0&oauth_signature=FmF26UIRqaYuVfbuRZ%2BYk8Cfqvo%3D

Authorize…
Authorize: req_url: https://api.twitter.com/oauth/authorize, postarg: oauth_callback=oob&oauth_consumer_key=HTHTLJCqieUHA3dV8fpXwg&oauth_nonce=KJnp_WLnFEveYKI8NYFZdSzj1p&oauth_password=XXXXX&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1327197792&oauth_token=GkSs6nY5jbnd80jDN5yb5L6rbXOKvOVfz3OQA3QqvHA&oauth_username=edgarmat&oauth_version=1.0&oauth_signature=JVSm3Cdqt8YhKPo49NQGbJJQXQ8%3D
Enter PIN: 5248612

https://api.twitter.com/oauth/access_token, postarg: oauth_callback=oob&oauth_consumer_key=HTHTLJCqieUHA3dV8fpXwg&oauth_nonce=qJfT6R19_lBMpYbG&oauth_password=XXXXX&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1327197875&oauth_token=GkSs6nY5jbnd80jDN5yb5L6rbXOKvOVfz3OQA3QqvHA&oauth_username=edgarmat&oauth_verifier=5248612&oauth_version=1.0&oauth_signature=jFU5yPZLQSaX3TC9lxudeLina0o%3D

make some request…
query:'http://api.twitter.com/1/statuses/user_timeline.xml?count=2&include_entities=true&include_rts=true&oauth_callback=oob&oauth_consumer_key=HTHTLJCqieUHA3dV8fpXwg&oauth_nonce=s_UMStBKPh4EpwXeIgyIObIrPtpT&oauth_password=XXXXX&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1327197876&oauth_token=29686160-Xu0yuY6fqrLruOeU0ipkqqMDepeeT5LgnpoFV17VG&oauth_username=edgarmat&oauth_version=1.0&oauth_signature=AYvO0gta%2FiQYho9QytV7s%2BpD8o0%3D
reply:'<?xml version="1.0" encoding="UTF-8"?>


<created_at>Sat Jan 21 14:50:20 +0
<<>>

Doing the same with a reused access token/secret, I get (the request token, authorize and access token requests are skipped, of course):

make some request…
query:'http://api.twitter.com/1/statuses/user_timeline.xml?count=2&include_entities=true&include_rts=true&oauth_callback=oob&oauth_consumer_key=HTHTLJCqieUHA3dV8fpXwg&oauth_nonce=kYT9t_UaXcuyt3o2_w58EcV&oauth_password=XXXXX&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1327200288&oauth_token=29686160-Xu0yuY6fqrLruOeU0ipkqqMDepeeT5LgnpoFV17VG&oauth_username=edgarmat&oauth_version=1.0&oauth_signature=T3kVynS3vLneiEhuSAgXlgtUWoM%3D
reply:'<?xml version="1.0" encoding="UTF-8"?>

This method requires authentication.

The question is why?


#2

You’re passing a lot of unnecessary parameters around that have nothing to do with the resource – oauth_username and oauth_callback have nothing to do with methods like statuses/user_timeline.

I recommend using HTTP header based OAuth instead as well to help clarify your requests.

For your successful request, ensure that you aren’t receiving an X-Warning header explaining that your auth is invalid – we sometimes satisfy requests as if they were unauthenticated when we can.
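
An added example (not part of the original thread, and not Twitter's code) of the header-based form recommended above: it signs the user_timeline request per OAuth 1.0a (RFC 5849) using only the protocol parameters, so extras such as oauth_username or oauth_callback never enter the request. The credentials and nonce are constructed placeholders, and the URL is assumed to be passed without its query string.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    """Percent-encode with only the RFC 3986 unreserved set left as-is."""
    return quote(str(value), safe="-._~")


def base_string(method, url, query, oauth):
    """Signature base string: METHOD & encoded URL & encoded sorted params."""
    # Query and oauth_* parameters are signed together (no duplicate keys here).
    pairs = sorted((pct(k), pct(v)) for k, v in {**query, **oauth}.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(base, consumer_secret, token_secret):
    """HMAC-SHA1 keyed with 'consumer_secret&token_secret', base64-encoded."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def authorization_header(method, url, query, creds, nonce, timestamp):
    """Build the header from the six protocol parameters plus the signature."""
    oauth = {
        "oauth_consumer_key": creds["consumer_key"],
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": creds["token"],
        "oauth_version": "1.0",
    }
    base = base_string(method, url, query, oauth)
    oauth["oauth_signature"] = sign(base, creds["consumer_secret"], creds["token_secret"])
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(oauth.items()))


# Constructed placeholder credentials and nonce, not values from the thread.
CREDS = {"consumer_key": "CONSUMER_KEY", "consumer_secret": "CONSUMER_SECRET",
         "token": "ACCESS_TOKEN", "token_secret": "ACCESS_TOKEN_SECRET"}
URL = "http://api.twitter.com/1/statuses/user_timeline.xml"
QUERY = {"count": "2", "include_entities": "true", "include_rts": "true"}

if __name__ == "__main__":
    print(authorization_header("GET", URL, QUERY, CREDS, "constructed-nonce", 1327200288))
```

The query parameters still travel in the URL; they are covered by the signature but stay out of the header.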


#3

Hi Taylor,

Yup, I figured this also! According to the docs, both screen_name or user_id are optional. But you have to specify at least one. So, they’re not really optional… And now the bloody thing works :-))

Thanks, Edgar.