OAuth 1.0a changes and PIN-based authentication shipped


Doug Williams

Jun 9, 2009, 7:23:13 PM
to Twitter Development Talk, twitter-ap...@googlegroups.com
Today we deployed code that implemented the changes that accompanied the update to the 1.0a OAuth specification. LuckyCal has a great article on the subtle differences that come with the update [1] so please peruse this article if you are getting 401 errors with your implementation.

Callbacks for non-desktop apps are now supported with these rules:
- When making the call to request_token [4] (server-to-server), you can pass &oauth_callback=[url here]
- The response from request_token will contain oauth_callback_confirmed=true to confirm we received it.
- The user will be sent to twitter.com as usual
- When the user is finished they will be redirected to the URL provided in the first step along with a new parameter, oauth_verifier [1]
- The call to access_token [5] to exchange the request token for an access token MUST contain the oauth_verifier parameter as sent in the redirect.
- If you want to use your pre-configured callback, then do not include an oauth_callback parameter.
- If you want to force the PIN-based solution, send oauth_callback=oob with your request to oauth/authenticate.

Additionally, as a couple of developers have already noticed, we deployed the code that implemented PINs for desktop apps originally mentioned by Matt. Please review the linked documentation [2] and discussion [5] and let us know what questions you have.

If you find that your browser-based OAuth application is returning a PIN as if it were a desktop app, then remove the oauth_callback=oob parameter from your signature, if it exists.


Thanks,
Doug

Matt Sanford

Jun 9, 2009, 8:12:45 PM
to twitter-ap...@googlegroups.com, Twitter Development Talk
Hi all,

    Quick update on this. If you're using the latest OAuth gem (v0.3.5 and above) and you don't specify an oauth_callback to the get_request_token method, it will put "oob" in there for you. The "oob" stands for "out of band" and forces the PIN-based flow … probably not what you wanted. I'll talk to the gem developer about a fix for this, but if you're using the gem, the fix in the meantime is to pass your expected callback into the get_request_token method like so:

consumer.get_request_token(:oauth_callback => "http://yousite/yourpath")

Thanks;
  — Matt Sanford

Nizar

Jun 13, 2009, 2:19:04 PM
to Twitter Development Talk
Hi Doug,

After reading your post I passed the oauth_callback parameter when
requesting a token, but I keep getting 'Failed to validate oauth
signature and token'. It works as soon as I take out the callback
parameter. I am using .NET and here is my GET request; please advise if
I am missing something, I am fairly new to this.

http://twitter.com/oauth/request_token?oauth_callback=http://www.g-softsolutions.com/twittvine.aspx/filerid/1&oauth_consumer_key=qBDgyqMk8pnbpW6SdrEw&oauth_nonce=945410&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1244916785&oauth_version=1.0&oauth_signature=pqy70Jq1ayEfDYnIgThUpJM8zwc%3d

thanks,
Nizar
> 3.http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-oauth-request_t...
> 4.http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-oauth-access_token
> 5.http://groups.google.com/group/twitter-development-talk/browse_frm/th...
>
> Thanks,
> Doug

Abraham Williams

Jun 13, 2009, 4:31:33 PM
to twitter-deve...@googlegroups.com
Try encoding the callback URL first. For example: oauth_callback=http%3A%2F%2Fprinter.example.com%2Frequest_token_ready

--
Abraham Williams | Community | http://web608.org
Hacker | http://abrah.am | http://twitter.com/abraham
Project | http://fireeagle.labs.poseurtech.com
This email is: [ ] blogable [x] ask first [ ] private.
Sent from Madison, WI, United States
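The 1.0a rules Doug lists above and the signature failure Nizar and Abraham discuss both come down to how oauth_callback enters the signed parameter set. The following is an added example, not code from this thread or from the OAuth gem: a minimal HMAC-SHA1 signer for the request_token call and the matching server-side check, with constructed credentials (the consumer key and secret are made up) and the twitter.com endpoint named in the thread. It shows the callback being percent-encoded exactly once in the query string while the base string encodes it again, and that a callback altered after signing no longer validates.

```ruby
require 'openssl'
require 'uri'

# Constructed demo credentials (not real Twitter keys); the endpoint is the one named in the thread.
CONSUMER_KEY      = 'demo_consumer_key'
CONSUMER_SECRET   = 'demo_consumer_secret'
REQUEST_TOKEN_URL = 'http://twitter.com/oauth/request_token'

# RFC 3986 percent-encoding as OAuth 1.0a requires: uppercase hex, only A-Z a-z 0-9 - . _ ~ left bare.
def oauth_encode(str)
  str.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
end

# Signature base string: METHOD & enc(URL) & enc(normalized params). Each key and
# value is encoded once while normalizing, then the joined string is encoded again.
def base_string(method, url, params)
  normalized = params.map { |k, v| [oauth_encode(k), oauth_encode(v)] }
                     .sort.map { |k, v| "#{k}=#{v}" }.join('&')
  [method.upcase, oauth_encode(url), oauth_encode(normalized)].join('&')
end

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret = '')
  key = "#{oauth_encode(consumer_secret)}&#{oauth_encode(token_secret)}"
  [OpenSSL::HMAC.digest('sha1', key, base_string(method, url, params))].pack('m0')
end

# Client side: request_token with a 1.0a oauth_callback. The callback is part of the
# signed parameter set and is percent-encoded once when placed in the query string.
def signed_request_token_url(callback, nonce, timestamp)
  params = { 'oauth_callback' => callback, 'oauth_consumer_key' => CONSUMER_KEY,
             'oauth_nonce' => nonce, 'oauth_signature_method' => 'HMAC-SHA1',
             'oauth_timestamp' => timestamp, 'oauth_version' => '1.0' }
  params['oauth_signature'] = hmac_sha1_signature('GET', REQUEST_TOKEN_URL, params, CONSUMER_SECRET)
  "#{REQUEST_TOKEN_URL}?" + params.map { |k, v| "#{k}=#{oauth_encode(v)}" }.join('&')
end

def constant_time_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
end

# Server side: decode the query, recompute the signature over every parameter except
# oauth_signature, and compare. A callback altered in transit fails this check.
def signature_valid?(full_url, consumer_secret)
  uri = URI(full_url)
  params = URI.decode_www_form(uri.query.to_s).to_h
  presented = params.delete('oauth_signature')
  return false if presented.nil?
  base_url = "#{uri.scheme}://#{uri.host}#{uri.path}"
  constant_time_equal?(presented, hmac_sha1_signature('GET', base_url, params, consumer_secret))
end
```

A client that signs over a differently encoded callback than the one it sends, or leaves the callback out of the signed set entirely, produces exactly the 'Failed to validate oauth signature' result seen in the thread.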

Nizar

Jun 13, 2009, 9:48:52 PM
to Twitter Development Talk
I have tried encoding the callback URL, I have even tried changing the
oauth_version to 1.0a and I even tried with signature type of
PLAIN_TEXT but to no avail. Has anybody done this successfully
in .NET? I would really appreciate any help, thanks. I am not sure if
this is implemented yet on twitter's end???

On Jun 13, 3:31 pm, Abraham Williams <4bra...@gmail.com> wrote:
> Try encoding the callback URL first. For example: oauth_callback=http%3A%2F%
> 2Fprinter.example.com%2Frequest_token_ready
>
> This example is from:http://oauth.googlecode.com/svn/spec/core/1.0a/drafts/3/oauth-core-1_...
>

Andrej

Jun 17, 2009, 4:47:30 AM
to Twitter Development Talk
Just wanted to post info on how to change the Ruby OAuth example that can
be found on the Twitter page:

Instead of this line in the callback action

@access_token = @request_token.get_access_token

use the following, passing oauth_verifier:

@access_token = @request_token.get_access_token(:oauth_verifier => params[:oauth_verifier])

That will fix the 401 issue.

Hope this saves you a few hours of debugging.

Cheers

app

Jun 21, 2009, 12:51:00 PM
to Twitter Development Talk
I think it's pretty lousy that this change was pushed with no warning
at all. It's discouraging when you see that your app is failing after
it had been working just fine with no code change. I didn't even know
my app was broken until I attempted to use it. Now if I want this
thing to work, I have to spend time to fix an app that was fine and I
hadn't worked on in a while. And then what happens two weeks from now?
You're going to issue another oauth update that breaks my app again?
Well guess what. I'm not fixing it, and I'm not developing on your api
anymore. Bad form. And for the record I wrote the oauth implementation
I'm using myself and I do not send an oauth_callback=oob parameter.

I have got better things to do than deal with this. I should have just
gone with http auth instead of willingly submitting myself to the
continued abuse you subject conscientious developers who went with
oauth to.

Doug Williams

Jun 21, 2009, 11:20:32 PM
to twitter-deve...@googlegroups.com
Matt mentioned this was coming May 28 [1]. Most of the problems we
have heard of came from the fact that the Ruby OAuth library sent an
oauth_callback parameter without the knowledge of the developer.

Regardless, we are certainly sorry to see you go. Please feel free to
email us [2] if you have any parting suggestions.

1. http://groups.google.com/group/twitter-development-talk/browse_thread/thread/1c48fedf4ae7ed52/5ac22db230c7a95a?lnk=gst&q=oauth+pin#5ac22db230c7a95a
2. http://apiwiki.twitter.com/Support

Thanks,
Doug
