"Failed to validate oauth signature and token" with xAuth


mlowicki

Sep 17, 2010, 4:04:38 AM
to Twitter Development Talk
Hello!

We're implementing a widget for the Opera browser and we got xAuth access
lately. I'm trying to get an access token but without any success so far
- http://dpaste.com/hold/244795/. The generated POST seems to be exactly
the same as on http://dev.twitter.com/pages/xauth :

POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Faccess_token&oauth_consumer_key%3Dkkkkkkkkkkk%26oauth_nonce%3D0.5114195354710362%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1284633641688%26oauth_version%3D1.0%26x_auth_mode%3Dclient_auth%26x_auth_password%3Dpassword%26x_auth_username%3Dusername

Any idea where the problem is?

BR,
Michał Łowicki

Tom van der Woerdt

Sep 17, 2010, 10:05:23 AM
to twitter-deve...@googlegroups.com
Base String looks fine. What's the complete request you are making? (the
"POST /oauth/access_token HTTP/1.1" part)

Tom

Matt Harris

Sep 17, 2010, 10:49:30 AM
to twitter-deve...@googlegroups.com
Hey Michal

Matt Harris
Developer Advocate, Twitter
http://twitter.com/themattharris

On Sep 17, 2010, at 1:04, mlowicki <mlow...@gmail.com> wrote:

> 1284633641688

Matt Harris

Sep 17, 2010, 10:51:43 AM
to twitter-deve...@googlegroups.com
Ok no idea what happened with my previous email.

Anyway your timestamp is in milliseconds when it should be in seconds.

Give that a go and let us know what happens.

Matt

On Sep 17, 2010, at 1:04, mlowicki <mlow...@gmail.com> wrote:


Michał Łowicki

Sep 17, 2010, 3:57:19 PM
to twitter-deve...@googlegroups.com
Hi Matt!

Even with:

var timestamp = Math.round(new Date().getTime() / 1000);

still the same problem.

2010/9/17 Matt Harris <mha...@twitter.com>



--
Pozdrawiam,
Michał Łowicki

mlowicki

Sep 18, 2010, 7:19:35 AM
to Twitter Development Talk
I tried with data from http://dev.twitter.com/pages/xauth:

(function() {
    var secret = "5kEQypKe7lFHnufLtsocB1vAzO07xLFgp2Pc4sp2vk&";
    var access_token = "oauth_consumer_key=sGNxxnqgZRHUt6NunK3uw" +
        "&oauth_nonce=WLxsobj4rhS2xmCbaAeT4aAkRfx4vSHX4OnYpTE77hA" +
        "&oauth_signature_method=HMAC-SHA1" +
        "&oauth_timestamp=1276101652" +
        "&oauth_version=1.0" +
        "&x_auth_mode=client_auth" +
        "&x_auth_password=%&123!aZ+()456242134" +
        "&x_auth_username=tpFriendlyGiant";
    var base_string = "POST&" +
        encodeURIComponent(
            "https://api.twitter.com/oauth/access_token") + "&" +
        encodeURIComponent(access_token);

    console.debug("base_string", base_string);
    console.debug("oauth_signature", b64_hmac_sha1(secret, base_string));
})();


This is my base_string:

POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Faccess_token&oauth_consumer_key=sGNxxnqgZRHUt6NunK3uw&oauth_nonce=WLxsobj4rhS2xmCbaAeT4aAkRfx4vSHX4OnYpTE77hA&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1276101652&oauth_version=1.0&x_auth_mode=client_auth&x_auth_password=%25&123!aZ+()456242134&x_auth_username=tpFriendlyGiant

This one is from dev.twitter.com:

POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Faccess_token&oauth_consumer_key%3DsGNxxnqgZRHUt6NunK3uw%26oauth_nonce%3DWLxsobj4rhS2xmCbaAeT4aAkRfx4vSHX4OnYpTE77hA%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1276101652%26oauth_version%3D1.0%26x_auth_mode%3Dclient_auth%26x_auth_password%3D%2525%2526123%2521aZ%252B%2528%2529456242134%26x_auth_username%3DtpFriendlyGiant


I found differences in the encoding of the %&123!aZ+() prefix of the password
in base_string:

From dev.twitter.com/pages/xauth:

%2525%2526123%2521aZ%252B%2528%2529

From code above:

%25%26123!aZ%2B()

Am I using the wrong encoding method then, and is the encoding wrongly applied?

BR,
Michał Łowicki

Tom van der Woerdt

Sep 18, 2010, 7:22:07 AM
to twitter-deve...@googlegroups.com
Hi,

You can verify your Base String using my OAuth Validator,
<http://quonos.nl/oauthTester/>

To answer your question: it *looks* like your encodeURIComponent
function doesn't do its work properly.

Tom

Nikolay Klimchuk

Sep 18, 2010, 5:41:38 PM
to Twitter Development Talk
Second part of the base string:
oauth_consumer_key=sGNxxnqgZRHUt6NunK3uw&oauth_nonce=WLxsobj4rhS2xmCbaAeT4aAkRfx4vSHX4OnYpTE77hA&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1276101652&oauth_version=1.0&x_auth_mode=client_auth&x_auth_password=%25&123!aZ+()456242134&x_auth_username=tpFriendlyGiant

Should be also URLEncoded

On Sep 18, 7:19 am, mlowicki <mlowi...@gmail.com> wrote:
> I tried with data from http://dev.twitter.com/pages/xauth:

Tom van der Woerdt

Sep 18, 2010, 5:55:18 PM
to twitter-deve...@googlegroups.com, Twitter Development Talk
Nikolay,

If you look at the code, you'll see that it's already passed through the URL encode function, but it doesn't do a thing. I'd say that the issue is at that function.

Tom

Nikolay Klimchuk

Sep 18, 2010, 8:51:04 PM
to Twitter Development Talk
You need to URLEncode password and user name
And then URLEncode entire base string one more time

On Sep 18, 5:55 pm, Tom van der Woerdt <i...@tvdw.eu> wrote:
> Nikolay,
>
> If you look at the code, you'll see that it's already passed through the URL encode function, but it doesn't do a thing. I'd say that the issue is at that function.
>
> Tom
>
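The two encoding passes discussed in the posts above, as an added Node.js example (not code from any poster); it rebuilds the dev.twitter.com sample base string quoted in the thread. The function names are hypothetical, and Node's built-in crypto module stands in for the b64_hmac_sha1 helper used in the thread.

```javascript
const crypto = require("crypto");

// OAuth 1.0 percent-encoding (RFC 3986 unreserved set only). encodeURIComponent
// leaves ! * ' ( ) untouched, so those five are escaped by hand.
function percentEncode(value) {
  return encodeURIComponent(String(value)).replace(/[!*'()]/g, function (c) {
    return "%" + c.charCodeAt(0).toString(16).toUpperCase();
  });
}

// First pass: encode every name and value, sort by name then value, join with "&".
function normalizeParams(params) {
  return Object.keys(params)
    .map(function (name) { return [percentEncode(name), percentEncode(params[name])]; })
    .sort(function (a, b) {
      if (a[0] !== b[0]) { return a[0] < b[0] ? -1 : 1; }
      return a[1] < b[1] ? -1 : a[1] > b[1] ? 1 : 0;
    })
    .map(function (pair) { return pair[0] + "=" + pair[1]; })
    .join("&");
}

// Second pass: the URL and the whole normalized parameter string are encoded again.
function signatureBaseString(method, url, params) {
  return [method.toUpperCase(), percentEncode(url),
          percentEncode(normalizeParams(params))].join("&");
}

// HMAC-SHA1 key is "<consumer secret>&<token secret>"; xAuth has no token yet,
// so the key ends in a bare "&". digest("base64") already includes "=" padding.
function signHmacSha1(baseString, consumerSecret, tokenSecret) {
  const key = percentEncode(consumerSecret) + "&" + percentEncode(tokenSecret || "");
  return crypto.createHmac("sha1", key).update(baseString).digest("base64");
}

// Sample values quoted in the thread from dev.twitter.com/pages/xauth.
const XAUTH_URL = "https://api.twitter.com/oauth/access_token";
const XAUTH_SECRET = "5kEQypKe7lFHnufLtsocB1vAzO07xLFgp2Pc4sp2vk";
const XAUTH_PARAMS = {
  oauth_consumer_key: "sGNxxnqgZRHUt6NunK3uw", oauth_version: "1.0",
  oauth_nonce: "WLxsobj4rhS2xmCbaAeT4aAkRfx4vSHX4OnYpTE77hA",
  oauth_signature_method: "HMAC-SHA1", oauth_timestamp: "1276101652",
  x_auth_mode: "client_auth", x_auth_username: "tpFriendlyGiant",
  x_auth_password: "%&123!aZ+()456242134"
};
const baseString = signatureBaseString("POST", XAUTH_URL, XAUTH_PARAMS);
console.log(baseString + "\n" + signHmacSha1(baseString, XAUTH_SECRET, ""));
```

With plain encodeURIComponent the sample password keeps `!`, `(` and `)` unescaped, so the base string differs from the documented one even when the value is encoded twice.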

mlowicki

Sep 20, 2010, 4:59:14 AM
to Twitter Development Talk
When I'm using http://quonos.nl/oauthTester/ for oAuth validation with
my code I get:

Base String syntax: OK

Method type: OK

URL: OK

Parameters syntax: O

But when I replace my secret with
"MCD8BKwGdgPHvAuvgvz4EQpqDAtx89grbuNMRd7Eh98" I get a different
signature - ZtkBQc2RwY+Jv1Fv8fXoasR4DLo

@Tom, can you show the source of your php script for validation?

mlowicki

Sep 20, 2010, 5:06:32 AM
to Twitter Development Talk
This is how my code looks now:

var username = encodeURIComponent("user");
var password = encodeURIComponent("password");
var url = "https://api.twitter.com/oauth/access_token";
var key = "key";
var secret = "MCD8BKwGdgPHvAuvgvz4EQpqDAtx89grbuNMRd7Eh98";
var timestamp = Math.round((new Date()).getTime() / 1000);
var nonce = Math.random();

var access_token = "oauth_consumer_key=" + key +
    "&oauth_nonce=" + nonce +
    "&oauth_signature_method=HMAC-SHA1" +
    "&oauth_timestamp=" + timestamp +
    "&oauth_version=1.0" +
    "&x_auth_mode=client_auth" +
    "&x_auth_password=" + password +
    "&x_auth_username=" + username;

var base_string = "POST&" + encodeURIComponent(url) + "&" +
    encodeURIComponent(access_token);

console.debug("base string", base_string);
var oauth_signature = b64_hmac_sha1(secret, base_string);
console.debug("signature", oauth_signature);
oauth_signature = encodeURIComponent(oauth_signature+"=");


On Sep 20, 10:59 am, mlowicki <mlowi...@gmail.com> wrote:
> When I'm using http://quonos.nl/oauthTester/ for oAuth validation with

Tom van der Woerdt

Sep 20, 2010, 5:50:34 AM
to twitter-deve...@googlegroups.com
The only relevant part of my code :
$sig = base64_encode(hash_hmac('sha1', $baseString, $key, true));

Key and Base String are visible on the page itself ;-)

Tom


On Mon, 20 Sep 2010 01:59:14 -0700 (PDT), mlowicki <mlow...@gmail.com>
wrote:

mlowicki

Sep 20, 2010, 7:51:12 AM
to Twitter Development Talk
@Matt, can you provide some method for debugging my issue or some
solution because with such error message as "Failed to validate oauth
signature and token" my debugging now is more like guessing....


On Sep 20, 11:50 am, Tom van der Woerdt <i...@tvdw.eu> wrote:
> The only relevant part of my code :
> $sig = base64_encode(hash_hmac('sha1', $baseString, $key, true));
>
> Key and Base String are visible on the page itself ;-)
>
> Tom
>
> On Mon, 20 Sep 2010 01:59:14 -0700 (PDT), mlowicki <mlowi...@gmail.com>
> wrote:
>
>
>
> > When I'm using http://quonos.nl/oauthTester/ for oAuth validation with

mlowicki

Sep 20, 2010, 10:47:16 AM
to Twitter Development Talk
It works for me now! This is the final script:

var username = encodeURIComponent(cfg.username),
    password = encodeURIComponent(cfg.password),
    url = "https://api.twitter.com/oauth/access_token",
    timestamp = Math.round((new Date()).getTime() / 1000),
    nonce = Math.random();

var accessToken = ("oauth_consumer_key={key}" +
    "&oauth_nonce={nonce}" +
    "&oauth_signature_method=HMAC-SHA1" +
    "&oauth_timestamp={timestamp}" +
    "&oauth_version=1.0" +
    "&x_auth_mode=client_auth" +
    "&x_auth_password={password}" +
    "&x_auth_username={username}").supplant({
        key: CONSUMER_KEY,
        nonce: nonce,
        timestamp: timestamp,
        password: password,
        username: username
    });

var baseString = "POST&" + encodeURIComponent(url) + "&" +
    encodeURIComponent(accessToken);

var signature = encodeURIComponent(
    b64_hmac_sha1(CONSUMER_SECRET + "&", baseString) + "=");

var authHeader = ("OAuth oauth_nonce=\"{nonce}\", " +
    "oauth_signature_method=\"HMAC-SHA1\", " +
    "oauth_timestamp=\"{timestamp}\", " +
    "oauth_consumer_key=\"{key}\", " +
    "oauth_signature=\"{signature}\", " +
    "oauth_version=\"1.0\"").supplant({
        nonce: nonce,
        timestamp: timestamp,
        key: CONSUMER_KEY,
        signature: signature
    });

new O.IO.Req({
    url: url,
    method: "POST",
    data: "x_auth_username=" + username + "&x_auth_password=" +
        password + "&" + "x_auth_mode=client_auth",
    headers: [{
        name: "Authorization",
        val: authHeader
    }],
    onSuccess: {
        fn: function(req) {
            var data = {};

            req.responseText.split("&").forEach(function(item) {
                var parts = item.split("=");

                switch(parts[0]) {
                    case "oauth_token":
                        data.token = parts[1];
                        break;
                    case "oauth_token_secret":
                        data.secret = parts[1];
                        break;
                    case "user_id":
                        data.userID = parts[1];
                        break;
                    case "screen_name":
                        data.screenName = parts[1];
                        break;
                    default:
                        break;
                }
            });

            cfg.onSuccess.fn.call(cfg.onSuccess.scope, data);
        }
    },
    onFailure: {
        fn: function(req) {
            cfg.onFailure.fn.call(cfg.onFailure.scope, req);
        }
    }});

On Sep 20, 1:51 pm, mlowicki <mlowi...@gmail.com> wrote:
> @Matt, can you provide some method for debugging my issue or some
> solution because with such error message as "Failed to validate oauth
> signature and token" my debugging now is more like guessing....
>
> On Sep 20, 11:50 am, Tom van der Woerdt <i...@tvdw.eu> wrote:
>
>
>
> > The only relevant part of my code :
> > $sig = base64_encode(hash_hmac('sha1', $baseString, $key, true));
>
> > Key and Base String are visible on the page itself ;-)
>
> > Tom
>
> > On Mon, 20 Sep 2010 01:59:14 -0700 (PDT), mlowicki <mlowi...@gmail.com>
> > wrote:
>
> > > When I'm using http://quonos.nl/oauthTester/ for oAuth validation with