I'm writing a client in java and trying to use oauth to get an access
token. However, I keep getting an IOException which essentially means
I'm getting an HTTP 401 error back (unauthorized). I've verified that
my signature algorithm is correct by using some provided examples over
at oauth.net, but nothing seems to be working for me. Does the
consumer key need an & after it? I'm using the exact values provided
via the register oauth client page. Here's a snippet of the code:
HttpURLConnection connection = null;
BufferedReader reader = null;
StringBuilder responseBuilder;
Date date = new Date();
long time = date.getTime();
long timestamp = time / 1000;
Random tmp = new Random();
try {
StringBuilder stuff = new StringBuilder();
stuff.append(encode("oauth_consumer_key"));
stuff.append("=");
stuff.append(encode(CONSUMER_KEY));
stuff.append("&");
stuff.append(encode("oauth_nonce"));
stuff.append("=");
stuff.append(encode(Long.toString(timestamp +
tmp.nextInt(1000))));
stuff.append("&");
stuff.append(encode("oauth_signature_method"));
stuff.append("=");
stuff.append(encode("HMAC-SHA1"));
stuff.append("&");
stuff.append(encode("oauth_timestamp"));
stuff.append("=");
stuff.append(encode(Long.toString(timestamp)));
stuff.append("&");
stuff.append(encode("oauth_version"));
stuff.append("=");
stuff.append(encode("1.0"));
StringBuffer base = new
StringBuffer("GET").append("&")
.append(encode("http://twitter.com/oauth/
request_token")).append("&");
base.append(encode(stuff.toString()));
String oauthBaseString = base.toString();
String sig = signature(oauthBaseString,
CONSUMER_SECRET);
StringBuilder params = new StringBuilder();
params.append(encode("oauth_consumer_key"));
params.append("=\"");
params.append(encode(CONSUMER_KEY));
params.append("\", ");
params.append(encode("oauth_signature_method"));
params.append("=\"");
params.append(encode("HMAC-SHA1"));
params.append("\", ");
params.append(encode("oauth_signature"));
params.append("=\"");
params.append(encode(sig));
params.append("\", ");
params.append(encode("oauth_timestamp"));
params.append("=\"");
params.append(encode(Long.toString(timestamp)));
params.append("\", ");
params.append(encode("oauth_nonce"));
params.append("=\"");
params.append(encode(Long.toString(timestamp +
tmp.nextInt(1000))));
params.append("\", ");
params.append(encode("oauth_version"));
params.append("=\"");
params.append(encode("1.0"));
params.append("\"");
// Prepare the connection
URL url = new URL("http://twitter.com/oauth/
request_token");
connection = (HttpURLConnection) url.openConnection();
connection.setRequestMethod("GET");
connection.setRequestProperty("WWW-Authenticate",
"OAuth " + params.toString());
connection.setConnectTimeout(30000);
connection.setReadTimeout(30000);
// Read the response
int code = -1;
try {
code = connection.getResponseCode();
} catch (IOException e) {
e.printStackTrace();
}
reader = new BufferedReader(new
InputStreamReader(connection.getInputStream()));
responseBuilder = new StringBuilder();
String line = null;
while ((line = reader.readLine()) != null) {
responseBuilder.append(line);
}
(Taken from oauth.net)
Authorization: OAuth realm="http://sp.example.com/",
oauth_consumer_key="0685bd9184jfhq22",
oauth_token="ad180jjd733klru7",
oauth_signature_method="HMAC-SHA1",
oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
oauth_timestamp="137131200",
oauth_nonce="4572616e48616d6d65724c61686176",
oauth_version="1.0"
Then, I thought it might need to go into the WWW-Authenticate field as
opposed to the Authorization field so I tried that too with no
success.
I've also just tried formatting them as GET parameters and attaching
them to the request URL, but that isn't working either. It would look
like:
http://twitter.com/oauth/request_token?oauth_consumer_key=<value>&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1266440918&oauth_nonce=1266440928&oauth_version=1.0&oauth_signature=l%2BYDrTyWGpvDu3owDlVQLakzVns%3D
On Feb 17, 3:52 pm, Ryan Alford <ryanalford...@gmail.com> wrote:
> Can you post the URL with querystring parameters when you make the request?
>
> Ryan
>
Your querystring parameters are in the wrong order. You have the oauth_nonce AFTER oauth_timestamp. It needs to be before it. The parameters must be in order.
Ryan
Sent from my DROID
On Feb 17, 2010 6:18 PM, "Berto" <mstb...@gmail.com> wrote:
To answer the first email, I was doing that so I could put it in the
request header's authorization field to get this effect:
(Taken from oauth.net)
Authorization: OAuth realm="http://sp.example.com/",
oauth_consumer_key="0685bd9184jfhq22",
oauth_token="ad180jjd733klru7",
oauth_signature_method="HMAC-SHA1",
oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
oauth_timestamp="137131200",
oauth_nonce="4572616e48616d6d65724c61686176",
oauth_version="1.0"
Then, I thought it might need to go into the WWW-Authenticate field as
opposed to the Authorization field so I tried that too with no
success.
I've also just tried formatting them as GET parameters and attaching
them to the request URL, but that isn't working either. It would look
like:
http://twitter.com/oauth/request_token?oauth_consumer_key=<value>&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1266440918&oauth_nonce=1266440928&oauth_version=1.0&oauth_signature=l%2BYDrTyWGpvDu3owDlVQLakzVns%3D
On Feb 17, 3:52 pm, Ryan Alford <ryanalford...@gmail.com> wrote:
> Can you post the URL with querys...
> On Wed, Feb 17, 2010 at 4:51 PM, Ryan Alford <ryanalford...@gmail.com>wrote:
>
> > Why are you doing this?....
>
> > StringBuilder params = new StringBuilder();
> > ...
> > On Wed, Feb 17, 2010 at 2:37 PM, Berto <mstbe...@gmail.com> wrote:
>
> >> Hey guys,
>
> >> I'm w...
Thanks.
On Feb 17, 5:27 pm, Ryan Alford <ryanalford...@gmail.com> wrote:
> Your querystring parameters are in the wrong order. You have the
> oauth_nonce AFTER oauth_timestamp. It needs to be before it. The
> parameters must be in order.
>
> Ryan
>
> Sent from my DROID
>
http://twitter.com/oauth/request_token?oauth_consumer_key=<value>&oauth_nonce=1266501098&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1266500348&oauth_version=1.0&oauth_signature=eGALeAVpxt4CB%2FuHfkLq51%2FWXRk%3D
It still fails for me. I've gotta be missing something obvious. Does
anything need to go into my header?
On Feb 17, 9:47 pm, Ryan Alford <ryanalford...@gmail.com> wrote:
> You order all parameters EXCEPT the signature, then create the signature,
> then append the signature to the end. All other parameters should be in
> order.
>
> Ryan
>
> On Wed, Feb 17, 2010 at 6:42 PM, Berto <mstbe...@gmail.com> wrote:
> > I thought that was only for the signature which is in the right
> > order?
>
> > Ryan Alford wrote:
> > > Your querystring parameters are in the wrong order. You have the
> > > oauth_nonce AFTER oauth_timestamp. It needs to be before it. The
> > > parameters must be in order.
>
> > > Ryan
>
> > > Sent from my DROID
>
On Feb 18, 8:04 am, Ryan Alford <ryanalford...@gmail.com> wrote:
> Can you post the string that you hash to create the signature?
>
> Ryan
>
Thanks, Ryan!
On Feb 18, 9:01 am, Ryan Alford <ryanalford...@gmail.com> wrote:
> That looks fine.
>
> Are you using the Consumer Secret as the key to the hash?
>
> Ryan
>
On Feb 18, 9:01 am, Ryan Alford <ryanalford...@gmail.com> wrote:
> That looks fine.
>
> Are you using the Consumer Secret as the key to the hash?
>
> Ryan
>
I am under the impression that sorting is only required to generate
the Signature Base String. I haven't seen anything in the OAuth spec
to suggest that Query parameters must be ordered. If I have missed
something, lease let me know where. I also believe that ordering is
*not* required in the Authorization header because the example shown
in the spec is not ordered [1]
[1] OAuth Core 1.0a section 5.4.1 Authorization Header;
http://oauth.net/core/1.0a/#auth_header
Yep, that's my understanding too. Signature base string sorting is
strict. For the Authorization header, neither sender nor receiver
should assume any sorting, it's an unsorted key/value map.
GET&http%3A%2F%2Ftwitter.com%2Foauth%2Faccess_token&oauth_consumer_key
%3DZhJuTh3GCDkGIDm2R4ocNQ%26oauth_nonce
%3D1266961864%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp
%3D1266961390%26oauth_token
%3Di475hmfQqpSp2v7K7hq7QOJF70KmyksvSO9CIOr5kE%26oauth_verifier
%3D4882700%26oauth_version%3D1.0
as my signature base string even though the request made was via
POST. Using "POST" in the signature base string causes an HTTP 401
error. Any reason why this is?