oauth request token failing
Berto
I'm writing a client in java and trying to use oauth to get an access
token. However, I keep getting an IOException which essentially means
I'm getting an HTTP 401 error back (unauthorized). I've verified that
my signature algorithm is correct by using some provided examples over
at oauth.net, but nothing seems to be working for me. Does the
consumer key need an & after it? I'm using the exact values provided
via the register oauth client page. Here's a snippet of the code:
HttpURLConnection connection = null;
BufferedReader reader = null;
StringBuilder responseBuilder;
Date date = new Date();
long time = date.getTime();
long timestamp = time / 1000;
Random tmp = new Random();
try {
StringBuilder stuff = new StringBuilder();
stuff.append(encode("oauth_consumer_key"));
stuff.append("=");
stuff.append(encode(CONSUMER_KEY));
stuff.append("&");
stuff.append(encode("oauth_nonce"));
stuff.append("=");
stuff.append(encode(Long.toString(timestamp +
tmp.nextInt(1000))));
stuff.append("&");
stuff.append(encode("oauth_signature_method"));
stuff.append("=");
stuff.append(encode("HMAC-SHA1"));
stuff.append("&");
stuff.append(encode("oauth_timestamp"));
stuff.append("=");
stuff.append(encode(Long.toString(timestamp)));
stuff.append("&");
stuff.append(encode("oauth_version"));
stuff.append("=");
stuff.append(encode("1.0"));
StringBuffer base = new
StringBuffer("GET").append("&")
.append(encode("http://twitter.com/oauth/
request_token")).append("&");
base.append(encode(stuff.toString()));
String oauthBaseString = base.toString();
String sig = signature(oauthBaseString,
CONSUMER_SECRET);
StringBuilder params = new StringBuilder();
params.append(encode("oauth_consumer_key"));
params.append("=\"");
params.append(encode(CONSUMER_KEY));
params.append("\", ");
params.append(encode("oauth_signature_method"));
params.append("=\"");
params.append(encode("HMAC-SHA1"));
params.append("\", ");
params.append(encode("oauth_signature"));
params.append("=\"");
params.append(encode(sig));
params.append("\", ");
params.append(encode("oauth_timestamp"));
params.append("=\"");
params.append(encode(Long.toString(timestamp)));
params.append("\", ");
params.append(encode("oauth_nonce"));
params.append("=\"");
params.append(encode(Long.toString(timestamp +
tmp.nextInt(1000))));
params.append("\", ");
params.append(encode("oauth_version"));
params.append("=\"");
params.append(encode("1.0"));
params.append("\"");
// Prepare the connection
URL url = new URL("http://twitter.com/oauth/
request_token");
connection = (HttpURLConnection) url.openConnection();
connection.setRequestMethod("GET");
connection.setRequestProperty("WWW-Authenticate",
"OAuth " + params.toString());
connection.setConnectTimeout(30000);
connection.setReadTimeout(30000);
// Read the response
int code = -1;
try {
code = connection.getResponseCode();
} catch (IOException e) {
e.printStackTrace();
}
reader = new BufferedReader(new
InputStreamReader(connection.getInputStream()));
responseBuilder = new StringBuilder();
String line = null;
while ((line = reader.readLine()) != null) {
responseBuilder.append(line);
}
Ryan Alford
Ryan Alford
Berto
request header's authorization field to get this effect:
(Taken from oauth.net)
Authorization: OAuth realm="http://sp.example.com/",
oauth_consumer_key="0685bd9184jfhq22",
oauth_token="ad180jjd733klru7",
oauth_signature_method="HMAC-SHA1",
oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
oauth_timestamp="137131200",
oauth_nonce="4572616e48616d6d65724c61686176",
oauth_version="1.0"
Then, I thought it might need to go into the WWW-Authenticate field as
opposed to the Authorization field so I tried that too with no
success.
I've also just tried formatting them as GET parameters and attaching
them to the request URL, but that isn't working either. It would look
like:
http://twitter.com/oauth/request_token?oauth_consumer_key=<value>&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1266440918&oauth_nonce=1266440928&oauth_version=1.0&oauth_signature=l%2BYDrTyWGpvDu3owDlVQLakzVns%3D
On Feb 17, 3:52 pm, Ryan Alford <ryanalford...@gmail.com> wrote:
> Can you post the URL with querystring parameters when you make the request?
>
> Ryan
>
Ryan Alford
Your querystring parameters are in the wrong order. You have the oauth_nonce AFTER oauth_timestamp. It needs to be before it. The parameters must be in order.
Ryan
Sent from my DROID
On Feb 17, 2010 6:18 PM, "Berto" <mstb...@gmail.com> wrote:
To answer the first email, I was doing that so I could put it in the
request header's authorization field to get this effect:
(Taken from oauth.net)
Authorization: OAuth realm="http://sp.example.com/",
oauth_consumer_key="0685bd9184jfhq22",
oauth_token="ad180jjd733klru7",
oauth_signature_method="HMAC-SHA1",
oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
oauth_timestamp="137131200",
oauth_nonce="4572616e48616d6d65724c61686176",
oauth_version="1.0"
Then, I thought it might need to go into the WWW-Authenticate field as
opposed to the Authorization field so I tried that too with no
success.
I've also just tried formatting them as GET parameters and attaching
them to the request URL, but that isn't working either. It would look
like:
http://twitter.com/oauth/request_token?oauth_consumer_key=<value>&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1266440918&oauth_nonce=1266440928&oauth_version=1.0&oauth_signature=l%2BYDrTyWGpvDu3owDlVQLakzVns%3D
On Feb 17, 3:52 pm, Ryan Alford <ryanalford...@gmail.com> wrote:
> Can you post the URL with querys...
> On Wed, Feb 17, 2010 at 4:51 PM, Ryan Alford <ryanalford...@gmail.com>wrote:
>
> > Why are you doing this?....
>
> > StringBuilder params = new StringBuilder();
> > ...
> > On Wed, Feb 17, 2010 at 2:37 PM, Berto <mstbe...@gmail.com> wrote:
>
> >> Hey guys,
>
> >> I'm w...
Berto
I'll try it out tomorrow.
Thanks.
On Feb 17, 5:27 pm, Ryan Alford <ryanalford...@gmail.com> wrote:
> Your querystring parameters are in the wrong order. You have the
> oauth_nonce AFTER oauth_timestamp. It needs to be before it. The
> parameters must be in order.
>
> Ryan
>
> Sent from my DROID
>
Berto
order?
Ryan Alford
Berto
http://twitter.com/oauth/request_token?oauth_consumer_key=<value>&oauth_nonce=1266501098&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1266500348&oauth_version=1.0&oauth_signature=eGALeAVpxt4CB%2FuHfkLq51%2FWXRk%3D
It still fails for me. I've gotta be missing something obvious. Does
anything need to go into my header?
On Feb 17, 9:47 pm, Ryan Alford <ryanalford...@gmail.com> wrote:
> You order all parameters EXCEPT the signature, then create the signature,
> then append the signature to the end. All other parameters should be in
> order.
>
> Ryan
>
> On Wed, Feb 17, 2010 at 6:42 PM, Berto <mstbe...@gmail.com> wrote:
> > I thought that was only for the signature which is in the right
> > order?
>
> > Ryan Alford wrote:
> > > Your querystring parameters are in the wrong order. You have the
> > > oauth_nonce AFTER oauth_timestamp. It needs to be before it. The
> > > parameters must be in order.
>
> > > Ryan
>
> > > Sent from my DROID
>
Ryan Alford
Berto
%3D8hvUTsGttoOBN2ygbDVJw%26oauth_nonce
%3D1266502068%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp
%3D1266501208%26oauth_version%3D1.0
On Feb 18, 8:04 am, Ryan Alford <ryanalford...@gmail.com> wrote:
> Can you post the string that you hash to create the signature?
>
> Ryan
>
Ryan Alford
Berto
was just that my parameters were out-of-order.
Thanks, Ryan!
On Feb 18, 9:01 am, Ryan Alford <ryanalford...@gmail.com> wrote:
> That looks fine.
>
> Are you using the Consumer Secret as the key to the hash?
>
> Ryan
>
Berto
registration. And I've verified the algorithm works with the example
from the oauth spec.
On Feb 18, 9:01 am, Ryan Alford <ryanalford...@gmail.com> wrote:
> That looks fine.
>
> Are you using the Consumer Secret as the key to the hash?
>
> Ryan
>
Zhami
> You order all parameters EXCEPT the signature, then create the signature,
> then append the signature to the end. All other parameters should be in
> order.
>
I am under the impression that sorting is only required to generate
the Signature Base String. I haven't seen anything in the OAuth spec
to suggest that Query parameters must be ordered. If I have missed
something, lease let me know where. I also believe that ordering is
*not* required in the Authorization header because the example shown
in the spec is not ordered [1]
[1] OAuth Core 1.0a section 5.4.1 Authorization Header;
http://oauth.net/core/1.0a/#auth_header
Jaanus
> > then append the signature to the end. All other parameters should be in
> > order.
> I am under the impression that sorting is only required to generate
> the Signature Base String. I haven't seen anything in the OAuth spec
> to suggest that Query parameters must be ordered. If I have missed
> something, lease let me know where. I also believe that ordering is
> *not* required in the Authorization header because the example shown
> in the spec is not ordered [1]
Yep, that's my understanding too. Signature base string sorting is
strict. For the Authorization header, neither sender nor receiver
should assume any sorting, it's an unsorted key/value map.
Berto
access token. But it I had to play around with the oauth parameters
in order to do so which doesn't seem correct. When I made the POST
request, I used:
GET&http%3A%2F%2Ftwitter.com%2Foauth%2Faccess_token&oauth_consumer_key
%3DZhJuTh3GCDkGIDm2R4ocNQ%26oauth_nonce
%3D1266961864%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp
%3D1266961390%26oauth_token
%3Di475hmfQqpSp2v7K7hq7QOJF70KmyksvSO9CIOr5kE%26oauth_verifier
%3D4882700%26oauth_version%3D1.0
as my signature base string even though the request made was via
POST. Using "POST" in the signature base string causes an HTTP 401
error. Any reason why this is?