Pin-based authorization via .NET

25 views
Skip to first unread message

Ricky

unread,
Mar 7, 2010, 3:57:12 PM3/7/10
to Twitter Development Talk
I'm working on version 2 of Twitterizer, a .NET library for using the
Twitter API, but I've run into a weird issue with pin-based OAuth. I
have a sample web application and a sample desktop application. From
the web application I am able to perform pin-based authentication
without any issues, but through the desktop application every call for
access tokens are refused with "Invalid oauth_verifier parameter."
I've stepped through the code (non-stop for an hour) and I'm sure that
the exact code is executing for each call. I've tried changing the
calls to GET, instead of POST, and the results are the same. From the
web app it works great, from the desktop app, not so much.

Using fiddler, I've captured the HTTP request/response from each, and
they look exactly the same (to me).

Here is the call from the web application (works):
POST http://twitter.com/oauth/access_token?oauth_verifier=2068385 HTTP/
1.1
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth realm="Twitter
API",oauth_consumer_key="Ds8w95QVNTITV16pqMwtHA",oauth_nonce="6E723378",oauth_signature_method="HMAC-
SHA1",oauth_timestamp="1267995036",oauth_token="Vy5cCHkomrAKocY9c8J18hAEf1PJ2ONwBtQxmdGGaI",oauth_version="1.0",oauth_signature="OU3Qfi2tq
%2Fwyaij0NezCARqLVCA%3D"
User-Agent: Twitterizer/2.0.0.0
Host: twitter.com

And here is the call from the desktop application (does not work):
POST http://twitter.com/oauth/access_token?oauth_verifier=541907 HTTP/
1.1
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth realm="Twitter
API",oauth_consumer_key="Ds8w95QVNTITV16pqMwtHA",oauth_nonce="7F8D82E3",oauth_signature_method="HMAC-
SHA1",oauth_timestamp="1267995086",oauth_token="uTcERUybyJF0WKi77w5dPCTZbwO7DZJX1hQuJK0fg",oauth_version="1.0",oauth_signature="iUUcdVtM
%2B4nxfDKrqPqElE9IPgY%3D"
User-Agent: Twitterizer/2.0.0.0
Host: twitter.com

The response body is:
<?xml version="1.0" encoding="UTF-8"?>
<hash>
<request>/oauth/access_token?oauth_verifier=541907</request>
<error>Invalid oauth_verifier parameter</error>
</hash>

This may be more of a .NET question, as there may be some kind of
nuance when making requests through a windows application, but I
thought it might be worth my time to ask everyone, in case I'm doing
something dumb (it happens).

Thanks for your time,
Ricky
www.twitterizer.net

Ryan Alford

unread,
Mar 7, 2010, 5:03:57 PM3/7/10
to twitter-deve...@googlegroups.com

Why are you using PIN based authorization for web applications?  Web applications don't use PINs.

Ryan

Sent from my DROID

Abraham Williams

unread,
Mar 7, 2010, 5:07:15 PM3/7/10
to twitter-development-talk
You are missing a digit from the desktop PIN. It should always be 7 digits.

Abraham
--
Abraham Williams | Community Advocate | http://abrah.am
TwitterOAuth | http://github.com/abraham/twitteroauth
This email is: [ ] shareable [x] ask first [ ] private.

Ricky

unread,
Mar 7, 2010, 6:19:17 PM3/7/10
to Twitter Development Talk
I'm developing a library that can be used with either web or desktop.
Since I had code already going in a web application, I use it to do my
initial development.

Ricky

On Mar 7, 5:03 pm, Ryan Alford <ryanalford...@gmail.com> wrote:
> Why are you using PIN based authorization for web applications?  Web
> applications don't use PINs.
>
> Ryan
>
> Sent from my DROID
>
> On Mar 7, 2010 4:59 PM, "Ricky" <ri...@digitally-born.com> wrote:
>
> I'm working on version 2 of Twitterizer, a .NET library for using the
> Twitter API, but I've run into a weird issue with pin-based OAuth. I
> have a sample web application and a sample desktop application. From
> the web application I am able to perform pin-based authentication
> without any issues, but through the desktop application every call for
> access tokens are refused with "Invalid oauth_verifier parameter."
> I've stepped through the code (non-stop for an hour) and I'm sure that
> the exact code is executing for each call. I've tried changing the
> calls to GET, instead of POST, and the results are the same. From the
> web app it works great, from the desktop app, not so much.
>
> Using fiddler, I've captured the HTTP request/response from each, and
> they look exactly the same (to me).
>
> Here is the call from the web application (works):
> POSThttp://twitter.com/oauth/access_token?oauth_verifier=2068385HTTP/
> 1.1
> Content-Type: application/x-www-form-urlencoded
> Authorization: OAuth realm="Twitter

> API",oauth_consumer_key="Ds8w95QVNTITV16pqMwtHA",oauth_nonce="6E723378",oau th_signature_method="HMAC-
> SHA1",oauth_timestamp="1267995036",oauth_token="Vy5cCHkomrAKocY9c8J18hAEf1P J2ONwBtQxmdGGaI",oauth_version="1.0",oauth_signature="OU3Qfi2tq


> %2Fwyaij0NezCARqLVCA%3D"
> User-Agent: Twitterizer/2.0.0.0
> Host: twitter.com
>
> And here is the call from the desktop application (does not work):
> POSThttp://twitter.com/oauth/access_token?oauth_verifier=541907HTTP/
> 1.1
> Content-Type: application/x-www-form-urlencoded
> Authorization: OAuth realm="Twitter

> API",oauth_consumer_key="Ds8w95QVNTITV16pqMwtHA",oauth_nonce="7F8D82E3",oau th_signature_method="HMAC-
> SHA1",oauth_timestamp="1267995086",oauth_token="uTcERUybyJF0WKi77w5dPCTZbwO 7DZJX1hQuJK0fg",oauth_version="1.0",oauth_signature="iUUcdVtM

Ricky

unread,
Mar 7, 2010, 6:19:44 PM3/7/10
to Twitter Development Talk
I thought the same thing, but Twitter has absolutely given me 6 digit
pins.

Ricky

On Mar 7, 5:07 pm, Abraham Williams <4bra...@gmail.com> wrote:
> You are missing a digit from the desktop PIN. It should always be 7 digits.
>
> Abraham
>
>
>
>
>
> On Sun, Mar 7, 2010 at 12:57, Ricky <ri...@digitally-born.com> wrote:
> > I'm working on version 2 of Twitterizer, a .NET library for using the
> > Twitter API, but I've run into a weird issue with pin-based OAuth. I
> > have a sample web application and a sample desktop application. From
> > the web application I am able to perform pin-based authentication
> > without any issues, but through the desktop application every call for
> > access tokens are refused with "Invalid oauth_verifier parameter."
> > I've stepped through the code (non-stop for an hour) and I'm sure that
> > the exact code is executing for each call. I've tried changing the
> > calls to GET, instead of POST, and the results are the same. From the
> > web app it works great, from the desktop app, not so much.
>
> > Using fiddler, I've captured the HTTP request/response from each, and
> > they look exactly the same (to me).
>
> > Here is the call from the web application (works):
> > POSThttp://twitter.com/oauth/access_token?oauth_verifier=2068385HTTP/
> > 1.1
> > Content-Type: application/x-www-form-urlencoded
> > Authorization: OAuth realm="Twitter
>

> > API",oauth_consumer_key="Ds8w95QVNTITV16pqMwtHA",oauth_nonce="6E723378",oau th_signature_method="HMAC-
>
> > SHA1",oauth_timestamp="1267995036",oauth_token="Vy5cCHkomrAKocY9c8J18hAEf1P J2ONwBtQxmdGGaI",oauth_version="1.0",oauth_signature="OU3Qfi2tq


> > %2Fwyaij0NezCARqLVCA%3D"
> > User-Agent: Twitterizer/2.0.0.0
> > Host: twitter.com
>
> > And here is the call from the desktop application (does not work):
> > POSThttp://twitter.com/oauth/access_token?oauth_verifier=541907HTTP/
> > 1.1
> > Content-Type: application/x-www-form-urlencoded
> > Authorization: OAuth realm="Twitter
>

> > API",oauth_consumer_key="Ds8w95QVNTITV16pqMwtHA",oauth_nonce="7F8D82E3",oau th_signature_method="HMAC-
>
> > SHA1",oauth_timestamp="1267995086",oauth_token="uTcERUybyJF0WKi77w5dPCTZbwO 7DZJX1hQuJK0fg",oauth_version="1.0",oauth_signature="iUUcdVtM

Ricky

unread,
Mar 7, 2010, 6:21:53 PM3/7/10
to Twitter Development Talk
Actually, ignore me. You were totally right. I accidentally limited
the text box in the desktop app to 6 chars, so it was truncating them.
I need a nap.

Thanks,
Ricky

On Mar 7, 5:07 pm, Abraham Williams <4bra...@gmail.com> wrote:

> You are missing a digit from the desktop PIN. It should always be 7 digits.
>
> Abraham
>
>
>
>
>
> On Sun, Mar 7, 2010 at 12:57, Ricky <ri...@digitally-born.com> wrote:
> > I'm working on version 2 of Twitterizer, a .NET library for using the
> > Twitter API, but I've run into a weird issue with pin-based OAuth. I
> > have a sample web application and a sample desktop application. From
> > the web application I am able to perform pin-based authentication
> > without any issues, but through the desktop application every call for
> > access tokens are refused with "Invalid oauth_verifier parameter."
> > I've stepped through the code (non-stop for an hour) and I'm sure that
> > the exact code is executing for each call. I've tried changing the
> > calls to GET, instead of POST, and the results are the same. From the
> > web app it works great, from the desktop app, not so much.
>
> > Using fiddler, I've captured the HTTP request/response from each, and
> > they look exactly the same (to me).
>
> > Here is the call from the web application (works):
> > POSThttp://twitter.com/oauth/access_token?oauth_verifier=2068385HTTP/
> > 1.1
> > Content-Type: application/x-www-form-urlencoded
> > Authorization: OAuth realm="Twitter
>

> > API",oauth_consumer_key="Ds8w95QVNTITV16pqMwtHA",oauth_nonce="6E723378",oau th_signature_method="HMAC-
>
> > SHA1",oauth_timestamp="1267995036",oauth_token="Vy5cCHkomrAKocY9c8J18hAEf1P J2ONwBtQxmdGGaI",oauth_version="1.0",oauth_signature="OU3Qfi2tq


> > %2Fwyaij0NezCARqLVCA%3D"
> > User-Agent: Twitterizer/2.0.0.0
> > Host: twitter.com
>
> > And here is the call from the desktop application (does not work):
> > POSThttp://twitter.com/oauth/access_token?oauth_verifier=541907HTTP/
> > 1.1
> > Content-Type: application/x-www-form-urlencoded
> > Authorization: OAuth realm="Twitter
>

> > API",oauth_consumer_key="Ds8w95QVNTITV16pqMwtHA",oauth_nonce="7F8D82E3",oau th_signature_method="HMAC-
>
> > SHA1",oauth_timestamp="1267995086",oauth_token="uTcERUybyJF0WKi77w5dPCTZbwO 7DZJX1hQuJK0fg",oauth_version="1.0",oauth_signature="iUUcdVtM

John Meyer

unread,
Mar 7, 2010, 6:34:54 PM3/7/10
to twitter-deve...@googlegroups.com
Take a look at http://twittervb.codeplex.com/ for some examples.

John Meyer
Freelance Consultant
http://www.pueblonative.com/blog

If something goes wrong at the plant, blame the guy who can�t speak
English.
*/Homer Simpson/*

--- @ WiseStamp Signature
<http://my.wisestamp.com/link?u=42bgx5rfnpr43zfj&site=www.wisestamp.com/email-install>.
Get it now
<http://my.wisestamp.com/link?u=42bgx5rfnpr43zfj&site=www.wisestamp.com/email-install>

Ricky

unread,
Mar 7, 2010, 10:39:57 PM3/7/10
to Twitter Development Talk
TwitterVB is actually a port of version 1 of Twitterizer. (I'm named
in the source :D)

Ricky

On Mar 7, 6:34 pm, John Meyer <john.l.me...@gmail.com> wrote:
> Take a look athttp://twittervb.codeplex.com/for some examples.
>
> John Meyer
> Freelance Consultanthttp://www.pueblonative.com/blog
>
> If something goes wrong at the plant,  blame the guy who can t speak


> English.
>   */Homer Simpson/*
>
> --- @ WiseStamp Signature

> <http://my.wisestamp.com/link?u=42bgx5rfnpr43zfj&site=www.wisestamp.co...>.
> Get it now
> <http://my.wisestamp.com/link?u=42bgx5rfnpr43zfj&site=www.wisestamp.co...>

Reply all
Reply to author
Forward
0 new messages