Yet another "Failed to validate oauth signature and token" while requesting a token


craiga

Jun 2, 2010, 12:48:06 AM6/2/10
to Twitter Development Talk
Hi guys,

Sorry for troubling you with yet *another* "Failed to validate oauth
signature and token" error, but I just can't figure out what's wrong
with my request.

I'm constructing my signature from this string:

POST&http%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_callback%3Dhttp%3A%2F%2Fcraiga.id.au%2Ftwitter%2Fconnected%26oauth_consumer_key%3Dtm5...DOg%26oauth_nonce%3D8...22b%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1275453048%26oauth_version%3D1.0

From this I generate a 28-character signature using the following PHP
code:

base64_encode(hash_hmac('sha1', $raw, 'YUo...HIU' . '&', true));

Using this signature, I send the following request:

POST http://api.twitter.com/oauth/request_token HTTP/1.1
Host: api.twitter.com
Pragma: no-cache
Accept: */*
Proxy-Connection: Keep-Alive
Authorization: OAuth oauth_nonce="3D8...22b", oauth_callback="http%3A%2F%2Fcraiga.id.au%2Ftwitter%2Fconnected", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1275453048", oauth_consumer_key="tm5...DOg", oauth_signature="aYd...c6E%3D", oauth_version="1.0"
Content-Length: 266
Content-Type: application/x-www-form-urlencoded

oauth_callback=http%3A%2F%2Fcraiga.id.au%2Ftwitter%2Fconnected&oauth_consumer_key=tm5...DOg&oauth_nonce=3D8...22b&oauth_signature_method=HMAC-SHA1&oauth_timestamp= 1275453048&oauth_version=1.0

I get the following response from Twitter to this request:

HTTP/1.1 401 Unauthorized
Date: Wed, 02 Jun 2010 04:40:14 GMT
Server: hi
Status: 401 Unauthorized
X-Transaction: 1275453614-48409-7443
Last-Modified: Wed, 02 Jun 2010 04:40:14 GMT
X-Runtime: 0.01083
Content-Type: text/html; charset=utf-8
Content-Length: 44
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Set-Cookie: k=58.161.42.101.1275453614748615; path=/; expires=Wed, 09-Jun-10 04:40:14 GMT; domain=.twitter.com
Set-Cookie: guest_id=12754536147577949; path=/; expires=Fri, 02 Jul 2010 04:40:14 GMT
Set-Cookie: _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCKaq9fYoAToRdHJhbnNfcHJvbXB0MDoHaWQi%250AJWU0ZDFhMGQzMWU0NTZjMzJiZWFkNWUzMTA4ZDRjOTg3IgpmbGFzaElDOidB%250AY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--f1e5c7649858a1694f24307504354846bbc1d16b; domain=.twitter.com; path=/
Vary: Accept-Encoding
Connection: close

Failed to validate oauth signature and token

If anyone can cast any light on why this might be failing, I'd love to
hear.

Thanks,
Craig

Taylor Singletary

Jun 2, 2010, 10:11:12 AM6/2/10
to twitter-deve...@googlegroups.com
Hi Craig,

It looks like you are passing oauth_* parameters in your POST body in addition to the OAuth HTTP headers. It's really a choice between one or the other -- either you send the oauth_* parameters in an HTTP header or you send them in either a POST body or querystring.

When using HTTP header based auth (which I always recommend) the only query parameters in a query string or POST body are ones that are directly related to the resource you are requesting or posting data to.

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod
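To make the two points in this thread concrete (how the HMAC-SHA1 signature is built from the base string, and why oauth_* parameters must live in the Authorization header only), here is an added Python example that is not part of the thread or of Twitter's code. It signs a request_token call like Craig's on the client side and then verifies it the way a server would; the consumer key and secret are placeholders, while the callback, nonce and timestamp are values shown in the thread. One check worth comparing against the base string in the first post: RFC 5849 percent-encodes each parameter value and then encodes the whole normalized string again, so the callback appears as http%253A%252F%252F... in the base string.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote

def pct(value):
    # OAuth 1.0 percent-encoding (RFC 5849 section 3.6): only A-Z a-z 0-9 - . _ ~ stay bare
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # params: every oauth_* parameter except oauth_signature, plus any query/body parameter,
    # as (key, value) pairs. Each pair is encoded, the pairs sorted and joined with "&", and
    # the whole string encoded AGAIN, so a callback URL appears as http%253A%252F%252F...
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # Key is consumer_secret "&" token_secret; the token secret is empty at request_token time
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def auth_header(oauth_params, signature):
    # Header-based OAuth: oauth_* parameters go in the Authorization header and nowhere else
    fields = list(oauth_params) + [("oauth_signature", signature)]
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(fields))

def verify(method, url, header_params, body_params, consumer_secret, token_secret="", now=None, max_skew=300):
    # Server side. header_params is the decoded Authorization header as a dict. Everything in
    # the header AND the body is fed into the base string, so oauth_* values sent twice (header
    # plus body) change the base string and the signature no longer matches.
    if not header_params.get("oauth_timestamp", "").isdigit():
        return False
    if abs((now if now is not None else time.time()) - int(header_params["oauth_timestamp"])) > max_skew:
        return False
    params = [(k, v) for k, v in header_params.items() if k != "oauth_signature"]
    expected = sign(method, url, params + list(body_params), consumer_secret, token_secret)
    return hmac.compare_digest(expected, header_params.get("oauth_signature", ""))

# Constructed sample shaped like the thread's request_token call; key and secret are placeholders
URL = "http://api.twitter.com/oauth/request_token"
CONSUMER_KEY, CONSUMER_SECRET = "consumerkey", "consumersecret"
OAUTH_PARAMS = [("oauth_callback", "http://craiga.id.au/twitter/connected"),
                ("oauth_consumer_key", CONSUMER_KEY), ("oauth_nonce", "0628cff78ee32e99ab45c614057c67c4"),
                ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "1275525934"), ("oauth_version", "1.0")]
SIGNATURE = sign("POST", URL, OAUTH_PARAMS, CONSUMER_SECRET)
HEADER = auth_header(OAUTH_PARAMS, SIGNATURE)
```

Feeding the same oauth_* pairs to verify() as body parameters reproduces the failure Taylor describes: the server's base string then contains every parameter twice and the recomputed HMAC differs from the one in the header.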

craiga

Jun 2, 2010, 9:04:52 PM6/2/10
to Twitter Development Talk
Thanks for the reply Taylor.

So to get a request token, should I send a POST request with no body?
I'm basing my code around the documentation at http://dev.twitter.com/pages/auth
which says:

> Go for the gold. Go for header-based OAuth.

Fair enough. Under "Acquiring a request token" it also says:

> Twitter's end point for the request token step is http://api.twitter.com/oauth/request_token. You should use the POST HTTP method when using this end point.

Given this, I've changed my request to the following:

POST http://api.twitter.com/oauth/request_token HTTP/1.1
Host: api.twitter.com
Pragma: no-cache
Accept: */*
Proxy-Connection: Keep-Alive
Authorization: OAuth oauth_nonce="0628cff78ee32e99ab45c614057c67c4",
oauth_callback="http%3A%2F%2Fcraiga.id.au%2Ftwitter%2Fconnected",
oauth_signature_method="HMAC-SHA1", oauth_timestamp="1275525934",
oauth_consumer_key="tm5...DOg", oauth_signature="LrteVeKYd%2F6QYnKM8kl
%2BswW8GcA%3D", oauth_version="1.0"

Still, I'm getting the "Failed to validate oauth signature and token."
I've also tried this as a GET request (changing the signature to
reflect the change in method); still no luck.

What am I doing wrong? Am I URL encoding something where I shouldn't
be? Am I not URL encoding something I should be? I'm running ntpdate
to keep the system clock in sync with pool.ntp.org and I've verified
that my nonce is amongst the requests I'm sending.

Any further help would be greatly appreciated.

Thanks,
Craig

On Jun 3, 12:11 am, Taylor Singletary <taylorsinglet...@twitter.com>
wrote:
> Hi Craig,
>
> It looks like you are passing oauth_* parameters in your POST body in
> addition to the OAuth HTTP headers. It's really a choice between one or the
> other -- either you send the oauth_* parameters in an HTTP header or you send
> them in either a POST body or querystring.
>
> When using HTTP header based auth (which I always recommend) the only query
> parameters in a query string or POST body are ones that are directly related
> to the resource you are requesting or posting data to.
>
> Taylor Singletary
> Developer Advocate, Twitter
> http://twitter.com/episod