Incorrect Signature for oAuth


rhysmeister

Jun 6, 2010, 8:56:39 AM
to Twitter Development Talk
Hi All,

I am having problems identifying what is wrong with converting my app
to use oAuth. All my GET requests work fine but my POST requests all
fail with an incorrect signature error. I am adding the oauth
parameters to the authorisation header of my request. My authorisation
header is built like below for GET requests (this works);

OAuth oauth_timestamp="1234567890",oauth_nonce="xxxxxx",oauth_version="1.0",oauth_signature_method="HMAC-SHA1",oauth_consumer_key="xxxxxx",oauth_token="xxxxxx",oauth_signature="xxxxxx"


My POST requests (these don't work);

OAuth oauth_timestamp="1234567890",oauth_nonce="xxxxxx",oauth_version="1.0",oauth_signature_method="HMAC-SHA1",oauth_consumer_key="xxxxxx",oauth_token="xxxxxx",oauth_signature="xxxxxx"

I get the below error returned...

<pre>
<?xml version="1.0" encoding="UTF-8"?>
<hash>
<request>/1/statuses/update.xml?source=xxxxxxxxxx</request>
<error>Incorrect signature</error>
</hash>

Would anyone be able to provide any pointers here?

Cheers,

Rhys


Hwee-Boon Yar

Jun 6, 2010, 1:07:43 PM
to Twitter Development Talk
Since GET works and POST doesn't, the no. 1 thing is to make sure the base
URI in the base signature string is constructed correctly. In your
example, you don't need source=xxxx since it's OAuth.

--
Hwee-Boon

On Jun 6, 8:56 pm, rhysmeister <therhysmeis...@hotmail.com> wrote:
> Hi All,
>
> I am having problems identifying what is wrong with converting my app
> to use oAuth. All my GET requests work fine but my POST requests all
> fail with an incorrect signature error. I am adding the oauth
> parameters to the authorisation header of my request. My authorisation
> header is build like below for GET requests (this works);
>
> OAuth oauth_timestamp="1234567890",oauth_nonce="xxxxxx",oauth_version="1.0",oauth_signature_method="HMAC-SHA1",oauth_consumer_key="xxxxxx",oauth_token="xxxxxx",oauth_signature="xxxxxx"
>
> My POST requests (these don't work);
>
> OAuth oauth_timestamp="1234567890",oauth_nonce="xxxxxx",oauth_version="1.0",oauth_signature_method="HMAC-SHA1",oauth_consumer_key="xxxxxx",oauth_token="xxxxxx",oauth_signature="xxxxxx"
>

Taylor Singletary

Jun 7, 2010, 10:09:57 AM
to twitter-deve...@googlegroups.com
To help you debug, it would be useful to see the signature base string that was generated for the request. Possible things going wrong: the signature base string isn't mentioning that this is a POST, or your OAuth-based parameters are leaking into your POST body.

As Hwee-Boon said, you also needn't include the source parameter, as it will be ignored. 

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod

rhysmeister

Jun 7, 2010, 5:36:08 PM
to Twitter Development Talk
Hi, thanks to you both. I've removed the source parameter.

There is something wrong with my signature base indeed. Here's what I
am sending for a status update...

POST&http%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fupdate.xml&%3Fstatus%3Dtest%26oauth_consumer_key%3Dxxxxxxxxxxxxxxxxxxxxxx%26oauth_nonce%3DE9X6lVKiDkQ1n%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1275946125%26oauth_token%3Dxxxxxxxxxxxxxxxxxxxxxxxxxx%26oauth_version%3D1.0

As far as I can gather from this link http://dev.twitter.com/pages/auth#auth-request,
I need to remove query parameter from the url and order them in the
string. So in this case status would appear at the end. I can't find
it now, but some poster in a group said to put the status parameter in
the url rather than the post body. I think I must have been ordering
the signature base incorrectly previous to this.

Rhys

On Jun 7, 3:09 pm, Taylor Singletary <taylorsinglet...@twitter.com>
wrote:
> To help you debug, it would be useful to see the signature base string that
> was generated for the request. Possible things going wrong: the signature
> base string isn't mentioning that this is a POST, or your OAuth-based
> parameters are leaking into your POST body..
>
> As Hwee-Boon said, you also needn't include the source parameter, as it will
> be ignored.
>
> Taylor Singletary
> Developer Advocate, Twitter
> http://twitter.com/episod

StephenBnz

Jun 7, 2010, 8:57:54 PM
to Twitter Development Talk
Hi Rhys,
- you're right status should be at the end of the base string. Even
though it's sent as a POST, it still has to go in alpha order in the
base string.
- Also be careful of the leading %3F you've got after the update.xml -
should just be (method)&(baseURL+service)&(list of params separated by
%26)
- Once you've signed with this string, your message will look like:
(pseudo code not actual message)

POST HTTP 1.1 /statuses/update.xml
Host: api.twitter.com:443
Authorization: (list of params as normal, including oauth_signature
but NOT including status)
Content-type: application/x-www-form-urlencoded
Body:
status=test

Also note that if you have non-alpha characters in the status string
(eg. space, etc) you must URL encode them BEFORE compiling the base
signature string, and also ensure they remain URL encoded in the POST
body.

Hope this helps
Stephen

On Jun 8, 7:36 am, rhysmeister <therhysmeis...@hotmail.com> wrote:
> Hi, thanks to you both. I've removed the source parameter.
>
> There is something wrong with my signature base indeed. Here's what I
> am sending for a status update...
>
> POST&http%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fupdate.xml&%3Fstatus
> %3Dtest%26oauth_consumer_key%3Dxxxxxxxxxxxxxxxxxxxxxx%26oauth_nonce
> %3DE9X6lVKiDkQ1n%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp
> %3D1275946125%26oauth_token%3Dxxxxxxxxxxxxxxxxxxxxxxxxxx
> %26oauth_version%3D1.0
>
> As far as I can gather from this link http://dev.twitter.com/pages/auth#auth-request,

rhysmeister

Jun 8, 2010, 5:33:00 PM
to Twitter Development Talk
Thanks to all, your replies helped. I can now perform status updates via
oAuth.

I'm rather irritated that Uri.EscapeDataString doesn't escape all
illegal characters. It just fails now if a status update contains
exclamation marks, asterisk, dollar signs, single quotes and probably
a few more. I'll solve that in the morning. Thanks again.

Rhys

On Jun 8, 1:57 am, StephenBnz <stephenbro...@gmail.com> wrote:
> Hi Rhys,
> - you're right status should be at the end of the base string. Even
> though it's sent as a POST, it still has to go in alpha order in the
> base string.
> - Also be careful of the leading %3F you've got after the update.xml -
> should just be (method)&(baseURL+service)&(list of params separated by
> %26)
> - Once you've signed with this string, your message will look like:
> (pseudo code not actual message)
>
> POST HTTP 1.1 /statuses/update.xml
> Host: api.twitter.com:443
> Authorization: (list of params as normal, including oauth_signature
> but NOT including status)
> Content-type: application/x-www-form-urlencoded
> Body:
> status=test
>
> Also note that if you have non-alpha characters in the status string
> (eg. space, etc) you must URL encode them BEFORE compiling the base
> signature string, and also ensure they remain URL encoded in the POST
> body.
>
> Hope this helps
> Stephen
>
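
The signature base string layout and the encoding step discussed in this thread, as an added example that is not code from any poster (it is Python, not the original poster's .NET code). It applies the OAuth 1.0 percent-encoding rule (only letters, digits, `-`, `.`, `_` and `~` stay literal), sorts the POST body parameter in with the oauth_* parameters, and keeps `status` out of the Authorization header; the keys, token and secrets are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value: str) -> str:
    """OAuth 1.0 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(value, safe="~")


def signature_base_string(method: str, base_url: str, params: dict) -> str:
    """(method)&(encoded URL without query)&(encoded, sorted parameter string)."""
    # Encode each key and value first, then sort, then join with '&'.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    param_string = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(param_string)])


def sign(base_string: str, consumer_secret: str, token_secret: str) -> str:
    """HMAC-SHA1 keyed with 'consumer_secret&token_secret', base64 output."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_post(url, oauth_params, body_params, consumer_secret, token_secret):
    """Return (Authorization header, form body) for a signed POST."""
    base = signature_base_string("POST", url, {**oauth_params, **body_params})
    signed = dict(oauth_params, oauth_signature=sign(base, consumer_secret, token_secret))
    header = "OAuth " + ",".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(signed.items()))
    body = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(body_params.items()))
    return header, body


# Constructed sample values; key, token and secrets are placeholders.
OAUTH = {
    "oauth_consumer_key": "CONSUMER_KEY_PLACEHOLDER",
    "oauth_nonce": "E9X6lVKiDkQ1n",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1275946125",
    "oauth_token": "TOKEN_PLACEHOLDER",
    "oauth_version": "1.0",
}
URL = "http://api.twitter.com/1/statuses/update.xml"

if __name__ == "__main__":
    print(signature_base_string("POST", URL, {**OAUTH, "status": "test"}))
    print(build_post(URL, OAUTH, {"status": "Hello! it's $5 *now*"}, "cs", "ts"))
```

A value containing a space shows up as `%2520` in the base string because it is encoded once as a parameter value and again when the whole parameter string is encoded, while the POST body carries it encoded once.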