oauth status update returning error 401 invalid / used nonce

Craig

Jun 11, 2010, 5:48:10 PM
to Twitter Development Talk
Hello,

I have an iphone app that is using xauth. I am able to obtain the
access token with no problem at all. When I go to post a status
update, I receive an invalid / used nonce error. It can't actually be
a used nonce since I have checked this multiple times. Here are the
details of the post:

url:
http://api.twitter.com/1/statuses/update.xml

signature base string:
POST&http%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fupdate.xml&oauth_consumer_key%3Dmyconsumerkey%26oauth_nonce%3D397vi5Ug1YHC3UAVUAoB%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1276292596%26oauth_token%3Dmytoken%26oauth_version%3D1.0%26status%3Dmy%2520tweet

Authorization header:
OAuth oauth_nonce="397vi5Ug1YHC3UAVUAoB", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1276292596", oauth_consumer_key="myconsumerkey", oauth_token="mytoken", oauth_signature="yOh2zQPGDBlVEP5cDWhjddQWTLc%3D", oauth_version="1.0"

Content-Type:
[request setValue:@"application/x-www-form-urlencoded"
forHTTPHeaderField:@"Content-Type"];

I can see no reason why this shouldn't work. Any help would be
greatly appreciated!

Thanks,
Craig

Taylor Singletary

Jun 11, 2010, 5:56:34 PM
to twitter-deve...@googlegroups.com
We have a few (difficult to pin down) edge cases where we throw a "bad nonce" error in an otherwise legit scenario -- often while we are under heavy amounts of load.  Is this error consistent for you no matter what nonce you use?

Do you know if your timestamp is aligned with the time indicated in an HTTP header of our response to your requests? 

While others have found complicated nonce values cause issues, your nonce seems relatively tame in comparison to those who ran into those issues. Just the same, I'd recommend you try a different nonce generation scheme, perhaps one with an eye for simplicity. 

Otherwise, your request seems structurally correct. What does your POST body for this request look like? Do you receive the same error when you replace your "%20" space character in your POST body with plus?

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod
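Taylor's two questions (is the error tied to the nonce, is the timestamp aligned with the server's clock) correspond to the two checks an OAuth 1.0 server runs before it ever reports a "used nonce". The following is an added example, not Twitter's code and not part of this thread, of that replay guard as RFC 5849 section 3.3 describes it: the server accepts a timestamp only within a window of its own clock, and inside that window it remembers every (consumer key, token, timestamp, nonce) tuple it has accepted. The 300-second window and the sample requests fed through it are constructed assumptions; the first sample reuses the nonce and timestamp from Craig's post.

```python
import time
from collections import deque
from typing import Deque, List, Optional, Set, Tuple

# (consumer_key, token, timestamp, nonce): RFC 5849 section 3.3 requires this
# combination, not the nonce on its own, to be unique within the timestamp window.
NonceKey = Tuple[str, str, str, str]


class NonceStore:
    """Replay guard an OAuth 1.0 server runs before it checks the signature.

    check() returns "stale_timestamp" when oauth_timestamp is outside +/- window
    seconds of the server clock, "used_nonce" when the same (consumer_key, token,
    timestamp, nonce) tuple was already accepted inside that window, and "ok"
    otherwise. Entries older than the window are forgotten, so memory stays
    bounded and a timestamp that has aged out needs no nonce bookkeeping at all.
    """

    def __init__(self, window_seconds: int = 300) -> None:   # window size is an assumption
        self.window = window_seconds
        self._seen: Set[NonceKey] = set()
        self._order: Deque[Tuple[int, NonceKey]] = deque()   # (accepted_at, key), oldest first

    def _expire(self, now: int) -> None:
        while self._order and now - self._order[0][0] > self.window:
            _, key = self._order.popleft()
            self._seen.discard(key)

    def check(self, consumer_key: str, token: str, timestamp: str, nonce: str,
              now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        self._expire(now)
        try:
            ts = int(timestamp)
        except ValueError:
            return "stale_timestamp"          # non-numeric timestamp is treated as out of window
        if abs(now - ts) > self.window:
            return "stale_timestamp"
        key = (consumer_key, token, timestamp, nonce)
        if key in self._seen:
            return "used_nonce"
        self._seen.add(key)
        self._order.append((now, key))
        return "ok"


# Constructed sample requests: the server clock values are made up so that each
# branch of the check is exercised once, in order.
SAMPLE_REQUESTS = [
    # label,                              consumer_key,    token,     timestamp,    nonce,                   server_now
    ("first send",                        "myconsumerkey", "mytoken", "1276292596", "397vi5Ug1YHC3UAVUAoB", 1276292600),
    ("identical request re-sent",         "myconsumerkey", "mytoken", "1276292596", "397vi5Ug1YHC3UAVUAoB", 1276292605),
    ("fresh nonce, same timestamp",       "myconsumerkey", "mytoken", "1276292596", "k0VxQ2mN9sPaL7cE",     1276292606),
    ("client clock 20 minutes ahead",     "myconsumerkey", "mytoken", "1276293800", "Zq8pWm3vTn1rYx5b",     1276292607),
    ("old nonce with a new timestamp",    "myconsumerkey", "mytoken", "1276292700", "397vi5Ug1YHC3UAVUAoB", 1276292705),
    ("original request after the window", "myconsumerkey", "mytoken", "1276292596", "397vi5Ug1YHC3UAVUAoB", 1276293000),
]


def run_samples(store: Optional[NonceStore] = None) -> List[Tuple[str, str]]:
    """Feed the samples through one store in order and return (label, verdict) pairs."""
    if store is None:
        store = NonceStore()
    return [(label, store.check(ck, tok, ts, nonce, now))
            for label, ck, tok, ts, nonce, now in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for label, verdict in run_samples():
        print(f"{label:38} -> {verdict}")
```

Two things the run makes visible. A request whose signing is entirely correct is still refused as "used_nonce" when the identical signed request is sent twice inside the window, so a client that retries a failed POST must re-sign with a fresh nonce and timestamp rather than re-sending the same header. And a clock that drifts outside the window produces a different rejection ("stale_timestamp"), which is why Taylor asks whether the client's timestamp matches the Date the server returns.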

Craig

Jun 11, 2010, 8:06:25 PM
to Twitter Development Talk
Thanks for your quick reply! This error occurs consistently no matter
what nonce I'm using. My timestamp appears to be aligned with the
time from your response. I also tried a different nonce scheme and
that didn't seem to work either.

Here is my post body:
status=My%20Tweet

I just attempted to use a + instead of the %20 but that did not work.
I'm at a loss as to what it could be. Maybe I'll try yet one more
nonce scheme? Is there any scheme in particular that you have found to
work?

Thanks!
Craig


On Jun 11, 5:56 pm, Taylor Singletary <taylorsinglet...@twitter.com>
wrote:
> We have a few (difficult to pin down) edge cases where we throw a "bad
> nonce" error in an otherwise legit scenario -- often while we are under
> heavy amounts of load.  Is this error consistent for you no matter what
> nonce you use?
>
> Do you know if your timestamp is aligned with the time indicated in an HTTP
> header of our response to your requests?
>
> While others have found complicated nonce values cause issues, your nonce
> seems relatively tame in comparison to those who ran into those issues. Just
> the same, I'd recommend you try a different nonce generation scheme, perhaps
> one with an eye for simplicity.
>
> Otherwise, your request seems structurally correct. What does your POST body
> for this request look like? Do you receive the same error when you replace
> your "%20" space character in your POST body with plus?
>
> Taylor Singletary
> Developer Advocate, Twitter
> http://twitter.com/episod

Taylor Singletary

Jun 11, 2010, 8:10:58 PM
to twitter-deve...@googlegroups.com
Based on another bug I've seen come up but have been unable to track
consistently, can you try creating a new application and doing the
oauth dance and then trying to make the status update again using the
new keys and the new access tokens?

Thanks!

--

Craig

Jun 11, 2010, 8:18:59 PM
to Twitter Development Talk
Sure I can do that, although I'll have to get approved for xAuth on
that application as well. Will I have to request xAuth again?

Thanks,
Craig

On Jun 11, 8:10 pm, Taylor Singletary <taylorsinglet...@twitter.com>
wrote:

Taylor Singletary

Jun 11, 2010, 8:53:50 PM
to twitter-deve...@googlegroups.com
xAuth in this case, I think, is unrelated to the issue. If you can use
a different key and use the "my token" feature to get your access
token, then try to tweet using that token, it will sufficiently
express the problem I think.

Taylor

Craig

Jun 13, 2010, 3:42:59 PM
to Twitter Development Talk
No dice. I just tried creating a new app and using the new keys/token
to tweet. I'll go over my steps once more and see if I can track down
an issue somewhere...



On Jun 11, 8:53 pm, Taylor Singletary <taylorsinglet...@twitter.com>
wrote:
> xAuth in this case, I think, is unrelated to the issue. If you can use
> a different key and use the "my token" feature to get your access
> token, then try to tweet using that token, it will sufficiently
> express the problem I think.
>
> Taylor
>

Craig

Jun 13, 2010, 11:32:45 PM
to Twitter Development Talk
Ok, so I believe my signature is correct because if I take out the
oauth_token parameter from the signature base I get an incorrect
signature error instead of the invalid/used nonce error. I am
definitely posting to the correct url: "https://api.twitter.com/1/
statuses/update.xml" because if I change it I get an invalid url
response. The nonce I'm generating is unique for every request I'm
sending. The timestamp is accurate to the number of seconds that have
passed since unix epoch. Obviously the invalid/used nonce error is
garbage.

Here's the formatting of my URL request in obj c:

// Create the request. authHeader, postBody and postBodyLength are built
// earlier; postBodyLength must be an NSString since it is set as a header value.
NSString *requestString = [NSString stringWithFormat:@"%@", TWITTER_STATUS_UPDATE_URL];
NSMutableURLRequest *request = [[NSMutableURLRequest alloc]
                                   initWithURL:[NSURL URLWithString:requestString]
                                   cachePolicy:NSURLRequestReloadIgnoringCacheData
                               timeoutInterval:30.0];
[request setHTTPMethod:@"POST"];
[request addValue:authHeader forHTTPHeaderField:@"Authorization"];
[request setValue:@"application/x-www-form-urlencoded" forHTTPHeaderField:@"Content-Type"];
[request setValue:postBodyLength forHTTPHeaderField:@"Content-Length"];
[request setHTTPBody:[postBody dataUsingEncoding:NSUTF8StringEncoding]];

Any other ideas? I'm at a total loss as to why this might be
happening.

Thanks,
Craig

themattharris

Jun 15, 2010, 4:44:40 PM
to Twitter Development Talk
Hey Craig,

Could you let us see what the authorization header you are sending
looks like (obfuscating your oauth keys and secrets)?

What you're aiming for is a header similar to this:

POST /1/statuses/update.xml HTTP/1.1
Accept: */*
Connection: close
User-Agent: OAuth gem v0.4.0
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth
oauth_consumer_key=\"xxxxxxxxxxxxxxxxxxxxxxxx\",
oauth_nonce=\"xxxxxxxxxxxxxxxxxxxxxxxxxxxx\",
oauth_signature=\"xxxxxxxxxxxxxxxxxxxxxxxx\",
oauth_signature_method=\"HMAC-SHA1\",
oauth_timestamp=\"1276634179\",
oauth_token=\"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",
oauth_version=\"1.0\"
Content-Length: 27
Host: api.twitter.com

With your post body being the status you are sending. Similar to:

status=something%20to%20say

Matt

Craig

Jun 16, 2010, 11:21:20 AM
to Twitter Development Talk
Hi Matt,

Thanks for responding. My authorization header is still the same as
it was in my first message above. Here it is for another request I
just tried:

OAuth oauth_nonce="TEeSMm8q3m5abhmppain", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1276701304", oauth_consumer_key="xxxxxxxxxxxxxxxxx", oauth_token="xxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxx", oauth_signature="xxxxxxxxxxxxxxxxxxxxxxx%3D", oauth_version="1.0"

The post body is simply:
status=my%20tweet

When I create the request in objective c, it looks like this: (where
authHeader is the authorization header noted above and postBody is the
post body noted above):

// authHeader and postBody are the values shown above; postBodyLength is an NSString.
NSString *requestString = [NSString stringWithFormat:@"%@", TWITTER_STATUS_UPDATE_URL];
NSMutableURLRequest *request = [[NSMutableURLRequest alloc]
                                   initWithURL:[NSURL URLWithString:requestString]
                                   cachePolicy:NSURLRequestReloadIgnoringCacheData
                               timeoutInterval:30.0];
[request setHTTPMethod:@"POST"];
[request addValue:authHeader forHTTPHeaderField:@"Authorization"];
[request setValue:@"application/x-www-form-urlencoded" forHTTPHeaderField:@"Content-Type"];
[request setValue:postBodyLength forHTTPHeaderField:@"Content-Length"];
[request setHTTPBody:[postBody dataUsingEncoding:NSUTF8StringEncoding]];

This type of formatting works just fine for my xAuth authentication.

Taylor Singletary

Jun 16, 2010, 11:30:46 AM
to twitter-deve...@googlegroups.com
Hi Craig,

Do you know if the status update, status=my%20tweet, is being encoded correctly in your signature base string (which is the string used to create your signature)?

For the signature base string, the key/value pair would look like:

status%3Dmy%2520tweet

Have you tried your xAuth authentication with spaces and other possible odd characters yet in fields like the password?

Taylor
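Craig's first post and Taylor's reply above describe the same computation from two ends: the parameters that go into the signature base string, and the double percent-encoding that turns `status=my%20tweet` into `status%3Dmy%2520tweet` inside it. The following is an added example, not code from the thread and not Twitter's or any library's implementation, of an OAuth 1.0a HMAC-SHA1 signer in Python that rebuilds Craig's base string from the values in his first post and then produces the Authorization header and form body. The consumer and token secrets are constructed placeholders, so the signature it emits will not equal the one Craig posted; what can be checked is that the base string matches his byte for byte and that the header is well formed. `fresh_oauth_params` is an assumed helper showing how a new request's nonce and timestamp would be produced.

```python
import base64
import hashlib
import hmac
import secrets
import time
import urllib.parse
from typing import Dict, Tuple


def percent_encode(value: str) -> str:
    """RFC 5849 section 3.6 encoding: only A-Z a-z 0-9 - . _ ~ are left bare."""
    return urllib.parse.quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: Dict[str, str]) -> str:
    """Build METHOD&encode(url)&encode(normalized parameters).

    `params` holds every oauth_* parameter plus the form-body and query
    parameters, all with their raw (unencoded) values. Each key and value is
    encoded once, the pairs are sorted and joined with '=' and '&', and the
    whole normalized string is encoded a second time; that second pass is why a
    space in the status ends up as %2520 in the base string.
    """
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(url), percent_encode(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str) -> str:
    """Key is encode(consumer_secret)&encode(token_secret); result is base64 text."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def authorization_header(oauth_params: Dict[str, str], signature: str) -> str:
    """Only oauth_* parameters go in the header; body parameters stay in the body."""
    items = dict(oauth_params, oauth_signature=signature)
    rendered = ", ".join(f'{percent_encode(k)}="{percent_encode(v)}"'
                         for k, v in sorted(items.items()))
    return "OAuth " + rendered


def fresh_oauth_params(consumer_key: str, token: str) -> Dict[str, str]:
    """Assumed helper: a random nonce and a Unix-seconds timestamp for a new request."""
    return {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }


# Values taken from Craig's first post; the two secrets are constructed placeholders.
URL = "http://api.twitter.com/1/statuses/update.xml"
CRAIG_OAUTH_PARAMS = {
    "oauth_consumer_key": "myconsumerkey",
    "oauth_nonce": "397vi5Ug1YHC3UAVUAoB",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1276292596",
    "oauth_token": "mytoken",
    "oauth_version": "1.0",
}
BODY_PARAMS = {"status": "my tweet"}          # goes on the wire as status=my%20tweet
PLACEHOLDER_CONSUMER_SECRET = "consumer-secret-placeholder"
PLACEHOLDER_TOKEN_SECRET = "token-secret-placeholder"


def sign_status_update(oauth_params: Dict[str, str], body_params: Dict[str, str],
                       consumer_secret: str, token_secret: str) -> Tuple[str, str, str]:
    """Return (base_string, Authorization header, form body) for a POST to URL."""
    base = signature_base_string("POST", URL, {**oauth_params, **body_params})
    sig = hmac_sha1_signature(base, consumer_secret, token_secret)
    header = authorization_header(oauth_params, sig)
    body = urllib.parse.urlencode(body_params, quote_via=urllib.parse.quote)
    return base, header, body


if __name__ == "__main__":
    base, header, body = sign_status_update(CRAIG_OAUTH_PARAMS, BODY_PARAMS,
                                            PLACEHOLDER_CONSUMER_SECRET, PLACEHOLDER_TOKEN_SECRET)
    print(base)
    print(header)
    print(body)
```

The base string the block prints is identical to the one in Craig's first post, which is the quickest way to confirm a client's normalization: compute it independently and diff the two strings before looking anywhere else. The signature itself is a 20-byte HMAC, so its base64 form always ends in a single `=`, which is the `%3D` visible at the end of both of Craig's `oauth_signature` values.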

Craig

Jun 16, 2010, 3:05:51 PM
to Twitter Development Talk
My signature base string status pair looks like:
status%3Dmy%2520tweet

When I tried xAuth authentication with a * character in the password,
it didn't work at first. But once I double url encoded it, I was able
to authenticate no problem. So that definitely helps. I am now
double url encoding the username and password values.

However, the tweet still didn't work. I am double url encoding the
status message in the signature base string and single url encoding it
in the post body.

Thanks,
Craig

On Jun 16, 11:30 am, Taylor Singletary <taylorsinglet...@twitter.com>
wrote:

Craig

Jun 16, 2010, 3:39:21 PM
to Twitter Development Talk
By the way, even when I try to tweet with just one word like "tweet",
it doesn't work. Just simple ASCII characters. Is there any way you
can just intercept one of my test tweets and look at what, if anything,
might be going wrong on the server side?

-Craig

Taylor Singletary

Jun 16, 2010, 3:52:42 PM
to twitter-deve...@googlegroups.com
Our setup is such that I can't easily trace a single request.

Connecting some dots: if you have time, can you try to use a different access token with your keys and see if it has the ability to tweet?

Can you go to your application settings and verify that your application is in "read/write mode" on dev.twitter.com?

Finally, this might be a case of something funky with your client application -- which might be resolved by creating a new one. But let's rule out some other possibilities first.

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod


Craig

Jun 16, 2010, 4:55:32 PM
to Twitter Development Talk
I am in "read/write" mode.

I tried posting to two different twitter accounts without luck...my
dev account, where I know what the access secret and token is supposed
to be and another one I just created. I know my access token and
secret are being stored correctly and I believe they are being used
correctly in the auth header and the signature base string.

Other thoughts? It would be nice to get an error returned that was a
little more indicative of what the problem might be. Invalid/used
nonce isn't really cutting it right now.

Thanks,
Craig

On Jun 16, 3:52 pm, Taylor Singletary <taylorsinglet...@twitter.com>
wrote:
> Our setup is such that I can't easily trace a single request.
>
> Connecting some dots: if you have time, can you try to use a different
> access token with your keys and see if it has the ability to tweet?
>
> Can you go to your application settings and verify that your application is
> in "read/write mode" on dev.twitter.com?
>
> Finally, this might be a case of something funky with your client
> application -- which might be resolved by creating a new one. But let's rule
> out some other possibilities first.
>
> Taylor Singletary
> Developer Advocate, Twitter
> http://twitter.com/episod

Taylor Singletary

Jun 16, 2010, 5:19:53 PM
to twitter-deve...@googlegroups.com
I agree that it's the wrong error. We have a new, better implementation of OAuth waiting in the wings that's going to be much more helpful in this regard.

I'm still trying to rule out some possibilities. Can you try and create a new application, then grab the access token from the my access token feature, and try to post? It'll just help rule something out.

Taylor Singletary
Developer Advocate, Twitter

Craig

Jun 16, 2010, 6:22:20 PM
to Twitter Development Talk
Just tried it. Same error. So at least that rules something out...

-Craig

On Jun 16, 5:19 pm, Taylor Singletary <taylorsinglet...@twitter.com>
wrote:
> I agree that it's the wrong error. We have a new, better implementation of
> OAuth waiting in the wings that's going to be much more helpful in this
> regard.
>
> I'm still trying to rule out some possibilities. Can you try and create a
> new application, then grab the access token from the my access token
> feature, and try to post? It'll just help rule something out.
>
> Taylor Singletary
> ...

Taylor Singletary

Jun 16, 2010, 6:28:17 PM
to twitter-deve...@googlegroups.com
Can you follow up with me off the list and I'll help you out tomorrow? We'll need to compare signatures and work with me knowing your application secrets. There's something subtle going on. 

Taylor

James Ford

Jun 30, 2010, 3:32:26 PM
to Twitter Development Talk
Hi Craig, Taylor,

did you guys ever figure out what the problem was? I am having a very
similar issue to Craig.

I am trying to post a status update to Twitter from a server-side PHP
app. More specifically, it is to automatically tweet updates from a
news site I help develop.

I'm using all the same types of HTTP authorization headers, and base
strings, and tokens and such as Craig, but I can't get any variation
to work.

I've used OAuth programmatically with Vimeo quite successfully. With
Twitter, however, I've no luck.

One thing I'm perhaps not clear on, do I need xAuth for this to work?

Regards,
James.


Andrew W. Donoho

Jun 30, 2010, 3:47:21 PM
to twitter-deve...@googlegroups.com

On Jun 30, 2010, at 14:32 , James Ford wrote:

> One thing I'm perhaps not clear on, do I need xAuth for this to work?


You do need to get the access token somehow. That is what xAuth provides you. That said, you sound like you are a server app. Twitter doesn't support xAuth for server apps. You probably need to use the standard OAuth token request protocol.

Anon,
Andrew
____________________________________
Andrew W. Donoho
Donoho Design Group, L.L.C.
a...@DDG.com, +1 (512) 750-7596

"To take no detours from the high road of reason and social responsibility."
-- Marcus Aurelius

James Ford

Jun 30, 2010, 11:54:28 PM
to Twitter Development Talk
Thanks for the response.

I am using the consumer key and secret found here: http://dev.twitter.com/apps/<my app id number>

And the access token and secret found here: http://dev.twitter.com/apps/<my app id number>/my_token

No joy.

On Jun 30, 9:47 pm, "Andrew W. Donoho" <andrew.don...@gmail.com>
wrote:
> On Jun 30, 2010, at 14:32 , James Ford wrote:
>
> > One thing I'm perhaps not clear on, do I need xAuth for this to work?
>
> You do need to get the access token somehow. That is what xAuth provides you. That said, you sound like you are a server app. Twitter doesn't support xAuth for server apps. You probably need to use the standard OAuth token request protocol.

Matt Harris

Jul 1, 2010, 12:03:36 PM
to twitter-deve...@googlegroups.com
Hi James,

It sounds like you have the correct information for your application. As you are using your own personal access token and secret you don't need to be doing any of the OAuth authorization steps, but you do need to sign any request you make.

Are you using any PHP libraries to help you with this? There are a couple listed on http://dev.twitter.com/pages/oauth_libraries#php.

Whether you are or not, can you share your signature base string and authorization headers (with the secrets and tokens removed) and we'll take a look.

Thanks,
Matt
--


Matt Harris
Developer Advocate, Twitter
http://twitter.com/themattharris

Fabien Penso

Jul 8, 2010, 9:24:11 PM
to twitter-deve...@googlegroups.com
On Wed, Jun 16, 2010 at 9:39 PM, Craig <chans...@gmail.com> wrote:
> By the way, even when I try to tweet with just one word like: "tweet",
> it doesn't work.  Just simple ascii characters.  Is there any way you
> can just intercept one of my test tweets and look at what, if anything
> might be going wrong on the server side?

I have the exact same issue as Craig.

My iPhone application uses 3 accounts, 2 are working (@fabienpenso and
@fabientest) and the third one (@appnotification) returns 401 no
matter what I'm doing. Some of my users are also telling me they are
getting 401s.

Is there anything I can do to trace this?

Fabien Penso

Jul 8, 2010, 9:38:28 PM
to twitter-deve...@googlegroups.com

If it helps the answer I have right now is : =>
{"request"=>"/statuses/update.json", "error"=>"Read-only application
cannot POST"}

Where my application http://twitter.com/apps/edit/14088 has read&write
access permission.

Fabien Penso

Jul 9, 2010, 8:59:15 AM
to twitter-deve...@googlegroups.com
On Fri, Jul 9, 2010 at 3:38 AM, Fabien Penso <fabie...@gmail.com> wrote:

> Where my application http://twitter.com/apps/edit/14088 has read&write
> access permission.

This is fixed. What happened:

- My application had read-only access for the user (myself in fact), I
revoked access and asked for a new oauth token => working.

- My application always had read-write access, there is no reason this
token was read-only.
