XAuth 401 error


bjcoredev

Sep 1, 2010, 8:44:28 AM
to Twitter Development Talk
Hi,

My mobile app was working like a charm using xAuth authentication
until this morning (in France).
Even after the Basic Auth removal my app was working (using xAuth)
yesterday evening
but this morning in France, my app always returns a 401 error. I haven't
changed anything.
Have you changed something in the xAuth process yesterday?
Any idea ???


Taylor Singletary

Sep 1, 2010, 12:35:57 PM
to twitter-deve...@googlegroups.com
We have fixed a bug in our OAuth implementation that allowed timestamps in the future to be accepted. We've now corrected this such that timestamps must be within a reasonable amount of time in consideration to Twitter's server clocks.

We return our current time in the "Date" HTTP header of every response. One easy way to fixate an application's clock with our servers is to issue a HTTP HEAD request to http://api.twitter.com/1/help/test.xml -- it's a non-rate-limited request and will allow you to adjust your clock in relation to ours.

Make sure that you're keeping to the OAuth spec and using UTC-based epoch time in seconds.

Taylor

On Wed, Sep 1, 2010 at 9:15 AM, Steve Loft <kettlet...@googlemail.com> wrote:
Users of my xAuth application are also getting 401, since about 12
hours ago.

Steve

--
Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list
Change your membership to this group: http://groups.google.com/group/twitter-development-talk?hl=en

Steve Loft

Sep 1, 2010, 12:15:52 PM
to Twitter Development Talk

J.D.

Sep 1, 2010, 12:44:19 PM
to Twitter Development Talk
For desktop apps using oAuth, the timestamp issue causing 401 errors
is a big problem. People's desktops have all sorts of crazy times set
on them. This means now every application that uses Twitter oAuth
needs to have code written to sync/modify its time with Twitter's.
It's a pain.

Taylor Singletary

Sep 1, 2010, 12:55:06 PM
to twitter-deve...@googlegroups.com
This is true of all applications running to spec. We've always denied requests that were behind our system clock by an unreasonable amount -- you would be presented with this conundrum in that scenario as well, regardless of our recent change to also apply this restriction to timestamps in the future.

Many developers have implemented this pattern to keep their clocks in sync. It's unwise to trust your system clock.

Taylor

J.D.

Sep 1, 2010, 1:10:05 PM
to Twitter Development Talk
Sure. I implemented it and it was not hard, just one more thing to
deal with, that's all. :)

Steve Loft

Sep 1, 2010, 1:44:16 PM
to Twitter Development Talk
Thanks - the problem was that the library routine I used for the Unix
timestamp didn't take Daylight Savings into account!

Steve

On Sep 1, 5:35 pm, Taylor Singletary <taylorsinglet...@twitter.com>
wrote:
> We have fixed a bug in our OAuth implementation that allowed timestamps in
> the future to be accepted. We've now corrected this such that timestamps
> must be within a reasonable amount of time in consideration to Twitter's
> server clocks.
>
> We return our current time in the "Date" HTTP header of every
> response. One easy way to fixate an application's clock with our servers is
> to issue a HTTP HEAD request to http://api.twitter.com/1/help/test.xml --
> it's a non-rate-limited request and will allow you to adjust your clock in
> relation to ours.
>
> Make sure that you're keeping to the OAuth spec and using UTC-based epoch
> time in seconds.
>
> Taylor
>

mostafa farghaly

Sep 1, 2010, 2:08:36 PM
to Twitter Development Talk
I'm on my way to fix this, but I wonder why you didn't let us know
about this change???

bjcoredev

Sep 1, 2010, 3:04:02 PM
to Twitter Development Talk
I agree with you.

Taylor Singletary

Sep 1, 2010, 3:41:29 PM
to twitter-deve...@googlegroups.com
Sorry for the trouble our alignment has caused.

Honestly, we should have announced we were going to harden this, but -- and really we should have learned our lesson on this -- we were operating under the assumption that OAuth clients develop to spec, which includes presenting the current epoch time in UTC seconds with every issued request. 

We already were enforcing that timestamps could not be more than 15 minutes old -- and in the interests of limiting potential security exploits or continued erroneous utilization of the API, we decided to enforce that timestamps must also be no more than 15 minutes ahead of our clock. So now we have balance where previously there was lopsidedness.

In other news, as we've reminded developers a few times, now's a great time to make sure that all of your applications are using api.twitter.com with versioning in the path for all REST resource requests. It would be terrible to wake up some morning to find that none of your API calls work any more because you're using unsupported API end points.

Taylor
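The two mechanisms Taylor describes above (deriving a clock offset from the "Date" header of a HEAD response to /1/help/test.xml, and the server-side rule that oauth_timestamp must be no more than 15 minutes behind or ahead of the server clock) worked through as an added example. This is illustrative code, not Twitter's or any library's; the sample Date header is constructed, and the function names are my own.

```python
"""Clock-offset correction for OAuth timestamps (added example, not Twitter's code).

A client parses the server's "Date" header once, stores the difference to its
own clock, and applies that offset to every oauth_timestamp it signs. The
server-side check mirrors the +/- 15 minute window described in the thread.
"""
import calendar
import time
from email.utils import parsedate_to_datetime

WINDOW_SECONDS = 15 * 60  # 15 minutes either side of the server clock


def server_epoch_from_date_header(date_header: str) -> int:
    """Parse an RFC 1123 'Date' header (e.g. 'Wed, 01 Sep 2010 16:35:57 GMT')
    into UTC epoch seconds. utctimetuple() + timegm() avoids any dependence on
    the local timezone or DST setting, which is exactly the trap Steve hit."""
    return calendar.timegm(parsedate_to_datetime(date_header).utctimetuple())


def clock_offset(date_header: str, local_epoch: int) -> int:
    """Seconds to ADD to the local clock to match the server clock.
    Call this with the local epoch read at the moment the response arrived."""
    return server_epoch_from_date_header(date_header) - local_epoch


def oauth_timestamp(offset: int, local_epoch=None) -> int:
    """Corrected UTC epoch seconds to place in the oauth_timestamp parameter.
    time.time() already returns UTC epoch seconds regardless of DST."""
    if local_epoch is None:
        local_epoch = int(time.time())
    return local_epoch + offset


def timestamp_acceptable(request_ts: int, server_epoch: int,
                         window: int = WINDOW_SECONDS) -> bool:
    """Server-side rule: reject a timestamp more than `window` seconds behind
    OR ahead of the server clock (the 'ahead' half is the change in the thread)."""
    return abs(request_ts - server_epoch) <= window


# Constructed sample: Date header of a HEAD response, as the server would send it.
SAMPLE_DATE = "Wed, 01 Sep 2010 16:35:57 GMT"

if __name__ == "__main__":
    server_now = server_epoch_from_date_header(SAMPLE_DATE)
    local_now = server_now + 20 * 60            # a desktop clock 20 minutes fast
    off = clock_offset(SAMPLE_DATE, local_now)  # -> -1200
    print("raw local ts accepted:", timestamp_acceptable(local_now, server_now))
    print("corrected ts accepted:", timestamp_acceptable(oauth_timestamp(off, local_now), server_now))
```

Recompute the offset occasionally (for instance on each 401 or at startup), since the user's clock can drift or be changed under the application.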

MigrantP

Sep 1, 2010, 4:02:54 PM
to Twitter Development Talk
I am also getting this problem, despite it working perfectly
yesterday. I've added a timestamp offset adjustment as you recommended
just in case, and am sending an accurate GMT timestamp, but still
getting 401 errors. There is no additional information included in the
error, so I'm at a loss.

Was anything else changed?

M. Edward (Ed) Borasky

Sep 1, 2010, 4:50:59 PM
to twitter-deve...@googlegroups.com, J.D., Twitter Development Talk
People's desktops are almost all Windows (90%) or MacOS X (9%). I
don't know about Macs but I know for a fact that Windows XP and later
desktops can be *easily* synchronized to "world time" via NTP - in
fact, Microsoft has servers!

And for the 1% outliers like me (openSUSE 11.3) there are usually
desktop tools (YaST2) that make it point-and-click. As long as your
users are following their desktop maker's religion about viruses,
software updates, firewalls, etc., and aren't running something
ancient like Windows Millennium Edition or a PowerPC Mac with a dial-up
Internet connection, they should have clocks that are right as long as
they're on line.

--
M. Edward (Ed) Borasky
http://borasky-research.net http://twitter.com/znmeb

"A mathematician is a device for turning coffee into theorems." - Paul Erdos


Quoting "J.D." <jeremy....@gmail.com>:

MigrantP

Sep 1, 2010, 4:25:10 PM
to Twitter Development Talk
I should mention that I am having no problem posting updates to
twitter itself, but I cannot post pictures through twitpic or yfrog
due to this error, and it was working earlier with no code change
since.

MigrantP

Sep 1, 2010, 9:11:26 PM
to Twitter Development Talk
Scratch that, it was simply a bonehead error on my part.. carry on =)

Farrukh Javeid

Sep 6, 2010, 6:46:00 AM
to Twitter Development Talk
I have been trying to get the time synchronized with the Twitter
server but could not attain it so far. Can anyone help me with code?
It'll be a real help as I have already wasted 3 days on this task.

Warm Regards,

M. Edward (Ed) Borasky

Sep 6, 2010, 4:22:33 PM
to twitter-deve...@googlegroups.com, Farrukh Javeid, Twitter Development Talk
You shouldn't synchronize to Twitter. You (and Twitter) should
synchronize to the "World Time Standard" using NTP. It's a simple
process on Linux - you just install a package or two and read your
distro's system administration manual on how to configure it. It's
point and click on openSUSE with YaST. On a Windows desktop, it's
usually done for you by default. On Windows Servers, there's some
configuration required which is documented to painful excess in the
Microsoft Knowledge Base.

This is a *solved* and *documented* problem. ;-)

"A mathematician is a device for turning coffee into theorems." - Paul Erdos


Quoting Farrukh Javeid <farr...@gmail.com>:

Tom van der Woerdt

Sep 6, 2010, 4:26:40 PM
to twitter-deve...@googlegroups.com
Yeah, well, that doesn't work very well for desktop apps ;-) Users would
go mad if you suddenly change their clocks.

Tom
