Signature generation issue


lappynet

Mar 14, 2011, 10:02:23 AM
to Twitter Development Talk
Hi

I'm using C#.NET to produce an oob client. I've fallen at the first
hurdle though as I'm failing to make the token request.

I've gone through many iterations, and am no longer receiving a 417,
404, or 401. This is very positive! Now my application hangs whilst
waiting for a response from twitter. (I left it running for an hour
over lunch and still nothing happened, and the code didn't appear to
want to step through.)

I've tried with the values detailed in the documentation to have a
look at the variables that have been produced from them in my
algorithm. I think that I've traced it down to being the way I
generate the signature string:

string signingKey = Uri.EscapeDataString(ConsumerSecret) + "&";
HMACSHA1 hasher = new HMACSHA1(new ASCIIEncoding().GetBytes(signingKey));
string signatureString = Convert.ToBase64String(hasher.ComputeHash(new ASCIIEncoding().GetBytes(baseString)));

My base string is:

POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_callback%3Doob%26oauth_consumer_key%XXX%26oauth_nonce%3DNjM0MzU3MDgxMDEyMDcwODkw%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1300111301%26oauth_version%3D1.0

Any pointers as to where I may be going wrong?

Thanks in advance
Georgina

Tom van der Woerdt

Mar 14, 2011, 10:15:56 AM
to twitter-deve...@googlegroups.com
After fixing the basic parts of your signature (please don't ever replace %26 with only a %, it screws up the encoding) and checking at http://quonos.nl/oauthTester/, I got:

Bad sorting!
All Base String parameters (query and POST parameters) must be sorted alphabetically.


Tom

Taylor Singletary

Mar 14, 2011, 10:18:20 AM
to twitter-deve...@googlegroups.com, lappynet
Hi Georgina,

Everything appears correct with your base string for this step. 

Are you performing this operation through an HTTP proxy of any kind? Have you tried producing a valid OAuth header and executed it in curl (without having "executed it" in C# first)? I'm not familiar with C#'s HTTP request libraries and the configuration options available to you in it.

We were having an issue with occasionally hanging connections recently and it's possible that it may be related -- but if that's the case, you shouldn't have it occur to you every time -- it would be one out of X times.

I'm curious where the connection is hanging -- while you are sending HTTP request headers or when your HTTP client is awaiting a response?

Thanks,
Taylor


--
Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list
Change your membership to this group: http://groups.google.com/group/twitter-development-talk

lappynet

Mar 14, 2011, 10:21:19 AM
to Twitter Development Talk
Thanks, I'll take a look at the sorting.

I hadn't removed the 26 part, I think I deleted that along with my
consumer key for privacy by accident! I can assure you it is there
really. :)

On Mar 14, 2:15 pm, Tom van der Woerdt <i...@tvdw.eu> wrote:
> After fixing the basic parts of your signature (please don't ever
> replace %26 with only a %, it screws up the encoding) and checking at http://quonos.nl/oauthTester/, I got:
>
> *Bad sorting!*

Taylor Singletary

Mar 14, 2011, 10:21:59 AM
to twitter-deve...@googlegroups.com, Tom van der Woerdt
Wow, my blindness to signature base string foo this morning is humbling. Thanks Tom.

Tom van der Woerdt

Mar 14, 2011, 10:25:59 AM
to twitter-deve...@googlegroups.com
No, actually, it was my fault: it wasn't a %26, but a %3D.

Oops! Base string is fine.

Tom

Umashankar Das

Mar 14, 2011, 10:28:16 AM
to twitter-deve...@googlegroups.com
I guess we're seeing that the effects of the announcement of last weekend are not limited to the 3rd party developers but also to the people working in twitter :).

Just a joke Taylor, have a good day :).

Cheers
Umashankar Das

lappynet

Mar 14, 2011, 10:32:19 AM
to Twitter Development Talk
Yeah, I've used that tool with my real full base string and everything
appears OK. Thanks for the pointer though, I'm sure that tool will
come in handy again. :)

I have seen some blog posts issuing warnings over .NET's various ways
of RFC3986 encoding, but this doesn't appear to be the issue here...
I'll look into the hashing and base 64 encoding some more...

(I've been working through this for almost two days now. Although this
is the stuff I love doing in programming, it would be really nice if
twitter could improve/make some documentation for oob.)

On Mar 14, 2:25 pm, Tom van der Woerdt <i...@tvdw.eu> wrote:
> No, actually, it was my fault: it wasn't a %26, but a %3D.
>
> Oops! Base string is fine.
>
> Tom

lappynet

Mar 14, 2011, 10:46:56 AM
to Twitter Development Talk
cURL... I've heard about this, but I don't really know about it. Is
there a windows version as I don't have access to other OSs at work
(*sigh*)?

On Mar 14, 2:18 pm, Taylor Singletary <taylorsinglet...@twitter.com>
wrote:

kamesh SmartDude

Mar 15, 2011, 2:03:54 AM
to twitter-deve...@googlegroups.com, lappynet
Hi lappynet,

I used the GET method to retrieve the request token, and I avoided the OAuth callback because it was registered when I registered my app.

Below is how I am doing it.

The signature base string is:

GET&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_consumer_key%3Dpppppppp%26oauth_nonce%3DydBxFJKdzK%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1300167727%26oauth_version%3D1.0

For the signature key you are appending "&", and that is correct.

I am adding the OAuth header like below:

OAuth realm="Twitter API", oauth_consumer_key=pppppppp, oauth_nonce=ydBxFJKdzK, oauth_signature=89%2BSoLKBdE%2FeHN5PFRxNl3G7tNo%3D, oauth_signature_method=HMAC-SHA1, oauth_timestamp=1300167727, oauth_version=1.0

I think you might have some problem with generating the signature.


Try this,
//kamesh

lappynet

Mar 15, 2011, 10:22:42 AM
to Twitter Development Talk
Thanks for everyone's help on this. I think that I now have this
working (twitter documentation values match up).

My problem now is that although I'm confident of my algorithm, twitter
is always responding 401. I've debugged my network service and the
message being returned is Incorrect Signature. I do not understand how
this can be... :S

On Mar 15, 6:03 am, kamesh SmartDude <kamesh.smartd...@gmail.com>
wrote:

Taylor Singletary

Mar 15, 2011, 6:47:55 PM
to twitter-deve...@googlegroups.com, lappynet
Hi Georgina,

I'm sure you're pretty close to figuring this out. A few tips when you've gotten to this point:

- Make sure that you're transporting the request correctly
  - If you're using header-based OAuth, make sure that your HTTP Authorization header is being properly set up and formatted. This will be language-specific. Also make sure that you aren't repeating any of the oauth_* parameters in the POST body or URL of your actual executed request. Only parameters that don't begin with oauth_* should appear in the POST body or query string. (In other words, don't present double authentication.)
  - Make sure that your HTTP verbs are in agreement
    - If you're sending a POST, make sure your HTTP client is actually sending a POST and that your OAuth signature base string's method component matches

Here's a quick walkthrough of all the steps involved in obtaining an access token (though with my keys instead of yours). Note the signature base string, authorization header, URL, and POST body for each step (keeping in mind that the authorize step is kind of special in that it happens in a browser).

Request Token Step
------
HTTP Method: POST
POST body: (empty)
Signature Basestring:
POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_callback%3Dhttp%253A%252F%252Flocalhost%253A3005%252Fthe_dance%252Fprocess_callback%253Fservice_provider_id%253D1%26oauth_consumer_key%3DOqEqJeafRSF10jBMStrZg%26oauth_nonce%3DK7ny27JTpKVsTgdyLdDfmQQWVLERj2zAK5BslRsqyw%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1300228849%26oauth_version%3D1.0

Authorization Header: OAuth oauth_nonce="K7ny27JTpKVsTgdyLdDfmQQWVLERj2zAK5BslRsqyw", oauth_callback="http%3A%2F%2Flocalhost%3A3005%2Fthe_dance%2Fprocess_callback%3Fservice_provider_id%3D1", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1300228849", oauth_consumer_key="OqEqJeafRSF10jBMStrZg", oauth_signature="Pk%2BMLdv028fxCErFyi8KXFM%2BddU%3D", oauth_version="1.0"

Response Body:
oauth_token=IPPjb9gdAB15Gnw7to8idfCfePqJgem9MVyhcEkPsU&oauth_token_secret=xxxx&oauth_callback_confirmed=true

Authorization Step
-----
HTTP Method: GET
POST Body: N/A
Signature Basestring: N/A
Authorization Header: N/A

Access Token Step
-----
HTTP Method: POST
POST Body: (empty)

Signature Basestring:
POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Faccess_token&oauth_consumer_key%3DOqEqJeafRSF10jBMStrZg%26oauth_nonce%3DFCKJcpPIhJpOLV1VQtP560IH0rKI9jMPrlkzqQWoA%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1300228855%26oauth_token%3DIPPjb9gdAB15Gnw7to8idfCfePqJgem9MVyhcEkPsU%26oauth_verifier%3DPmThbFiYNd3TOoFRBbFwwRRPHB3PlkFbxmX4lCqmnc%26oauth_version%3D1.0

Authorization Header: OAuth oauth_nonce="FCKJcpPIhJpOLV1VQtP560IH0rKI9jMPrlkzqQWoA", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1300228855", oauth_consumer_key="OqEqJeafRSF10jBMStrZg", oauth_token="IPPjb9gdAB15Gnw7to8idfCfePqJgem9MVyhcEkPsU", oauth_verifier="PmThbFiYNd3TOoFRBbFwwRRPHB3PlkFbxmX4lCqmnc", oauth_signature="AFJr%2BdS%2FmWgPbMtJR3vdwMA4cTk%3D", oauth_version="1.0"

Response Body:
oauth_token=819797-bAOfajtcYw8xHm1UQ3v5V5WfUb90zN7OWlWmvl8ZU0&oauth_token_secret=xxxxx&user_id=819797&screen_name=episod
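
The request-token step above, rebuilt as an added C# example (not code from this thread or from Twitter): it percent-encodes with its own RFC 3986 routine so the result does not depend on how a given .NET version's Uri.EscapeDataString behaves, sorts the encoded parameters, and signs with HMAC-SHA1. The names OAuth1, Encode, BaseString and Sign are this example's own, and the consumer secret is a constructed placeholder because the real one is not in the thread.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class OAuth1
{
    // RFC 3986 unreserved characters; every other UTF-8 byte becomes %XX (upper-case hex).
    const string Unreserved = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";

    public static string Encode(string s)
    {
        var sb = new StringBuilder();
        foreach (byte b in Encoding.UTF8.GetBytes(s))
            if (Unreserved.IndexOf((char)b) >= 0) sb.Append((char)b);
            else sb.Append('%').Append(b.ToString("X2"));
        return sb.ToString();
    }

    public static string BaseString(string method, string url,
        IEnumerable<KeyValuePair<string, string>> parameters)
    {
        // Encode names and values first, then sort by encoded name, then value (byte order).
        var pairs = parameters
            .Select(p => new { K = Encode(p.Key), V = Encode(p.Value) })
            .OrderBy(p => p.K, StringComparer.Ordinal).ThenBy(p => p.V, StringComparer.Ordinal)
            .Select(p => p.K + "=" + p.V);
        // The joined parameter string is encoded again, which is why the callback shows %253A.
        return method.ToUpperInvariant() + "&" + Encode(url) + "&" + Encode(string.Join("&", pairs));
    }

    public static string Sign(string baseString, string consumerSecret, string tokenSecret)
    {
        // Key = encoded consumer secret + "&" + encoded token secret (empty at the request-token step).
        string key = Encode(consumerSecret) + "&" + Encode(tokenSecret ?? "");
        using (var hmac = new HMACSHA1(Encoding.ASCII.GetBytes(key)))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.ASCII.GetBytes(baseString)));
    }

    static void Main()
    {
        var p = new Dictionary<string, string> {   // values from the request-token step above
            ["oauth_callback"] = "http://localhost:3005/the_dance/process_callback?service_provider_id=1",
            ["oauth_consumer_key"] = "OqEqJeafRSF10jBMStrZg", ["oauth_nonce"] = "K7ny27JTpKVsTgdyLdDfmQQWVLERj2zAK5BslRsqyw",
            ["oauth_signature_method"] = "HMAC-SHA1", ["oauth_timestamp"] = "1300228849", ["oauth_version"] = "1.0" };
        string bs = BaseString("POST", "https://api.twitter.com/oauth/request_token", p);
        Console.WriteLine(bs);   // compare byte for byte with the base string in the post
        // Placeholder secret (constructed), so this signature differs from the one in the post.
        Console.WriteLine(Encode(Sign(bs, "PLACEHOLDER_CONSUMER_SECRET", "")));
    }
}
```

The second line printed is the value that goes into oauth_signature in the Authorization header: the Base64 output is percent-encoded once more, which is where the %2B, %2F and %3D in the headers above come from.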

lappynet

Mar 16, 2011, 5:41:44 AM
to Twitter Development Talk
Yep, that's exactly what my token request looks like, but I get 401
every time... :(

On Mar 15, 10:47 pm, Taylor Singletary <taylorsinglet...@twitter.com>
wrote:
> Hi Georgina,
>
> oauth_callback="http%3A%2F%2Flocalhost%3A3005%2Fthe_dance%2Fprocess_callback%3Fservice_provider_id%3D1",
> oauth_signature_method="HMAC-SHA1", oauth_timestamp="1300228849",
> oauth_consumer_key="OqEqJeafRSF10jBMStrZg",
> oauth_signature="Pk%2BMLdv028fxCErFyi8KXFM%2BddU%3D", oauth_version="1.0"
>
> Response Body:
> oauth_token=IPPjb9gdAB15Gnw7to8idfCfePqJgem9MVyhcEkPsU&oauth_token_secret=xxxx&oauth_callback_confirmed=true
>
> Authorization Step
> -----
> Request URL: https://api.twitter.com/oauth/authorize?oauth_token=IPPjb9gdAB15Gnw7t...