[OAuth + LIST API ] 401 Unauthorized problem

Wilfred yau

Nov 24, 2009, 10:09:14 PM
to Twitter Development Talk
I am using OAuth to access the List API, but I find that if the request
URL contains some chars like "_", "(", then Twitter will return 401
Unauthorized.

Does anyone know what the problem is?

And this is my request:

*Request URL:

http://api.twitter.com/1/wilfred_yau/yedsrc/members.xml

*Request header:

Host: api.twitter.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2b3) Gecko/20091115 Firefox/3.6b3 GTB6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: __utma=43838368.448377351.1258538849.1259115844.1259117264.22;
__utmz=43838368.1258703218.9.4.utmcsr=google|utmccn=(organic)|
utmcmd=organic|utmctr=gmasbaby; __utmv=43838368.lang%3A%20en;
__qca=P0-1731751766-1258598366235; __utmb=43838368.8.10.1259117264;
_twitter_sess=BAh7DDoTcGFzc3dvcmRfdG9rZW4iLWYxZDlkMzA5OWExZTMxMDIzZTlmMGJj
%250AOWM1YzllYzAyYTVjOWU2NGM6DGNzcmZfaWQiJTU4MTVlMjgzNWUyNGNhYThh
%250ANjE1YzdjOWU4MTE5MGJjOhF0cmFuc19wcm9tcHQwOgl1c2VyaQQ5oOgDOg5y
%250AZXR1cm5fdG8iJGh0dHA6Ly90d2l0dGVyLmNvbS9zb2Z0cGVkaWFtYWM6B2lk
%250AIiU0Y2JmMWJmNjc0YzJmOTlhZGZjMTA1MzE3NzI3ZGUwNiIKZmxhc2hJQzon
%250AQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7%250AAA
%253D%253D--3573176707558a7f9cd9653e6a60c073c94e91f5; __utmc=43838368

*Post Data:
Content-type: application/x-www-form-urlencoded
Content-length: 300

oauth%5Fconsumer%5Fkey=WiW3RrjmAhPvWvTn6oPLA&id=66626470&oauth%5Ftoken=65577017%2DK65DjHAcUbYOEJW5XMVnVuAkRy8fDnNnVGRZDOSAQ&oauth%5Ftimestamp=1259118273&oauth%5Fsignature=zaA0CbWpls3lowiWG0yHCZig%2B2M%3D&oauth%5Fversion=1%2E0&oauth%5Fsignature%5Fmethod=HMAC%2DSHA1&%5Fmethod=DELETE&oauth%5Fnonce=2875


Also, I got the same problem when setting status using OAuth:

*Request URL:

http://twitter.com/statuses/update.xml

*Request header:

Host: twitter.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2b3) Gecko/20091115 Firefox/3.6b3 GTB6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: __utma=43838368.448377351.1258538849.1259115844.1259117264.22;
__utmz=43838368.1258703218.9.4.utmcsr=google|utmccn=(organic)|
utmcmd=organic|utmctr=gmasbaby; __utmv=43838368.lang%3A%20en;
__qca=P0-1731751766-1258598366235; __utmb=43838368.8.10.1259117264;
_twitter_sess=BAh7DDoTcGFzc3dvcmRfdG9rZW4iLWYxZDlkMzA5OWExZTMxMDIzZTlmMGJj
%250AOWM1YzllYzAyYTVjOWU2NGM6DGNzcmZfaWQiJTU4MTVlMjgzNWUyNGNhYThh
%250ANjE1YzdjOWU4MTE5MGJjOgl1c2VyaQQ5oOgDOhF0cmFuc19wcm9tcHQwIgpm
%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG
%250AOgpAdXNlZHsAOgdpZCIlNGNiZjFiZjY3NGMyZjk5YWRmYzEwNTMxNzcyN2Rl
%250AMDY6DnJldHVybl90byIkaHR0cDovL3R3aXR0ZXIuY29tL3NvZnRwZWRpYW1h
%250AYw%253D%253D--dfa30d93e80be97e1404abbb466f2c6191816d69;
__utmc=43838368
Authorization: Basic Z21hc2JhYnk6eW95b2JhYnk=

*Post Data:

Content-type: application/x-www-form-urlencoded
Content-length: 303

oauth%5Fnonce=4280&oauth%5Fsignature%5Fmethod=HMAC%2DSHA1&oauth%5Ftimestamp=1259117789&status=%40vincenthpchan%20%28O%3A&oauth%5Fversion=1%2E0&oauth%5Fconsumer%5Fkey=WiW3RrjmAhPvWvTn6oPLA&oauth%5Fsignature=dZ0OBySJzAZsdhwUKvK9zaIamE4%3D&oauth%5Ftoken=65577017%2DK65DjHAcUbYOEJW5XMVnVuAkRy8fDnNnVGRZDOSAQ


I wonder if it is a problem with oauth_signature, but I don't know what
is wrong with it.
Thank you very much ;-)

Wilfred yau

Nov 26, 2009, 9:47:15 PM
to Twitter Development Talk
I have already solved the special char problem, which was because of
encoding in Flex.
But I still find that when I call _method=DELETE in the List API, I still
get 401 Unauthorized from api.twitter.com.

On Nov 25, 11:09 am, Wilfred yau <wld991...@gmail.com> wrote:
> I am using OAuth to access List API, but I find that if the request

Mark McBride

Nov 27, 2009, 12:24:07 AM
to twitter-deve...@googlegroups.com
It looks like you're trying to actually include the OAuth
Authorization header in your POST body, which isn't the way you want
to do it. Instead, you should be using the Authorization HTTP header
to transmit this info (see http://oauth.net/core/1.0a#anchor46). To
make things extra weird, in one case you do have an Authorization
header set, but it's basic auth.

---Mark

Wilfred yau

Nov 30, 2009, 10:40:04 PM
to Twitter Development Talk
I have tried to follow the OAuth document to set up the Authorization header,
but still get
401 Unauthorized when I am using _method as a parameter, and here is the
result:

========================================================================

*Response Headers
Date Tue, 01 Dec 2009 03:21:03 GMT
Server hi
WWW-Authenticate Basic realm="Twitter API"
Status 401 Unauthorized
Content-Type application/xml; charset=utf-8
Cache-Control no-cache, max-age=1800
Set-Cookie
_twitter_sess=BAh7CjoTcGFzc3dvcmRfdG9rZW4iLWYxZDlkMzA5OWExZTMxMDIzZTlmMGJj
%250AOWM1YzllYzAyYTVjOWU2NGM6CXVzZXJpBDmg6AM6EXRyYW5zX3Byb21wdDAi
%250ACmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7%250AAAY6CkB1c2VkewA6B2lkIiU5ZWI2NmY2MTU5ZmYyODM4NGE3YTAxNGUxMmMy
%250AMTAyNg%253D%253D--4353873c14c39b48b0d30c48abba5858bff5a3a0;
domain=.twitter.com; path=/
Expires Tue, 01 Dec 2009 03:51:03 GMT
Vary Accept-Encoding
Content-Encoding gzip
Content-Length 140
Connection close

*Request Headers
Host api.twitter.com
User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 GTB6
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language en-us,en;q=0.5
Accept-Encoding gzip,deflate
Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive 300
Connection keep-alive
Cookie __qca=P0-1306444636-1259550182670;
__utma=43838368.345398731.1259564074.1259574616.1259577218.3;
__utmz=43838368.1259577218.3.2.utmcsr=forum7.hkgolden.com|utmccn=
(referral)|utmcmd=referral|utmcct=/view.aspx; __utmv=43838368.lang%3A
%20en;
_twitter_sess=BAh7CjoTcGFzc3dvcmRfdG9rZW4iLWYxZDlkMzA5OWExZTMxMDIzZTlmMGJj
%250AOWM1YzllYzAyYTVjOWU2NGM6EXRyYW5zX3Byb21wdDA6CXVzZXJpBDmg6AM6%250AB2lkIiU5ZWI2NmY2MTU5ZmYyODM4NGE3YTAxNGUxMmMyMTAyNiIKZmxhc2hJ
%250AQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVz
%250AZWR7AA%253D%253D--00951782ee94404e73d0edcbd7d02f1800f10915

*Post Data:
Content-type: application/x-www-form-urlencoded
Authorization: OAuth realm="Test",oauth_signature_method="HMAC-SHA1",oauth_token="65577017-K65DjHAcUbYOEJW5XMVnVuAkRy8fDnNnVGRZDOSAQ",oauth_nonce="9399",oauth_timestamp="1259637691",oauth_version="1.0",oauth_consumer_key="WiW3RrjmAhPvWvTn6oPLA",oauth_signature="BhLQP0o0OKLXjiQWn1l9ca7Fsek%3D"
Content-length: 28

id=77938855&%5Fmethod=DELETE

========================================================================

I wonder if this is a problem with _method, since when I use other
parameters there is no problem at all. So, does anyone know what is the
problem with my request, and could Twitter provide a correct request
example which uses _method as an OAuth parameter? Thanks.

Wilfred

On Nov 27, 1:24 pm, Mark McBride <mmcbr...@twitter.com> wrote:
> It looks like you're trying to actually include the OAuth
> Authorization header in your POST body, which isn't the way you want
> to do it.  Instead, you should be using the Authorization HTTP header
> to transmit this info (see http://oauth.net/core/1.0a#anchor46).  To
> make things extra weird, in one case you do have an Authorization
> header set, but it's basic auth.
>
>    ---Mark
>
> On Thu, Nov 26, 2009 at 6:47 PM, Wilfred yau <wld991...@gmail.com> wrote:
> > I have already solve the special char problem because encoding in
> > Flex.
> > but I still find that when I call _method= DELETE in List API, I still

Shannon Whitley

Dec 1, 2009, 3:37:40 PM
to Twitter Development Talk
I'm having the same problem. I can't delete members from lists using
oAuth. I've tried using the DELETE method and adding the
_method=DELETE parameter. All of the combinations return a "401
Unauthorized" error.

Wilfred yau

Dec 3, 2009, 5:13:46 AM
to Twitter Development Talk
I have tried putting the _method=DELETE in the header, but it still does not
work...
Does anyone know if it is a Twitter API bug or it is my problem...
This problem stops the development of my new Twitter client in
Firefox...
Thanks

Wilfred

On Nov 27, 1:24 pm, Mark McBride <mmcbr...@twitter.com> wrote:
> It looks like you're trying to actually include the OAuth
> Authorization header in your POST body, which isn't the way you want
> to do it.  Instead, you should be using the Authorization HTTP header
> to transmit this info (see http://oauth.net/core/1.0a#anchor46).  To
> make things extra weird, in one case you do have an Authorization
> header set, but it's basic auth.
>
>    ---Mark
>

Reivax

Dec 16, 2009, 12:07:38 PM
to Twitter Development Talk
I have the same problem.
I've tried not including the _method param in the signature computation;
it didn't work any better.


On Dec 3, 11:13 am, Wilfred yau <wld991...@gmail.com> wrote:
> I have try that put the _method=DELETE in Header, but still not

Reivax

Dec 16, 2009, 12:53:47 PM
to Twitter Development Talk
I submitted a bug, vote for it:

http://code.google.com/p/twitter-api/issues/detail?id=1294&colspec=ID%20Stars%20Type%20Status%20Priority%20Owner%20Summary%20Opened%20Modified%20Component

On Dec 3, 11:13 am, Wilfred yau <wld991...@gmail.com> wrote:
> I have try that put the _method=DELETE in Header, but still not
> work...
> do anyone know if it is Twitter API bug or it is my problem...
> this problem stop the development of my new Twitter Client in
> Firefox...
> Thanks
>
> Wilfred
>
> On Nov 27, 1:24 pm, Mark McBride <mmcbr...@twitter.com> wrote:
>
> > It looks like you're trying to actually include the OAuth
> > Authorization header in your POST body, which isn't the way you want
> > to do it.  Instead, you should be using the Authorization HTTP header
> > to transmit this info (see http://oauth.net/core/1.0a#anchor46).  To
> > make things extra weird, in one case you do have an Authorization
> > header set, but it's basic auth.
>
> >    ---Mark
>
> > On Thu, Nov 26, 2009 at 6:47 PM, Wilfred yau <wld991...@gmail.com> wrote:
> > > I have already solve the special char problem because encoding in
> > > Flex.
> > > but I still find that when I call _method=DELETE in List API, I still
> > > get 401 Unauthorized from api.twitter.com.