Getting a 401 when trying to get OAuth access token


Troy Tolle

Apr 1, 2009, 6:08:18 PM
to Twitter Development Talk
I am working on writing an OAuth client in Java for Twitter and I am
hitting the wall when trying to get the Access Token. I am able to
successfully get a sign and get a token, forward to the authorize
page, get a response, but after that, when trying to get the Access
Token, it dies. The following is my flow:

I am first sending a message with the following information to get the
token:

OAuthMessage(GET, http://twitter.com/oauth/request_token,
[oauth_consumer_key=RmhOF3YvERsY1uVF68tKg, oauth_signature_method=HMAC-
SHA1, oauth_timestamp=1238616948, oauth_nonce=1238616948972478000,
oauth_version=1.0, oauth_signature=itlw1V%2FSbJzHyU8VHs0wu4uMWew%3D])

This is the URL:

http://twitter.com/oauth/request_token?oauth_consumer_key=RmhOF3YvERsY1uVF68tKg&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1238616948&oauth_nonce=1238616948972478000&oauth_version=1.0&oauth_signature=itlw1V%2FSbJzHyU8VHs0w


That seems to work great and I get back a response and a token:

[Date=Wed%2C%2001%20Apr%202009%2020%3A17%3A51%20GMT, Server=hi, Last-
Modified=Wed%2C%2001%20Apr%202009%2020%3A17%3A51%20GMT,
Status=200%20OK, ETag=%227b36526f344e3ae8dc0efa12532c71a9%22,
Pragma=no-cache, Cache-Control=no-cache%2C%20no-store%2C%20must-
revalidate%2C%20pre-check%3D0%2C%20post-check%3D0, Content-Type=text
%2Fhtml%3B%20charset%3DUTF-8, Content-Length=112, Expires=Tue%2C
%2031%20Mar%201981%2005%3A00%3A00%20GMT, X-
Revision=cac1726f8303dbd4844ed052d9f60f2118d51b8f, X-
Transaction=1238617071-29428-3892, Set-Cookie=_twitter_sess
%3DBAh7BzoHaWQiJTdjZDc4NDI5YzRmOTRmMDM5ODY2ODA4Njc0MmI1NjFlIgpm
%25250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG
%25250AOgpAdXNlZHsA--14ba7530dbc9101ea124fcf397ec1d3acd924c0b%3B
%20domain%3D.twitter.com%3B%20path%3D%2F, Vary=Accept-Encoding,
Connection=close]

Response Parameters:

{oauth_token=eKznWjog00qLi5VIWXKwWql89RyIRPuzKJHVKj0,
oauth_token_secret=<secret is populated here>}


Then, I use that Token to create the link to the Authorization page:

Twitter Authentication
http://twitter.com/oauth/authorize?oauth_token=eKznWjog00qLi5VIWXKwWql89RyIRPuzKJHVKj0&oauth_callback=http%3A%2F%2Flocalhost%3A8080%2Fdc%2Ftwitterauth


After that comes back, I try to get the Access Token with the
following:

http://twitter.com/oauth/access_token?oauth_consumer_key=RmhOF3YvERsY1uVF68tKg&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1238617482&oauth_nonce=1238617482950207000&oauth_version=1.0&oauth_signature=b%2FInX%2BiBuMlREF99oFUeZYymuAg%3D

This is where I am hitting the wall, because it is coming back as
unauthorized:

Access Token Response Headers:
[Date=Wed%2C%2001%20Apr%202009%2020%3A25%3A57%20GMT, Server=hi, Last-
Modified=Wed%2C%2001%20Apr%202009%2020%3A25%3A57%20GMT,
Status=401%20Unauthorized, Pragma=no-cache, Cache-Control=no-cache%2C
%20no-store%2C%20must-revalidate%2C%20pre-check%3D0%2C%20post-check
%3D0, Content-Type=text%2Fhtml%3B%20charset%3DUTF-8, Content-Length=1,
Expires=Tue%2C%2031%20Mar%201981%2005%3A00%3A00%20GMT, X-
Revision=cac1726f8303dbd4844ed052d9f60f2118d51b8f, X-
Transaction=1238617557-17087-17303, Set-Cookie=_twitter_sess
%3DBAh7BzoHaWQiJTZmMTA0N2RlNzUwZjhmY2ViY2U0Yzk5MjBhNDcwYjY4Igpm
%25250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG
%25250AOgpAdXNlZHsA--036987088c0603e72c0639000d32ea9cf1265fbe%3B
%20domain%3D.twitter.com%3B%20path%3D%2F, Vary=Accept-Encoding,
Connection=close]

{HTTP request=GET /oauth/access_token?
oauth_consumer_key=RmhOF3YvERsY1uVF68tKg&oauth_signature_method=HMAC-
SHA1&oauth_timestamp=1238617482&oauth_nonce=1238617482950207000&oauth_version=1.0&oauth_signature=b
%2FInX%2BiBuMlREF99oFUeZYymuAg%3D
User-Agent: Jakarta Commons-HttpClient/3.1
Host: twitter.com

, HTTP status=401, HTTP response=HTTP/1.1 401 Unauthorized
Date: Wed, 01 Apr 2009 20:25:57 GMT
Server: hi
Last-Modified: Wed, 01 Apr 2009 20:25:57 GMT
Status: 401 Unauthorized
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-
check=0
Content-Type: text/html; charset=UTF-8
Content-Length: 1
Expires: Tue, 31 Mar 1981 05:00:00 GMT
X-Revision: cac1726f8303dbd4844ed052d9f60f2118d51b8f
X-Transaction: 1238617557-17087-17303
Set-Cookie:
_twitter_sess=BAh7BzoHaWQiJTZmMTA0N2RlNzUwZjhmY2ViY2U0Yzk5MjBhNDcwYjY4Igpm
%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG
%250AOgpAdXNlZHsA--036987088c0603e72c0639000d32ea9cf1265fbe;
domain=.twitter.com; path=/
Vary: Accept-Encoding
Connection: close

, URL=http://twitter.com/oauth/access_token?
oauth_consumer_key=RmhOF3YvERsY1uVF68tKg&oauth_signature_method=HMAC-
SHA1&oauth_timestamp=1238617482&oauth_nonce=1238617482950207000&oauth_version=1.0&oauth_signature=b
%2FInX%2BiBuMlREF99oFUeZYymuAg%3D}


I am not sure if you can tell much from that, but any pointers are
welcome and appreciated.

Dimebrain

Apr 2, 2009, 1:32:52 AM
to Twitter Development Talk
I think you might be missing oauth_token from your access_token URL
parameter string in the snippet above, it should travel with the other
parameters and its secret is hashed with the consumer secret in the
signature base.

It can be painful to solve whatever small deviation is causing your
problem, at least it was for me. My problem turned out to be that I
wasn't correctly parsing the oauth_token and oauth_token_secret out of
the response, so my code ended up taking a truncated version of the
token because it sometimes ended in '...', but it could be all kinds
of things.

Are you sending a source parameter in the mix and forgetting to hash
with it? Are you URL encoding at the right time? Are your parameters
in the right order according to the OAuth spec when you hash by name
=| value ?


Troy Tolle

Apr 3, 2009, 11:57:15 PM
to Twitter Development Talk
Thanks for the response Daniel. I was missing a parameter in the hash
actually. I did not include the token secret when signing the second
time around going after the access key. Thanks for taking the time to
look and respond.

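The resolution reached in this thread (the access_token request must carry oauth_token and be signed with both the consumer secret and the request-token secret) is shown below as an added example; it is not code from any poster. The consumer key, token, timestamp and nonce are the values quoted in the thread, while both secrets and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value: str) -> str:
    """OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay literal."""
    return quote(value, safe="-._~")

def base_string(method: str, url: str, params: dict) -> str:
    """METHOD & encoded URL & encoded list of sorted, encoded name=value pairs."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with consumer_secret&token_secret (token part is empty only at request_token)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def provider_accepts(method, url, params, consumer_secret, token_secret):
    """Provider side: recompute with both secrets and compare in constant time."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))

# Constructed secrets (assumptions); the other values are those quoted in the thread.
CONSUMER_SECRET = "example-consumer-secret"
TOKEN_SECRET = "example-request-token-secret"
URL = "http://twitter.com/oauth/access_token"
PARAMS = {
    "oauth_consumer_key": "RmhOF3YvERsY1uVF68tKg",
    "oauth_token": "eKznWjog00qLi5VIWXKwWql89RyIRPuzKJHVKj0",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1238617482",
    "oauth_nonce": "1238617482950207000",
    "oauth_version": "1.0",
}

def attempt(include_token_secret: bool) -> bool:
    """Sign the access_token request as a client would, then check it as the provider would."""
    secret = TOKEN_SECRET if include_token_secret else ""
    signed = dict(PARAMS, oauth_signature=sign("GET", URL, PARAMS, CONSUMER_SECRET, secret))
    return provider_accepts("GET", URL, signed, CONSUMER_SECRET, TOKEN_SECRET)

if __name__ == "__main__":
    print("signed with consumer secret only:", attempt(False))  # mismatch, as in the 401 above
    print("signed with both secrets:        ", attempt(True))
```

When debugging a mismatch like this, logging the output of `base_string` on the client and comparing it character by character against the expected form usually isolates encoding and ordering mistakes faster than comparing signatures.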