oauth Process flow and status Part 1


abruton

Nov 24, 2009, 3:12:25 PM
to Twitter Development Talk
Hi All

I am trying to get my head around the Twitter oauth flow.

The twitter documentation links to oauth.net for parameters, but these
are general and not well documented.

Is the first step to use http://twitter.com/oauth/request_token ?

1. I created the following URL:
http://twitter.com/oauth/request_token?oauth_consumer_key=3Uu...1HA&oauth_signature=Diz...cnI&oauth_timestamp=1259100056&oauth_nonce=120092402256OY2H6DC7VT053U3HI69HA861&oauth_version=1.0

When I put this in a browser to test it, I get the following error:

Failed to validate oauth signature and token

1. What is wrong with the string?
- Is the oauth_signature just your Consumer secret string?
- Do I have to use oauth_signature_method and what method do I use.
If it is sha1, what string do I hash? The whole URL?

Do I POST the data to http://twitter.com/oauth/request_token or GET or
what?

Best regards

Andre F Bruton

ryan alford

Nov 24, 2009, 3:17:17 PM
to twitter-deve...@googlegroups.com
The signature has to go last. That's one mistake that most people make. You are supposed to put the parameters in order EXCEPT the signature parameter. The signature parameter is created by using the other parameters, then it's appended to the end of the query string.

The OAuth signature is generated.

I made a blog post where I tried to explain it a little better than the documentation does.  It's for .Net for the desktop, but the process is the same for any language, and only slightly different for web applications.

abruton

Nov 26, 2009, 2:11:09 AM
to Twitter Development Talk
Thank you for the help. I'm still trying to get the first part to
work...

> 1. The first step in the process, you will make a GET request to
> "http://twitter.com/oauth/request_token". In this request, you will need
> the following parameters in this specific order:
> oauth_consumer_key
> oauth_nonce
> oauth_signature_method
> oauth_timestamp
> oauth_version
> oauth_signature

What string do I sign?

The whole URL?
Eg:
oauth_consumer_key=2FuDFffo1MnWkw9g2JK7621HA&oauth_nonce=1112009260947V57BUQK06I7H1BL88VBR65VT2&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1259226047&oauth_version=1.0

or

http://twitter.com/oauth/request_token?oauth_consumer_key=2FuDFffo1MnWkw9g2JK7621HA&oauth_nonce=1112009260947V57BUQK06I7H1BL88VBR65VT2&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1259226047&oauth_version=1.0

When do I UTF-8 encode? Before signing or after signing?

Same with the posting? What do I post and when do I UTF-8 encode?

Best regards

Andre



On Nov 24, 10:17 pm, ryan alford <ryanalford...@gmail.com> wrote:
> The signature has to go last. That's one mistake that most people make.
> You are supposed to put the parameters in order EXCEPT the signature
> parameter. The signature parameter is created by using the other
> parameters, then it's appended to the end of the query string.
>
> The OAuth signature is generated.
>
> I made a blog post where I tried to explain it a little better than the
> documentation does.  It's for .Net for the desktop, but the process is the
> same for any language, and only slightly different for web applications.
>
> http://eclipsed4utoo.com/blog/net-twitter-desktop-oauth-authentication/

Duane Roelands

Nov 26, 2009, 7:58:03 PM
to Twitter Development Talk
Andre,

Are you sure there isn't already an OAuth library out there that will
work for you? What language are you developing in?

--Duane


Andre Bruton

Nov 26, 2009, 11:22:06 PM
to twitter-deve...@googlegroups.com
Classic ASP

abruton

Nov 27, 2009, 7:56:48 AM
to Twitter Development Talk
Hi

I've found a test site that gives feedback to what the error is at
http://term.ie/oauth/example/

My error is that the signature is incorrect. What must the string look
like that needs to be signed? I've tested my script and I know it
encodes correctly if you give it the right information.

Can someone please post a copy of the string that is sent to be
encoded.

Best regards

Andre

Duane Roelands

Nov 27, 2009, 8:45:34 AM
to Twitter Development Talk
Classic ASP? You may be in for a rough road.

It's not just an encoded URL. You have to generate a signature for the
URL using some algorithms that may not be easily implemented in ASP.
I'm not saying it's impossible.

Why classic ASP?


Mark McBride

Nov 27, 2009, 11:53:40 AM
to twitter-deve...@googlegroups.com
The OAuth spec has an example. However it's included as an appendix,
so it's not really highlighted

http://oauth.net/core/1.0#anchor30

This is an example of a string to encode

GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal

Getting everything ordered, the right things URL encoded and then
concatenated is tedious but it's all pretty straightforward. There
are implementations in JavaScript, so I'd imagine a pure ASP version
wouldn't be impossible.

---Mark
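
Added example (not part of the original thread and not any poster's or Twitter's code): building the signature base string shown above and signing it with HMAC-SHA1, in Node.js. The function names are this example's own; the two secrets are the ones used in the OAuth Core 1.0 appendix example linked above, and the URL is parsed with the built-in URL class so query-string parameters are signed too.

```javascript
const nodeCrypto = require("crypto");

// OAuth percent-encoding: everything except A-Z a-z 0-9 - . _ ~ is escaped.
// encodeURIComponent leaves ! ' ( ) * alone, so escape those as well.
function pctEncode(s) {
  return encodeURIComponent(String(s)).replace(/[!'()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);

// Base string = METHOD & enc(URL without query) & enc(sorted "k=v&k=v" list).
function signatureBaseString(method, url, params) {
  const u = new URL(url);                       // lowercases host, drops default port
  const pairs = [...u.searchParams, ...Object.entries(params)];
  const normalized = pairs
    .filter(([k]) => k !== "oauth_signature")   // the signature never signs itself
    .map(([k, v]) => [pctEncode(k), pctEncode(v)])
    .sort((a, b) => cmp(a[0], b[0]) || cmp(a[1], b[1]))
    .map(([k, v]) => k + "=" + v)
    .join("&");
  const baseUrl = u.protocol + "//" + u.host + u.pathname;
  return [method.toUpperCase(), pctEncode(baseUrl), pctEncode(normalized)].join("&");
}

// The HMAC key is enc(consumer secret) & enc(token secret). At the
// request_token step there is no token secret yet, but the "&" stays.
function sign(method, url, params, consumerSecret, tokenSecret = "") {
  const key = pctEncode(consumerSecret) + "&" + pctEncode(tokenSecret);
  return nodeCrypto.createHmac("sha1", key)
    .update(signatureBaseString(method, url, params), "utf8")
    .digest("base64");
}

// Parameters of the spec's appendix example (same values as the string above).
const specUrl = "http://photos.example.net/photos";
const specParams = {
  file: "vacation.jpg", size: "original",
  oauth_consumer_key: "dpf43f3p2l4k3l03", oauth_token: "nnch734d00sl2jdk",
  oauth_nonce: "kllo9940pd9333jh", oauth_timestamp: "1191242096",
  oauth_signature_method: "HMAC-SHA1", oauth_version: "1.0",
};
console.log(signatureBaseString("GET", specUrl, specParams));
console.log(sign("GET", specUrl, specParams, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"));
```

The value returned by sign() is percent-encoded once more when it is sent as the oauth_signature parameter. The consumer secret only ever goes into the HMAC key on the server side; it is never sent as a request parameter.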

Raffi Krikorian

Nov 27, 2009, 11:58:49 AM
to twitter-deve...@googlegroups.com
this is my favorite javascript oauth library - http://oauth.googlecode.com/svn/code/javascript/
- it's pretty well written, and could be ported relatively easily.


--
Raffi Krikorian
Twitter Platform Team
ra...@twitter.com | @raffi




Andre Bruton

Nov 29, 2009, 1:22:01 PM
to twitter-deve...@googlegroups.com
Hi Raffi

I think I have identified something with the SHA-1 hashing that is
giving me the error. So I have to look at something else..

I had a look at the code and it seems to work well. How do I
incorporate it into a website so that I can click a link to send the
person to the Twitter Authentication screen? I would like to use a
standard link if possible but I am sure some people will also want to
use a button.

Would it be something like this?

<form name="request">
  <input type="hidden" name="httpMethod" value="GET">
  <input type="hidden" name="URL" value="http://twitter.com/oauth/request_token">
  <input type="hidden" name="parameters" value="">
  <input type="hidden" name="oauth_version" value="1.0">
  <input type="hidden" name="oauth_consumer_key" value="e4fuewo1MnWcfyg3Jd8TR">
  <input type="hidden" name="consumerSecret" value="Hpwz23... swU">
  <input type="hidden" name="oauth_signature_method" value="HMAC-SHA1">
  <input type="hidden" name="" value="">
  <tr>
    <td><input type="button" value="Sign" onClick="sign(document.request)"/></td>
  </tr>
</form>

Best regards

Andre