Re: [twitter-dev] how do we get the via Client name on Tweets
You have to use OAuth.

http://apiwiki.twitter.com/FAQ#HowdoIget“fromMyApp”appendedtoupdatessentfrommyAPIapplication

Ryan

On Wed, Mar 10, 2010 at 4:02 PM, pranzb bhatpra...@gmail.com wrote:

Hello all, I wanted to know how do we get our client name at the end of every tweet. Like for eg: At the end of a tweet, the website says via API or via TweetDeck. I wanted to know how do we get that to be our client name like Tweetdeck did?

Thanks, Pranz B
Re: [twitter-dev] Pin-based authorization via .NET
Why are you using PIN based authorization for web applications? Web applications don't use PINs.

Ryan

Sent from my DROID

On Mar 7, 2010 4:59 PM, Ricky ri...@digitally-born.com wrote:

I'm working on version 2 of Twitterizer, a .NET library for using the Twitter API, but I've run into a weird issue with pin-based OAuth.

I have a sample web application and a sample desktop application. From the web application I am able to perform pin-based authentication without any issues, but through the desktop application every call for access tokens is refused with Invalid oauth_verifier parameter.

I've stepped through the code (non-stop for an hour) and I'm sure that the exact code is executing for each call. I've tried changing the calls to GET, instead of POST, and the results are the same.

From the web app it works great, from the desktop app, not so much. Using fiddler, I've captured the HTTP request/response from each, and they look exactly the same (to me).

Here is the call from the web application (works):

    POST http://twitter.com/oauth/access_token?oauth_verifier=2068385 HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Authorization: OAuth realm=Twitter API,oauth_consumer_key=Ds8w95QVNTITV16pqMwtHA,oauth_nonce=6E723378,oauth_signature_method=HMAC-SHA1,oauth_timestamp=1267995036,oauth_token=Vy5cCHkomrAKocY9c8J18hAEf1PJ2ONwBtQxmdGGaI,oauth_version=1.0,oauth_signature=OU3Qfi2tq%2Fwyaij0NezCARqLVCA%3D
    User-Agent: Twitterizer/2.0.0.0
    Host: twitter.com

And here is the call from the desktop application (does not work):

    POST http://twitter.com/oauth/access_token?oauth_verifier=541907 HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Authorization: OAuth realm=Twitter API,oauth_consumer_key=Ds8w95QVNTITV16pqMwtHA,oauth_nonce=7F8D82E3,oauth_signature_method=HMAC-SHA1,oauth_timestamp=1267995086,oauth_token=uTcERUybyJF0WKi77w5dPCTZbwO7DZJX1hQuJK0fg,oauth_version=1.0,oauth_signature=iUUcdVtM%2B4nxfDKrqPqElE9IPgY%3D
    User-Agent: Twitterizer/2.0.0.0
    Host: twitter.com

The response body is:

    <?xml version="1.0" encoding="UTF-8"?>
    <hash>
      <request>/oauth/access_token?oauth_verifier=541907</request>
      <error>Invalid oauth_verifier parameter</error>
    </hash>

This may be more of a .NET question, as there may be some kind of nuance when making requests through a windows application, but I thought it might be worth my time to ask everyone, in case I'm doing something dumb (it happens).

Thanks for your time,
Ricky
www.twitterizer.net
Re: [twitter-dev] Re: OAuth newbie question
The token is a posted parameter. The secret is part of the key for the signature.

Ryan

On Sat, Mar 6, 2010 at 5:55 PM, IDOLpeeps i...@idolpeeps.com wrote:

I've overcome the nuances of generating the oauth signature. It shocks me that the API documentation provides no clear indication of how to send the tokens along with an API call. It's not even a PHP-specific question.

Simply put: Where do the oauth_token and oauth_token_secret get embedded in API call: As posted parameters? If so, with what parameter names?

Can anybody provide guidance? I have seen many people ask this question, yet see no answer.

As far as why one would want to use their own library vs. somebody else's, that's a question for the ages. One specific answer is that many of us have created our own application-specific libraries that accommodate traditional http authentication and we'd like to keep our libraries when we add Oauth. To do so, it's best to have an answer to this question.

Thank you.
Re: [twitter-dev] Re: OAuth Rate Limit Increase - Not seeing it
Thanks

Ryan

Sent from my DROID

On Mar 4, 2010 5:41 AM, Nik Fletcher nik.fletc...@gmail.com wrote:

Hi Guys

http://code.google.com/p/twitter-api/issues/detail?id=1501

Cheers
-N

On Mar 3, 9:42 pm, Milen mi...@thecosmicmachine.com wrote:

I couldn't agree more, it's pretty l...
Re: [twitter-dev] Re: OAuth rate limit question
Just to add, I also get the 150 rate limit when using the account/rate_limit_status method. I am using OAuth and api.twitter.com.

Ryan

On Wed, Mar 3, 2010 at 8:57 AM, Raffi Krikorian ra...@twitter.com wrote:

Well - it seems to me that rate limit status may have an issue with it. We will have to take a look.

On Mar 3, 2010, at 2:56 AM, Nik Fletcher nik.fletc...@gmail.com wrote:

Hey Raffi

So, would Twitter prefer that clients use the headers instead of relying on the (now misleading) account/rate_limit_status method to verify the rate limit?

http://apiwiki.twitter.com/Twitter-REST-API-Method:-account%C2%A0rate_limit_status

As, even with Oauth-signed requests, this method is still returning 150 per hour.

Thanks!
Nik

On Mar 3, 7:26 am, Raffi Krikorian ra...@twitter.com wrote:

are you connecting via oauth to api.twitter.com? if so, then please take a look at the rate limit headers and let me know what you see?

On Tue, Mar 2, 2010 at 10:48 PM, Ben Novakovic bennovako...@gmail.com wrote:

Hi,

I have been reading about twitter api limits lately as a lot of my users are exhausting their 150reqs/h on a fairly regular basis. I came across the following post and noticed that if users login with OAuth, they are given 350 reqs/hr.

http://groups.google.com/group/twitter-development-talk/msg/b09f2a332...

This was fair enough as you guys are trying to make twitter more secure (good work!); so we set about implementing OAuth on our client. We completed the implementation today, but fail to see the 350 reqs/hr. We are still being limited by the 150 reqs/hr.

I was just wondering whether there was something special we needed to do to get our req limits up to 350 for those users who login to our client with OAuth.

Just to give you some background info, the client is a mobile web based client and all requests to twitter are made on our server on behalf of our users. If they are logged in with OAuth, the appropriate OAuth details are also handed through as part of the request. We know they are using OAuth as our 'updated via xxx' changes with using OAuth.

Any help would be greatly appreciated!

Thanks!
Ben

--
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi
Re: [twitter-dev] Re: OAuth Rate Limit Increase - Not seeing it
I was able to get that working. I didn't notice that those headers were only sent for requests that counted against the rate limit.

Ryan

On Tue, Mar 2, 2010 at 6:33 PM, twittelator and...@stone.com wrote:

I reported this bug yesterday. Instead of making that extra call, why not look at the response headers which come back with each API ACCESS - you'll get the info you need:

    X-Ratelimit-Limit = 150;
    X-Ratelimit-Remaining = 133;
    X-Ratelimit-Reset = 1267576025;

Andrew Stone
Twitter / @twittelator
http://www.stone.com
got iPhone? http://j.mp/twitpro http://j.mp/tweettv-app

On Mar 2, 11:47 am, eclipsed4utoo ryanalford...@gmail.com wrote:

I thought that the OAuth Rate Limit went up to 350? I am still getting 150. Here is the returned XML from my request to http://api.twitter.com/1/account/rate_limit_status.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <hash>
      <reset-time type="datetime">2010-03-02T19:42:28+00:00</reset-time>
      <hourly-limit type="integer">150</hourly-limit>
      <reset-time-in-seconds type="integer">1267558948</reset-time-in-seconds>
      <remaining-hits type="integer">150</remaining-hits>
    </hash>

I am using OAuth and using the new version of the REST API. What else do I need to do?
Re: [twitter-dev] Re: OAuth Rate Limit Increase - Not seeing it
I just want to ask how you guys handle the following situation. And please correct anything that is incorrect.

The user starts up your application, and they have exhausted all of their rate limit (using another application). Your application does not know this when it is first starting because you haven't made a rate limited request yet. You now make the rate limited request, and you get the 403: Forbidden error back. I can only assume that Twitter will send the X-Ratelimit-Limit header with the response error.

Does your application allow this request and then process the error, set the rate limit information (you would need the date to tell the user when the rate limit will reset), and go about your business?

In my app, I do a rate limit check before making the request (using the account/rate_limit_status method). Since I can no longer do this (since that method returns 150 instead of 350), I was wondering how others handle this.

Just my personal opinion, but I think it's a horrible decision to have the rate limiting headers ONLY returned for rate limited methods. This now requires me to make a rate limited call just to get the rate limit, which brings the previous scenario into play.

Thanks,
Ryan

On Wed, Mar 3, 2010 at 9:44 AM, Ryan Alford ryanalford...@gmail.com wrote:

I was able to get that working. I didn't notice that those headers were only sent for requests that counted against the rate limit.

Ryan

On Tue, Mar 2, 2010 at 6:33 PM, twittelator and...@stone.com wrote:

I reported this bug yesterday. Instead of making that extra call, why not look at the response headers which come back with each API ACCESS - you'll get the info you need:

    X-Ratelimit-Limit = 150;
    X-Ratelimit-Remaining = 133;
    X-Ratelimit-Reset = 1267576025;

Andrew Stone
Twitter / @twittelator
http://www.stone.com
got iPhone? http://j.mp/twitpro http://j.mp/tweettv-app

On Mar 2, 11:47 am, eclipsed4utoo ryanalford...@gmail.com wrote:

I thought that the OAuth Rate Limit went up to 350? I am still getting 150. Here is the returned XML from my request to http://api.twitter.com/1/account/rate_limit_status.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <hash>
      <reset-time type="datetime">2010-03-02T19:42:28+00:00</reset-time>
      <hourly-limit type="integer">150</hourly-limit>
      <reset-time-in-seconds type="integer">1267558948</reset-time-in-seconds>
      <remaining-hits type="integer">150</remaining-hits>
    </hash>

I am using OAuth and using the new version of the REST API. What else do I need to do?
Re: [twitter-dev] forcing api.twitter.com resources - tomorrow
Does OAuth go to the api.twitter.com? The API documentation still has the 4 OAuth methods going to twitter.com.

http://apiwiki.twitter.com/Twitter-REST-API-Method:-oauth-request_token
http://apiwiki.twitter.com/Twitter-REST-API-Method:-oauth-authorize
http://apiwiki.twitter.com/Twitter-REST-API-Method:-oauth-authenticate
http://apiwiki.twitter.com/Twitter-REST-API-Method:-oauth-access_token

Ryan

On Tue, Mar 2, 2010 at 3:31 PM, Raffi Krikorian ra...@twitter.com wrote:

hi all.

tomorrow we're going to put an operational change in place that will force all traffic that is addressed to http://api.twitter.com to go to instances that are specifically serving api.twitter.com code. what does this mean for you? if you're only using documented api.twitter.com methods (and not calling any undocumented methods that have been designed to support twitter.com), then this means absolutely nothing to you :P

just giving a heads up - we'll be actively monitoring the list and we'll try to be in IRC when it happens in case there are any hiccups.

--
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi
Re: [twitter-dev] Re: forcing api.twitter.com resources - tomorrow
So the OAuth methods have not been moved to api.twitter.com? If not, then what is going to happen when those OAuth requests go to twitter.com? Are they going to be blocked?

Ryan

On Tue, Mar 2, 2010 at 5:03 PM, Raffi Krikorian ra...@twitter.com wrote:

anything going to twitter.com (and not api.twitter.com), will stick with twitter.com.

On Tue, Mar 2, 2010 at 1:23 PM, Dewald Pretorius dewaldpub...@gmail.com wrote:

Raffi,

Can you please clarify how and/or if OAuth will be affected. My OAuth token and authorize requests also go to twitter.com, not api.twitter.com.

On Mar 2, 4:35 pm, Ryan Alford ryanalford...@gmail.com wrote:

Does OAuth go to the api.twitter.com? The API documentation still has the 4 OAuth methods going to twitter.com.

http://apiwiki.twitter.com/Twitter-REST-API-Method:-oauth-request_token
http://apiwiki.twitter.com/Twitter-REST-API-Method:-oauth-authorize
http://apiwiki.twitter.com/Twitter-REST-API-Method:-oauth-authenticate
http://apiwiki.twitter.com/Twitter-REST-API-Method:-oauth-access_token

Ryan

On Tue, Mar 2, 2010 at 3:31 PM, Raffi Krikorian ra...@twitter.com wrote:

hi all.

tomorrow we're going to put an operational change in place that will force all traffic that is addressed to http://api.twitter.com to go to instances that are specifically serving api.twitter.com code. what does this mean for you? if you're only using documented api.twitter.com methods (and not calling any undocumented methods that have been designed to support twitter.com), then this means absolutely nothing to you :P

just giving a heads up - we'll be actively monitoring the list and we'll try to be in IRC when it happens in case there are any hiccups.

--
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi

--
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi
Re: [twitter-dev] 401 - Unauthorized error when diacritics in status
I believe it has been fixed in some libraries in other programming languages, but I can't figure out how to do it in .Net.

Ryan

On Tue, Feb 23, 2010 at 12:38 PM, Aral Balkan aralbal...@gmail.com wrote:

Ooh, if this is the case then it will definitely stop me from using oAuth for Feathers (http://feathersapp.com) since diacritics are an essential part of Unicode art.

Very interested in hearing what you find out.

All the best,
Aral

On Tue, Feb 23, 2010 at 1:44 PM, eclipsed4utoo ryanalford...@gmail.com wrote:

I am getting an error message when posting accent marks and other diacritics in a status update. I saw that there was an issue [1] posted in April of last year about this problem. It seems to be with the signature generation for OAuth with the encoding of accent marks.

I am using .Net (C#), and I can't figure out how to fix this. Do I use a different encoding? Anybody have any ideas on how to fix this in .Net?

[1] - http://code.google.com/p/twitter-api/issues/detail?id=433

Ryan
Re: [twitter-dev] 401 - Unauthorized error when diacritics in status
I think it is the way that .Net handles encoding of the diacritics. I don't think it's a Twitter api issue. I was hoping that another .Net developer had run into this issue and had fixed it.

Ryan

On Tue, Feb 23, 2010 at 2:07 PM, Raffi Krikorian ra...@twitter.com wrote:

this would be news to me - if you have a way to replicate this, and you are confident it's not your oauth libraries, then please let me know.

On Tue, Feb 23, 2010 at 11:04 AM, Ryan Alford ryanalford...@gmail.com wrote:

I believe it has been fixed in some libraries in other programming languages, but I can't figure out how to do it in .Net.

Ryan

On Tue, Feb 23, 2010 at 12:38 PM, Aral Balkan aralbal...@gmail.com wrote:

Ooh, if this is the case then it will definitely stop me from using oAuth for Feathers (http://feathersapp.com) since diacritics are an essential part of Unicode art.

Very interested in hearing what you find out.

All the best,
Aral

On Tue, Feb 23, 2010 at 1:44 PM, eclipsed4utoo ryanalford...@gmail.com wrote:

I am getting an error message when posting accent marks and other diacritics in a status update. I saw that there was an issue [1] posted in April of last year about this problem. It seems to be with the signature generation for OAuth with the encoding of accent marks.

I am using .Net (C#), and I can't figure out how to fix this. Do I use a different encoding? Anybody have any ideas on how to fix this in .Net?

[1] - http://code.google.com/p/twitter-api/issues/detail?id=433

Ryan

--
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi
Re: [twitter-dev] Which api url to use?
I *believe* Twitter is moving to versioning the API (which is what the /1/ means..it's version 1). So I would use the URL with the /1/, since the other way be deprecated in the future.

Ryan

On Mon, Feb 22, 2010 at 11:19 AM, Dmitri Snytkine d.snytk...@gmail.com wrote:

Is there a difference between using http://api.twitter.com/1/statuses/update.format and http://api.twitter.com/statuses/update.format (without the /1/)?
Re: [twitter-dev] Which api url to use?
Raffi,

Just so you know, http://twitter.com/statuses/update.format also works. That's what I have been using in my app until today (moved to the versioning).

Ryan

On Mon, Feb 22, 2010 at 12:23 PM, Raffi Krikorian ra...@twitter.com wrote:

yeah - please use the /1 URLs. if api.twitter.com works without /1, then that's inadvertent, and we'll probably fix that.

On Mon, Feb 22, 2010 at 9:18 AM, Ryan Alford ryanalford...@gmail.com wrote:

I *believe* Twitter is moving to versioning the API (which is what the /1/ means..it's version 1). So I would use the URL with the /1/, since the other way be deprecated in the future.

Ryan

On Mon, Feb 22, 2010 at 11:19 AM, Dmitri Snytkine d.snytk...@gmail.com wrote:

Is there a difference between using http://api.twitter.com/1/statuses/update.format and http://api.twitter.com/statuses/update.format (without the /1/)?

--
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi
Re: [twitter-dev] Which api url to use?
Yes, those are the ones I am talking about.

Ryan

On Mon, Feb 22, 2010 at 12:41 PM, Raffi Krikorian ra...@twitter.com wrote:

hi ryan.

yup - those are the original update methods, right? like

http://twitter.com/statuses/update.xml
http://twitter.com/statuses/update.json

we haven't set a deprecation date for those yet - but developers should plan on it. please start to migrate to the api.twitter.com/1/ URLs.

On Mon, Feb 22, 2010 at 9:26 AM, Ryan Alford ryanalford...@gmail.com wrote:

Raffi,

Just so you know, http://twitter.com/statuses/update.format also works. That's what I have been using in my app until today (moved to the versioning).

Ryan

On Mon, Feb 22, 2010 at 12:23 PM, Raffi Krikorian ra...@twitter.com wrote:

yeah - please use the /1 URLs. if api.twitter.com works without /1, then that's inadvertent, and we'll probably fix that.

On Mon, Feb 22, 2010 at 9:18 AM, Ryan Alford ryanalford...@gmail.com wrote:

I *believe* Twitter is moving to versioning the API (which is what the /1/ means..it's version 1). So I would use the URL with the /1/, since the other way be deprecated in the future.

Ryan

On Mon, Feb 22, 2010 at 11:19 AM, Dmitri Snytkine d.snytk...@gmail.com wrote:

Is there a difference between using http://api.twitter.com/1/statuses/update.format and http://api.twitter.com/statuses/update.format (without the /1/)?

--
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi

--
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi
Re: [twitter-dev] Which api url to use?
It's actually listed on all of the twitter api method pages, except for the OAuth methods.

Ryan

Sent from my DROID

On Feb 22, 2010 1:58 PM, Isaiah Carew isa...@mac.com wrote:

i'm bound to forget this in about an hour. is this old/new versioned/not listed somewhere in the API docs?

On Feb 22, 2010, at 9:42 AM, Ryan Alford wrote:

Yes, those are the ones I am talking about. ...
Re: [twitter-dev] Which api url to use?
The documentation for the 4 OAuth methods does not show the versioning URL. I didn't know if they were moved over or not.

Ryan

Sent from my DROID

On Feb 22, 2010 2:08 PM, Raffi Krikorian ra...@twitter.com wrote:

the API wiki docs were painstakingly converted to use the api.twitter.com/1 endpoint. if you spot a place we missed, feel free to pass it along! thanks!

On Mon, Feb 22, 2010 at 10:33 AM, Isaiah Carew isa...@mac.com wrote:

i'm bound to forget thi...
Re: [twitter-dev] Re: oauth request token failing
Can you post the string that you hash to create the signature?

Ryan

On Thu, Feb 18, 2010 at 8:42 AM, Berto mstbe...@gmail.com wrote:

Even with the URL like this:

    http://twitter.com/oauth/request_token?oauth_consumer_key=value&oauth_nonce=1266501098&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1266500348&oauth_version=1.0&oauth_signature=eGALeAVpxt4CB%2FuHfkLq51%2FWXRk%3D

It still fails for me. I've gotta be missing something obvious. Does anything need to go into my header?

On Feb 17, 9:47 pm, Ryan Alford ryanalford...@gmail.com wrote:

You order all parameters EXCEPT the signature, then create the signature, then append the signature to the end. All other parameters should be in order.

Ryan

On Wed, Feb 17, 2010 at 6:42 PM, Berto mstbe...@gmail.com wrote:

I thought that was only for the signature which is in the right order?

Ryan Alford wrote:

Your querystring parameters are in the wrong order. You have the oauth_nonce AFTER oauth_timestamp. It needs to be before it. The parameters must be in order.

Ryan

Sent from my DROID

On Feb 17, 2010 6:18 PM, Berto mstbe...@gmail.com wrote:

To answer the first email, I was doing that so I could put it in the request header's authorization field to get this effect: (Taken from oauth.net)

    Authorization: OAuth realm=http://sp.example.com/,
        oauth_consumer_key=0685bd9184jfhq22,
        oauth_token=ad180jjd733klru7,
        oauth_signature_method=HMAC-SHA1,
        oauth_signature=wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D,
        oauth_timestamp=137131200,
        oauth_nonce=4572616e48616d6d65724c61686176,
        oauth_version=1.0

Then, I thought it might need to go into the WWW-Authenticate field as opposed to the Authorization field so I tried that too with no success.

I've also just tried formatting them as GET parameters and attaching them to the request URL, but that isn't working either. It would look like:

    http://twitter.com/oauth/request_token?oauth_consumer_key=value&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1266440918&oauth_nonce=1266440928&oauth_version=1.0&oauth_signature=l%2BYDrTyWGpvDu3owDlVQLakzVns%3D

On Feb 17, 3:52 pm, Ryan Alford ryanalford...@gmail.com wrote:

Can you post the URL with querys...

On Wed, Feb 17, 2010 at 4:51 PM, Ryan Alford ryanalford...@gmail.com wrote:

Why are you doing this? StringBuilder params = new StringBuilder(); ...

On Wed, Feb 17, 2010 at 2:37 PM, Berto mstbe...@gmail.com wrote:

Hey guys, I'm w...
Re: [twitter-dev] Re: oauth request token failing
That looks fine. Are you using the Consumer Secret as the key to the hash?

Ryan

On Thu, Feb 18, 2010 at 9:10 AM, Berto mstbe...@gmail.com wrote:

    GET&http%3A%2F%2Ftwitter.com%2Foauth%2Frequest_token&oauth_consumer_key%3D8hvUTsGttoOBN2ygbDVJw%26oauth_nonce%3D1266502068%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1266501208%26oauth_version%3D1.0

On Feb 18, 8:04 am, Ryan Alford ryanalford...@gmail.com wrote:

Can you post the string that you hash to create the signature?

Ryan

On Thu, Feb 18, 2010 at 8:42 AM, Berto mstbe...@gmail.com wrote:

Even with the URL like this:

    http://twitter.com/oauth/request_token?oauth_consumer_key=value&oauth_nonce=1266501098&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1266500348&oauth_version=1.0&oauth_signature=eGALeAVpxt4CB%2FuHfkLq51%2FWXRk%3D

It still fails for me. I've gotta be missing something obvious. Does anything need to go into my header?

On Feb 17, 9:47 pm, Ryan Alford ryanalford...@gmail.com wrote:

You order all parameters EXCEPT the signature, then create the signature, then append the signature to the end. All other parameters should be in order.

Ryan

On Wed, Feb 17, 2010 at 6:42 PM, Berto mstbe...@gmail.com wrote:

I thought that was only for the signature which is in the right order?

Ryan Alford wrote:

Your querystring parameters are in the wrong order. You have the oauth_nonce AFTER oauth_timestamp. It needs to be before it. The parameters must be in order.

Ryan

Sent from my DROID

On Feb 17, 2010 6:18 PM, Berto mstbe...@gmail.com wrote:

To answer the first email, I was doing that so I could put it in the request header's authorization field to get this effect: (Taken from oauth.net)

    Authorization: OAuth realm=http://sp.example.com/,
        oauth_consumer_key=0685bd9184jfhq22,
        oauth_token=ad180jjd733klru7,
        oauth_signature_method=HMAC-SHA1,
        oauth_signature=wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D,
        oauth_timestamp=137131200,
        oauth_nonce=4572616e48616d6d65724c61686176,
        oauth_version=1.0

Then, I thought it might need to go into the WWW-Authenticate field as opposed to the Authorization field so I tried that too with no success.

I've also just tried formatting them as GET parameters and attaching them to the request URL, but that isn't working either. It would look like:

    http://twitter.com/oauth/request_token?oauth_consumer_key=value&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1266440918&oauth_nonce=1266440928&oauth_version=1.0&oauth_signature=l%2BYDrTyWGpvDu3owDlVQLakzVns%3D

On Feb 17, 3:52 pm, Ryan Alford ryanalford...@gmail.com wrote:

Can you post the URL with querys...

On Wed, Feb 17, 2010 at 4:51 PM, Ryan Alford ryanalford...@gmail.com wrote:

Why are you doing this? StringBuilder params = new StringBuilder(); ...

On Wed, Feb 17, 2010 at 2:37 PM, Berto mstbe...@gmail.com wrote:

Hey guys, I'm w...
Re: [twitter-dev] Oauth Signatures
I just tried it and I do get the 401 Unauthorized error when I don't normalize the status text.

Ryan

On Thu, Feb 18, 2010 at 1:07 PM, Dewald Pretorius dpr...@gmail.com wrote:

Can computing the OAuth signature on un-normalized tweet text cause Incorrect Signature issues?
Re: [twitter-dev] Re: Oauth Signatures
In my testing, I got the 401 error when posting a simple status such as testing testing instead of normalizing it to testing%20testing.

I can't tell if it's the invalid signature error since I can't figure out how to see that in .Net, but I can see that it's the 401: Unauthorized error.

Ryan

On Thu, Feb 18, 2010 at 3:03 PM, Dewald Pretorius dpr...@gmail.com wrote:

Ryan,

Is that with just plain ASCII in the update text that you get a 401 when not normalized?

The bulk of my signatures work fine, and I'm not normalizing at this point. It's just now and again that Twitter says 401 Invalid signature on a status update. So, I'm wondering if the text has some strange characters that cause a discrepancy between my sig calc and their sig check.

On Feb 18, 3:13 pm, Ryan Alford ryanalford...@gmail.com wrote:

I just tried it and I do get the 401 Unauthorized error when I don't normalize the status text.

Ryan

On Thu, Feb 18, 2010 at 1:07 PM, Dewald Pretorius dpr...@gmail.com wrote:

Can computing the OAuth signature on un-normalized tweet text cause Incorrect Signature issues?
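Added example (not part of any message in this archive, and not Twitter's or any OAuth library's code): a small OAuth 1.0 HMAC-SHA1 signer and verifier that reproduces the failures discussed in the signature, diacritics and request_token threads, showing why an un-normalized or differently encoded status gives a 401 while plain alphanumeric text still verifies. All keys, secrets, the nonce and the two "buggy client" encoders are constructed for illustration; the URL is assumed to carry no query string.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    """OAuth 1.0 encoding: UTF-8 bytes, everything but A-Z a-z 0-9 - . _ ~ escaped."""
    return quote(value, safe="~", encoding="utf-8")


def pct_latin1(value):
    """Hypothetical client bug: escapes the Latin-1 bytes instead of the UTF-8 bytes."""
    return quote(value, safe="~", encoding="latin-1")


def raw(value):
    """Hypothetical client bug: signs the text without normalizing it at all."""
    return value


def signature_base_string(method, url, params, enc=pct):
    # Encode every name and value, sort the encoded pairs, and leave
    # oauth_signature out: it is appended to the request after signing.
    pairs = sorted((enc(k), enc(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(k + "=" + v for k, v in pairs)
    # The joined parameter string is encoded once more, so a space in the
    # status ends up as %2520 in the base string.
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(base_string, consumer_secret, token_secret=""):
    # HMAC-SHA1 key: both secrets joined by "&". The "&" is present even when
    # there is no token secret yet (the request_token step).
    key = pct(consumer_secret) + "&" + pct(token_secret)
    digest = hmac.new(key.encode("ascii"), base_string.encode("ascii"),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def server_accepts(method, url, params, presented, consumer_secret, token_secret):
    """What the verifying side does: rebuild the signature and compare."""
    expected = sign(signature_base_string(method, url, params),
                    consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


# Constructed sample values, not real credentials.
URL = "http://api.twitter.com/1/statuses/update.xml"
CONSUMER_SECRET = "constructed-consumer-secret"
TOKEN_SECRET = "constructed-token-secret"


def sample_params(status):
    return {
        "status": status,
        "oauth_version": "1.0",
        "oauth_timestamp": "1266500000",
        "oauth_nonce": "constructed-nonce",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_token": "constructed-token",
        "oauth_consumer_key": "constructed-consumer-key",
    }


def outcome(status, client_enc):
    """Return 200 or 401 for a status signed by a client that uses client_enc."""
    params = sample_params(status)
    base = signature_base_string("POST", URL, params, enc=client_enc)
    presented = sign(base, CONSUMER_SECRET, TOKEN_SECRET)
    ok = server_accepts("POST", URL, params, presented,
                        CONSUMER_SECRET, TOKEN_SECRET)
    return 200 if ok else 401


if __name__ == "__main__":
    for status in ("testing", "testing testing", "caf\u00e9"):
        for enc in (pct, pct_latin1, raw):
            print(repr(status), enc.__name__, outcome(status, enc))
```

The verifier compares with `hmac.compare_digest`, so the check does not leak how many leading characters of a presented signature were correct.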
Re: [twitter-dev] oauth request token failing
Why are you doing this?

    StringBuilder params = new StringBuilder();
    params.append(encode("oauth_consumer_key")); params.append("=\""); params.append(encode(CONSUMER_KEY)); params.append("\", ");
    params.append(encode("oauth_signature_method")); params.append("=\""); params.append(encode("HMAC-SHA1")); params.append("\", ");
    params.append(encode("oauth_signature")); params.append("=\""); params.append(encode(sig)); params.append("\", ");
    params.append(encode("oauth_timestamp")); params.append("=\""); params.append(encode(Long.toString(timestamp))); params.append("\", ");
    params.append(encode("oauth_nonce")); params.append("=\""); params.append(encode(Long.toString(timestamp + tmp.nextInt(1000)))); params.append("\", ");
    params.append(encode("oauth_version")); params.append("=\""); params.append(encode("1.0")); params.append("\"");

Are you putting quotation marks around the values?

Ryan

On Wed, Feb 17, 2010 at 2:37 PM, Berto mstbe...@gmail.com wrote:

Hey guys,

I'm writing a client in java and trying to use oauth to get an access token. However, I keep getting an IOException which essentially means I'm getting an HTTP 401 error back (unauthorized). I've verified that my signature algorithm is correct by using some provided examples over at oauth.net, but nothing seems to be working for me. Does the consumer key need an & after it? I'm using the exact values provided via the register oauth client page.

Here's a snippet of the code:

    HttpURLConnection connection = null;
    BufferedReader reader = null;
    StringBuilder responseBuilder;
    Date date = new Date();
    long time = date.getTime();
    long timestamp = time / 1000;
    Random tmp = new Random();
    try {
        StringBuilder stuff = new StringBuilder();
        stuff.append(encode("oauth_consumer_key")); stuff.append("="); stuff.append(encode(CONSUMER_KEY)); stuff.append("&");
        stuff.append(encode("oauth_nonce")); stuff.append("="); stuff.append(encode(Long.toString(timestamp + tmp.nextInt(1000)))); stuff.append("&");
        stuff.append(encode("oauth_signature_method")); stuff.append("="); stuff.append(encode("HMAC-SHA1")); stuff.append("&");
        stuff.append(encode("oauth_timestamp")); stuff.append("="); stuff.append(encode(Long.toString(timestamp))); stuff.append("&");
        stuff.append(encode("oauth_version")); stuff.append("="); stuff.append(encode("1.0"));

        StringBuffer base = new StringBuffer("GET").append("&")
            .append(encode("http://twitter.com/oauth/request_token")).append("&");
        base.append(encode(stuff.toString()));
        String oauthBaseString = base.toString();
        String sig = signature(oauthBaseString, CONSUMER_SECRET);

        StringBuilder params = new StringBuilder();
        params.append(encode("oauth_consumer_key")); params.append("=\""); params.append(encode(CONSUMER_KEY)); params.append("\", ");
        params.append(encode("oauth_signature_method")); params.append("=\""); params.append(encode("HMAC-SHA1")); params.append("\", ");
        params.append(encode("oauth_signature")); params.append("=\""); params.append(encode(sig)); params.append("\", ");
        params.append(encode("oauth_timestamp")); params.append("=\""); params.append(encode(Long.toString(timestamp))); params.append("\", ");
        params.append(encode("oauth_nonce")); params.append("=\""); params.append(encode(Long.toString(timestamp + tmp.nextInt(1000)))); params.append("\", ");
        params.append(encode("oauth_version")); params.append("=\""); params.append(encode("1.0")); params.append("\"");

        // Prepare the connection
        URL url = new URL("http://twitter.com/oauth/request_token");
        connection = (HttpURLConnection) url.openConnection();
        connection.setRequestMethod("GET");
        connection.setRequestProperty("WWW-Authenticate", "OAuth " + params.toString());
        connection.setConnectTimeout(3);
        connection.setReadTimeout(3);
        // Read the response
Re: [twitter-dev] oauth request token failing
Can you post the URL with querystring parameters when you make the request? Ryan On Wed, Feb 17, 2010 at 4:51 PM, Ryan Alford ryanalford...@gmail.comwrote: Why are you doing this? StringBuilder params = new StringBuilder(); params.append(encode(oauth_consumer_key)); params.append(=\); params.append(encode(CONSUMER_KEY)); params.append(\, ); params.append(encode(oauth_signature_method)); params.append(=\); params.append(encode(HMAC-SHA1)); params.append(\, ); params.append(encode(oauth_signature)); params.append(=\); params.append(encode(sig)); params.append(\, ); params.append(encode(oauth_timestamp)); params.append(=\); params.append(encode(Long.toString(timestamp))); params.append(\, ); params.append(encode(oauth_nonce)); params.append(=\); params.append(encode(Long.toString(timestamp + tmp.nextInt(1000; params.append(\, ); params.append(encode(oauth_version)); params.append(=\); params.append(encode(1.0)); params.append(\); Are you putting quotation marks around the values? Ryan On Wed, Feb 17, 2010 at 2:37 PM, Berto mstbe...@gmail.com wrote: Hey guys, I'm writing a client in java and trying to use oauth to get an access token. However, I keep getting an IOException which essentially means I'm getting an HTTP 401 error back (unauthorized). I've verified that my signature algorithm is correct by using some provided examples over at oauth.net, but nothing seems to be working for me. Does the consumer key need an after it? I'm using the exact values provided via the register oauth client page. 
Re: [twitter-dev] Re: oauth request token failing
Your querystring parameters are in the wrong order. You have the oauth_nonce AFTER oauth_timestamp. It needs to be before it. The parameters must be in order. Ryan Sent from my DROID

On Feb 17, 2010 6:18 PM, Berto mstbe...@gmail.com wrote: To answer the first email, I was doing that so I could put it in the request header's authorization field to get this effect: (Taken from oauth.net)

    Authorization: OAuth realm="http://sp.example.com/", oauth_consumer_key="0685bd9184jfhq22", oauth_token="ad180jjd733klru7", oauth_signature_method="HMAC-SHA1", oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D", oauth_timestamp="137131200", oauth_nonce="4572616e48616d6d65724c61686176", oauth_version="1.0"

Then, I thought it might need to go into the WWW-Authenticate field as opposed to the Authorization field so I tried that too with no success. I've also just tried formatting them as GET parameters and attaching them to the request URL, but that isn't working either. It would look like:

    http://twitter.com/oauth/request_token?oauth_consumer_key= value&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1266440918&oauth_nonce=1266440928&oauth_version=1.0&oauth_signature=l%2BYDrTyWGpvDu3owDlVQLakzVns%3D

On Feb 17, 3:52 pm, Ryan Alford ryanalford...@gmail.com wrote: Can you post the URL with querys... On Wed, Feb 17, 2010 at 4:51 PM, Ryan Alford ryanalford...@gmail.com wrote: Why are you doing this? StringBuilder params = new StringBuilder(); ... On Wed, Feb 17, 2010 at 2:37 PM, Berto mstbe...@gmail.com wrote: Hey guys, I'm w...
Re: [twitter-dev] Re: oauth request token failing
You order all parameters EXCEPT the signature, then create the signature, then append the signature to the end. All other parameters should be in order. Ryan

On Wed, Feb 17, 2010 at 6:42 PM, Berto mstbe...@gmail.com wrote: I thought that was only for the signature which is in the right order?

Ryan Alford wrote: Your querystring parameters are in the wrong order. You have the oauth_nonce AFTER oauth_timestamp. It needs to be before it. The parameters must be in order. Ryan Sent from my DROID

On Feb 17, 2010 6:18 PM, Berto mstbe...@gmail.com wrote: To answer the first email, I was doing that so I could put it in the request header's authorization field to get this effect: (Taken from oauth.net)

    Authorization: OAuth realm="http://sp.example.com/", oauth_consumer_key="0685bd9184jfhq22", oauth_token="ad180jjd733klru7", oauth_signature_method="HMAC-SHA1", oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D", oauth_timestamp="137131200", oauth_nonce="4572616e48616d6d65724c61686176", oauth_version="1.0"

Then, I thought it might need to go into the WWW-Authenticate field as opposed to the Authorization field so I tried that too with no success. I've also just tried formatting them as GET parameters and attaching them to the request URL, but that isn't working either. It would look like:

    http://twitter.com/oauth/request_token?oauth_consumer_key= value&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1266440918&oauth_nonce=1266440928&oauth_version=1.0&oauth_signature=l%2BYDrTyWGpvDu3owDlVQLakzVns%3D

On Feb 17, 3:52 pm, Ryan Alford ryanalford...@gmail.com wrote: Can you post the URL with querys... On Wed, Feb 17, 2010 at 4:51 PM, Ryan Alford ryanalford...@gmail.com wrote: Why are you doing this? StringBuilder params = new StringBuilder(); ... On Wed, Feb 17, 2010 at 2:37 PM, Berto mstbe...@gmail.com wrote: Hey guys, I'm w...
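The signing steps discussed in this thread (sort every parameter except oauth_signature, build the base string, sign it, then send exactly the values that were signed), as an added example that is not code from any poster or from Twitter. It is written in Python rather than the Java of the original snippet, it also covers requests that carry extra parameters such as status, and the key, secret, nonce and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value):
    """OAuth 1.0 percent-encoding: everything except A-Z a-z 0-9 - . _ ~ is escaped."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & encoded URL & encoded, sorted parameter string (oauth_signature excluded)."""
    # Names and values are encoded first, then sorted by encoded name (ties by value).
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    # Assumption: `url` is passed without its query string.
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string. The key keeps its '&' even when there is no token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    base = signature_base_string(method, url, params).encode("ascii")
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode("ascii")


def oauth_params(consumer_key, token=None, nonce=None, timestamp=None):
    """Protocol parameters, generated once so the signed and the sent values are identical."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        params["oauth_token"] = token
    return params


def signed_request(method, url, consumer_key, consumer_secret, token=None,
                   token_secret="", extra=None, nonce=None, timestamp=None):
    """Return (value for the Authorization request header, query string for extra params)."""
    oauth = oauth_params(consumer_key, token, nonce, timestamp)
    extra = dict(extra or {})
    # Non-OAuth parameters such as `status` are signed together with the oauth_* ones.
    signature = sign(method, url, {**oauth, **extra}, consumer_secret, token_secret)
    # Sorted oauth_* fields with the signature appended last, each value quoted.
    fields = sorted(oauth.items()) + [("oauth_signature", signature)]
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in fields)
    query = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(extra.items()))
    return header, query


if __name__ == "__main__":
    # Constructed credentials; the timestamp is the one quoted in the thread.
    header, query = signed_request(
        "GET", "http://twitter.com/oauth/request_token",
        "CONSTRUCTED_KEY", "CONSTRUCTED_SECRET",
        nonce="abc123", timestamp=1266440918,
    )
    print("Authorization:", header)
    header, query = signed_request(
        "POST", "http://twitter.com/statuses/update.xml",
        "CONSTRUCTED_KEY", "CONSTRUCTED_SECRET",
        token="CONSTRUCTED_TOKEN", token_secret="CONSTRUCTED_TOKEN_SECRET",
        extra={"status": "hello world"}, nonce="abc123", timestamp=1266440918,
    )
    print("Authorization:", header)
    print("Query:", query)
```

Inside the base string a value such as `hello world` appears as `hello%2520world`, because the already encoded parameter string is encoded a second time; in the request itself it is sent as `hello%20world`.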
Re: [twitter-dev] Re: Application Suspended
Is it even worse that Raffi has seen this thread and posted in it, and still not a peep? You would think that he would look into it and help out, or contact somebody that could look into it. It seems like they just have their head in the sand. Ryan On Tue, Feb 16, 2010 at 9:13 AM, Jim Fulford j...@fulford.me wrote: 5 Days now and application is still down and no response at all from Twitter on my Support Ticket. Beware of Oauth, Twitter can disable your site in a second with no notice. I have still not gotten any feedback, communication of any kind. The only nice thing about this process is that my users have been patient and understanding. Wish I could say the same about Twitter. See Below -- easyduzzit sent a message using the contact form at http://www.gotwitr.com/contact. When I look in my Twitter connections your service appears as follows: GoTwitr by Phazer Systems Suspended. I'd appreciate knowing if there is anything your customers can do to let Twitter know we appreciate your service.
Re: [twitter-dev] Re: What's up with OAuth?
If I am not mistaken, the oauth_verifier is for the PIN. So if you are not a desktop app, then it's not required. Ryan Sent from my DROID On Feb 14, 2010 1:04 AM, jon jonhoff...@gmail.com wrote: It worked for a one time oauth conversion for about 3000 accounts (i ran a batch job across five processes and think it took an hour or so to finish)-- however, that was back in may. the script was also written pre oauth 1.0a, so there's no oauth_verifier. I'm not sure if that's required now. On Feb 13, 11:41 am, Dewald Pretorius dpr...@gmail.com wrote: Mmmm it looks as if you're sc...
Re: [twitter-dev] Re: Looking for someone to help with oauth
You can ask technical questions here. You had developers that gave up because of cookie handling? Uhhh... Ryan Sent from my DROID On Feb 13, 2010 10:44 AM, Merrows sa...@merrows.co.uk wrote: Thanks for all the interesting comments. Actually I have found it hard to locate the expertise. I have some code samples already, but I really need someone or at least a technical forum (similar to the kind of thing for Google Products which allows QA type of messages) for twitter. Is there anything like that for twitter or is this it? I have already hired a few developers for this task, and they implement Basic Auth, or they just give up as finding the code too hard (mainly handling the callbacks and cookie handling seems the hard part). If anyone is interested the actual application it is a new site called www.fullbe.com I am building which will allow users to comment on products via their twitter names. On Feb 11, 6:02 pm, alexro arodyg...@gmail.com wrote: Also check out LinqToTwitter, it includes... http://twittervb.codeplex.com
Re: [twitter-dev] Re: What's up with OAuth?
He specifically states the possibility for mobile apps to use xAuth. Ryan Sent from my DROID On Feb 11, 2010 11:27 PM, kehers keh...@gmail.com wrote: Talking xAuth, hope mobile apps count as 'applications except web applications'
Re: [twitter-dev] Looking for someone to help with oauth
I have implemented OAuth into my own WPF application (written in C#). You can view my library at CodePlex. http://twiteclipseapi.codeplex.com/ Ryan On Wed, Feb 10, 2010 at 9:48 AM, Merrows sa...@merrows.co.uk wrote: I am seeking someone skilled in .NET 3.5, C# to help with implementing twitter oauth, and I would welcome any suggestions of how to find someone.
Re: [twitter-dev] Re: oAuth and more users?
The user doesn't actually create their OAuth tokens manually. The tokens are created automatically by Twitter and given to you through responses after the user has given your application permission to their account. Ryan On Wed, Feb 10, 2010 at 8:27 AM, _Bensn benjaminroh...@t-online.de wrote: And where get the users their own keys to use the application with their own twitter account? (e.g tweet deck) On 9 Feb., 18:29, John Meyer john.l.me...@gmail.com wrote: On 2/9/2010 10:03 AM, ryan alford wrote: So you are saying that the user of a third party application must register a completely new consumer key and consumer secret? Again, you have your terminology wrong. They get a completely new set of oAuth tokens. Same as the fact that every user of twitter has to register his or her own Twitter username/password So when TweetDeck goes to OAuth, every user will create their own consumer key and consumer secret, therefore, having 10s of thousands of TweetDeck applications registered? No. One TweetDeck application is registered. Those users have just authorized TweetDeck to access their application.
Re: [twitter-dev] Re: oAuth and more users?
Your users should not be required to get their own consumer key and consumer secret. Ryan Sent from my DROID On Feb 9, 2010 10:04 AM, _Bensn benjaminroh...@t-online.de wrote: Where can they create their own keys? here - https://twitter.com/apps/new ? On 8 Feb., 18:55, John Meyer john.l.me...@gmail.com wrote: On 2/8/2010 7:25 AM, _Bensn wrote: Hi there, is it possible to develope a twitter appl...
Re: [twitter-dev] Re: oAuth and more users?
Yes it does seem backwards. I made my statement because the link he gave was for application consumer keys, not the OAuth tokens. Ryan Sent from my DROID On Feb 9, 2010 11:27 AM, John Meyer john.l.me...@gmail.com wrote: On 2/9/2010 9:20 AM, ryan alford wrote: Your users should not be required to get their own consumer key and consumer secret. Ryan ... On Feb 9, 2010 10:04 AM, _Bensn benjaminroh...@t-online.de wrote: Where can they create their own keys? here - ht... They create their own (oAuth) keys for that app by authorizing it through twitter. And while we're on this point, whose idea was it to name the keys that the applications have _Consumer_ keys while the consumers have oAuth Tokens? Seems totally counter-intuitive to me.
Re: [twitter-dev] Re: oAuth and more users?
So you are saying that the user of a third party application must register a completely new consumer key and consumer secret? So when TweetDeck goes to OAuth, every user will create their own consumer key and consumer secret, therefore, having 10s of thousands of TweetDeck applications registered? I am talking about the user going to the site where you have to give it a name, tell twitter whether it's a desktop or web application, and fill in the other information? Is that what every user is going to have to do? Sent from my DROID On Feb 9, 2010 11:53 AM, John Meyer john.l.me...@gmail.com wrote: On 2/9/2010 8:09 AM, _Bensn wrote: @ John Meyer - thanks for editing my post with the url. Is ... Yeah. It might be construed as more effort than a basic authentication, but I don't believe it is that onerous. The big issue is the web interface and how it breaks the look of the application.
Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works
Does it fail every time? I will test mine when I get to work in about an hour. Ryan Sent from my DROID On Feb 4, 2010 12:23 AM, Duane Roelands duane.roela...@gmail.com wrote: And please forgive my obnoxious tone; I'm tired and frustrated. :) On Feb 4, 12:05 am, Duane Roelands duane.roela...@gmail.com wrote: Ryan: If posting Hello ...
Re: [twitter-dev] .NET and oAuth update problems
I just did a test with this status... Testing my Twitter OAuth library with some special characters !?:*^%...@!~`=+-_ and it went through without any errors and posted the correct status. Ryan On Wed, Feb 3, 2010 at 8:02 PM, ryan alford ryanalford...@gmail.com wrote: I don't know which version (if there are multiple versions). I downloaded it in October I believe. Ryan Sent from my DROID On Feb 3, 2010 7:59 PM, Andrew Badera and...@badera.us wrote: From Shannon's original stuff, or something more recent? I'd worked with OAuthBase.cs in the past, but seemed to recall there were explicit exceptions in that ver of that stuff ... maybe a year ago now? --ab On Wed, Feb 3, 2010 at 7:57 PM, ryan alford ryanalford...@gmail.com wrote: I don't want to tak...
Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works
I just posted this status using my library with OAuth and it worked fine.. Testing my Twitter OAuth library with some special characters !?:*^%...@!~`=+-_ Ryan On Thu, Feb 4, 2010 at 6:19 AM, Bhavani Sankar Sikakolli b.san...@gmail.com wrote: Yes, it fails every time. I have checked to see that I am configuring everything the right way. On Thu, Feb 4, 2010 at 4:43 PM, ryan alford ryanalford...@gmail.com wrote: Does it fail every time? I will test mine when I get to work in about an hour. Ryan Sent from my DROID On Feb 4, 2010 12:23 AM, Duane Roelands duane.roela...@gmail.com wrote: And please forgive my obnoxious tone; I'm tired and frustrated. :) On Feb 4, 12:05 am, Duane Roelands duane.roela...@gmail.com wrote: Ryan: If posting Hello ...
Re: [twitter-dev] .NET and oAuth update problems
I have it working and have had it working for months. My code is open-source and written in C#. http://twiteclipseapi.codeplex.com/ I haven't tried every special character, though I haven't run across a character that didn't work. Ryan Sent from my DROID On Feb 3, 2010 6:53 PM, Andrew Badera and...@badera.us wrote: Are you following the proper URL encoding? Basic .NET URLEncode doesn't meet OAuth's encoding spec. I forget what it is offhand, but they aren't 100% equivalent. ∞ Andy Badera ∞ +1 518-641-1280 Google Voice ∞ This email is: [ ] bloggable [x] ask first [ ] private ∞ Google me: http://www.google.com/search?q=andrew%20badera On Wed, Feb 3, 2010 at 6:50 PM, John Meyer john.l.me...@gmail.com wrote: has anybody on a .NE...
Re: [twitter-dev] .NET and oAuth update problems
I don't want to take credit for it as it is from Shannon Whitley's OAuth library. Ryan Sent from my DROID On Feb 3, 2010 7:53 PM, Andrew Badera and...@badera.us wrote: Interesting, for some reason I thought there were a few explicit exceptions that had to be made, but your solution looks pretty elegant. --ab On Wed, Feb 3, 2010 at 7:48 PM, ryan alford ryanalford...@gmail.com wrote: I have it working ...
Re: [twitter-dev] .NET and oAuth update problems
I don't know which version (if there are multiple versions). I downloaded it in October I believe. Ryan Sent from my DROID On Feb 3, 2010 7:59 PM, Andrew Badera and...@badera.us wrote: From Shannon's original stuff, or something more recent? I'd worked with OAuthBase.cs in the past, but seemed to recall there were explicit exceptions in that ver of that stuff ... maybe a year ago now? --ab On Wed, Feb 3, 2010 at 7:57 PM, ryan alford ryanalford...@gmail.com wrote: I don't want to tak...
Re: [twitter-dev] Mobile java client - happy with OAuth as it is
Another problem with this approach is that you are now required to have a server. So now a developer would have the added expense of paying for a server. Now if the developer already had a server, then it's a moot point, but not all developers have their own hosted servers. What happens when your server goes down, or your hosting provider has connectivity problems? Your app is now dead, even though Twitter is still functioning normally. Ryan On Tue, Feb 2, 2010 at 7:08 AM, Anton Krasovsky anton.krasov...@gmail.com wrote: With all that talk about OAuth, I thought I might share my experience using it in for a mobile (j2me) twitter client. I guess my approach is nothing new, and probably is not applicable to iPhone apps because of the appstore distribution process, but anyways. So the way I handle OAuth is as follows: All application downloads are handled by my own server. Before allowing user to download the app I initiate OAuth authorization with Twitter and then, save user tokens along with generated unique id for a user. Once authorized, user is permitted to download the application which is tagged with that unique user id I generated earlier. Once user starts the app, it uses its id to authenticate itself to my server. All communication between Twitter and user's application is handled/proxied by the server that performs all necessary oauth signing on behalf of the user. So, this way I have all benefits of using OAuth in a mobile app. The only drawback really, is that user must visit my web site at least once to perform authorization. Regards, Anton http://pavo.me
Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works
Remember that the status update is different from most of the other requests, because it adds the status parameter that is not in the other requests. This means that it needs to be part of the query string and also the signature. Leaving this out could cause an issue. Ryan Sent from my DROID

On Feb 2, 2010 10:03 PM, ohauske ovonhau...@gmail.com wrote: Hi Ryan, I tried getting the home timeline and a couple of other methods and everything works, everything except the update status here's my request:

    http://twitter.com/statuses/update.xml?oauth_consumer_key=**&oauth_nonce=d985f559241ea3ba0fc9d6ae842e87a3&oauth_signature=hgWo0cdbttaQnUEEWkFU1USCjMc%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1265164536&oauth_token=***&oauth_version=1.0&status=%5C%27hello%5C%27

I'm using this library http://code.google.com/p/oauth/

On Jan 29, 6:10 am, ryan alford ryanalford...@gmail.com wrote: Try getting the home timeline and... On Jan 28, 2010 11:14 PM, arian cabezas arian.cabe...@gmail.com wrote: Hi Ryan. I'm havi...
Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works
Try getting the home timeline and see if you get the incorrect signature message. Ryan Sent from my DROID On Jan 28, 2010 11:14 PM, arian cabezas arian.cabe...@gmail.com wrote: Hi Ryan. I'm having the same problem with the statuses/update using the php library provided by Twitter, name as : Twitter-async, as said eco_bach i verified my signatures and i receive information back on verify credentials (and no 'incorrect signature' error), it's really rare what it's happening because some times it works and some times appear when a do a "$connection->post('statuses/update', array('status' => $statusStr))" the mysterious message "incorrect signatures" as response. I don't know what to do, because i'm following all the stuffs that are described on the Twitter-async API. It began to happen the last Tuesday 26th. My regards. Arian On 27 ene, 00:30, ryan alford ryanalford...@gmail.com wrote: It is still a POST, you just don't... On Jan 26, 2010 4:32 PM, eco_bach bac...@gmail.com wrote: Hi Ryan Changed to 'GET' and i...
Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works
I still don't see your status in the query string of the URL. I see it in string for the signature, but in your actual URL, it's not there. This is my entire URL when posting a status update:

    http://twitter.com/statuses/update.xml?oauth_consumer_key=**&oauth_nonce=57a0d0d1-89e9-4f73-ac3d-f2f26bb2a56d&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1264530600&oauth_token=36116361-8YRR4w9rRwz7HOc0nYTMmNWjCDrQdFYtnPwsiP7jm&oauth_version=1.0&status=really%20ready%20for%20the%20game%20tonight&oauth_signature=EGq5udax8bM5yuoZhJC0cIbM8uA%3d

notice how my status is a query string parameter also. I don't see that in yours. Ryan

On Tue, Jan 26, 2010 at 12:50 PM, eco_bach bac...@gmail.com wrote: Ryan Still 'Incorrect signature' Here's my BASE signature query string BEFORE % encoding (NOTE all SORTED and asterisks for my consumer key!)

    oauth_consumer_key=&oauth_nonce=16EAFA36-2A91-32A5-4A5C-6BB80EF9B45B&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1264527609&oauth_token=9353572-G8h52Icbe0cjWIMl59fepUofRxoHzHznhzEwo9oqI&status=having some fun getting OAuth and the Twitter api working

This is my final request URL, the %253D at the end of my signature looks suspect, doubly encoded? But pretty sure worked with verify credentials

    request.url==http://www.bitstream.ca/twitter/proxy.php?path=http%3A%2F%2Ftwitter.com%2Fstatuses%2Fupdate.json%3Foauth_consumer_key%3D%26oauth_nonce%3D16EAFA36-2A91-32A5-4A5C-6BB80EF9B45B%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1264527609%26oauth_token%3D9353572-G8h52Icbe0cjWIMl59fepUofRxoHzHznhzEwo9oqI%26oauth_signature%3D5QuhEDae4gZHAxel8JVwLwkQ5J4%253D
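The comparison made by hand in the reply above (which parameters were signed versus which were actually sent in the URL), as an added example that is not code from the thread. The base string, URLs, proxy host and signature value are constructed; a URL wrapped in a proxy's `path` parameter is unwrapped once before checking, since the wrapper itself adds one level of encoding, and the double-encoding check is a heuristic.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# "%25" followed by two hex digits means an escape was itself escaped.
DOUBLE_ENCODED = re.compile(r"%25[0-9A-Fa-f]{2}")

# Constructed signature base string that includes the status parameter.
BASE_STRING = (
    "POST&http%3A%2F%2Ftwitter.com%2Fstatuses%2Fupdate.json&"
    "oauth_consumer_key%3DCONSTRUCTED_KEY%26oauth_nonce%3Dabc123%26"
    "oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1264527609%26"
    "oauth_token%3DCONSTRUCTED_TOKEN%26oauth_version%3D1.0%26status%3Dhello%2520world"
)

# Constructed request sent through a proxy script: no status in the inner query.
PROXIED_URL = (
    "http://proxy.example/proxy.php?path=http%3A%2F%2Ftwitter.com%2Fstatuses%2Fupdate.json%3F"
    "oauth_consumer_key%3DCONSTRUCTED_KEY%26oauth_nonce%3Dabc123%26"
    "oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1264527609%26"
    "oauth_token%3DCONSTRUCTED_TOKEN%26oauth_version%3D1.0%26"
    "oauth_signature%3DQ09OU1RSVUNURUQ%253D"
)

# Constructed direct request: status present, but the signature is encoded twice.
DIRECT_URL = (
    "http://twitter.com/statuses/update.json?"
    "oauth_consumer_key=CONSTRUCTED_KEY&oauth_nonce=abc123&"
    "oauth_signature_method=HMAC-SHA1&oauth_timestamp=1264527609&"
    "oauth_token=CONSTRUCTED_TOKEN&oauth_version=1.0&status=hello%20world&"
    "oauth_signature=Q09OU1RSVUNURUQ%253D"
)


def signed_names(base_string):
    """Parameter names covered by the signature, recovered from the base string."""
    _method, _url, normalized = base_string.split("&", 2)
    pairs = unquote(normalized).split("&")
    return {unquote(pair.split("=", 1)[0]) for pair in pairs if pair}


def unwrap(url, wrapper_param="path"):
    """Return the inner URL when the request is wrapped as ?path=<encoded URL>."""
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name == wrapper_param and value.startswith(("http://", "https://")):
            return value
    return url


def sent_pairs(url):
    """Raw (still encoded) name/value pairs of the query string that reaches the API."""
    query = urlsplit(unwrap(url)).query
    return dict(part.partition("=")[::2] for part in query.split("&") if part)


def audit(base_string, request_url):
    """List mismatches between what was signed and what was sent."""
    signed = signed_names(base_string)
    sent = sent_pairs(request_url)
    sent_names = {unquote(name) for name in sent} - {"oauth_signature"}
    findings = [("signed_but_not_sent", n) for n in sorted(signed - sent_names)]
    findings += [("sent_but_not_signed", n) for n in sorted(sent_names - signed)]
    findings += [("double_encoded", unquote(n))
                 for n, raw in sorted(sent.items()) if DOUBLE_ENCODED.search(raw)]
    if "oauth_signature" not in sent:
        findings.append(("missing", "oauth_signature"))
    return findings


if __name__ == "__main__":
    for label, url in (("proxied", PROXIED_URL), ("direct", DIRECT_URL)):
        print(label, audit(BASE_STRING, url))
```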
Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works
Don't do the POST request data. You do that for Basic Auth, but not for OAuth. Ryan On Tue, Jan 26, 2010 at 1:44 PM, eco_bach bac...@gmail.com wrote: Ryan Since its a POST its part of my request.data. Didn't think I also needed as part of my query string but will try. Do you know if there is an official Twitter Oauth test page like http://developer.netflix.com/resources/OAuthTest or Google's? http://oauth.googlecode.com/svn/code/javascript/example/signature.html Tried both and getting a different signature value, so my next question is If I receive information back on verify credentials (and no 'incorrect signature' error), am I safe to assume my signature generation is correct?
Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works
Yes, you could assume your signature creation is correct for most API calls. However, as you see with the update status API call, it has the extra parameter that is the status. Ryan On Tue, Jan 26, 2010 at 1:46 PM, ryan alford ryanalford...@gmail.com wrote: Don't do the POST request data. You do that for Basic Auth, but not for OAuth. Ryan On Tue, Jan 26, 2010 at 1:44 PM, eco_bach bac...@gmail.com wrote: Ryan Since its a POST its part of my request.data. Didn't think I also needed as part of my query string but will try. Do you know if there is an official Twitter Oauth test page like http://developer.netflix.com/resources/OAuthTest or Google's? http://oauth.googlecode.com/svn/code/javascript/example/signature.html Tried both and getting a different signature value, so my next question is If I receive information back on verify credentials (and no 'incorrect signature' error), am I safe to assume my signature generation is correct?
Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works
The hash algorithm can produce both upper and lower case letters.. Ryan On Tue, Jan 26, 2010 at 1:53 PM, eco_bach bac...@gmail.com wrote: Also noticed, minor thing, but your signature ends in '%253d' Mine in uppercase '%253D'
Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works
It is still a POST, you just don't write the post data to the request. That post data is now in the query string where Twitter is expecting it. Ryan Sent from my DROID On Jan 26, 2010 4:32 PM, eco_bach bac...@gmail.com wrote: Hi Ryan Changed to 'GET' and it seems I still get the Incorrect signature. error And the second time I try to update status, I also get 'This method requires a POST.' error.
Re: [twitter-dev] Re: getting more information than 'Could not authenticate...'
Are you putting the status parameter in the query string? If not, you should be, or at least, that's what I had to do to get it to work. Ryan On Mon, Jan 25, 2010 at 8:22 AM, eco_bach bac...@gmail.com wrote: Hi Michael Good point. Actionscript 3. Choices are Twitterscript and Tweetr. As far as I know, Twitterscript has no example using OAuth. And Tweetr has no example of working with browser based web authentication WITHOUT also requiring the PIN handshake. If you think I am wrong in NOT choosing either of the above, would appreciate your rationale. After some research, decided to use as a base what Sonke Rohde has done http://soenkerohde.com/2010/01/twitter-as3-oauth-lib-with-flex-4-example/ Sonke's example is Flex4 and for an AIR application, so I've modified it quite a bit to work for an Actionscript only web application. Sonke in turn is using code this open source project to create requests, generate signatures http://code.google.com/p/oauth-as3/ The fact that I've gotten OAuth to work up to the point of verify credentials working would seem to indicate that I am at least on the right path. And I've learned a heck of a lot as well;) Perhaps what I'm trying to do isn't possible (ie creating browser based web OAuth authentication WITHOUT also requiring the PIN handshake) but I'm determined to find out if this is the case.
Re: [twitter-dev] Not able to read unicode from Twitter Response XML in C#.net
Can you paste an example of the bad characters as .Net shows them, and what they should really be? Ryan On Mon, Jan 25, 2010 at 5:36 AM, Rejeev rejeevtho...@gmail.com wrote: Hi all, My Twitter response XML contains some unicode characters, I am not able to read that in C#.net. It's showing junk characters. Please help me to read that in proper text. Thanks, Rejeev
Re: [twitter-dev] Re: Can new twitter account be created from API?
If Twitter allowed the API to create new accounts, what's to say that somebody won't create a script to create millions of new accounts? Ryan On Mon, Jan 25, 2010 at 11:22 AM, Cameron Kaiser spec...@floodgap.com wrote: Or is the reason this is not implemented anywhere is because this sort of thing is not allowed by Twitter? Correct. -- personal: http://www.cameronkaiser.com/ -- Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com -- When life gives you lemons, make it into a blog and get comments. -- Locke -
Re: [twitter-dev] 'Incorrect signature' on status update with OAuth when verify credentials works
I am just wondering why you can't keep all of your questions in the same thread? If somebody was having the same issues as you, they would have to look through 10+ of your threads. To try to answer the question, are you including the status parameter as part of the query string, which in turn, will be part of the signature? Ryan On Mon, Jan 25, 2010 at 10:17 PM, eco_bach bac...@gmail.com wrote: Almost there... Already googled this error and changed my request from http to https. Still getting same error... Any suggestions?
Re: [twitter-dev] Re: sqllite command for writing to local DB
Searching Google for writing data to sqlite java would help you out. Sent from my DROID On Jan 24, 2010 7:41 PM, Kidd jva...@gmail.com wrote: Bump!!? On Jan 17, 3:38 pm, Kidd jva...@gmail.com wrote: Hello all, I'm trying to capture data from...
Re: [twitter-dev] Re: sqllite command for writing to local DB
Not java though. Thought this was the Android email list Sent from my DROID On Jan 24, 2010 7:41 PM, Kidd jva...@gmail.com wrote: Bump!!? On Jan 17, 3:38 pm, Kidd jva...@gmail.com wrote: Hello all, I'm trying to capture data from...
Re: [twitter-dev] Rate limits
If I am not mistaken, the reset time in seconds is the number of seconds from 1/1/1970. Ryan Sent from my DROID On Jan 24, 2010 8:42 PM, EastSideDev eastside...@gmail.com wrote: When I get the rate_limit_status.xml, this is what I get: Array ( [hash] => Array ( [hourly-limit] => Array ( [content] => 2 [attributes] => Array ( [type] => integer ) ) [reset-time-in-seconds] => Array ( [content] => 1264386634 [attributes] => Array ( [type] => integer ) ) [reset-time] => Array ( [content] => 2010-01-25T02:30:34+00:00 [attributes] => Array ( [type] => datetime ) ) [remaining-hits] => Array ( [content] => 2 [attributes] => Array ( [type] => integer ) ) ) ) The value for [reset-time-in-seconds] cannot be right. The reset time seems right, but I would rather work with an integer value. What am I doing wrong? Is this a Twitter API bug?
Re: [twitter-dev] Better understanding of 'signature'
That is one of your problems. The signature needs to be created for each request. Here is how I do it in C#. I know it's not the language you are using, but hopefully it will help on how to create the signature. Then you can use similar libraries in Flash (if there are similar libraries) to make your signature. http://codepaste.net/mhqqg3 Ryan On Fri, Jan 22, 2010 at 2:11 PM, eco_bach bac...@gmail.com wrote: Hi My OAuth sign In process is failing to verify my signature, so I thought I should at least ensure I understand the meaning of the term. Every time my web application launches, it generates a unique signature, which doesn't change for the current session. ie, if I quit the application, then restart, a new signature is generated. This signature should be appended to the end of my initial request token request my access token request my verify credentials request and my status update requests. Am I correct in the above?
Re: [twitter-dev] Confused about OAuth 1.0 vs 1.0a and Twitter API docs
If you look at the very top of the 1.0 spec, you will see a yellow box... This specification was obsoleted by OAuth Core 1.0 Revision A (http://oauth.net/core/1.0a) on June 24th, 2009 to address a session fixation attack (http://oauth.net/advisories/2009-1/). The OAuth Core 1.0 Revision A specification is being obsoleted by the proposed IETF draft draft-hammer-oauth (http://tools.ietf.org/html/draft-hammer-oauth). The draft is currently pending IESG approval before publication as an RFC. *Implementers should use draft-hammer-oauth (http://tools.ietf.org/html/draft-hammer-oauth) instead of this specification*. Here is the link to the 1.0a spec. http://oauth.net/core/1.0a/ Ryan On Fri, Jan 22, 2010 at 10:29 AM, Marc Hedlund marcprecip...@gmail.com wrote: I'm confused about the OAuth docs linked to from http://apiwiki.twitter.com/ -- especially these: http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-oauth-request_token http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-oauth-access_token Both of these link to the OAuth 1.0 spec for a list of required parameters. Shouldn't they link to the 1.0a spec instead? I came to the docs remembering the news story from last April about OAuth and session fixation vulnerabilities: http://oauth.net/advisories/2009-1/ http://hueniverse.com/2009/04/explaining-the-oauth-session-fixation-attack/ http://www.readwriteweb.com/archives/how_the_oauth_security_battle_was_won_open_web_sty.php And how it affected Twitter: http://blog.twitter.com/2009/04/whats-deal-with-oauth.html http://news.cnet.com/8301-13577_3-10225103-36.html But if you look at the API docs today, it's like none of this happened. I can't find 1.0a documented anywhere, and all but one of the code examples the docs link to continue to use the 1.0 token flow (only http://github.com/moomerman/twitter_oauth appears to get it right of the ones I checked -- http://github.com/henriklied/django-twitter-oauth and http://github.com/tav/tweetapp don't, for instance).
http://apiwiki.twitter.com/OAuth+Example+-+Ruby isn't publicly visible. Session fixation isn't mentioned on the Security Best Practices page (http://apiwiki.twitter.com/Security-Best-Practices). 1.0 vs 1.0a isn't in the OAuth FAQ (http://apiwiki.twitter.com/OAuth-FAQ) or the main FAQ. (I do see http://groups.google.com/group/twitter-development-talk/browse_thread/thread/472500cfe9e7cdb9 and of course all the discussion of OAuth and the PIN problems for mobile apps.) Shouldn't the documentation point people towards the current spec, and show examples that implement it? Or is there some reason people are being pointed to 1.0? I'm asking because Tornado (http://www.tornadoweb.org/) provides a Twitter OAuth mixin in its auth module (http://github.com/facebook/tornado/blob/master/tornado/auth.py) which uses the 1.0 token flow (as do all of the OAuth mixins in Tornado). Google OAuth implements 1.0a, and shows the user a security warning if the 1.0 flow is used, but Tornado makes this hard to implement using their auth module. I'm working on a patch to send them and want to know whether the Twitter OAuth mixin should be upgraded for 1.0a or if there's some reason it shouldn't. Thanks. (I'll stay on this list long enough to hear the discussion but will probably bail out after that, since it's a high-volume list and my interest is just in making the patch right.) -Marc
Re: [twitter-dev] Confused about OAuth 1.0 vs 1.0a and Twitter API docs
Most likely, Twitter has other things to do and updating the API documentation isn't very high on the list. Ryan On Fri, Jan 22, 2010 at 4:40 PM, Marc Hedlund marcprecip...@gmail.com wrote: Yup, I know, that's what I'm asking. Why not link to and tell people to use 1.0a (or the IETF draft) rather than 1.0? For the record I checked all the other code examples and none of them support oauth_verifier (some do send oauth_callback with the first request), unless I'm missing something. http://github.com/moomerman/twitter_oauth is the only one that's up to date. -M On Jan 22, 2010, at 1:18 PM, ryan alford wrote: If you look at the very top of the 1.0 spec, you will see a yellow box... This specification was obsoleted by OAuth Core 1.0 Revision A on June 24th, 2009 to address a session fixation attack. The OAuth Core 1.0 Revision A specification is being obsoleted by the proposed IETF draft draft-hammer-oauth. The draft is currently pending IESG approval before publication as an RFC. Implementers should use draft-hammer-oauth instead of this specification. Here is the link to the 1.0a spec. http://oauth.net/core/1.0a/ Ryan On Fri, Jan 22, 2010 at 10:29 AM, Marc Hedlund marcprecip...@gmail.com wrote: I'm confused about the OAuth docs linked to from http://apiwiki.twitter.com/ -- especially these: http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-oauth-request_token http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-oauth-access_token Both of these link to the OAuth 1.0 spec for a list of required parameters. Shouldn't they link to the 1.0a spec instead? 
I came to the docs remembering the news story from last April about OAuth and session fixation vulnerabilities: http://oauth.net/advisories/2009-1/ http://hueniverse.com/2009/04/explaining-the-oauth-session-fixation-attack/ http://www.readwriteweb.com/archives/how_the_oauth_security_battle_was_won_open_web_sty.php And how it affected Twitter: http://blog.twitter.com/2009/04/whats-deal-with-oauth.html http://news.cnet.com/8301-13577_3-10225103-36.html But if you look at the API docs today, it's like none of this happened. I can't find 1.0a documented anywhere, and all but one of the code examples the docs link to continue to use the 1.0 token flow (only http://github.com/moomerman/twitter_oauth appears to get it right of the ones I checked -- http://github.com/henriklied/django-twitter-oauth and http://github.com/tav/tweetapp don't, for instance). http://apiwiki.twitter.com/OAuth+Example+-+Ruby isn't publicly visible. Session fixation isn't mentioned on the Security Best Practices page (http://apiwiki.twitter.com/Security-Best-Practices). 1.0 vs 1.0a isn't in the OAuth FAQ (http://apiwiki.twitter.com/OAuth-FAQ) or the main FAQ. (I do see http://groups.google.com/group/twitter-development-talk/browse_thread/thread/472500cfe9e7cdb9 and of course all the discussion of OAuth and the PIN problems for mobile apps.) Shouldn't the documentation point people towards the current spec, and show examples that implement it? Or is there some reason people are being pointed to 1.0? I'm asking because Tornado (http://www.tornadoweb.org/) provides a Twitter OAuth mixin in its auth module (http://github.com/facebook/tornado/blob/master/tornado/auth.py) which uses the 1.0 token flow (as do all of the OAuth mixins in Tornado). Google OAuth implements 1.0a, and shows the user a security warning if the 1.0 flow is used, but Tornado makes this hard to implement using their auth module. 
I'm working on a patch to send them and want to know whether the Twitter OAuth mixin should be upgraded for 1.0a or if there's some reason it shouldn't. Thanks. (I'll stay on this list long enough to hear the discussion but will probably bail out after that, since it's a high-volume list and my interest is just in making the patch right.) -Marc
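The thread above turns on two parameters that 1.0a adds to the 1.0 token flow: oauth_callback sent with the request_token call, and oauth_verifier sent with the access_token call. The following is an added example, not code from Twitter, Tornado or any poster: a toy provider-side model of those two checks. The class name RequestTokenStore, the consumer.example URL and the user name are hypothetical, and signature verification is left out to keep the focus on the 1.0a additions.

```python
import hmac
import secrets


class RequestTokenStore:
    """Toy model of a provider's request-token bookkeeping under OAuth 1.0a."""

    def __init__(self):
        self._tokens = {}

    def issue(self, consumer_key, oauth_callback):
        # 1.0a: the callback arrives with the (signed) request_token call, so it
        # cannot be swapped later on the authorize URL. 'oob' selects the PIN flow.
        if not oauth_callback:
            raise ValueError("oauth_callback is required; use 'oob' for the PIN flow")
        token = secrets.token_urlsafe(16)
        self._tokens[token] = {
            "consumer_key": consumer_key,
            "callback": oauth_callback,
            "verifier": None,
            "user": None,
        }
        return {"oauth_token": token, "oauth_callback_confirmed": "true"}

    def authorize(self, token, user):
        # Called when the logged-in user approves the consumer. The verifier is
        # only ever handed to that user's browser (redirect) or screen (PIN).
        entry = self._tokens[token]
        entry["user"] = user
        entry["verifier"] = secrets.token_urlsafe(8)
        if entry["callback"] == "oob":
            return None, entry["verifier"]
        sep = "&" if "?" in entry["callback"] else "?"
        redirect = (f"{entry['callback']}{sep}oauth_token={token}"
                    f"&oauth_verifier={entry['verifier']}")
        return redirect, entry["verifier"]

    def exchange(self, consumer_key, token, oauth_verifier=None):
        # 1.0 stopped after the first two checks. 1.0a also requires the
        # verifier, which proves the caller saw the approving user's callback.
        entry = self._tokens.get(token)
        if entry is None or entry["consumer_key"] != consumer_key:
            raise PermissionError("unknown request token")
        if entry["verifier"] is None:
            raise PermissionError("request token has not been authorized")
        supplied = (oauth_verifier or "").encode("utf-8")
        if not hmac.compare_digest(entry["verifier"].encode("ascii"), supplied):
            raise PermissionError("Invalid oauth_verifier parameter")
        del self._tokens[token]  # request tokens are single use
        return {
            "user": entry["user"],
            "oauth_token": secrets.token_urlsafe(16),
            "oauth_token_secret": secrets.token_urlsafe(24),
        }


if __name__ == "__main__":
    store = RequestTokenStore()
    issued = store.issue("constructed-consumer-key", "https://consumer.example/cb")
    redirect, verifier = store.authorize(issued["oauth_token"], "jane")
    print(redirect)
    print(store.exchange("constructed-consumer-key", issued["oauth_token"], verifier))
```

A consumer written against the 1.0 flow never sends the third argument to exchange, which is the gap Marc describes in the linked code examples.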
Re: [twitter-dev] Re: Not getting correct access token when using OAuth for sign in
The plus sign (+) in your signature should be encoded. You should URL encode the signature just as you do the other parameters. Ryan On Thu, Jan 21, 2010 at 2:25 PM, eco_bach bac...@gmail.com wrote: Hmm still not working, signature at the end. I believe I get an Httpstatus of '0' immediately after calling twitter.com/oauth/access_token Also, pretty sure that my oauth_token received is different than my original request token, AND I do get the correct screen name returned, which led me to believe that it was the correct 'access token'. http://twitter.com/oauth/access_token?oauth_consumer_key=QGs6W7DlEx9Q3Ay4DzI0Wg&oauth_nonce=E65BD866-C285-C8CE-7BA3-524FB8D8D0C0&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1264101341&oauth_token=OcVawxazvOQWYrDSonFdFRjskqaOOriClf6ULsPM&oauth_signature=7kpl8+MxM6BtOZecDc1Y65qo0zo=
Re: [twitter-dev] temporarily overloaded 503 Service Unavailable
I don't think the user cares why Twitter is overloaded, so simply telling them that it's overloaded should be enough. Ryan Sent from my DROID On Jan 20, 2010 7:13 AM, eco_bach bac...@gmail.com wrote: Noticing quite a few 'temporarily overloaded 503 Service Unavailable' messages when trying to log in lately. I assume Twitter is aware of and trying to correct this, but in the meantime, when building applications, are there any guidelines or best practices to follow when your application is presented with a 503 status? Simply tell the user 'the service is unavailable, please try again later'? Or perhaps a more detailed message, explaining why the service is unavailable?
Re: [twitter-dev] Beginner question : How to get the user ID after authorize OAuth step?
The screen_name is returned in the querystring along with the oauth_token and the oauth_token_secret values. Ryan On Wed, Jan 20, 2010 at 6:26 AM, Pitt pierre.mar...@gmail.com wrote: Hi, I'm trying to implement a browser app and I'm just blocking at the first step... After the user granted the access to his data (OAuth authorize step), I want to get the user's profile (users/show) but I don't know how to recover the user's id or screen_name... Sorry if I missed something in the API documentation but I really searched... ...And thank you in advance! :) Pitt
Re: [twitter-dev] Obtaining access token WITHOUT using a PIN
You DO NOT need the PIN for a browser app. It is ONLY REQUIRED for desktop apps.

1. oauth_consumer_key = Consumer key given to you by Twitter
2. oauth_token = The token
3. oauth_signature_method = HMAC-SHA1
4. oauth_signature = computed HMAC-SHA1 hash value of the other parameters
5. oauth_timestamp = the number of seconds since Jan 1 1970
6. oauth_nonce = a unique value. I would suggest using a GUID.

For the signature, here is an example of what needs to be hashed: this is a GET request to rate_limit_status

GET&http%3A%2F%2Ftwitter.com%2Faccount%2Frate_limit_status.xml&oauth_consumer_key%3DYourConsumerKey%26oauth_nonce%3D0f419e62-8680-468f-a647-0532706af529%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D126354%26oauth_token%3D36116361-8YRR4w9rRwz7HOc0nYTMmNWjCDrQdFYtnPwsiP7jm%26oauth_version%3D1.0

You would take this value and hash it. The KEY to the hash would be yourConsumerSecret&tokenSecret, and tokenSecret is allowed to be blank for the cases where you don't have the secret. Even though the documentation says the oauth_version is optional, I include it anyway. Ryan

On Wed, Jan 20, 2010 at 9:59 AM, eco_bach bac...@gmail.com wrote: Hi According to the official OAuth spec, in order to obtain an access token, the consumer request MUST contain the following parameters

1 oauth_consumer_key: The Consumer Key.
2 oauth_token: The Request Token obtained previously.
3 oauth_signature_method: The signature method the Consumer used to sign the request.
4 oauth_signature: The signature as defined in Signing Requests (Signing Requests).
5 oauth_timestamp: As defined in Nonce and Timestamp (Nonce and Timestamp).
6 oauth_nonce: As defined in Nonce and Timestamp (Nonce and Timestamp).

I'm developing a web application in Flash and hence, NOT using the extra pin handshake. (at least I've been told it wasn't necessary, my Application Type is defined as 'Browser'). So far, I've been unsuccessful, 'verified'= false in my access token request handler. Can someone confirm for me that I in fact don't need the PIN, and if so, do I need to explicitly define all six parameters above in my request? Thanks for any feedback!
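Two replies above describe the mechanics of an OAuth 1.0 HMAC-SHA1 signature: what gets hashed and with which key (this message), and the need to percent-encode the resulting signature, including any "+" (the "Not getting correct access token" reply). The following is an added example, not code from any poster or from Twitter, that carries both through in Python. The function names and the consumer secret are constructed for illustration; the URL and parameter values are the ones quoted in the message above.

```python
import base64
import hashlib
import hmac
import time
import uuid
from urllib.parse import quote

# Values quoted in the message above, listed out of order on purpose.
PAGE_URL = "http://twitter.com/account/rate_limit_status.xml"
PAGE_PARAMS = {
    "oauth_version": "1.0",
    "oauth_token": "36116361-8YRR4w9rRwz7HOc0nYTMmNWjCDrQdFYtnPwsiP7jm",
    "oauth_timestamp": "126354",
    "oauth_nonce": "0f419e62-8680-468f-a647-0532706af529",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_consumer_key": "YourConsumerKey",
}
CONSTRUCTED_CONSUMER_SECRET = "constructed-consumer-secret"  # sample value


def pct(value):
    """OAuth percent-encoding: only RFC 3986 unreserved characters stay literal."""
    return quote(str(value), safe="-._~")


def new_oauth_params(consumer_key, token=None):
    """Fresh protocol parameters; the nonce is a GUID, as suggested above."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": str(uuid.uuid4()),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        params["oauth_token"] = token
    return params


def normalized_params(params):
    """Encode every name and value, sort by name then value, join with '&'."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method, url, params):
    """METHOD & encoded URL & encoded parameter string (the text that is hashed)."""
    return "&".join([method.upper(), pct(url), pct(normalized_params(params))])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string; key is consumerSecret&tokenSecret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    base = signature_base_string(method, url, params).encode("ascii")
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode("ascii")


def signed_query(method, url, params, consumer_secret, token_secret=""):
    """Query string with the signature appended last and percent-encoded.

    params must not already contain oauth_signature.
    """
    signature = sign(method, url, params, consumer_secret, token_secret)
    return normalized_params(params) + "&oauth_signature=" + pct(signature)


if __name__ == "__main__":
    print(signature_base_string("GET", PAGE_URL, PAGE_PARAMS))
    print(signed_query("GET", PAGE_URL, PAGE_PARAMS, CONSTRUCTED_CONSUMER_SECRET))
    # The raw signature from the earlier message, encoded as the reply asks:
    print(pct("7kpl8+MxM6BtOZecDc1Y65qo0zo="))
```

Base64 output can contain "+", "/" and "=", so a signature placed in a URL without passing through pct() is read back by the server as a different value.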
Re: [twitter-dev] please help - sporadic '403 Forbidden:' error message when using OAuth Sign-In process
Isn't this the same problem that you posted about yesterday? http://groups.google.com/group/twitter-development-talk/browse_thread/thread/90cb64e3706e1337# Why create a new post? Ryan On Wed, Jan 20, 2010 at 10:29 AM, eco_bach bac...@gmail.com wrote: Building an actionscript Twitter client and using OAuth for the sign in process. Having an extremely frustrating issue with a sporadic error message. '403 Forbidden: The server understood the request, but is refusing to fulfill it.' I'm using, of necessity, a php proxy to get to the Twitter oauth authenticate page at twitter.com/oauth/authenticate/ I get here no problem so I'm assuming there's nothing wrong with my proxy script. However, immediately AFTER clicking 'Sign In' I sometimes get the error message. Also, when I am getting the message, I can even leave the username and password fields blank and click 'Sign In'. I still get the error message, instead of a correct message indicating that the username-password fields are missing. Because this error only seems to happen sporadically, without me having changed anything in my code, it makes it difficult to troubleshoot properly. Anyone else experience this?
Re: [twitter-dev] Need Help on posting Message
You need to add this

    messageRequest.ServicePoint.Expect100Continue = false;

so your code should look like this... http://codepaste.net/ababkc Ryan On Wed, Jan 20, 2010 at 10:22 AM, Atul atul101...@gmail.com wrote: Hello Frenz, I'm building an application in C#.Net 3.5. My Requirement is to post message to twitter user, defined by me in text box, on button click i'm passing my credentials and user name with message but I'm getting following error:- the remote server returned an error 403 forbidden My Code is Below:-

    try
    {
        // Direct message request: recipient and text go in the query string
        HttpWebRequest messageRequest = (HttpWebRequest)WebRequest.Create("http://twitter.com/direct_messages/new.xml?user=" + sendTo + "&text=" + message);
        messageRequest.Method = "POST";
        // Basic Auth credentials of the sending account
        messageRequest.Credentials = new NetworkCredential(username, password);
        messageRequest.ContentLength = 0;
        messageRequest.ContentType = "application/x-www-form-urlencoded";
        WebResponse response = messageRequest.GetResponse();
    }
    catch (Exception ex)
    {
        MessageBox.Show(ex.Message);
    }

any Help is Appreciated,
Re: [twitter-dev] Re: OAuth best practice
You are correct. The PIN handshaking is only for Desktop Apps. Ryan On Mon, Jan 18, 2010 at 9:12 AM, eco_bach bac...@gmail.com wrote: Jeff, I might be wrong, as there seems to be some confusion on this, but I believe the extra PIN handshaking is ONLY required for what Twitter defines as 'Desktop Apps'. See the response to my questions here http://bit.ly/5xbydH As a newcomer to OAuth and the Twitter API I'm currently muddling thru the whole proxy requirements (I'm using actionscript)
Re: [twitter-dev] Re: Basic Auth Deprecation in June
Yes, it's official. The deprecation of Basic Auth will start in June. Ryan On Mon, Jan 18, 2010 at 10:57 AM, Hwee-Boon Yar hweeb...@gmail.com wrote: Thanks. Hope it's not official. I don't remember reading anything like that on the 2 lists. -- Hwee-Boon On Jan 18, 7:01 pm, Rich rhyl...@gmail.com wrote: Ryan Sarver said it last year http://twitter.com/Scobleizer/status/6493268213 On Jan 17, 4:46 am, Hwee-Boon Yar hweeb...@gmail.com wrote: On Jan 14, 8:30 am, twittme_mobi nlupa...@googlemail.com wrote: Hello , Regarding Basic Auth Deprecation is June Any where this is announced? -- Hwee-Boon
Re: [twitter-dev] Re: OAuth best practice
Native mobile apps (native Android, native IPhone, etc., meaning they run on the device itself and NOT in the browser) are considered Desktop apps. Yes, the mobile UX is one of the biggest issues with Twitter's OAuth implementation. Ryan On Mon, Jan 18, 2010 at 11:35 AM, Jeff Enderwick jeff.enderw...@gmail.com wrote: Is a mobile app more like a desktop app or a web app? The PIN in the 'desktop' flow handles this in the 'non-desktop' flow: Once Jane approves the request, Faji marks the Request Token as User-authorized by Jane. Jane’s browser is redirected back to Beppa, to the URL previously provided http://beppa.com/order together with the Request Token. This allows Beppa to know it can now continue to fetch Jane’s photos. With desktop (and possibly unanticipated) mobile apps, there isn't that redirect back. I'm all for whatever makes the best UX for oauth+mobile. On Mon, Jan 18, 2010 at 6:20 AM, ryan alford ryanalford...@gmail.com wrote: You are correct. The PIN handshaking is only for Desktop Apps. Ryan On Mon, Jan 18, 2010 at 9:12 AM, eco_bach bac...@gmail.com wrote: Jeff, I might be wrong, as there seems to be some confusion on this, but I believe the extra PIN handshaking is ONLY required for what Twitter defines as 'Desktop Apps'. See the response to my questions here http://bit.ly/5xbydH As a newcomer to OAuth and the Twitter API I'm currently muddling thru the whole proxy requirements (I'm using actionscript)
Re: [twitter-dev] Using OAuth keys in an open source application
You are reading it correctly. You do not want to give out your Consumer Key or Consumer Secret. If somebody downloads the source of your application, they are most likely going to be using it in their own application. Therefore, they need their own Consumer Key and Consumer Secret. Ryan On Mon, Jan 18, 2010 at 12:56 PM, Isaiah supp...@yourhead.com wrote: So you're saying that each individual end-user of the open source app would register with Twitter for separate Twitter Application credentials, add those credentials to the app, and then recompile the application? Or did I read that incorrectly? Isaiah YourHead Software supp...@yourhead.com http://www.yourhead.com On Jan 18, 2010, at 9:46 AM, Raffi Krikorian wrote: that's precisely what i would do - author your code to read from a configuration file that contains the keys. don't distribute that configuration file, but, instead, distribute a README or an example configuration file that the end user would fill in. On Mon, Jan 18, 2010 at 9:43 AM, John Meyer john.l.me...@gmail.com wrote: On 1/18/2010 1:19 AM, Ryan McCue wrote: Hey guys, I'm looking to integrate Twitter posting into an application I'm developing. The catch to this is that because it's open source, and programmed in PHP, I'd have to distribute the secret key with it. What's the best way to go about this? I've fallen back onto the ordinary basic auth API for now. Thanks, Ryan. Technically, you don't. All opensource requires is that you distribute the source code, not the individual data. So you could specify that the secret key is in a particular file and then other users could insert their own secret key. -- Raffi Krikorian Twitter Platform Team http://twitter.com/raffi
Re: [twitter-dev] Re: Using OAuth keys in an open source application
There is a difference between giving your application to others to install and use, and others downloading your code for their own applications. If a user is installing your application to use, then your code would include your consumer key. If a user is downloading your open source code to use for their own app, then they need to get their own consumer key to relate to their app. Ryan Sent from my DROID On Jan 18, 2010 2:18 PM, M. Edward (Ed) Borasky zzn...@gmail.com wrote: OK ... let me make *sure* I understand this. Is this the best practice?: 1. I write a desktop application. Whether it's closed or open source is irrelevant. I advertise this application for sale, saying, It runs on Windows, Macintosh and Linux desktops (KDE, Gnome, XFCE, let's say), it does all these wonderful things, *and* it's oAuth-secure! 2. I *sell* Bob a copy of my application. It contains code but *no* oAuth tokens of any kind. 3. Bob installs the application. Bob starts up the application. 4. The application starts up the browser and points it to http://twitter.com/apps/new, and directs Bob to do the following: 4.a. Log in to Twitter. 4.b. Fill in the form. I tried this with a dummy application, and the Application Name must be *unique*. So what does Bob put in this field? Bob's copy of Ed's wonderful application? 4.c. Now Bob has a consumer key and consumer secret, unique to *his* copy of the application, *not* generic to the application. 5. The application instructs him to enter the freshly-minted consumer key and secret via copy and paste into a dialog box, checks them for validity against the Twitter oAuth servers, and then stores them someplace that an attacker can't find them. This is, of course, platform dependent - the application needs special code for Windows, Mac, and at least two Linux desktops. See http://apiwiki.twitter.com/Security-Best-Practices for the application's responsibilities in this area. 6. OK, now Bob has registered the application with Twitter. 
He actually wants to use it now. The application starts up, picks up the stored consumer key and secret, starts up the browser again, and goes to the PIN-generation site. If Bob hasn't logged in to Twitter yet, that site will ask him to do so. Bob gets his PIN and copies it into a dialog box. The application does its thing, and Bob tweets about how wonderful it is that he can do all this stuff with Ed's wonderful application. I sell 3,000 copies of it, hire a support engineer, and make the front page of Mashable! ;-) But there's two ways I can go with this: 6.a. Grant Bob indefinite permission by getting the PIN once and storing the resulting tokens on his machine, again someplace that an attacker can't find them. 6.b. Require Bob to get a new PIN each time he uses the application. What's the best practice here? Personally, I'm leaning towards a new PIN each time as long as it isn't an impact to Twitter servers, because it exposes one less place for an attack. -- M. Edward (Ed) Borasky http://borasky-research.net/smart-at-znmeb A mathematician is a device for turning coffee into theorems. ~ Paul Erdős
Re: [twitter-dev] Re: Using OAuth keys in an open source application
Agreed. The reason you don't want to give out YOUR consumer key and consumer secret in your open-source code is because somebody could download your code, make malicious changes to make it do something bad, and now their app looks exactly like yours to Twitter since the consumer keys are the same. So when that app starts causing problems for users, it's YOU that they start contacting. Ryan On Mon, Jan 18, 2010 at 2:32 PM, John Meyer john.l.me...@gmail.com wrote: On 1/18/2010 12:22 PM, ryan alford wrote: There is a difference between giving your application to others to install and use, and others downloading your code for their own applications. If a user is installing your application to use, then your code would include your consumer key. If a user is downloading your open source code to use for their own app, then they need to get their own consumer key to relate to their app. Ryan An addendum. If you were seriously concerned about others grabbing those codes you could specify that the app fetches those keys from an ftp server or some sort of web service that you ran. But I would guess that this would be a bit more paranoid than what you are trying to prevent.
Re: [twitter-dev] Re: Using OAuth keys in an open source application
Just the consumer key, or both the consumer key and consumer secret? Both are needed when doing OAuth. Ryan On Mon, Jan 18, 2010 at 2:52 PM, M. Edward (Ed) Borasky zzn...@gmail.com wrote: On Jan 18, 11:32 am, John Meyer john.l.me...@gmail.com wrote: On 1/18/2010 12:22 PM, ryan alford wrote: There is a difference between giving your application to others to install and use, and others downloading your code for their own applications. If a user is installing your application to use, then your code would include your consumer key. Just the consumer key, or both the consumer key and consumer secret? If a user is downloading your open source code to use for their own app, then they need to get their own consumer key to relate to their app. Ryan An addendum. If you were seriously concerned about others grabbing those codes you could specify that the app fetches those keys from an ftp server or some sort of web service that you ran. But I would guess that this would be a bit more paranoid than what you are trying to prevent. The paranoia is directly from Twitter's Security Best Practices http://apiwiki.twitter.com/Security-Best-Practices: Don't store passwords. Just store OAuth tokens. Please. As aforementioned, for optimal security you should be using OAuth. But once you have a token with which to make requests on behalf of a user, where do you put it? Ideally, in an encrypted store managed by your operating system. On Mac OS X, this would be the Keychain. In the GNOME desktop environment, there's the Keyring. In the KDE desktop environment, there's KWallet. As an aside, 90% of the desktops/laptops out there run Windows. I'd hope that the Security Best Practices document would include a little more on dealing with Windows desktops than a link to the MSDN Security Developer Center. 
;-) I think the FTP server idea is a good one - it gives me a log file of everyone who's obtained the consumer key and secret for Ed's Wonderful Desktop App, so when someone fires up a debugger, runs my app, grabs all the authentication codes and uses them to do a DOS attack on Twitter and gets my app blacklisted, I'll have a list of people for my attorney to call and depose. ;-) -- M. Edward (Ed) Borasky http://borasky-research.net/smart-at-znmeb A mathematician is a device for turning coffee into theorems. ~ Paul Erdős
Re: [twitter-dev] Re: Using OAuth keys in an open source application
Why would you be required to have a server? To keep your consumer key and consumer secret out of your app? It's not required. Mine are stored in a database that is coupled with my application. The database is password protected, so nobody is getting in. Ryan On Mon, Jan 18, 2010 at 4:27 PM, M. Edward (Ed) Borasky zzn...@gmail.com wrote: On Jan 18, 11:48 am, Dossy Shiobara do...@panoptic.com wrote: Seriously, are we still beating this dead old horse? Closed or open source doesn't matter. The fact that a consumer key and secret (!) are redistributed = design FAILURE. It's trivial to recover the consumer key and secret from a closed source application, which can in turn be used in a malicious application ... The consumer key and secret CANNOT be used as a form of application authentication. It's not trustworthy enough. This is an inherent design deficiency in OAuth. If that's the case, then *desktop* Twitter applications are not a viable business model. You *must* have a server, with the extra overhead that involves, and the extra cost that must be passed on to your customers, in order to protect yourself and Twitter from malicious users. Given the other limitations of the desktop application model, e.g., no production access to the Streaming API and no easy mobile deployment options, it's seriously looking like I am wasting my time developing desktop applications. Sigh ... off to do some more research ... -- M. Edward (Ed) Borasky http://borasky-research.net/smart-at-znmeb A mathematician is a device for turning coffee into theorems. ~ Paul Erdős
Re: [twitter-dev] Re: Using OAuth keys in an open source application
Also, the consumer secret is harder to get since it's not sent as a parameter. Ryan Sent from my DROID On Jan 18, 2010 7:18 PM, Abraham Williams 4bra...@gmail.com wrote: It would be less work for me to run charles proxy and see catch the consumer key/secret in transit then to decompile it and figure out where in the code it is actually stored when distributed with the app. Previously with basicauth you could use anybody's source param and spoof their application. At least with OAuth you have to acquire their consumer key/secret first. You guys are all freaking out about this when this is how the internet works. Just look at email. With a single line of PHP I can send any of you an email from any email address.* Abraham *There are technologies to stop this but very few mail servers use them. Currently Gmail refuses email from paypal.com unless it is signed by their key. On Mon, Jan 18, 2010 at 15:35, M. Edward (Ed) Borasky zzn...@gmail.com wrote: On Jan 18,... -- Abraham Williams | Moved to Seattle | May cause email delays Project | Intersect | http://intersect.labs.poseurtech.com Hacker | http://abrah.am | http://twitter.com/abraham This email is: [ ] shareable [x] ask first [ ] private.
Re: [twitter-dev] Using OAuth keys in an open source application
PHP as in web-based? Why wouldn't the user just login to the website? Ryan Sent from my DROID On Jan 18, 2010 10:03 PM, Ryan McCue li...@rotorised.com wrote: John Meyer wrote: Technically, you don't. All opensource requires is that you distribute the so... Right, so everyone would have to get their own API key? Sounds a bit counter intuitive to me. ryan alford wrote: You do not want to give out your Consumer Key or Consumer Secret. If someb... ryan alford wrote: There is a difference between giving your application to others to install ... The problem with that is that the application is written in PHP, so they need the source to run it, hence, any normal users would need to have an API key. -- Ryan McCue http://ryanmccue.info/
Re: [twitter-dev] Using OAuth keys in an open source application
The consumer secret is not public. The consumer key can be seen in the query parameters, but the consumer secret is not a query parameter. It would have to be reverse engineered using the signature. If twitter determines that a specific application is malware, I would only hope that they would blacklist the app. Ryan Sent from my DROID On Jan 18, 2010 10:45 PM, Marc Mims marc.m...@gmail.com wrote: * Isaiah Carew isa...@me.com [100118 19:02]: If every person that uses an app accesses the API with their own personal app credentials that wou... Hopefully twitter suspends user accounts, not application access, when malicious activity is detected. Otherwise, all desktop apps, whether closed or open source, are vulnerable. It isn't difficult to extract the consumer key and secret from any desktop application that ships with them and use them in malicious code. Registering a consumer key/secret for every instance of a desktop application seems like an unreasonable requirement to place on users. So, I agree that isn't the solution. I certainly want to see the user count on my OAuth apps page for the desktop apps I release. Per user consumer keys not only prevent Twitter from application tracking, they also prevent the application developer from tracking it as well. Consider the consumer key and secret public for desktop apps. They are. -Marc
Re: [twitter-dev] Re: Using OAuth keys in an open source application
Who said that was even an option? I haven't seen one person who said that requiring every user to create their own consumer keys to use with an application was an option. The only reason that is even in this discussion is because somebody misinterpreted an answer and that's what they thought was meant. I have never seen one person from twitter even come close to suggesting this as an option. Raffi's answer in the third post was under the impression that the OP was referring to releasing his consumer keys as part of his open source code for others to download his CODE and use for their own applications. This is what Raffi was referring to when he said to use a configuration file to store the consumer keys and have a README file for the end user. The end user being the developer that downloaded the code. Ryan Sent from my DROID On Jan 18, 2010 11:53 PM, Marc Mims marc.m...@gmail.com wrote: * Abraham Williams 4bra...@gmail.com [100118 20:10]: If rolling out a new update is a burden on you and your user you are doing it wrong. http://code... Rolling out a new version because someone compromised the consumer key pair is a burden. Are you prepared to roll out a new version every few minutes? -Marc
Re: [twitter-dev] Re: Failed to validate oauth signature and token
Yeah, the Nonce needs to be a unique value. If your language can create GUIDs, that might be the best option. Ryan On Sat, Jan 16, 2010 at 11:11 PM, eco_bach bac...@gmail.com wrote: solved, apparently my oauth_nonce value was incorrect, I assumed it was simply a random string and I didn't use the mx.utils.UIDUtil class to generate. I'll try also switching the order so the signature is at the end.
Re: [twitter-dev] Sign in with Twitter, PIN authentication and Desktop Clients
1. Desktop applications are those that are installed or ran from a PC/Mac/Linux or on a mobile device. They are outside of the browser. 2. One is used for web applications, the other is for desktop applications. 3. You are correct. PIN workflow is only for desktop applications. Ryan Sent from my DROID On Jan 17, 2010 5:00 PM, eco_bach bac...@gmail.com wrote: Hi Building an AS3 based web application using OAuth. So far I've coded a demo that successfully obtains a request token, redirects the user to the oauth url, and, on successful login redirects the user back to the previously supplied consumer-application URL. However somewhat confused by several things. 1) Definition of Desktop Clients http://apiwiki.twitter.com/Authentication Is a desktop client any web based application? or does it specifically refer to any application OUTSIDE of the browser (ie AIR based)? 2) SignIn with Twitter Can someone explain the difference between 'oauth/authorize' and 'oauth/authenticate' urls? What is meant by 'normal flow' (2nd paragraph) here http://apiwiki.twitter.com/Sign-in-with-Twitter 3) PIN handshake My assumption is that the extra PIN handshake is ONLY necessary for what I understand to be desktop clients (ie #1 above) So 'Sign in with Twitter' for a web-based application shouldn't require the extra PIN handshake. Am I correct? Thanks for any feedback on the above!
Re: [twitter-dev] Failed to validate oauth signature and token
The signature needs to be the very last parameter. You put all of the parameters in order except for the signature. Then you create the signature and append it to the end of the query string. Ryan Sent from my DROID On Jan 16, 2010 9:48 PM, eco_bach bac...@gmail.com wrote: Ok Yes this IS a common error message. I've read most of the posts, the entire OAuth beginner's documentation, registered my application, checked for capitalization, checked my system clock. So far, no luck As a base library I am using Sönke Rohde's open source Twitter library http://github.com/srohde/Twitter, though might switch to Tweetr and see if I make better progress. This is my header GET /oauth/request_token?oauth_consumer_key=C4eEz9MqGy28wuCj8hJC4w&oauth_nonce=0020a00%2001&oauth_signature=gX9Uk20RF70D6sxljfvcIK4szr4%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1263675366 HTTP/1.1 Also, I am testing from the desktop at the moment so needing a proxy for security sandbox issues isn't a problem. Can anyone help with troubleshooting?
Re: [twitter-dev] List of Common Error messages and possible causes, ie 'Failed to validate oauth signature and token'.
Going by your other email, your query string parameters are not in the correct order. This is a very important part of OAuth. Ryan Sent from my DROID On Jan 16, 2010 9:48 PM, eco_bach bac...@gmail.com wrote: Hi I've read the FAQ, and all the documentation. Am attempting to get an AS3 client working using OAuth. I am getting the following error message 'Failed to validate oauth signature and token'. tried resetting my consumer key, secret, and also checked my system clock which seems fine. After a quick search this seems to be a VERY common error message with many possible causes. Is there a list somewhere of common error messages such as this with probable causes?
Re: [twitter-dev] Re: Reinstate 'from app' for Basic Auth desktop apps until OAuth is fixed
I've been using OAuth for more than 3 months now, about 8 hours a day during the week while at work, using my own library and my own twitter client. I've never had an issue with stability. Now the desktop implementation is crappy (been posted about 50 billion times), but other than that, I've never run into issues with OAuth. Now I don't use search or streaming, though I don't even know if those use OAuth. Is there a specific stability issue? Ryan On Wed, Jan 13, 2010 at 4:32 PM, Dewald Pretorius dpr...@gmail.com wrote: Raffi, As I have noted before, the reliability of OAuth is an actual concern. Also the availability of that easy one-time migration method (getting the OAuth stuff when you have the username and password). Twitter OAuth is still in beta. Ryan said that migration to OAuth will become mandatory this year. That cannot be done until you move Twitter OAuth into stable production mode. If you do not have the necessary confidence in your OAuth implementation to do that, then you cannot force anyone to use it. On Jan 12, 3:01 am, Raffi Krikorian ra...@twitter.com wrote: As it stands, developers who have relatively new desktop apps are penalized by having updates from their app say 'from web'. Older Basic Auth desktop clients continue to enjoy a link back to the client web site with a 'from app' link. ... I understand Twitter is trying to force people to use OAuth, but that won't happen in a meaningful way until OAuth is reliable, has a truly usable workflow (PIN method isn't it), and can work well with other services (Twitpic, yfrog, etc). We aren't there yet. i'm trying to gather use cases around OAuth to help it make sense for more people to use it -- as it stands, we are not going to allow the source parameter to be set in new applications unless they come from OAuth. so, please help me out! is the reliability of OAuth an actual concern? do you have a suggestion as to what you would like to see other than the PIN workflow?
additionally, we're actively working on a delegation method for integration with other services. -- Raffi Krikorian Twitter Platform Team http://twitter.com/raffi
Re: [twitter-dev] Re: Reinstate 'from app' for Basic Auth desktop apps until OAuth is fixed
I agree. I believe OAuth for mobile and the delegation between apps are the biggest concerns that need to be addressed before the deprecation of basic oauth in June. Both of these have been beaten to a pulp. However, these issues certainly do not push OAuth into an unstable beta state that couldn't be used in production apps. Ryan Sent from my DROID On Jan 13, 2010 5:46 PM, Tim Haines tmhai...@gmail.com wrote: On Thu, Jan 14, 2010 at 10:52 AM, ryan alford ryanalford...@gmail.com wrote: I've been using O... I've found it just as stable as the rest of the API. It's not perfect, but is generally pretty good. My main concern is that I'd like the mobile pages to be formatted for mobile devices. Oh - and the ability to delegate between apps. Sooo looking forward to that. Tim.
Re: [twitter-dev] question about PIN code
When you direct the user to oauth/authorize, the user will be presented with an Allow/Deny page from Twitter. If they Allow, they then will be given a PIN on the screen. The user will need to give this PIN to you. Ryan On Tue, Jan 12, 2010 at 7:59 PM, dduby nezzi...@gmail.com wrote: hi,,, i am trying to make mobile app for Android. For authentication, i followed this procedure. i got consumer key and secret key,, problem is, i don't know how to generate PIN code.. is there any web site? please answer my question. 1. The application uses oauth/request_token to obtain a request token from twitter.com. 2. The application directs the user to oauth/authorize on twitter.com. 3. After obtaining approval from the user, a prompt on twitter.com will display a 7 digit PIN. 4. The user is instructed to copy this PIN and return to the application. 5. The application will prompt the user to enter the PIN from step 4. 6. The application uses the PIN as the value for the oauth_verifier parameter in a call to oauth/access_token which will verify the PIN and exchange a request_token for an access_token. 7. Twitter will return an access_token for the application to generate subsequent OAuth signatures.
Re: [twitter-dev] Re: Please Help
You don't have the parameters in the proper order. The signature goes last. The rest of the parameters must be in order. Put the parameters in order, create the signature, then append the signature to the end of the query string. Ryan Sent from my DROID On Jan 6, 2010 2:05 AM, Vikram vikram.prav...@gmail.com wrote: This is my query string https://twitter.com/oauth/request_token?oauth_signature=dIjtVqiRK %2BnWo5UYRSSs6WWwKII %3Doauth_callback=ooboauth_consumer_key=gUutCG9HjEOT0N8IxvW9woauth_nonce=hO3CY2tN7OblsYdp0sOoThPRGEMypcWdM1PMoauth_signature_method=HMAC- SHA1oauth_timestamp=1262716897oauth_version=1.0a
Re: [twitter-dev] Please Help
Post your query string. Don't necessarily need to see the code yet, just need to see the URL that you are requesting. The error means that your signature is incorrect. Ryan On Tue, Jan 5, 2010 at 2:06 PM, Vikram vikram.prav...@gmail.com wrote: When I try to get the OAuth Request token I get Failed to validate oauth signature and token error message from twitter. What can be the possible reason? If required I can share my entire code with you people.
Re: [twitter-dev] Re: Skipping the PIN based workflow for Desktop clients using OAuth
In the Desktop workflow, you don't have to enter the PIN every time. The user is NOT required to authorize your application every time they want to use it. After the first authorization, YOU store the access token and access token secret either in a database, file, or some other type of storage mechanism. You use those stored values until they expire (which could be never). Ryan On Sun, Jan 3, 2010 at 9:44 AM, Vikram vikram.prav...@gmail.com wrote: @Duane Roelands I am working on desktop app, but the fact that I need a PIN for trading my request tokens for OAuth Access tokens made me look at PHP route. My idea was to use PHP get the access tokens and then use them in my desktop app. The rationale behind this was that I didn't want user to be entering PIN every time. With PHP I could use the callback URL for automatically getting the access tokens. @srikanth reddy Srikanth how can I make the PIN entering a one time process. If I save the access tokens will I be able to use them in the next instance of my App??
Re: [twitter-dev] Removing Registered Application
You can revoke access from the Connections tab in the Settings on the web site. Ryan Sent from my DROID On Jan 3, 2010 7:56 PM, Greg gregory.av...@gmail.com wrote: Is it possible to remove an application that you registered? Like delete it from your list?
Re: [twitter-dev] Re: Request without oauth
Twitter is going to be making changes to OAuth to where the user can give you their credentials, and you can use those to get an Access Token. This is an option to bypass the PIN workflow. On Thu, Dec 10, 2009 at 10:03 AM, Fauzil Hamdi asfau...@gmail.com wrote: some body please 2009/12/10 Fauzil Hamdi asfau...@gmail.com can i request my mobile application without oauth ? my users run away because oauth is not friendly with mobile.
Re: [twitter-dev] Re: What Is The Status of Twitter OAuth?
I never knew that asking questions would be considered whining. Twitter has never officially stated that OAuth is in production like they announce other features (like Lists). Now they seem to be telling developers to start moving to OAuth. You state to don't use it. It doesn't look like we will have much of a choice soon. Twitter is recommending third-parties move to OAuth. Looks like it won't be long before basic auth is deprecated. On Tue, Dec 1, 2009 at 10:17 AM, Duane Roelands duane.roela...@gmail.com wrote: Use it or don't, and own your decision. It works. It's stable. It's more secure than Basic Auth. It's what Twitter wants you to use. What's the problem here? So tired of OAuth whining. If Twitter OAuth is stable enough for Twitter to recommend that all third-party applications connect through OAuth connection, then move it out of beta and into production mode, and announce it as such. If not, then don't make that recommendation.
Re: [twitter-dev] What Is The Status of Twitter OAuth?
He's not referring to OAuth the specification. He is referring to Twitter's implementation of it. Ryan On Mon, Nov 30, 2009 at 1:54 PM, Chris Babcock cbabc...@kolonelpanic.org wrote: On Mon, 30 Nov 2009 10:27:24 -0800 (PST) Dewald Pretorius dpr...@gmail.com wrote: Last information I've seen said that Twitter OAuth is in public beta, if I remember correctly. Has that status changed, as in, has OAuth been moved out of beta and into production? This doesn't look beta to me: http://oauth.net/core/1.0a A is a revision code, not alpha. Chris
Re: [twitter-dev] oauth Process flow and status Part 1
The signature has to go last. That's one mistake that most people make. You are supposed to put the parameters in order EXCEPT the signature parameter. The signature parameter is created by using the other parameters, then it's appended to the end of the query string. The OAuth signature is generated. I made a blog post where I tried to explain it a little better than the documentation does. It's for .Net for the desktop, but the process is the same for any language, and only slightly different for web applications. http://eclipsed4utoo.com/blog/net-twitter-desktop-oauth-authentication/ On Tue, Nov 24, 2009 at 3:12 PM, abruton andrebru...@gmail.com wrote: Hi All I am trying to get my head around the Twitter oauth flow. The twitter documentation links to oauth.net for parameters, but these are general and not well documented. Is the first step to use http://twitter.com/oauth/request_token ? 1. I created the following URL: http://twitter.com/oauth/request_token?oauth_consumer_key=3Uu...1HAoauth_signature=Diz...cnIoauth_timestamp=1259100056oauth_nonce=120092402256OY2H6DC7VT053U3HI69HA861oauth_version=1.0 When I put this in a browser to test it, I get the following error: Failed to validate oauth signature and token 1. What is wrong with the string? - Is the oauth_signature just your Consumer secret string? - Do I have to use oauth_signature_method and what method do I use. If it is sha1, what string do I hash? The whole URL? Do I POST the data to http://twitter.com/oauth/request_token or GET or what? Best regards Andre F Bruton
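The signing step asked about in the message above, as an added Python example that is not part of the original thread or of any library named in it. Under OAuth 1.0 (RFC 5849, section 3.4) the sorted parameters, with oauth_signature left out, form the signature base string, and the HMAC-SHA1 key is the percent-encoded consumer secret and token secret joined by "&"; the key, secret, nonce and timestamp values below are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    """Percent-encode per RFC 3986: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(str(value), safe="~")


def signature_base_string(method, url, params):
    """METHOD & encoded URL & encoded, sorted parameter string."""
    pairs = sorted(
        (pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature"
    )
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string; token_secret is empty for request_token."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    base = signature_base_string(method, url, params).encode("ascii")
    digest = hmac.new(key, base, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def verify(method, url, params, presented, consumer_secret, token_secret=""):
    """Receiving side: recompute the signature and compare in constant time."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


def signed_query(method, url, params, consumer_secret, token_secret=""):
    """Query string with '&'-separated pairs and the signature appended."""
    signature = sign(method, url, params, consumer_secret, token_secret)
    pairs = sorted((k, v) for k, v in params.items() if k != "oauth_signature")
    pairs.append(("oauth_signature", signature))
    return "&".join(f"{pct(k)}={pct(v)}" for k, v in pairs)


# Constructed sample request (placeholder key, secret, nonce and timestamp).
URL = "https://twitter.com/oauth/request_token"
CONSUMER_SECRET = "constructed-consumer-secret"
PARAMS = {
    "oauth_version": "1.0",
    "oauth_nonce": "abc123",
    "oauth_callback": "oob",
    "oauth_timestamp": "1262700000",
    "oauth_consumer_key": "EXAMPLEKEY",
    "oauth_signature_method": "HMAC-SHA1",
}

if __name__ == "__main__":
    print(signature_base_string("GET", URL, PARAMS))
    print(signed_query("GET", URL, PARAMS, CONSUMER_SECRET))
```

The base string is the thing to compare when a server answers "Failed to validate oauth signature and token": any difference in method, URL, encoding or parameter set between what the client signed and what it sent changes the signature.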
Re: [twitter-dev] Authentication (user/pass )after Oauth authentication.....:S
After you get the pin, what URL do you go to? On Nov 23, 2009 7:50 AM, dmsiva danielmartinssi...@gmail.com wrote: hello. I make well oauth authentication. I put the pin, and I get the access_token, etc.. but when I request a 'get' the browser asks me another authentication (username, password). what can I be doing wrong? After the access tokens, what should I send in the next request? best regards,
Re: [twitter-dev] Get screen name with OAuth
In the query string of the returned response, there is a field called screen_name. That will contain the screen name of the user that authorized the application. So when you get oauth_token and oauth_token_secret from the response, get screen_name also. Ryan On Fri, Nov 20, 2009 at 10:51 AM, Raffi Krikorian ra...@twitter.com wrote: http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-account%C2%A0verify_credentials I guess this is a simple call to the API but I am not able to find the right answer, and the twitter gem I am using doesn't seem to provide that functionality, so what I want to know if is there a way I can get the screen_name or Id of an authenticated user via oauth using the access token and secret? -- Raffi Krikorian Twitter Platform Team ra...@twitter.com | @raffi
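An added Python example (not code from the thread or from the twitter gem) covering two replies on this page: reading oauth_token, oauth_token_secret and screen_name out of the access_token response, and storing the token pair so a desktop user enters the PIN only once. The file layout, function names and sample response body are assumptions made for the illustration.

```python
import json
import os
import stat
import tempfile
from urllib.parse import parse_qs

REQUIRED_FIELDS = ("oauth_token", "oauth_token_secret")


def parse_access_token_response(body):
    """Parse the form-encoded body returned by oauth/access_token."""
    fields = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    creds = {}
    for name, values in fields.items():
        if len(values) != 1:
            raise ValueError(f"field repeated in response: {name}")
        creds[name] = values[0]
    missing = [name for name in REQUIRED_FIELDS if not creds.get(name)]
    if missing:
        raise ValueError(f"response lacks {', '.join(missing)}")
    return creds


def save_credentials(path, creds):
    """Write the token file atomically, readable by the owner only."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(dir=directory)  # mkstemp creates mode 0600
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as handle:
            json.dump(creds, handle)
        os.replace(tmp_path, path)
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise


def load_credentials(path):
    """Load stored tokens, refusing a file other users could read or write."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group or others")
    with open(path, encoding="utf-8") as handle:
        creds = json.load(handle)
    if any(not creds.get(name) for name in REQUIRED_FIELDS):
        raise ValueError("stored credentials are incomplete")
    return creds


# Constructed response body; real token values are opaque strings.
SAMPLE_BODY = (
    "oauth_token=CONSTRUCTED-ACCESS-TOKEN"
    "&oauth_token_secret=CONSTRUCTED-TOKEN-SECRET"
    "&screen_name=example_user"
)

if __name__ == "__main__":
    store = os.path.join(tempfile.mkdtemp(), "twitter_tokens.json")
    save_credentials(store, parse_access_token_response(SAMPLE_BODY))
    print(load_credentials(store)["screen_name"])
```

The stored token secret grants the same access the user approved, so the file is created owner-only and rejected on load if its permissions have been widened.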
[twitter-dev] Re: Read / Write Access By Default, But Can't POST
Delete your registration and add it again. On Nov 14, 2009 3:52 PM, Twlisted twlistedm...@gmail.com wrote: If I go to my application details page, it's marked as read/write access by default. But when I attempt to POST such as http://api.twitter.com/1/.$list_user./.$user_list./members.json; I get back the error: Read-only application cannot POST So if I'm a read only application, why does my application page say I'm read/write, and how do I get the app changed to be read/write?
[twitter-dev] Re: Getting started with a twitter application
You can use one of the many libraries for most of the more popular languages (and some for the less popular), or you can create your own library to communicate to the API. Ryan On Thu, Nov 12, 2009 at 3:09 AM, albana tejashree1@gmail.com wrote: Hi everybody! I am about to develop a twitter application and I am stuck with starting the development of the application. How should I connect my application with a twitter api?
[twitter-dev] Re: .NET Class for handling Twitter Updates and Rate Checks
You are supposed to post it on a code repository site (like CodePlex or Google Code), then post a link to it here. Nobody wants 300 lines of code in their emails. Ryan On Thu, Nov 12, 2009 at 2:03 PM, ch...@stuffworldwide.com ch...@stuffworldwide.com wrote: I sent it to the twitter people to post on their site but they asked me to post here as well... I was like... okay On Nov 10, 5:53 pm, Andrew Badera and...@badera.us wrote: I for one tend to prefer Google Code or Code Plex for posting lengthy chunks of code intended for resharing ... Also, LinqToTwitter is a pretty solid reference implementation ... FWIW. (Not affiliated, just a user.) ∞ Andy Badera ∞ +1 518-641-1280 Google Voice ∞ This email is: [ ] bloggable [x] ask first [ ] private ∞ Google me:http://www.google.com/search?q=andrew%20badera On Tue, Nov 10, 2009 at 5:49 PM, ch...@stuffworldwide.com ch...@stuffworldwide.com wrote: Not many .NET examples out there... here it is... have fun...

    using System;
    using System.Text;
    using System.Net;
    using System.IO;
    using System.Xml;

    namespace Tweeter
    {
        public class TwitterTools
        {
            #region Members
            #endregion

            public TwitterTools() { this.Initialize(); }

            public TwitterTools(string userName, string password)
            {
                this.UserName = userName;
                this.Password = password;
                this.Initialize();
            }

            private void Initialize() { }

            public void Dispose() { }

            #region Properties
            public string UserName = null;
            public string Password = null;
            #endregion

            #region Methods
            // Returns 1 when the update is posted, 0 when the post fails,
            // 2 when the rate-limit check fails or no hits remain.
            public int Update(string message)
            {
                int retval = 0;
                string code = null;
                string url = "http://twitter.com/account/rate_limit_status.xml"; //gen.Get(twitterRateService);
                string result = null;
                try
                {
                    result = this.Request(url + "?", null, "GET");
                    // gen.Test(result);
                }
                catch { result = null; }

                if (result == null) retval = 2;
                else
                {
                    //parse results
                    try
                    {
                        XmlDocument doc = new XmlDocument();
                        doc.LoadXml(result);
                        XmlNodeList nodes = doc.SelectNodes("/hash/remaining-hits");
                        int remaining = System.Convert.ToInt32(nodes[0].InnerText);
                        if (remaining <= 0) retval = 2; // no API hits left
                        nodes = null;
                        doc = null;
                    }
                    catch { retval = 2; }

                    if (retval != 2)
                    {
                        StringBuilder txt = new StringBuilder();
                        txt.Append("status=");
                        // Escape the text so '&' or '=' in it cannot alter the form body.
                        txt.Append(Uri.EscapeDataString(message));
                        code = txt.ToString();
                        try
                        {
                            string ret = this.Request("http://twitter.com/statuses/update.xml" //gen.Get(twitterUpdateService)
                                , code);
                            if (ret != null) retval = 1;
                            else retval = 0;
                        }
                        catch { retval = 0; }
                    }
                }
                return retval;
            }

            private string Request(string url, string code)
            {
                return this.Request(url, code, "POST");
            }

            private string Request(string url, string code, string method)
            {
                byte[] bytes = null;
                if (code != null)
[twitter-dev] Re: OAuth from the Browser
There are no app-specific servers. With OAuth, instead of passing user credentials, you use YOUR consumer key and consumer secret which identifies your application. You get an access token after the user has allowed your application to have access to their account. You will then use that access token, your consumer secret, and your consumer key to make the requests to the API. Ryan On Sat, Nov 7, 2009 at 8:13 AM, Harshad RJ harshad...@gmail.com wrote: Hi, I am trying to wrap my mind around OAuth, and I am not sure I understand the subtleties. Is it possible to make OAuth authenticated requests from browser *directly* to the Twitter API? Is it a safe recommended way? Or do all API requests have to go through an application-specific server, to keep the credentials a secret? My hunch is that yes, an app-specific server would be required. But in that case, how do desktop-clients manage it? Or do they also route the calls through an intermediary? thanks in advance, -- Harshad RJ http://hrj.wikidot.com
[twitter-dev] Re: Handoff of Token's Between Apps
The user should authorize both applications. Yes, you can store the token and secret. That's what most apps do. On Oct 30, 2009, at 3:15 AM, YCBM youcannotb...@gmail.com wrote: Hi All, New to Twitter oAuth. We're building an app which will use the oAuth system vs. basic auth. As we're hoping that our app will be integrated into other Twitter apps that support oAuth, is there a way that if a user is authenticated by signing into the original app that they can hand that off that authorization to my app? After processing some data, we send back an XML response to the calling app. Does the user need to give permission to our app separately? Also, we're using Abraham's twitteroauth as a starting point which seems to work well. Can the token and secret be stored for that user or is that a security concern? Thanks ycbm
[twitter-dev] Re: Automated Tweets
Twitter recently implemented logic to stop the ability of duplicate tweets. I can't remember if it was ever released what the time period is. On Oct 28, 2009, at 7:24 AM, Greg gregory.av...@gmail.com wrote: Hello, I have an application that sends out a Tweet when a user Authorizes the Application and asks a Question to a particular user. Does Twitter block continuous sending out of a Tweet within a time period? I am doing testing of the application and whenever I try to do an Update Status - it returns the ID of the last Tweet that I made from the account. Did my Consumer Key/Consumer Key get blocked, or will Twitter not allow the same tweet to be posted in a certain time period? Greg
[twitter-dev] Re: user+password
You are not required. I just used this API method without credentials. http://twitter.com/statuses/user_timeline/[InsertScreenNameHere].xml No credentials needed. Some API methods do require you to be authenticated, but some do not. You can view the methods at http://apiwiki.twitter.com/Twitter-API-Documentation and it will tell you if you have to be authenticated to do the method. Ryan On Wed, Oct 28, 2009 at 3:17 PM, Abava dnam...@gmail.com wrote: and why do we need user name+password just for reading something from the public list? E.g. just read members id's, read statuses etc. Why it is password protected?
[twitter-dev] Re: Find username/screenname through email addresses
No, and don't expect it to ever be available. On Oct 27, 2009, at 6:51 AM, dhaval dhaval.parik...@gmail.com wrote: Hey all Is it possible to find the screen name of a twitter user from an email address? Say suppose an email address is a...@abc.com then what is the corresponding screen name of the user with that email id if there exists a registered user with that email. Please let me know if there is any way to find that out. Thanks