[twitter-dev] Re: Issues getting started with xAuth

2010-05-14 Thread DWF
SOLVED!

The moral of the story is to keep your nonce values SIMPLE.

We were generating a random value:

  Base64.encode('1:' + counter++ + ':' + random + Date.now());

which most of the time resulted in a string that contained an equals
sign character, which then gets urlencoded to %3D.

It appears the % character was confusing the server and so we kept
getting 401s.

Our solution is to make a simpler, non-Base64-encoded nonce. NO
PERCENTS!!!  And all is now well.

-dwf
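An added example, not code from the thread: the base string quoted further down carries the nonce's trailing `=` as `%3D`, whereas OAuth 1.0 percent-encodes each parameter value before the joined parameter string is encoded again, which yields `%253D`. The sketch builds both forms from the thread's parameters and shows that a hex-only nonce makes them identical; `EXAMPLE_SECRET` and all function names are assumptions.

```javascript
const crypto = require('crypto');

// OAuth 1.0 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay literal.
function percentEncode(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Correct base string: encode every key and value, sort, join with '&',
// then encode the joined string again ('=' in a value ends up as %253D).
function baseString(method, url, params) {
  const joined = Object.keys(params)
    .map(k => [percentEncode(k), percentEncode(params[k])])
    .sort((a, b) => (a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : 0))
    .map(([k, v]) => `${k}=${v}`).join('&');
  return [method.toUpperCase(), percentEncode(url), percentEncode(joined)].join('&');
}

// Under-encoded variant, kept for comparison: values are joined raw, so the
// single outer pass leaves '=' in a value as %3D.
function baseStringUnderEncoded(method, url, params) {
  const joined = Object.keys(params).sort().map(k => `${k}=${params[k]}`).join('&');
  return [method.toUpperCase(), percentEncode(url), percentEncode(joined)].join('&');
}

// HMAC-SHA1 over the base string, keyed with "consumerSecret&tokenSecret".
function sign(base, consumerSecret, tokenSecret = '') {
  const key = `${percentEncode(consumerSecret)}&${percentEncode(tokenSecret)}`;
  return crypto.createHmac('sha1', key).update(base).digest('base64');
}

// Nonce made of hex digits only: both variants above encode it identically.
function hexNonce(bytes = 16) {
  return crypto.randomBytes(bytes).toString('hex');
}

// Request parameters as quoted in the thread; the secret is a placeholder.
const ENDPOINT = 'https://api.twitter.com/oauth/access_token';
const THREAD_NONCE = 'MTowOjk1NDE2ODEyNzM2ODY1OTM4Mjc='; // %3D decoded to '='
const EXAMPLE_SECRET = 'EXAMPLE_CONSUMER_SECRET';
function xauthParams(nonce) {
  return {
    oauth_consumer_key: 'WFKpuxJsIdVbesPtUAN6w', oauth_nonce: nonce,
    oauth_signature_method: 'HMAC-SHA1', oauth_timestamp: '1273686593',
    oauth_version: '1.0', x_auth_mode: 'client_auth',
    x_auth_password: 'X', x_auth_username: 'X',
  };
}

console.log(baseString('POST', ENDPOINT, xauthParams(THREAD_NONCE)));
```

In the `Authorization` header the same nonce is encoded once (`%3D`); the server decodes it and rebuilds the base string, so only the double-encoded form produces a matching signature.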



On May 12, 3:30 pm, DWF dwfr...@pivotallabs.com wrote:
 Taylor:  Here's what we're sending now.  The signature looks like the
 correct length.  But we're getting the same error.

 POST /oauth/access_token HTTP/1.1
 Host: api.twitter.com
 Authorization: OAuth oauth_signature_method=HMAC-SHA1,
 oauth_nonce=MToxOjQyOTY0NzEyNzM3MDMzMzQwMTU%3D,
 oauth_timestamp=1273703334,
 oauth_consumer_key=WFKpuxJsIdVbesPtUAN6w, oauth_version=1.0,
 oauth_signature=NU%2BLWGJ7lDm2DmPYKkT8P45YsZA%3D
 Accept: application/json
 Content-Length: 93
 Content-Type: application/x-www-form-urlencoded

 x%5Fauth%5Fusername=X&x%5Fauth%5Fpassword=X&x%5Fauth
 %5Fmode=client%5Fauth

 HTTP/1.1 401 Unauthorized
 Date: Wed, 12 May 2010 22:29:11 GMT
 Server: hi
 Status: 401 Unauthorized
 X-Transaction: 1273703351-32476-1016
 Last-Modified: Wed, 12 May 2010 22:29:11 GMT
 X-Runtime: 0.01211
 Content-Type: text/html; charset=utf-8
 Content-Length: 44
 Pragma: no-cache
 X-Revision: DEV
 Expires: Tue, 31 Mar 1981 05:00:00 GMT
 Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-
 check=0
 Set-Cookie: k=74.207.226.80.1273703350241947; path=/; expires=Wed, 19-
 May-10 22:29:10 GMT; domain=.twitter.com
 Set-Cookie: guest_id=127370335144417010; path=/; expires=Fri, 11 Jun
 2010 22:29:11 GMT
 Set-Cookie:
 _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCJXEoo4oAToRdHJhbnNfcHJvbXB0MDoHaWQi
 %250AJWUwNmRiODNlMDlmY2FhNzk3YTE1YWNlODFiMzllZDVjIgpmbGFzaElDOidB
 %250AY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--
 a76c125e0d8422759ab95667e37db1decdc56861; domain=.twitter.com; path=/
 Vary: Accept-Encoding
 Connection: close

 Failed to validate oauth signature and token

 On May 12, 2:56 pm, DWF dwfr...@pivotallabs.com wrote:



  It turns out that we have a base64 encoding problem, which means our
  signature actually is bad.

  Working on it now.

  --dwf

  On May 12, 1:06 pm, DWF dwfr...@pivotallabs.com wrote:

   We just coded up a simple Ruby script to make the same request,
   building our post body by hand into a string to ensure the escaping
   (or not) of the params.

   So we know that going into Net::HTTP the underscores are underscores
   and NOT %5F's.

   Same response from the server.

   --dwf

   On May 12, 11:14 am, Taylor Singletary taylorsinglet...@twitter.com
   wrote:

Just eyeballing this: your POST body is over-URL encoded. Your POST body
should be simply:
x_auth_username=X&x_auth_password=X&x_auth_mode=client_auth

But the values of each key should be URL escaped (so if there's an email
address, username, or password with non-URL safe characters, they would be
URL encoded -- and double URL encoded in your signature base string)

Otherwise, at first glance anyway, this looks pretty close to right.

Taylor Singletary
Developer Advocate, Twitter http://twitter.com/episod

On Wed, May 12, 2010 at 10:58 AM, DWF dwfr...@pivotallabs.com wrote:
 We're trying this out now & think we're approved.  But we're still
 seeing 401s when requesting a user token.

 (username & password hidden with XX below)

 Here's our base string:

 POST&https%3A%2F%2Fapi.twitter.com%2Foauth
 %2Faccess_token&oauth_consumer_key%3DWFKpuxJsIdVbesPtUAN6w
 %26oauth_nonce%3DMTowOjk1NDE2ODEyNzM2ODY1OTM4Mjc%3D
 %26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp
 %3D1273686593%26oauth_version%3D1.0%26x_auth_mode%3Dclient_auth
 %26x_auth_password%3DX%26x_auth_username%3DX

 Here's our POST (using hurl.it as it looks like twurl doesn't support
 this API endpoint yet):

 -
 POST /oauth/access_token HTTP/1.1
 Host: api.twitter.com
 Authorization: OAuth oauth_signature_method=HMAC-SHA1,
 oauth_nonce=MToxOjEyMzcxNzEyNzM2ODY1OTM4Mjc%3D,
 oauth_timestamp=1273686593,
 oauth_consumer_key=WFKpuxJsIdVbesPtUAN6w, oauth_version=1.0,
 oauth_signature=4f23193590c2b66c5ea23ce5deae9c767998a902
 Accept: application/json
 Content-Length: 93
 Content-Type: application/x-www-form-urlencoded

 x%5Fauth%5Fusername=X&x%5Fauth%5Fpassword=X&x%5Fauth
 %5Fmode=client%5Fauth

 -

 And we're getting this response (sad panda):

 -
 HTTP/1.1 401 Unauthorized
 Date: Wed, 12 May 2010 17:52:11 GMT
 Server: hi
 Status: 401 Unauthorized
 X-Transaction: 1273686731-92894-17698
 Last-Modified: Wed, 12 May 2010 17:52:11 GMT
 X-Runtime: 0.03752
 Content-Type: text/html; charset=utf-8
 

[twitter-dev] Re: Issues getting started with xAuth

2010-05-12 Thread DWF
We just coded up a simple Ruby script to make the same request,
building our post body by hand into a string to ensure the escaping
(or not) of the params.

So we know that going into Net::HTTP the underscores are underscores
and NOT %5F's.

Same response from the server.

--dwf



On May 12, 11:14 am, Taylor Singletary taylorsinglet...@twitter.com
wrote:
 Just eyeballing this: your POST body is over-URL encoded. Your POST body
 should be simply:
 x_auth_username=X&x_auth_password=X&x_auth_mode=client_auth

 But the values of each key should be URL escaped (so if there's an email
 address, username, or password with non-URL safe characters, they would be
 URL encoded -- and double URL encoded in your signature base string)

 Otherwise, at first glance anyway, this looks pretty close to right.

 Taylor Singletary
 Developer Advocate, Twitter http://twitter.com/episod



 On Wed, May 12, 2010 at 10:58 AM, DWF dwfr...@pivotallabs.com wrote:
  We're trying this out now & think we're approved.  But we're still
  seeing 401s when requesting a user token.

  (username & password hidden with XX below)

  Here's our base string:

  POST&https%3A%2F%2Fapi.twitter.com%2Foauth
  %2Faccess_token&oauth_consumer_key%3DWFKpuxJsIdVbesPtUAN6w
  %26oauth_nonce%3DMTowOjk1NDE2ODEyNzM2ODY1OTM4Mjc%3D
  %26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp
  %3D1273686593%26oauth_version%3D1.0%26x_auth_mode%3Dclient_auth
  %26x_auth_password%3DX%26x_auth_username%3DX

  Here's our POST (using hurl.it as it looks like twurl doesn't support
  this API endpoint yet):

  -
  POST /oauth/access_token HTTP/1.1
  Host: api.twitter.com
  Authorization: OAuth oauth_signature_method=HMAC-SHA1,
  oauth_nonce=MToxOjEyMzcxNzEyNzM2ODY1OTM4Mjc%3D,
  oauth_timestamp=1273686593,
  oauth_consumer_key=WFKpuxJsIdVbesPtUAN6w, oauth_version=1.0,
  oauth_signature=4f23193590c2b66c5ea23ce5deae9c767998a902
  Accept: application/json
  Content-Length: 93
  Content-Type: application/x-www-form-urlencoded

  x%5Fauth%5Fusername=X&x%5Fauth%5Fpassword=X&x%5Fauth
  %5Fmode=client%5Fauth

  -

  And we're getting this response (sad panda):

  -
  HTTP/1.1 401 Unauthorized
  Date: Wed, 12 May 2010 17:52:11 GMT
  Server: hi
  Status: 401 Unauthorized
  X-Transaction: 1273686731-92894-17698
  Last-Modified: Wed, 12 May 2010 17:52:11 GMT
  X-Runtime: 0.03752
  Content-Type: text/html; charset=utf-8
  Content-Length: 44
  Pragma: no-cache
  X-Revision: DEV
  Expires: Tue, 31 Mar 1981 05:00:00 GMT
  Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-
  check=0
  Set-Cookie: k=74.207.226.80.1273686729321903; path=/; expires=Wed, 19-
  May-10 17:52:09 GMT; domain=.twitter.com
  Set-Cookie: guest_id=127368673134928431; path=/; expires=Fri, 11 Jun
  2010 17:52:11 GMT
  Set-Cookie:
  _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCFUqpY0oAToRdHJhbnNfcHJvbXB0MDoHaWQi
  %250AJTc1OGJjN2ZjODIwYWNhYzY3NjJlZGQzYWFjNTFlYmEyIgpmbGFzaElDOidB
  %250AY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--
  ab999812f9cfb9a01a8095a2e3d0f84fd9c1e0d7; domain=.twitter.com; path=/
  Vary: Accept-Encoding
  Connection: close

  Failed to validate oauth signature and token

  

  This look familiar to anyone?

  Thanks,
  --dwf


[twitter-dev] Re: Issues getting started with xAuth

2010-05-12 Thread DWF
It turns out that we have a base64 encoding problem, which means our
signature actually is bad.

Working on it now.

--dwf

On May 12, 1:06 pm, DWF dwfr...@pivotallabs.com wrote:
 We just coded up a simple Ruby script to make the same request,
 building our post body by hand into a string to ensure the escaping
 (or not) of the params.

 So we know that going into Net::HTTP the underscores are underscores
 and NOT %5F's.

 Same response from the server.

 --dwf

 On May 12, 11:14 am, Taylor Singletary taylorsinglet...@twitter.com
 wrote:



  Just eyeballing this: your POST body is over-URL encoded. Your POST body
  should be simply:
  x_auth_username=X&x_auth_password=X&x_auth_mode=client_auth

  But the values of each key should be URL escaped (so if there's an email
  address, username, or password with non-URL safe characters, they would be
  URL encoded -- and double URL encoded in your signature base string)

  Otherwise, at first glance anyway, this looks pretty close to right.

  Taylor Singletary
  Developer Advocate, Twitter http://twitter.com/episod

  On Wed, May 12, 2010 at 10:58 AM, DWF dwfr...@pivotallabs.com wrote:
   We're trying this out now & think we're approved.  But we're still
   seeing 401s when requesting a user token.

   (username & password hidden with XX below)

   Here's our base string:

   POST&https%3A%2F%2Fapi.twitter.com%2Foauth
   %2Faccess_token&oauth_consumer_key%3DWFKpuxJsIdVbesPtUAN6w
   %26oauth_nonce%3DMTowOjk1NDE2ODEyNzM2ODY1OTM4Mjc%3D
   %26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp
   %3D1273686593%26oauth_version%3D1.0%26x_auth_mode%3Dclient_auth
   %26x_auth_password%3DX%26x_auth_username%3DX

   Here's our POST (using hurl.it as it looks like twurl doesn't support
   this API endpoint yet):

   -
   POST /oauth/access_token HTTP/1.1
   Host: api.twitter.com
   Authorization: OAuth oauth_signature_method=HMAC-SHA1,
   oauth_nonce=MToxOjEyMzcxNzEyNzM2ODY1OTM4Mjc%3D,
   oauth_timestamp=1273686593,
   oauth_consumer_key=WFKpuxJsIdVbesPtUAN6w, oauth_version=1.0,
   oauth_signature=4f23193590c2b66c5ea23ce5deae9c767998a902
   Accept: application/json
   Content-Length: 93
   Content-Type: application/x-www-form-urlencoded

   x%5Fauth%5Fusername=X&x%5Fauth%5Fpassword=X&x%5Fauth
   %5Fmode=client%5Fauth

   -

   And we're getting this response (sad panda):

   -
   HTTP/1.1 401 Unauthorized
   Date: Wed, 12 May 2010 17:52:11 GMT
   Server: hi
   Status: 401 Unauthorized
   X-Transaction: 1273686731-92894-17698
   Last-Modified: Wed, 12 May 2010 17:52:11 GMT
   X-Runtime: 0.03752
   Content-Type: text/html; charset=utf-8
   Content-Length: 44
   Pragma: no-cache
   X-Revision: DEV
   Expires: Tue, 31 Mar 1981 05:00:00 GMT
   Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-
   check=0
   Set-Cookie: k=74.207.226.80.1273686729321903; path=/; expires=Wed, 19-
   May-10 17:52:09 GMT; domain=.twitter.com
   Set-Cookie: guest_id=127368673134928431; path=/; expires=Fri, 11 Jun
   2010 17:52:11 GMT
   Set-Cookie:
   _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCFUqpY0oAToRdHJhbnNfcHJvbXB0MDoHaWQi
   %250AJTc1OGJjN2ZjODIwYWNhYzY3NjJlZGQzYWFjNTFlYmEyIgpmbGFzaElDOidB
   %250AY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--
   ab999812f9cfb9a01a8095a2e3d0f84fd9c1e0d7; domain=.twitter.com; path=/
   Vary: Accept-Encoding
   Connection: close

   Failed to validate oauth signature and token

   

   This look familiar to anyone?

   Thanks,
   --dwf


[twitter-dev] Re: Issues getting started with xAuth

2010-05-12 Thread DWF
Taylor:  Here's what we're sending now.  The signature looks like the
correct length.  But we're getting the same error.

POST /oauth/access_token HTTP/1.1
Host: api.twitter.com
Authorization: OAuth oauth_signature_method=HMAC-SHA1,
oauth_nonce=MToxOjQyOTY0NzEyNzM3MDMzMzQwMTU%3D,
oauth_timestamp=1273703334,
oauth_consumer_key=WFKpuxJsIdVbesPtUAN6w, oauth_version=1.0,
oauth_signature=NU%2BLWGJ7lDm2DmPYKkT8P45YsZA%3D
Accept: application/json
Content-Length: 93
Content-Type: application/x-www-form-urlencoded

x%5Fauth%5Fusername=X&x%5Fauth%5Fpassword=X&x%5Fauth
%5Fmode=client%5Fauth

HTTP/1.1 401 Unauthorized
Date: Wed, 12 May 2010 22:29:11 GMT
Server: hi
Status: 401 Unauthorized
X-Transaction: 1273703351-32476-1016
Last-Modified: Wed, 12 May 2010 22:29:11 GMT
X-Runtime: 0.01211
Content-Type: text/html; charset=utf-8
Content-Length: 44
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-
check=0
Set-Cookie: k=74.207.226.80.1273703350241947; path=/; expires=Wed, 19-
May-10 22:29:10 GMT; domain=.twitter.com
Set-Cookie: guest_id=127370335144417010; path=/; expires=Fri, 11 Jun
2010 22:29:11 GMT
Set-Cookie:
_twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCJXEoo4oAToRdHJhbnNfcHJvbXB0MDoHaWQi
%250AJWUwNmRiODNlMDlmY2FhNzk3YTE1YWNlODFiMzllZDVjIgpmbGFzaElDOidB
%250AY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--
a76c125e0d8422759ab95667e37db1decdc56861; domain=.twitter.com; path=/
Vary: Accept-Encoding
Connection: close

Failed to validate oauth signature and token









On May 12, 2:56 pm, DWF dwfr...@pivotallabs.com wrote:
 It turns out that we have a base64 encoding problem, which means our
 signature actually is bad.

 Working on it now.

 --dwf

 On May 12, 1:06 pm, DWF dwfr...@pivotallabs.com wrote:



  We just coded up a simple Ruby script to make the same request,
  building our post body by hand into a string to ensure the escaping
  (or not) of the params.

  So we know that going into Net::HTTP the underscores are underscores
  and NOT %5F's.

  Same response from the server.

  --dwf

  On May 12, 11:14 am, Taylor Singletary taylorsinglet...@twitter.com
  wrote:

   Just eyeballing this: your POST body is over-URL encoded. Your POST body
   should be simply:
   x_auth_username=X&x_auth_password=X&x_auth_mode=client_auth

   But the values of each key should be URL escaped (so if there's an email
   address, username, or password with non-URL safe characters, they would be
   URL encoded -- and double URL encoded in your signature base string)

   Otherwise, at first glance anyway, this looks pretty close to right.

   Taylor Singletary
   Developer Advocate, Twitter http://twitter.com/episod

   On Wed, May 12, 2010 at 10:58 AM, DWF dwfr...@pivotallabs.com wrote:
We're trying this out now & think we're approved.  But we're still
seeing 401s when requesting a user token.

(username & password hidden with XX below)

Here's our base string:

POST&https%3A%2F%2Fapi.twitter.com%2Foauth
%2Faccess_token&oauth_consumer_key%3DWFKpuxJsIdVbesPtUAN6w
%26oauth_nonce%3DMTowOjk1NDE2ODEyNzM2ODY1OTM4Mjc%3D
%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp
%3D1273686593%26oauth_version%3D1.0%26x_auth_mode%3Dclient_auth
%26x_auth_password%3DX%26x_auth_username%3DX

Here's our POST (using hurl.it as it looks like twurl doesn't support
this API endpoint yet):

-
POST /oauth/access_token HTTP/1.1
Host: api.twitter.com
Authorization: OAuth oauth_signature_method=HMAC-SHA1,
oauth_nonce=MToxOjEyMzcxNzEyNzM2ODY1OTM4Mjc%3D,
oauth_timestamp=1273686593,
oauth_consumer_key=WFKpuxJsIdVbesPtUAN6w, oauth_version=1.0,
oauth_signature=4f23193590c2b66c5ea23ce5deae9c767998a902
Accept: application/json
Content-Length: 93
Content-Type: application/x-www-form-urlencoded

x%5Fauth%5Fusername=X&x%5Fauth%5Fpassword=X&x%5Fauth
%5Fmode=client%5Fauth

-

And we're getting this response (sad panda):

-
HTTP/1.1 401 Unauthorized
Date: Wed, 12 May 2010 17:52:11 GMT
Server: hi
Status: 401 Unauthorized
X-Transaction: 1273686731-92894-17698
Last-Modified: Wed, 12 May 2010 17:52:11 GMT
X-Runtime: 0.03752
Content-Type: text/html; charset=utf-8
Content-Length: 44
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-
check=0
Set-Cookie: k=74.207.226.80.1273686729321903; path=/; expires=Wed, 19-
May-10 17:52:09 GMT; domain=.twitter.com
Set-Cookie: guest_id=127368673134928431; path=/; expires=Fri, 11 Jun
2010 17:52:11 GMT
Set-Cookie:
_twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCFUqpY0oAToRdHJhbnNfcHJvbXB0MDoHaWQi
%250AJTc1OGJjN2ZjODIwYWNhYzY3NjJlZGQzYWFjNTFlYmEyIgpmbGFzaElDOidB
%250AY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--