[twitter-dev] Re: Issues getting started with xAuth
SOLVED!

The moral of the story is to keep your nonce values SIMPLE.

We were generating a random value:

Base64.encode('1:' + counter++ + ':' + random + Date.now());

which most of the time resulted in a string that contained an equals sign character, which then gets urlencoded to %3D.

It appears the % character was confusing the server and so we kept getting 401s.

Our solution is to make a simpler, non-Base64-encoded nonce. NO PERCENTS!!!

And all is now well.

-dwf

On May 12, 3:30 pm, DWF dwfr...@pivotallabs.com wrote:

Taylor:

Here's what we're sending now. The signature looks like the correct length. But we're getting the same error.

POST /oauth/access_token HTTP/1.1
Host: api.twitter.com
Authorization: OAuth oauth_signature_method=HMAC-SHA1, oauth_nonce=MToxOjQyOTY0NzEyNzM3MDMzMzQwMTU%3D, oauth_timestamp=1273703334, oauth_consumer_key=WFKpuxJsIdVbesPtUAN6w, oauth_version=1.0, oauth_signature=NU%2BLWGJ7lDm2DmPYKkT8P45YsZA%3D
Accept: application/json
Content-Length: 93
Content-Type: application/x-www-form-urlencoded

x%5Fauth%5Fusername=Xx%5Fauth%5Fpassword=Xx%5Fauth
%5Fmode=client%5Fauth

HTTP/1.1 401 Unauthorized
Date: Wed, 12 May 2010 22:29:11 GMT
Server: hi
Status: 401 Unauthorized
X-Transaction: 1273703351-32476-1016
Last-Modified: Wed, 12 May 2010 22:29:11 GMT
X-Runtime: 0.01211
Content-Type: text/html; charset=utf-8
Content-Length: 44
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-
check=0
Set-Cookie: k=74.207.226.80.1273703350241947; path=/; expires=Wed, 19-
May-10 22:29:10 GMT; domain=.twitter.com
Set-Cookie: guest_id=127370335144417010; path=/; expires=Fri, 11 Jun 2010 22:29:11 GMT
Set-Cookie: _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCJXEoo4oAToRdHJhbnNfcHJvbXB0MDoHaWQi
%250AJWUwNmRiODNlMDlmY2FhNzk3YTE1YWNlODFiMzllZDVjIgpmbGFzaElDOidB
%250AY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--
a76c125e0d8422759ab95667e37db1decdc56861; domain=.twitter.com; path=/
Vary: Accept-Encoding
Connection: close

Failed to validate oauth signature and token

On May 12, 2:56 pm, DWF dwfr...@pivotallabs.com wrote:

It turns out that we have a base64 encoding problem, which means our signature actually is bad.

Working on it now.

--dwf

On May 12, 1:06 pm, DWF dwfr...@pivotallabs.com wrote:

We just coded up a simple Ruby script to make the same request, building our post body by hand into a string to ensure the escaping (or not) of the params.

So we know that going into Net::HTTP the underscores are underscores and NOT %5F's.

Same response from the server.

--dwf

On May 12, 11:14 am, Taylor Singletary taylorsinglet...@twitter.com wrote:

Just eyeballing this: your POST body is over-URL encoded.

Your POST body should be simply:

x_auth_username=Xx_auth_password=Xx_auth_mode=client_auth

But the values of each key should be URL escaped (so if there's an email address, username, or password with non-URL safe characters, they would be URL encoded -- and double URL encoded in your signature base string)

Otherwise, at first glance anyway, this looks pretty close to right.

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod

On Wed, May 12, 2010 at 10:58 AM, DWF dwfr...@pivotallabs.com wrote:

We're trying this out now think we're approved. But we're still seeing 401s when requesting a user token.

(username password hidden with XX below)

Here's our base string:

POSThttps%3A%2F%2Fapi.twitter.com%2Foauth
%2Faccess_tokenoauth_consumer_key%3DWFKpuxJsIdVbesPtUAN6w
%26oauth_nonce%3DMTowOjk1NDE2ODEyNzM2ODY1OTM4Mjc%3D
%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp
%3D1273686593%26oauth_version%3D1.0%26x_auth_mode%3Dclient_auth
%26x_auth_password%3DX%26x_auth_username%3DX

Here's our POST (using hurl.it as it looks like twurl doesn't support this API endpoint yet):

-
POST /oauth/access_token HTTP/1.1
Host: api.twitter.com
Authorization: OAuth oauth_signature_method=HMAC-SHA1, oauth_nonce=MToxOjEyMzcxNzEyNzM2ODY1OTM4Mjc%3D, oauth_timestamp=1273686593, oauth_consumer_key=WFKpuxJsIdVbesPtUAN6w, oauth_version=1.0, oauth_signature=4f23193590c2b66c5ea23ce5deae9c767998a902
Accept: application/json
Content-Length: 93
Content-Type: application/x-www-form-urlencoded

x%5Fauth%5Fusername=Xx%5Fauth%5Fpassword=Xx%5Fauth
%5Fmode=client%5Fauth
-

And we're getting this response (sad panda):

-
HTTP/1.1 401 Unauthorized
Date: Wed, 12 May 2010 17:52:11 GMT
Server: hi
Status: 401 Unauthorized
X-Transaction: 1273686731-92894-17698
Last-Modified: Wed, 12 May 2010 17:52:11 GMT
X-Runtime: 0.03752
Content-Type: text/html; charset=utf-8
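
The encoding rules this thread turns on (percent-encode once in the Authorization header, twice in the signature base string, Base64 rather than hex for the HMAC-SHA1 digest), as an added Ruby example that is not code from any poster. The consumer key, secret, credentials and nonce are constructed placeholders; only the endpoint URL and timestamp come from the thread.

```ruby
require "openssl"

# RFC 3986 percent-encoding as OAuth 1.0 uses it: only A-Z a-z 0-9 - . _ ~ stay literal.
def pct(value)
  value.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |byte| format("%%%02X", byte.ord) }
end

# Base string: METHOD & encoded URL & encoded parameter string. Keys and values
# are encoded once, sorted and joined, then the joined string is encoded again,
# so a "=" inside a value appears as %253D here.
def signature_base_string(method, url, params)
  normalized = params.map { |k, v| [pct(k), pct(v)] }.sort
                     .map { |k, v| "#{k}=#{v}" }.join("&")
  [method.upcase, pct(url), pct(normalized)].join("&")
end

# HMAC-SHA1 keyed with "consumer_secret&token_secret" (token secret assumed
# empty: no token exists yet at this step), emitted as Base64 of the raw
# digest, not its hex form.
def sign(base_string, consumer_secret, token_secret = "")
  key = "#{pct(consumer_secret)}&#{pct(token_secret)}"
  digest = OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA1"), key, base_string)
  [digest].pack("m0") # "m0" = Base64 without line breaks
end

# Authorization header: every value percent-encoded exactly once.
def authorization_header(oauth_params)
  "OAuth " + oauth_params.map { |k, v| %(#{pct(k)}="#{pct(v)}") }.join(", ")
end

# Constructed sample request: key, secret and credentials are placeholders.
def demo(nonce)
  oauth = {
    "oauth_consumer_key" => "EXAMPLE_CONSUMER_KEY",
    "oauth_nonce" => nonce,
    "oauth_signature_method" => "HMAC-SHA1",
    "oauth_timestamp" => "1273686593",
    "oauth_version" => "1.0"
  }
  body = { "x_auth_mode" => "client_auth", "x_auth_password" => "p@ss word",
           "x_auth_username" => "user@example.com" }
  url = "https://api.twitter.com/oauth/access_token"
  base = signature_base_string("POST", url, oauth.merge(body))
  signature = sign(base, "EXAMPLE_CONSUMER_SECRET")
  { base: base, signature: signature,
    header: authorization_header(oauth.merge("oauth_signature" => signature)) }
end
```

Calling `demo` with a Base64-style nonce ending in `=` and with a plain alphanumeric nonce shows the difference: the first carries `%3D` in the header and `%253D` in the base string, the second needs no escaping at either layer.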
[twitter-dev] Re: Issues getting started with xAuth
We just coded up a simple Ruby script to make the same request, building our post body by hand into a string to ensure the escaping (or not) of the params.

So we know that going into Net::HTTP the underscores are underscores and NOT %5F's.

Same response from the server.

--dwf

On May 12, 11:14 am, Taylor Singletary taylorsinglet...@twitter.com wrote:

Just eyeballing this: your POST body is over-URL encoded.

Your POST body should be simply:

x_auth_username=Xx_auth_password=Xx_auth_mode=client_auth

But the values of each key should be URL escaped (so if there's an email address, username, or password with non-URL safe characters, they would be URL encoded -- and double URL encoded in your signature base string)

Otherwise, at first glance anyway, this looks pretty close to right.

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod

On Wed, May 12, 2010 at 10:58 AM, DWF dwfr...@pivotallabs.com wrote:

We're trying this out now think we're approved. But we're still seeing 401s when requesting a user token.

(username password hidden with XX below)

Here's our base string:

POSThttps%3A%2F%2Fapi.twitter.com%2Foauth
%2Faccess_tokenoauth_consumer_key%3DWFKpuxJsIdVbesPtUAN6w
%26oauth_nonce%3DMTowOjk1NDE2ODEyNzM2ODY1OTM4Mjc%3D
%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp
%3D1273686593%26oauth_version%3D1.0%26x_auth_mode%3Dclient_auth
%26x_auth_password%3DX%26x_auth_username%3DX

Here's our POST (using hurl.it as it looks like twurl doesn't support this API endpoint yet):

-
POST /oauth/access_token HTTP/1.1
Host: api.twitter.com
Authorization: OAuth oauth_signature_method=HMAC-SHA1, oauth_nonce=MToxOjEyMzcxNzEyNzM2ODY1OTM4Mjc%3D, oauth_timestamp=1273686593, oauth_consumer_key=WFKpuxJsIdVbesPtUAN6w, oauth_version=1.0, oauth_signature=4f23193590c2b66c5ea23ce5deae9c767998a902
Accept: application/json
Content-Length: 93
Content-Type: application/x-www-form-urlencoded

x%5Fauth%5Fusername=Xx%5Fauth%5Fpassword=Xx%5Fauth
%5Fmode=client%5Fauth
-

And we're getting this response (sad panda):

-
HTTP/1.1 401 Unauthorized
Date: Wed, 12 May 2010 17:52:11 GMT
Server: hi
Status: 401 Unauthorized
X-Transaction: 1273686731-92894-17698
Last-Modified: Wed, 12 May 2010 17:52:11 GMT
X-Runtime: 0.03752
Content-Type: text/html; charset=utf-8
Content-Length: 44
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-
check=0
Set-Cookie: k=74.207.226.80.1273686729321903; path=/; expires=Wed, 19-
May-10 17:52:09 GMT; domain=.twitter.com
Set-Cookie: guest_id=127368673134928431; path=/; expires=Fri, 11 Jun 2010 17:52:11 GMT
Set-Cookie: _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCFUqpY0oAToRdHJhbnNfcHJvbXB0MDoHaWQi
%250AJTc1OGJjN2ZjODIwYWNhYzY3NjJlZGQzYWFjNTFlYmEyIgpmbGFzaElDOidB
%250AY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--
ab999812f9cfb9a01a8095a2e3d0f84fd9c1e0d7; domain=.twitter.com; path=/
Vary: Accept-Encoding
Connection: close

Failed to validate oauth signature and token

This look familiar to anyone?

Thanks,
--dwf
[twitter-dev] Re: Issues getting started with xAuth
It turns out that we have a base64 encoding problem, which means our signature actually is bad.

Working on it now.

--dwf

On May 12, 1:06 pm, DWF dwfr...@pivotallabs.com wrote:

We just coded up a simple Ruby script to make the same request, building our post body by hand into a string to ensure the escaping (or not) of the params.

So we know that going into Net::HTTP the underscores are underscores and NOT %5F's.

Same response from the server.

--dwf

On May 12, 11:14 am, Taylor Singletary taylorsinglet...@twitter.com wrote:

Just eyeballing this: your POST body is over-URL encoded.

Your POST body should be simply:

x_auth_username=Xx_auth_password=Xx_auth_mode=client_auth

But the values of each key should be URL escaped (so if there's an email address, username, or password with non-URL safe characters, they would be URL encoded -- and double URL encoded in your signature base string)

Otherwise, at first glance anyway, this looks pretty close to right.

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod

On Wed, May 12, 2010 at 10:58 AM, DWF dwfr...@pivotallabs.com wrote:

We're trying this out now think we're approved. But we're still seeing 401s when requesting a user token.

(username password hidden with XX below)

Here's our base string:

POSThttps%3A%2F%2Fapi.twitter.com%2Foauth
%2Faccess_tokenoauth_consumer_key%3DWFKpuxJsIdVbesPtUAN6w
%26oauth_nonce%3DMTowOjk1NDE2ODEyNzM2ODY1OTM4Mjc%3D
%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp
%3D1273686593%26oauth_version%3D1.0%26x_auth_mode%3Dclient_auth
%26x_auth_password%3DX%26x_auth_username%3DX

Here's our POST (using hurl.it as it looks like twurl doesn't support this API endpoint yet):

-
POST /oauth/access_token HTTP/1.1
Host: api.twitter.com
Authorization: OAuth oauth_signature_method=HMAC-SHA1, oauth_nonce=MToxOjEyMzcxNzEyNzM2ODY1OTM4Mjc%3D, oauth_timestamp=1273686593, oauth_consumer_key=WFKpuxJsIdVbesPtUAN6w, oauth_version=1.0, oauth_signature=4f23193590c2b66c5ea23ce5deae9c767998a902
Accept: application/json
Content-Length: 93
Content-Type: application/x-www-form-urlencoded

x%5Fauth%5Fusername=Xx%5Fauth%5Fpassword=Xx%5Fauth
%5Fmode=client%5Fauth
-

And we're getting this response (sad panda):

-
HTTP/1.1 401 Unauthorized
Date: Wed, 12 May 2010 17:52:11 GMT
Server: hi
Status: 401 Unauthorized
X-Transaction: 1273686731-92894-17698
Last-Modified: Wed, 12 May 2010 17:52:11 GMT
X-Runtime: 0.03752
Content-Type: text/html; charset=utf-8
Content-Length: 44
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-
check=0
Set-Cookie: k=74.207.226.80.1273686729321903; path=/; expires=Wed, 19-
May-10 17:52:09 GMT; domain=.twitter.com
Set-Cookie: guest_id=127368673134928431; path=/; expires=Fri, 11 Jun 2010 17:52:11 GMT
Set-Cookie: _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCFUqpY0oAToRdHJhbnNfcHJvbXB0MDoHaWQi
%250AJTc1OGJjN2ZjODIwYWNhYzY3NjJlZGQzYWFjNTFlYmEyIgpmbGFzaElDOidB
%250AY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--
ab999812f9cfb9a01a8095a2e3d0f84fd9c1e0d7; domain=.twitter.com; path=/
Vary: Accept-Encoding
Connection: close

Failed to validate oauth signature and token

This look familiar to anyone?

Thanks,
--dwf
[twitter-dev] Re: Issues getting started with xAuth
Taylor:

Here's what we're sending now. The signature looks like the correct length. But we're getting the same error.

POST /oauth/access_token HTTP/1.1
Host: api.twitter.com
Authorization: OAuth oauth_signature_method=HMAC-SHA1, oauth_nonce=MToxOjQyOTY0NzEyNzM3MDMzMzQwMTU%3D, oauth_timestamp=1273703334, oauth_consumer_key=WFKpuxJsIdVbesPtUAN6w, oauth_version=1.0, oauth_signature=NU%2BLWGJ7lDm2DmPYKkT8P45YsZA%3D
Accept: application/json
Content-Length: 93
Content-Type: application/x-www-form-urlencoded

x%5Fauth%5Fusername=Xx%5Fauth%5Fpassword=Xx%5Fauth
%5Fmode=client%5Fauth

HTTP/1.1 401 Unauthorized
Date: Wed, 12 May 2010 22:29:11 GMT
Server: hi
Status: 401 Unauthorized
X-Transaction: 1273703351-32476-1016
Last-Modified: Wed, 12 May 2010 22:29:11 GMT
X-Runtime: 0.01211
Content-Type: text/html; charset=utf-8
Content-Length: 44
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-
check=0
Set-Cookie: k=74.207.226.80.1273703350241947; path=/; expires=Wed, 19-
May-10 22:29:10 GMT; domain=.twitter.com
Set-Cookie: guest_id=127370335144417010; path=/; expires=Fri, 11 Jun 2010 22:29:11 GMT
Set-Cookie: _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCJXEoo4oAToRdHJhbnNfcHJvbXB0MDoHaWQi
%250AJWUwNmRiODNlMDlmY2FhNzk3YTE1YWNlODFiMzllZDVjIgpmbGFzaElDOidB
%250AY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--
a76c125e0d8422759ab95667e37db1decdc56861; domain=.twitter.com; path=/
Vary: Accept-Encoding
Connection: close

Failed to validate oauth signature and token

On May 12, 2:56 pm, DWF dwfr...@pivotallabs.com wrote:

It turns out that we have a base64 encoding problem, which means our signature actually is bad.

Working on it now.

--dwf

On May 12, 1:06 pm, DWF dwfr...@pivotallabs.com wrote:

We just coded up a simple Ruby script to make the same request, building our post body by hand into a string to ensure the escaping (or not) of the params.

So we know that going into Net::HTTP the underscores are underscores and NOT %5F's.

Same response from the server.

--dwf

On May 12, 11:14 am, Taylor Singletary taylorsinglet...@twitter.com wrote:

Just eyeballing this: your POST body is over-URL encoded.

Your POST body should be simply:

x_auth_username=Xx_auth_password=Xx_auth_mode=client_auth

But the values of each key should be URL escaped (so if there's an email address, username, or password with non-URL safe characters, they would be URL encoded -- and double URL encoded in your signature base string)

Otherwise, at first glance anyway, this looks pretty close to right.

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod

On Wed, May 12, 2010 at 10:58 AM, DWF dwfr...@pivotallabs.com wrote:

We're trying this out now think we're approved. But we're still seeing 401s when requesting a user token.

(username password hidden with XX below)

Here's our base string:

POSThttps%3A%2F%2Fapi.twitter.com%2Foauth
%2Faccess_tokenoauth_consumer_key%3DWFKpuxJsIdVbesPtUAN6w
%26oauth_nonce%3DMTowOjk1NDE2ODEyNzM2ODY1OTM4Mjc%3D
%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp
%3D1273686593%26oauth_version%3D1.0%26x_auth_mode%3Dclient_auth
%26x_auth_password%3DX%26x_auth_username%3DX

Here's our POST (using hurl.it as it looks like twurl doesn't support this API endpoint yet):

-
POST /oauth/access_token HTTP/1.1
Host: api.twitter.com
Authorization: OAuth oauth_signature_method=HMAC-SHA1, oauth_nonce=MToxOjEyMzcxNzEyNzM2ODY1OTM4Mjc%3D, oauth_timestamp=1273686593, oauth_consumer_key=WFKpuxJsIdVbesPtUAN6w, oauth_version=1.0, oauth_signature=4f23193590c2b66c5ea23ce5deae9c767998a902
Accept: application/json
Content-Length: 93
Content-Type: application/x-www-form-urlencoded

x%5Fauth%5Fusername=Xx%5Fauth%5Fpassword=Xx%5Fauth
%5Fmode=client%5Fauth
-

And we're getting this response (sad panda):

-
HTTP/1.1 401 Unauthorized
Date: Wed, 12 May 2010 17:52:11 GMT
Server: hi
Status: 401 Unauthorized
X-Transaction: 1273686731-92894-17698
Last-Modified: Wed, 12 May 2010 17:52:11 GMT
X-Runtime: 0.03752
Content-Type: text/html; charset=utf-8
Content-Length: 44
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-
check=0
Set-Cookie: k=74.207.226.80.1273686729321903; path=/; expires=Wed, 19-
May-10 17:52:09 GMT; domain=.twitter.com
Set-Cookie: guest_id=127368673134928431; path=/; expires=Fri, 11 Jun 2010 17:52:11 GMT
Set-Cookie: _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCFUqpY0oAToRdHJhbnNfcHJvbXB0MDoHaWQi
%250AJTc1OGJjN2ZjODIwYWNhYzY3NjJlZGQzYWFjNTFlYmEyIgpmbGFzaElDOidB
%250AY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--