Thanks for the reply Taylor.

So to get a request token, should I send a POST request with no body?
I'm basing my code around the documentation at http://dev.twitter.com/pages/auth
which says:

> Go for the gold. Go for header-based OAuth.

Fair enough. Under "Acquiring a request token" it also says:

> Twitter's end point for the request token step is 
> http://api.twitter.com/oauth/request_token. You should use the POST HTTP 
> method when using this end point.

Given this, I've changed my request to the following:

POST http://api.twitter.com/oauth/request_token HTTP/1.1
Host: api.twitter.com
Pragma: no-cache
Accept: */*
Proxy-Connection: Keep-Alive
Authorization: OAuth oauth_nonce="0628cff78ee32e99ab45c614057c67c4",
oauth_callback="http%3A%2F%2Fcraiga.id.au%2Ftwitter%2Fconnected",
oauth_signature_method="HMAC-SHA1", oauth_timestamp="1275525934",
oauth_consumer_key="tm5...DOg", oauth_signature="LrteVeKYd%2F6QYnKM8kl
%2BswW8GcA%3D", oauth_version="1.0"

Still, I'm getting the "Failed to validate oauth signature and token."
I've also tried this as a GET request (changing the signature to
reflect the change in method); still no luck.

What am I doing wrong? Am I URL encoding something where I shouldn't
be? Am I not URL encoding something I should be? I'm running ntpdate
to keep the system clock in sync with pool.ntp.org and I've verified
that my nonce is amongst the requests I'm sending.

Any further help would be greatly appreciated.

Thanks,
Craig

On Jun 3, 12:11 am, Taylor Singletary <taylorsinglet...@twitter.com>
wrote:
> Hi Craig,
>
> It looks like you are passing oauth_* parameters in your POST body in
> addition to the OAuth HTTP headers. It's really a choice between one or the
> other -- either you send the oauth_* parameters in a HTTP header or you send
> them in either a POST body or querystring.
>
> When using HTTP header based auth (which I always recommend) the only query
> parameters in a query string or POST body are ones that are directly related
> to the resource you are requesting or posting data to.
>
> Taylor Singletary
> Developer Advocate, Twitter http://twitter.com/episod
>
>
>
> On Tue, Jun 1, 2010 at 9:48 PM, craiga <cra...@craiga.id.au> wrote:
> > Hi guys,
>
> > Sorry for troubling you with yet *another* "Failed to validate oauth
> > signature and token" error, but I just can't figure out what's wrong
> > with my request.
>
> > I'm constructing my signature from this string:
>
> > POST&http%3A%2F%2Fapi.twitter.com%2Foauth
> > %2Frequest_token&oauth_callback%3Dhttp%3A%2F%2Fcraiga.id.au%2Ftwitter
> > %2Fconnected%26oauth_consumer_key%3Dtm5...DOg%26oauth_nonce%3D8...22b
> > %26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp
> > %3D1275453048%26oauth_version%3D1.0
>
> > From this I generate a 28 character signature using the following PHP
> > code:
>
> > base64_encode(hash_hmac('sha1', $raw, 'YUo...HIU' . '&', true));
>
> > Using this signature, I send the following request:
>
> > POST http://api.twitter.com/oauth/request_token HTTP/1.1
> > Host: api.twitter.com
> > Pragma: no-cache
> > Accept: */*
> > Proxy-Connection: Keep-Alive
> > Authorization: OAuth oauth_nonce="3D8...22b", oauth_callback="http%3A
> > %2F%2Fcraiga.id.au%2Ftwitter%2Fconnected",
> > oauth_signature_method="HMAC-SHA1", oauth_timestamp="1275453048",
> > oauth_consumer_key="tm5...DOg", oauth_signature="aYd...c6E%3D",
> > oauth_version="1.0"
> > Content-Length: 266
> > Content-Type: application/x-www-form-urlencoded
>
> > oauth_callback=http%3A%2F%2Fcraiga.id.au%2Ftwitter%2Fconnected&oauth_consumer_key=tm5...DOg&oauth_nonce=3D8...22b&oauth_signature_method=HMAC-SHA1&oauth_timestamp= 1275453048&oauth_version=1.0
>
> > I get the following response from Twitter to this request:
>
> > HTTP/1.1 401 Unauthorized
> > Date: Wed, 02 Jun 2010 04:40:14 GMT
> > Server: hi
> > Status: 401 Unauthorized
> > X-Transaction: 1275453614-48409-7443
> > Last-Modified: Wed, 02 Jun 2010 04:40:14 GMT
> > X-Runtime: 0.01083
> > Content-Type: text/html; charset=utf-8
> > Content-Length: 44
> > Pragma: no-cache
> > X-Revision: DEV
> > Expires: Tue, 31 Mar 1981 05:00:00 GMT
> > Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-
> > check=0
> > Set-Cookie: k=58.161.42.101.1275453614748615; path=/; expires=Wed, 09-
> > Jun-10 04:40:14 GMT; domain=.twitter.com
> > Set-Cookie: guest_id=12754536147577949; path=/; expires=Fri, 02 Jul
> > 2010 04:40:14 GMT
> > Set-Cookie:
> > _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCKaq9fYoAToRdHJhbnNfcHJvbXB0MDoHaWQi
> > %250AJWU0ZDFhMGQzMWU0NTZjMzJiZWFkNWUzMTA4ZDRjOTg3IgpmbGFzaElDOidB
> > %250AY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--
> > f1e5c7649858a1694f24307504354846bbc1d16b; domain=.twitter.com; path=/
> > Vary: Accept-Encoding
> > Connection: close
>
> > Failed to validate oauth signature and token
>
> > If anyone can cast any light on why this might be failing, I'd love to
> > hear.
>
> > Thanks,
> > Craig
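
Added example (not part of the original thread, and not Twitter's or either poster's code): the header-based request-token signing discussed above, written in Python following RFC 5849, with function names that are this example's own. The consumer key and secret are placeholders and the other values mirror the request in the thread; each parameter value is percent-encoded before the joined parameter string is encoded again, so the callback URL appears double-encoded (http%253A%252F%252F...) in the signature base string.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    """RFC 5849 3.6 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """Signature base string (RFC 5849 3.4.1) for a URL with no query string."""
    # Encode each name and value first, then sort and join with '&'.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    # The joined string is encoded again, so values end up double-encoded.
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 signature; the key is 'consumer_secret&token_secret'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    text = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()


def authorization_header(method, url, params, consumer_secret, token_secret=""):
    """Build the header; oauth_signature is added after signing, never before."""
    sig = sign(method, url, params, consumer_secret, token_secret)
    signed = dict(params, oauth_signature=sig)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(signed.items()))


# Constructed sample: key and secret are placeholders, other values mirror the thread.
URL = "http://api.twitter.com/oauth/request_token"
PARAMS = {
    "oauth_callback": "http://craiga.id.au/twitter/connected",
    "oauth_consumer_key": "PLACEHOLDER_CONSUMER_KEY",
    "oauth_nonce": "0628cff78ee32e99ab45c614057c67c4",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1275525934",
    "oauth_version": "1.0",
}
SECRET = "PLACEHOLDER_CONSUMER_SECRET"

if __name__ == "__main__":
    print(base_string("POST", URL, PARAMS))
    print(authorization_header("POST", URL, PARAMS, SECRET))
```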
