Just an FYI, there should be nothing sensitive in an OAuth URI... Which is a good thing because even under SSL nothing in a querystring is encrypted.
Thank you for bringing this up... because there is something sensitive in your URI which is also sent by my own implementation, the oauth_token_secret should be included in the signature but not in the request...
I did a quick edit on my code to elide the secret but when I do that I get the same error that you are getting, I am going to have to do a more in-depth review of my code to figure out what is going wrong.
See the OAuth spec section 6 [1] it shows the pieces of data that should flow between the consumer and provider at each step in the authentication flow.
1. http://oauth.net/core/1.0/#anchor9 rlamfink wrote:
Oauth noob. I've got all the token exchange parts working and can get an access_token& secret. But when I make an http POST, the captured url string looks right, but I get Invalid Oauth Request with a status code of 401. Here's the string with the security sensitive parts changed. Is there something obvious that I'm missing? http://twitter.com/statuses/update.xml?oauth_consumer_key=XXXXXXXXXXXXXXXXXXXXXX&oauth_nonce=2BE987BF09EE5AE2DCA94A447FF8B3FC14E36C71&oauth_signature=bteU8GlfvyCV3ZAJAvmMRLqfO1k%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1237482847&oauth_version=1.0&oauth_token=14846470-ilTLdARSApNrEnLuhqeZvswnrkTWCBtrnHanrq...&oauth_token_secret=pOqVBimjUuca1NvzPlLC2VesFIMu1sDDO3guW0sfVAc
