Alright, I got it working, I was removing it from the actual request but
wasn't removing it from the request normalization routine... So my
requests now work properly without the oauth_token_secret parameter in
the request. I'm not sure why the implementation I am using was
including that parameter erroneously...
Joshua Perry wrote:
Just an FYI, there should be nothing sensitive in an OAuth URI...
Which is a good thing because even under SSL nothing in a querystring
is encrypted.
Thank you for bringing this up... because there is something sensitive
in your URI which is also sent by my own implementation, the
oauth_token_secret should be included in the signature but not in the
request...
I did a quick edit on my code to elide the secret but when I do that I
get the same error that you are getting, I am going to have to do a
more in-depth review of my code to figure out what is going wrong.
See the OAuth spec section 6 [1] it shows the pieces of data that
should flow between the consumer and provider at each step in the
authentication flow.
1. http://oauth.net/core/1.0/#anchor9
rlamfink wrote:
Oauth noob. I've got all the token exchange parts working and can get
an access_token& secret. But when I make an http POST, the captured
url string looks right, but I get Invalid Oauth Request with a status
code of 401.
Here's the string with the security sensitive parts changed.
Is there something obvious that I'm missing?
http://twitter.com/statuses/update.xml?oauth_consumer_key=XXXXXXXXXXXXXXXXXXXXXX&oauth_nonce=2BE987BF09EE5AE2DCA94A447FF8B3FC14E36C71&oauth_signature=bteU8GlfvyCV3ZAJAvmMRLqfO1k%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1237482847&oauth_version=1.0&oauth_token=14846470-ilTLdARSApNrEnLuhqeZvswnrkTWCBtrnHanrq...&oauth_token_secret=pOqVBimjUuca1NvzPlLC2VesFIMu1sDDO3guW0sfVAc
