Hi
I think now both access secret and consumer secret are required. I verified
this by giving a blank consumer secret and a valid access secret, and I got an
invalid signature error. It works fine when I give correct values for both.
Looks like there is no way you can protect your consumer secret.

On Tue, Jul 28, 2009 at 2:59 PM, thetago...@googlemail.com <
anto...@cloudangels.com> wrote:

>
> @Doug - Can you confirm that it is now MANDATORY to supply both access
> token and access secret as well as the consumer key and consumer
> secret to generate a valid signature? OAuth spec states in #4 that
> consumer secret may be empty if no consumer verification is needed.
>
> ------[excerpt from spec]------
> "Service Providers SHOULD NOT rely on the Consumer Secret as a method
> to verify the Consumer identity, unless the Consumer Secret is known
> to be inaccessible to anyone other than the Consumer and the Service
> Provider. The Consumer Secret MAY be an empty string (for example when
> no Consumer verification is needed, or when verification is achieved
> through other means such as RSA)."
> ------[end excerpt from spec]------
>
> This would mean that you'd have to ship the customer secret to the
> client with each deliverable you publish, regardless of whether you
> want to do client verification or consumer (i.e. Server) verification.
>
> best regards,
> Toni
>
> On 28 Jul., 10:56, kosso <kos...@gmail.com> wrote:
> > My problems are opposite (using some PHP scripts): verification is OK,
> > tweeting OK, but verified timelines (friends and mentions) not OK.
> >
> > On Jul 27, 9:29 pm, winrich <winric...@gmail.com> wrote:
> >
> > > ok guys.
> >
> > > so my calls were failing on the verify_credentials call and not on the
> > > update or timeline calls. The only difference I saw was that the
> > > verify_credential call wasn't secured. I changed it to https and it
> > > worked. ??? lol
> >
> > > On Jul 27, 9:19 pm, Chad Etzel <jazzyc...@gmail.com> wrote:
> >
> > > > On Mon, Jul 27, 2009 at 11:55 PM, Duane
> >
> > > > Roelands<duane.roela...@gmail.com> wrote:
> > > > > RTFM is not a helpful answer, especially when many developers are
> > > > > relying on libraries that they did not write.
> >
> > > > That's a risk you run when using code you didn't write.
> >
> > > > I'm not saying that this situation doesn't suck for those affected.
> > > > I'm sure that it does. But, for a technology so new as OAuth, the
> > > > libraries may not be mature yet.
> >
> > > > Officially, Twitter OAuth is still in Public Beta and has never been
> > > > officially recommended to integrate into production code. That being
> > > > said, there could still be a problem on Twitter's end with their
> > > > signature verification mechanism and the libraries could all be valid.
> > > > I don't have a way of knowing.
> >
> > > > I do agree that at least a note that "a security change was pushed
> > > > today" would be nice, though.
> >
> > > > -Chad
>
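The signing step the thread is arguing about, as an added Python example that is not code from the thread or from Twitter: it builds an OAuth 1.0 HMAC-SHA1 signature the way the spec defines it, with the signing key being the percent-encoded consumer secret and token secret joined by "&", and shows why a request signed with a blank consumer secret fails provider-side verification. The consumer key, secrets, nonce and URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(s):
    """OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay bare."""
    return quote(s, safe="-._~")

def signature_base_string(method, url, params):
    """Build the signature base string: method, base URL and the sorted,
    encoded request parameters (everything except oauth_signature)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def hmac_sha1_signature(base, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string. The key is consumer secret '&' token
    secret, so a blank consumer secret changes the key even if the token
    secret is correct, and the provider then reports an invalid signature."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}"
    mac = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def provider_accepts(base, presented, consumer_secret, token_secret):
    """Provider-side check: recompute with the stored secrets, compare in constant time."""
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)

# Constructed sample request; the keys, secrets, nonce and URL are placeholders.
CONSUMER_SECRET = "constructed-consumer-secret"
TOKEN_SECRET = "constructed-access-secret"
URL = "https://api.example.test/account/verify_credentials.json"
PARAMS = {
    "oauth_consumer_key": "constructed-consumer-key",
    "oauth_token": "constructed-access-token",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1248800000",
    "oauth_nonce": "constructed-nonce-1",
    "oauth_version": "1.0",
}

def demo():
    """Sign once with both secrets and once with a blank consumer secret."""
    base = signature_base_string("GET", URL, PARAMS)
    good = hmac_sha1_signature(base, CONSUMER_SECRET, TOKEN_SECRET)
    blank = hmac_sha1_signature(base, "", TOKEN_SECRET)
    return (provider_accepts(base, good, CONSUMER_SECRET, TOKEN_SECRET),
            provider_accepts(base, blank, CONSUMER_SECRET, TOKEN_SECRET))
```

Because the consumer secret is an input to every signature, any client that signs requests itself must hold it, which is the shipping problem the thread describes.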