It turns out that we have a base64 encoding problem, which means our signature actually is bad.
Working on it now.

--dwf

On May 12, 1:06 pm, DWF <dwfr...@pivotallabs.com> wrote:
> We just coded up a simple Ruby script to make the same request,
> building our post body by hand into a string to ensure the escaping
> (or not) of the params.
>
> So we know that going into Net::HTTP the underscores are underscores
> and NOT %5F's.
>
> Same response from the server.
>
> --dwf
>
> On May 12, 11:14 am, Taylor Singletary <taylorsinglet...@twitter.com>
> wrote:
>
> > Just eyeballing this: your POST body is over-URL encoded. Your POST body
> > should be simply:
> > x_auth_username=XXXXX&x_auth_password=XXXXX&x_auth_mode=client_auth
> >
> > But the values of each key should be URL escaped (so if there's an email
> > address, username, or password with non-URL safe characters, they would be
> > URL encoded -- and double URL encoded in your signature base string)
> >
> > Otherwise, at first glance anyway, this looks pretty close to right.
> >
> > Taylor Singletary
> > Developer Advocate, Twitter
> > http://twitter.com/episod
> >
> > On Wed, May 12, 2010 at 10:58 AM, DWF <dwfr...@pivotallabs.com> wrote:
> > > We're trying this out now & think we're approved. But we're still
> > > seeing 401s when requesting a user token.
> > >
> > > (username & password hidden with XXXXXX below)
> > >
> > > Here's our base string:
> > >
> > > POST&https%3A%2F%2Fapi.twitter.com%2Foauth
> > > %2Faccess_token&oauth_consumer_key%3DWFKpuxJsIdVbesPtUAN6w
> > > %26oauth_nonce%3DMTowOjk1NDE2ODEyNzM2ODY1OTM4Mjc%3D
> > > %26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp
> > > %3D1273686593%26oauth_version%3D1.0%26x_auth_mode%3Dclient_auth
> > > %26x_auth_password%3DXXXXX%26x_auth_username%3DXXXXX
> > >
> > > Here's our POST (using hurl.it as it looks like twurl doesn't support
> > > this API endpoint yet):
> > >
> > > -----
> > > POST /oauth/access_token HTTP/1.1
> > > Host: api.twitter.com
> > > Authorization: OAuth oauth_signature_method="HMAC-SHA1",
> > > oauth_nonce="MToxOjEyMzcxNzEyNzM2ODY1OTM4Mjc%3D",
> > > oauth_timestamp="1273686593",
> > > oauth_consumer_key="WFKpuxJsIdVbesPtUAN6w", oauth_version="1.0",
> > > oauth_signature="4f23193590c2b66c5ea23ce5deae9c767998a902"
> > > Accept: application/json
> > > Content-Length: 93
> > > Content-Type: application/x-www-form-urlencoded
> > >
> > > x%5Fauth%5Fusername=XXXXX&x%5Fauth%5Fpassword=XXXXX&x%5Fauth
> > > %5Fmode=client%5Fauth
> > >
> > > -----
> > >
> > > And we're getting this response (sad panda):
> > >
> > > -----
> > > HTTP/1.1 401 Unauthorized
> > > Date: Wed, 12 May 2010 17:52:11 GMT
> > > Server: hi
> > > Status: 401 Unauthorized
> > > X-Transaction: 1273686731-92894-17698
> > > Last-Modified: Wed, 12 May 2010 17:52:11 GMT
> > > X-Runtime: 0.03752
> > > Content-Type: text/html; charset=utf-8
> > > Content-Length: 44
> > > Pragma: no-cache
> > > X-Revision: DEV
> > > Expires: Tue, 31 Mar 1981 05:00:00 GMT
> > > Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-
> > > check=0
> > > Set-Cookie: k=74.207.226.80.1273686729321903; path=/; expires=Wed, 19-
> > > May-10 17:52:09 GMT; domain=.twitter.com
> > > Set-Cookie: guest_id=127368673134928431; path=/; expires=Fri, 11 Jun
> > > 2010 17:52:11 GMT
> > > Set-Cookie:
> > > _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCFUqpY0oAToRdHJhbnNfcHJvbXB0MDoHaWQi
> > > %250AJTc1OGJjN2ZjODIwYWNhYzY3NjJlZGQzYWFjNTFlYmEyIgpmbGFzaElDOidB
> > > %250AY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--
> > > ab999812f9cfb9a01a8095a2e3d0f84fd9c1e0d7; domain=.twitter.com; path=/
> > > Vary: Accept-Encoding
> > > Connection: close
> > >
> > > Failed to validate oauth signature and token
> > >
> > > ----
> > >
> > > This look familiar to anyone?
> > >
> > > Thanks,
> > > --dwf
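
Added example, not code from anyone in this thread: a Ruby sketch of OAuth 1.0 HMAC-SHA1 signing for the request discussed above, showing single encoding in the POST body, double encoding in the base string, and base64 versus hex output of the HMAC. The consumer secret and all parameter values in SAMPLE are constructed placeholders, and the function names are this example's own.

```ruby
require 'openssl'
require 'base64'

# Percent-encode everything except unreserved characters (A-Z a-z 0-9 - . _ ~).
def pct(value)
  value.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
end

# POST body: each key and value is encoded exactly once; "_" stays "_".
def form_body(params)
  params.map { |k, v| "#{pct(k)}=#{pct(v)}" }.join('&')
end

# Base string: METHOD & encoded URL & encoded(sorted, already-encoded pairs).
# Encoding the joined pairs again is what double-encodes the values.
def base_string(method, url, params)
  normalized = params.map { |k, v| [pct(k), pct(v)] }.sort
                     .map { |k, v| "#{k}=#{v}" }.join('&')
  [method.upcase, pct(url), pct(normalized)].join('&')
end

# Signing key: consumer secret & token secret (empty when no token exists yet).
def signing_key(consumer_secret, token_secret = '')
  "#{pct(consumer_secret)}&#{pct(token_secret)}"
end

# Correct oauth_signature: base64 of the raw 20-byte HMAC-SHA1 digest.
def sign(base, key)
  Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA1'), key, base))
end

# The mistaken form: the same digest rendered as 40 hex characters.
def sign_hex(base, key)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), key, base)
end

# Client-side sanity check: 40 hex characters is a hex SHA-1, not base64.
def looks_hex_encoded?(signature)
  signature.match?(/\A[0-9a-f]{40}\z/i)
end

# Constructed sample values, not real credentials.
SAMPLE = {
  'oauth_consumer_key' => 'CONSTRUCTED_KEY', 'oauth_nonce' => 'abc123',
  'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => '1273686593',
  'oauth_version' => '1.0', 'x_auth_mode' => 'client_auth',
  'x_auth_password' => 'p@ss word', 'x_auth_username' => 'user@example.com'
}.freeze
SAMPLE_URL = 'https://api.twitter.com/oauth/access_token'.freeze
SAMPLE_KEY = signing_key('CONSTRUCTED_SECRET')
```

The `oauth_signature` value in the quoted Authorization header is 40 hex characters, which `looks_hex_encoded?` flags; a base64 HMAC-SHA1 signature is 28 characters and is percent-encoded when placed in the header.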