Hi Craig,

It looks like you are passing oauth_* parameters in your POST body in addition to the OAuth HTTP headers. It's really a choice between one or the other -- either you send the oauth_* parameters in an HTTP header or you send them in either a POST body or querystring.

When using HTTP header based auth (which I always recommend) the only query parameters in a query string or POST body are ones that are directly related to the resource you are requesting or posting data to.

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod

On Tue, Jun 1, 2010 at 9:48 PM, craiga <cra...@craiga.id.au> wrote:
> Hi guys,
>
> Sorry for troubling you with yet *another* "Failed to validate oauth
> signature and token" error, but I just can't figure out what's wrong
> with my request.
>
> I'm constructing my signature from this string:
>
> POST&http%3A%2F%2Fapi.twitter.com%2Foauth
> %2Frequest_token&oauth_callback%3Dhttp%3A%2F%2Fcraiga.id.au%2Ftwitter
> %2Fconnected%26oauth_consumer_key%3Dtm5...DOg%26oauth_nonce%3D8...22b
> %26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp
> %3D1275453048%26oauth_version%3D1.0
>
> From this I generate a 28 character signature using the following PHP
> code:
>
> base64_encode(hash_hmac('sha1', $raw, 'YUo...HIU' . '&', true));
>
> Using this signature, I send the following request:
>
> POST http://api.twitter.com/oauth/request_token HTTP/1.1
> Host: api.twitter.com
> Pragma: no-cache
> Accept: */*
> Proxy-Connection: Keep-Alive
> Authorization: OAuth oauth_nonce="3D8...22b", oauth_callback="http%3A
> %2F%2Fcraiga.id.au%2Ftwitter%2Fconnected",
> oauth_signature_method="HMAC-SHA1", oauth_timestamp="1275453048",
> oauth_consumer_key="tm5...DOg", oauth_signature="aYd...c6E%3D",
> oauth_version="1.0"
> Content-Length: 266
> Content-Type: application/x-www-form-urlencoded
>
> oauth_callback=http%3A%2F%2Fcraiga.id.au%2Ftwitter
>
> %2Fconnected&oauth_consumer_key=tm5...DOg&oauth_nonce=3D8...22b&oauth_signature_method=HMAC-
> SHA1&oauth_timestamp= 1275453048&oauth_version=1.0
>
> I get the following response from Twitter to this request:
>
> HTTP/1.1 401 Unauthorized
> Date: Wed, 02 Jun 2010 04:40:14 GMT
> Server: hi
> Status: 401 Unauthorized
> X-Transaction: 1275453614-48409-7443
> Last-Modified: Wed, 02 Jun 2010 04:40:14 GMT
> X-Runtime: 0.01083
> Content-Type: text/html; charset=utf-8
> Content-Length: 44
> Pragma: no-cache
> X-Revision: DEV
> Expires: Tue, 31 Mar 1981 05:00:00 GMT
> Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-
> check=0
> Set-Cookie: k=58.161.42.101.1275453614748615; path=/; expires=Wed, 09-
> Jun-10 04:40:14 GMT; domain=.twitter.com
> Set-Cookie: guest_id=12754536147577949; path=/; expires=Fri, 02 Jul
> 2010 04:40:14 GMT
> Set-Cookie:
> _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCKaq9fYoAToRdHJhbnNfcHJvbXB0MDoHaWQi
> %250AJWU0ZDFhMGQzMWU0NTZjMzJiZWFkNWUzMTA4ZDRjOTg3IgpmbGFzaElDOidB
> %250AY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--
> f1e5c7649858a1694f24307504354846bbc1d16b; domain=.twitter.com; path=/
> Vary: Accept-Encoding
> Connection: close
>
> Failed to validate oauth signature and token
>
> If anyone can cast any light on why this might be failing, I'd love to
> hear.
>
> Thanks,
> Craig
>
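
The header-based approach recommended in the reply above, as an added example that is not part of the original thread or Twitter's own code: it signs an OAuth 1.0 request with HMAC-SHA1, puts the oauth_* parameters only in the Authorization header, and checks a form body for stray oauth_* parameters. The function names, the `api.example` and `client.example` hosts and all key, secret and nonce values are constructed assumptions.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlencode

def pct(value):
    # RFC 3986 percent-encoding as OAuth 1.0 expects: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def base_string(method, url, oauth_params, resource_params):
    # Every parameter is signed exactly once, wherever it travels on the wire.
    # Assumption: url carries no query string and is already in normalized form.
    merged = {**oauth_params, **resource_params}
    pairs = sorted((pct(k), pct(v)) for k, v in merged.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(base, consumer_secret, token_secret=""):
    # Key is "consumer_secret&token_secret"; the token secret is empty at the request_token step.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def build_request(method, url, oauth_params, resource_params, consumer_secret, token_secret=""):
    # Header-based auth: oauth_* go in Authorization, the body holds resource parameters only.
    base = base_string(method, url, oauth_params, resource_params)
    fields = {**oauth_params, "oauth_signature": sign(base, consumer_secret, token_secret)}
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(fields.items()))
    return header, urlencode(resource_params, quote_via=quote)

def oauth_params_in_body(body):
    # Names of oauth_* parameters found in a form-encoded body; empty when header auth is used correctly.
    names = (k for k, _ in parse_qsl(body, keep_blank_values=True))
    return sorted(k for k in names if k.startswith("oauth_"))

# Constructed sample values; none of these are the credentials from the thread.
SAMPLE_OAUTH = {
    "oauth_callback": "http://client.example/connected",
    "oauth_consumer_key": "EXAMPLE_CONSUMER_KEY",
    "oauth_nonce": "examplenonce123",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1300000000",
    "oauth_version": "1.0",
}

if __name__ == "__main__":
    url = "http://api.example/oauth/request_token"
    header, body = build_request("POST", url, SAMPLE_OAUTH, {}, "EXAMPLE_SECRET")
    print("Authorization:", header)
    print("body:", repr(body), "oauth_* in body:", oauth_params_in_body(body))
```

For a request_token call there are no resource parameters, so the body comes out empty and `oauth_params_in_body` returns an empty list.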