FACTS (you don't want to see my Java):

The nonce is a unique string. You create this on the fly for every request
you make. A simple way to do this is to do an MD5_hex( current_time .
access_token . request_path ) -- the nonce must be unique for every request
sent by your API key.

The signature is the result of signing your OAuth signature base string. For
requests that don't involve an oauth_token (the request_token step, for
example) you sign the request using your consumer key followed by an
ampersand. For requests that do involve an oauth_token (like the access
token step where your oauth_token is a request_token that you are exchanging
for an access_token, and any REST API calls with an access token) you sign
the request using your consumer_key joined with the oauth_token_secret in
play by an ampersand.

Here's some of the most basic Java for all of this around:
http://oauth.googlecode.com/svn/code/java/

Taylor

On Thu, Jun 17, 2010 at 12:30 PM, Rob <robert-h...@comcast.net> wrote:

>
> Sheesh, digests are always such a PITA.  I wrote my own HTTP/DIGEST
> auth routine once and what a pain to wade through the RFC and try to
> get coding to work.  I'd really like NOT to have to do that, BUT, I
> want to be articulate enough (code-wise) so I'm not just blindly
> relying on someone's library.
>
> So, for the single token solution, I would:
>
> -- for each Twitter account with server-side access, I register "my-
> server-side-app" at dev.twitter.com/..., obtaining the Access Token
> (oauth_token) and Access Token Secret (oauth_token_secret);
>
> -- somehow, I plug token/secret into my HTTP request; I'm OK with
> using the HTTP Authorization header:
> (example from:
> http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signing-requests/
> )
>
> -----------------------------------------------------------------------------------------
> GET /photos?size=original&file=vacation.jpg HTTP/1.1
> Host: photos.example.net:80
> Authorization: OAuth realm="http://photos.example.net/photos",
> oauth_consumer_key="dpf43f3p2l4k3l03", oauth_token="nnch734d00sl2jdk",
> oauth_nonce="kllo9940pd9333jh", oauth_timestamp="1191242096",
> oauth_signature_method="HMAC-SHA1", oauth_version="1.0",
> oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"
>
> -----------------------------------------------------------------------------------------
> oauth_consumer_key - check! (supplied by Twitter app registration
> info)
> oauth_token - check! (supplied by Twitter "my access token")
>
> leaving me without an oauth_nonce or oauth_signature.
>
>
> So, again, I ask (anyone) for some (fairly) LOW-LEVEL example Java
> code; I'd like to know the lower-level coding mechanics WITHOUT
> becoming married to the RFC AND not having to wade through someone's
> framework.  Like Joe Friday used to say, "Just the facts..."
>
> Thanks.
>
>
>
>
>
