Hi Colin, Right now we report nonce errors in a few cases -- not all of them having much to do with nonces unfortunately.
Check that the clock on the machines you are executing this on are within 5 minutes of the clock on api.twitter.com -- one easy way to do this before you even start making OAuth-based requests is to send a HTTP HEAD request to http://api.twitter.com/1/help/test.xml -- you'll get a "Date" HTTP header, which you can consume and compare against the system clock in your environment, adjusting the time as necessary when creating your oauth_timestamp such that it's as close to as in sync with our systems as possible. Additionally, you'll want to avoid oauth_nonce values with any kind of non-alpha-numeric characters, and generally strive to keep them globally unique across all possible instances of your application. If you adjust your clock and ensure these truths about your oauth_nonce, and are still having issues -- we'll explore other reasons it might be invalid. Taylor On Tue, Aug 17, 2010 at 7:19 AM, Tom van der Woerdt <[email protected]> wrote: > On 8/17/10 5:35 AM, Colin Hill wrote: > > I ran into an issue when authenticating via OAuth, using the > > token/secret pair offered for one of my apps, on the dev site (example) > > http://dev.twitter.com/apps/12345/my_token > > > > we use the perl OAuth::Lite::Consumer module and have no difficulty > > authenticating using the typical dance for our user facing web app, but > > when migrating a cron job from basic to OAuth, using the generated token > > pair as above, we now consistently get the following error: > > > > 401 Unauthorized > > {"request":"/1/account/verify_credentials.json","error":"Invalid / used > > nonce"} > > > > the passed OAuth Parameters are (consumer key redacted): > > > > $VAR1 = { > > 'oauth_signature' => 'uHd1S9mCVG/dGNaHCFbl8vLHh2s=', > > 'oauth_timestamp' => 1282000377, > > 'oauth_consumer_key' => 'xxxxxxxxxxxxxxxxxxxxxxx', > > 'oauth_nonce' => '95881ba3c50fa67a54fb', > > 'oauth_version' => '1.0', > > 'oauth_signature_method' => 'HMAC-SHA1' > > }; > > > > I'm reasonably sure that this all worked when I wrote and tested it > > three weeks back, but when I went to roll it into our cron job this > > afternoon, authentication consistently fails. I wonder if anyone on the > > list has seen a similar change in behavior, and/or could offer some > > advice as to what might generate this error. Thanks. > > > > -- Colin > > Hi Colin, > > Quoting RFC 5849 (OAuth 1.0) : > A nonce is a random string, uniquely generated by the client to allow > the server to verify that a request has never been made before and > helps prevent replay attacks when requests are made over a non-secure > channel. The nonce value MUST be unique across all requests with the > same timestamp, client credentials, and token combinations. > > In other words, it has to be unique. > > I'm not entirely sure, but I *think* that Twitter's implementation of > this says that it has to be unique, but you can re-use it after 10 > minutes. That might explain why it worked before. > > Tom >
