I have done some more digging around (WireShark is amazing!) and I have gotten past a big initial hurdle: I was building the signature base string wrong (building it, then setting more parameters, which should have been part of the base string in the first place). As a sanity check, at this point my code can, using xAuth, post twitter status updates. But I'm incredibly confused as to what I need to send to twaud.io's server. It says x_verify_credentials_authorization should contain the Authorization header.
That authorization header is built with a base string of POST&http[All those oauth_* params and the encoded twaud.io params] but if the base string is supposed to include all the post form parameters, x_auth_service_provider and x_verify_credentials_authorization are form parameters, but I can't include authorization, since that is defined as something that contains the output of this whole thing. So what SHOULD be in the base string's params? I tried just putting in everything except the x_verify_credentials_authorization and x_auth_service_provider and get the very opaque 403 Forbidden / Not Authorized. I mean, the account is Authorized by twaud.io and twitter, and we have an xAuth token from twitter, so that doesn't seem very informative. Here's a sample base string: POST&http%3A%2F%2Ftwaud.io%2Fapi%2Fv2%2Fupload.json&oauth_consumer_key%3DofEzSNkKNMzu4ANhII5g%26oauth_nonce%3D8BE06737-9C9C-4EB1-A3B7-CDFCDAD7DF13%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1298633580%26oauth_token%3D257264155-voUkUaayPjhrtW4a1Aid2lS2LshC5JDIM9p2LMXO%26oauth_version%3D1.0%26sound%255Bmessage%255D%3DTESTING123 containing POST, then http:// (tried https as well, but http is helpful while debugging), the all the oauth_* params, then sound[message]. One thing that jumps out at me is that I'm not sure what to do about the sound[file] part, as that parameter is a multipart encoded thing, not just another normal post parameter. Maybe that has to be part of the base string? On Thu, Feb 24, 2011 at 6:43 AM, Matt Harris <thematthar...@twitter.com> wrote: > > Hi Seth, > Twaud.io isn't part of the Twitter API but i'll try and help you anyway. > The first thing to note is the Headers should be of the > format X-Verify-Credentials-Authorization. The > x_verify_credentials_authorization is mentioned because Twaud.io supports the > OAuth Echo parameters in the header or POST body. > Looking at your sample X-Verify-Credentials-Authorization I notice you are > sending the realm as http://api.twitter.com . What i'm wondering is whether > you are sending the X-Auth-Service-Provider > as https://api.twitter.com/1/account/verify_credentials.json . According to > the twaud.io API documentation the X-Auth-Service-Provider must be: > https://api.twitter.com/1/account/verify_credentials.json > If you change the protocol to http, or use .xml instead of .json, the request > will not succeed. Double check that the verify_credentials request fits that > pattern. The other thing to ensure is the request to verify_credentials isn't > being sent to the Twitter API servers by your application. If the request is > being sent, the OAuth Echo provider cannot use it. > Check those things out and let us know how it goes, > Best, > @themattharris > Developer Advocate, Twitter > http://twitter.com/themattharris > > > On Mon, Feb 21, 2011 at 2:57 AM, Seth <seth.delack...@gmail.com> wrote: >> >> I've tried discussing with the author of twaud.io, but he says he >> doesn't really have time to look. I've tried sending even a minimal >> test iPhone app Xcode project to twitter api support, but a week later >> no response. >> >> Our app is xAuth authorized, the app sends the username and password >> and gets a token, we produce all the intended headers and post up to >> twaud.io's api as described at twaud.io/api and yet just get the below >> totally opaque response: >> >> response: HTTP/1.1 403 Forbidden / Not Authorized >> >> Made sure that the twitter account I used for testing has given both >> our app and twaud.io read/write authorization. >> >> Here's a sample of what I am putting in "X-Verify-Credentials- >> Authorization" (which we've tried naming that way and also, per the >> twaud.io api page, "x_verify_credentials_authorization"). We've also >> tried sending the value as either post values or as a request header: >> >> >> OAuth realm="http%3A%2F%2Fapi.twitter.com", >> oauth_consumer_key="ofEzSNkKNMzu4ANhII5g", >> oauth_token="123520286-U3RXmbgPPF0i4lDkVBdSCx9MEJhHMu8KvzAyosXI", >> oauth_signature_method="HMAC-SHA1", >> oauth_signature="9Z5VMPeL4QoGHCtpiMcUxF%2FPiXI%3D", >> oauth_timestamp="1297141216", >> oauth_nonce="A20C6AB4-AAF9-46A5-B1F0-574A5BD3B538", >> oauth_version="1.0" >> >> I would be more than happy to send a minimal Xcode project to anyone >> who is willing to try running it in the iOS simulator. >> >> -- >> Twitter developer documentation and resources: http://dev.twitter.com/doc >> API updates via Twitter: http://twitter.com/twitterapi >> Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list >> Change your membership to this group: >> http://groups.google.com/group/twitter-development-talk > -- Twitter developer documentation and resources: http://dev.twitter.com/doc API updates via Twitter: http://twitter.com/twitterapi Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list Change your membership to this group: http://groups.google.com/group/twitter-development-talk