5
votes

I'm using this code/guide, "another twitter oAuth cURL access token request that fails", to test signing my request to the API. I'm still trying to go through step 1 of this.

Note: the keys are just random, they're not real :)

When I try to make a request without oauth_callback, I get a valid response from the API:

https://api.twitter.com/oauth/request_token?oauth_consumer_key=nHb2kSQ2CD9MW1MdW5VeQ&oauth_nonce=1356902849&oauth_signature=MbvhwGiNPKQR0klUPx9fsmUtdJY%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1356902849&oauth_version=1.0

When I add the oauth_callback string (mandatory to let users sign in with a redirect!), I get "Failed to validate oauth signature and token":

https://api.twitter.com/oauth/request_token?oauth_callback=http%3A%2F%2F127.0.0.1%2Ftest%2F&oauth_consumer_key=nHb2kSQ2CD9MW1MdW5VeQ&oauth_nonce=1356902915&oauth_signature=2WTaI9jXNBaDd7f8AqIe6y3%2Beno%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1356902915&oauth_version=1.0

I mean there's no difference between the two URLs, they both go through the same execution and they respect the signing method. How to fix it?

Yes, I added http://127.0.0.1/test/ as the callback URL in the Twitter app settings.

Thank you

3
Also check that your time is synced by an NTP server, because the tokens are time sensitive. - Luigi R. Viggiano

3 Answers

1
votes

Have you set up the callback url in the twitter application settings?

If you don't set that up, the api may fail.

Check it from here:


Also check that your time is in sync (use an NTP server); see: https://dev.twitter.com/discussions/1043

1
votes

Agreed that the Twitter API is badly documented :)

Follow this rule:

  1. If your oauth_callback does not contain any query string = Nothing funky is required.
  2. If your oauth_callback has any query string parameters = URL Encode the query string parameters separately.

Hope this explains.

0
votes

I solved the issue. The problem was that even though the callback URL was sent correctly using the querystring method or headers, as you can see on the links, it was also double escaped when creating the signature from the basestring. Since the documentation is pretty bad regarding this, I didn't think that you shouldn't double escape it as well like other oauth_* parameters (aka percentage encode the "&"s).
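Added example, not code from any poster on this page: a sketch of the RFC 5849 signature base string for the request in the question, comparing a raw callback value with one that was percent-encoded before signing. The GET method, the placeholder consumer secret and the helper names (`pct`, `base_string`, `sign`, `params_with`) are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value: str) -> str:
    """RFC 3986 percent-encoding as required by RFC 5849 section 3.6."""
    return quote(value, safe="-._~")


def base_string(method: str, url: str, params: dict) -> str:
    """Build the signature base string from raw (unencoded) parameter values."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    # The whole normalized string is encoded once more as a unit.
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(base: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 signature; the token secret is empty for request_token."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


# Constructed sample values: the secret is a placeholder, GET is assumed.
URL = "https://api.twitter.com/oauth/request_token"
SECRET = "CONSUMER_SECRET_PLACEHOLDER"
RAW_CALLBACK = "http://127.0.0.1/test/"


def params_with(callback: str) -> dict:
    return {
        "oauth_callback": callback,
        "oauth_consumer_key": "nHb2kSQ2CD9MW1MdW5VeQ",
        "oauth_nonce": "1356902915",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1356902915",
        "oauth_version": "1.0",
    }


# Raw callback in: it ends up encoded twice inside the base string.
good = base_string("GET", URL, params_with(RAW_CALLBACK))
# Pre-encoded callback in: a third layer appears and the signature changes.
bad = base_string("GET", URL, params_with(pct(RAW_CALLBACK)))

if __name__ == "__main__":
    print(good)
    print("signatures match:", sign(good, SECRET) == sign(bad, SECRET))
```

In the base string built from the raw value the callback reads `http%253A%252F%252F...`; a `%25253A` sequence means the value went through one encoding pass too many before signing.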