Why is Twitter returning a "Failed to validate oauth signature and token?"

Question

Sorry for troubling you with yet another "Failed to validate oauth signature and token" error, but I just can't figure out what's wrong with my request.

I'm constructing my signature from this string:

POST&http%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_callback%3Dhttp%3A%2F%2Fcraiga.id.au%2Ftwitter%2Fconnected%26oauth_consumer_key%3Dtm5...DOg%26oauth_nonce%3D8...22b%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1275453048%26oauth_version%3D1.0

From this I generate a 28 character signature using the following PHP code:

base64_encode(hash_hmac('sha1', $raw, 'YUo...HIU' . '&', true));

Using this signature, I send the following request:

POST http://api.twitter.com/oauth/request_token HTTP/1.1
Host: api.twitter.com
Pragma: no-cache
Accept: */*
Proxy-Connection: Keep-Alive
Authorization: OAuth oauth_nonce="3D8...22b", oauth_callback="http%3A%2F%2Fcraiga.id.au%2Ftwitter%2Fconnected", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1275453048", oauth_consumer_key="tm5...DOg", oauth_signature="aYd...c6E%3D", oauth_version="1.0"
Content-Length: 266
Content-Type: application/x-www-form-urlencoded

oauth_callback=http%3A%2F%2Fcraiga.id.au%2Ftwitter%2Fconnected&oauth_consumer_key=tm5...DOg&oauth_nonce=3D8...22b&oauth_signature_method=HMAC-SHA1&oauth_timestamp= 1275453048&oauth_version=1.0

I get the following response from Twitter to this request:

HTTP/1.1 401 Unauthorized
Date: Wed, 02 Jun 2010 04:40:14 GMT
Server: hi
Status: 401 Unauthorized
X-Transaction: 1275453614-48409-7443
Last-Modified: Wed, 02 Jun 2010 04:40:14 GMT
X-Runtime: 0.01083
Content-Type: text/html; charset=utf-8
Content-Length: 44
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Set-Cookie: k=58.161.42.101.1275453614748615; path=/; expires=Wed, 09-Jun-10 04:40:14 GMT; domain=.twitter.com
Set-Cookie: guest_id=12754536147577949; path=/; expires=Fri, 02 Jul 2010 04:40:14 GMT
Set-Cookie: _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCKaq9fYoAToRdHJhbnNfcHJvbXB0MDoHaWQi%250AJWU0ZDFhMGQzMWU0NTZjMzJiZWFkNWUzMTA4ZDRjOTg3IgpmbGFzaElDOidB%250AY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--f1e5c7649858a1694f24307504354846bbc1d16b; domain=.twitter.com; path=/
Vary: Accept-Encoding
Connection: close

Failed to validate oauth signature and token

If anyone can cast any light on why this might be failing, I'd love to hear.

A Twitter developer advocate has pointed out that I shouldn't be POST-ing the oauth_* fields as well as including them in the Authorize header, but still no luck with a GET or empty POST. — Craig Anderson
I'll admit this isn't really an answer, but I got around this problem using the PECL OAuth package. Rasmus Lerdorf wrote a tutorial on how to use it. — Craig Anderson
Answer of your question : http://blainegarrett.com/2009/07/14/failed-to-validate-oauth-signature-and-token-on-twitter-oauth-check-your-cloc/ — Eray
This a punt but I think the oauth parameters that make up the signature need to be in alphabetical order — Pattle

ToddJCrane ToddJCrane · Accepted Answer · 2014-06-10T22:20:42

You're using the wrong information to generate the signature. You should be using the ...

oauth_callback=http%3A%2F%2Fcraiga.id.au%2Ftwitter%2Fconnected&oauth_consumer_key=tm5...DOg&oauth_nonce=3D8...22b&oauth_signature_method=HMAC-SHA1&oauth_timestamp= 1275453048&oauth_version=1.0

... to generate the signature (Read: not using 'POST' and the request URI)

For more info...see Twitter Developers: Creating a signature

Why is Twitter returning a "Failed to validate oauth signature and token?"

3 Answers