I am trying to use fiddler to test the oauth/request_token api but am getting a 'Failed to validate oauth signature and token' 401 error. I copied the authorization header values directly from my application and added an oauth_callback header. I am trying to follow the example in the following documentation:
https://dev.twitter.com/docs/api/1/post/oauth/request_token.
Any help would be greatly appreciated.
REQUEST:
POST https://api.twitter.com/oauth/request_token HTTP/1.1
Authorization: OAuth oauth_callback="http%3A%2F%2Flocalhost%3A61921%2Ftwitter%2Fprocesscallback", oauth_consumer_key="XXXXXXXXXXXXXXXXXXXXX", oauth_nonce="53891723ad7b32501c669d97f56c6d47", oauth_signature="qzN516EVspIA0NWBbpND83YcTr4%3D",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1402955245",
oauth_token="2514015781-KqTbOPPag7p0CYQ6xByIibV3WEk8xLsWrhb9U4M",
oauth_version="1.0"
Host: api.twitter.com
Content-Length: 0
RESPONSE:
HTTP/1.1 401 Unauthorized
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
content-length: 44
content-type: text/html; charset=utf-8
date: Mon, 16 Jun 2014 21:54:56 GMT
expires: Tue, 31 Mar 1981 05:00:00 GMT
last-modified: Mon, 16 Jun 2014 21:54:56 GMT
pragma: no-cache
server: tfe
set-cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCEIJraZGAToHaWQiJTlmOTQ3Y2MyYWNlMTkx%250AYTMyYzVlZmYyMTA4ZjU4ZTdkIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--3afebfe1105e8a7315baba72651e76a24f53e6d2; domain=.twitter.com; path=/; secure; HttpOnly
set-cookie: guest_id=v1%3A140295569643962216; Domain=.twitter.com; Path=/; Expires=Wed, 15-Jun-2016 21:54:56 UTC
status: 401 Unauthorized
strict-transport-security: max-age=631138519
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-mid: d31abfd0b6cbb0aa6434a6ffc6efdfac089ab0a5
x-runtime: 0.01273
x-transaction: 2dd94ca53f553801
x-ua-compatible: IE=edge,chrome=1
x-xss-protection: 1; mode=block
Failed to validate oauth signature and token
Related
Sometimes Microsoft Graph's One Drive Content API does not return HTTP status 302, but HTTP Status 200.
Occurs occasionally from 8/26.
GET https://graph.microsoft.com/v1.0/drives/{drive-id}/root:/{file-name}.xlsx:/content HTTP/1.1
SdkVersion: Graph-dotnet-1.4.0
Authorization: bearer {token}
Cache-Control: no-store, no-cache
Host: graph.microsoft.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 28 Aug 2020 03:20:43 GMT
Cache-Control: no-cache
Location: https://{tenant-name}-my.sharepoint.com/personal/{user-name}_onmicrosoft_com/_layouts/15/download.aspx?UniqueId={unique-id}&Translate=false&tempauth={tempauth}&ApiVersion=2.1
Strict-Transport-Security: max-age=31536000
request-id: {request-id}
client-request-id: {client-request-id}
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Japan East","Slice":"E","Ring":"2","ScaleUnit":"000","RoleInstance":"TY1PEPF00000CC9"}}
Content-Length: 0
I want to call /search method of Google cloud print from my webServer.
I am using OAuth web server guide obtaining a refresh_token/access_token to use with scopes:
https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile
Then I am calling search Api but I am obtaining a 403 forbidden.
Request DefaultHttpRequest(chunked: false)
POST /cloudprint/search HTTP/1.1
Host: www.google.com
Content-Type: text/plain; charset=utf-8
Authorization: OAuth yb29.1.AADtN_U9PYyVhGpcS-8MpFhfGVbT4KsZKEoIX2HGePwoNXypjrSwVsS0pGzmaqhktfGBAQ
Connection: keep-alive
Accept: */*
User-Agent: NING/1.0
Content-Length: 0
Response DefaultHttpResponse(chunked: true)
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Tue, 03 Dec 2013 17:05:09 GMT
Set-Cookie: NID=67=MQJFdl-YkMdz875n1J2yVNmeUeAvsjVtDGlNvGkNLZdNTHX3YbnStNx9Vg_MiRsmht6hj3XrwJcPJEQeFLlnYKqt2Of1xHJ5HDwNJgOB3svOdnN-JRFcPxYt4AU10eSM;Domain=.google.com;Path=/;Expires=Wed, 04-Jun-2014 17:05:09 GMT;HttpOnly
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alternate-Protocol: 443:quic
Transfer-Encoding: chunked
Is the scope correct?
What am I doing wrong?
Your scopes are wrong. The correct scope is https://www.googleapis.com/auth/cloudprint
I think this related to your HTTP Header 'Authorization'.
When playing at https://developers.google.com/oauthplayground/, I see the generated requests use 'Authorization: Bearer your-token', instead of 'Authorization: OAuth your-token'.
It looks like something has recently changes with the Provisioning API when getting a user account:
https://developers.google.com/google-apps/provisioning/#retrieving_users_experimental
previously, if you specified an address that was an Alias/Nickname, not a user, you got a 1301 error. Now it returns results for the primary user. Here's what GAM shows:
Verify that admin2# is an alias of admin:
C:\gam>gam info alias admin2
send: 'GET https://apps-apis.google.com/a/feeds/alias/2.0/jay.powerposters.org/a
dmin2#jay.powerposters.org HTTP/1.1\r\nAccept-Encoding: identity\r\nHost: apps-a
pis.google.com\r\nContent-Type: application/atom+xml\r\nAuthorization: OAuth rea
lm="", oauth_nonce="xxx", oauth_timestamp="xxx", oauth_consumer_key=
"xxxx", oauth_signature_method="HMAC-SHA1", oa
uth_version="1.0", oauth_token="xxx"
, oauth_signature="xxx"\r\nUser-Agent: Google App
s Manager 2.54 / jay#ditoweb.com (Jay Lee) / Python 2.7.3 final / Windows-7-6.1.
7601-SP1 AMD64 / GData-Python 2.0.14+20110902+custom_mods\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: Content-Type: application/atom+xml; charset=UTF-8
header: Expires: Thu, 15 Nov 2012 21:57:50 GMT
header: Date: Thu, 15 Nov 2012 21:57:50 GMT
header: Cache-Control: private, max-age=0, must-revalidate, no-transform
header: Vary: Accept, X-GData-Authorization, GData-Version
header: GData-Version: 1.0
header: Last-Modified: Thu, 15 Nov 2012 21:57:50 GMT
header: X-Content-Type-Options: nosniff
header: X-Frame-Options: SAMEORIGIN
header: X-XSS-Protection: 1; mode=block
header: Server: GSE
header: Transfer-Encoding: chunked
Alias Email: admin2#jay.powerposters.org
User Email: admin#jay.powerposters.org
Get "user" alias2:
C:\gam>gam info user admin2
send: 'GET https://apps-apis.google.com/a/feeds/user/2.0/jay.powerposters.org/ad
min2#jay.powerposters.org HTTP/1.1\r\nAccept-Encoding: identity\r\nHost: apps-ap
is.google.com\r\nContent-Type: application/atom+xml\r\nAuthorization: OAuth real
m="", oauth_nonce="xxx", oauth_timestamp="xxx", oauth_consumer_key="
xxx", oauth_signature_method="HMAC-SHA1", oau
th_version="1.0", oauth_token="xxx",
oauth_signature="xxx"\r\nUser-Agent: Google Apps Man
ager 2.54 / jay#ditoweb.com (Jay Lee) / Python 2.7.3 final / Windows-7-6.1.7601-
SP1 AMD64 / GData-Python 2.0.14+20110902+custom_mods\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: Content-Type: application/atom+xml; charset=UTF-8
header: Expires: Thu, 15 Nov 2012 21:59:32 GMT
header: Date: Thu, 15 Nov 2012 21:59:32 GMT
header: Cache-Control: private, max-age=0, must-revalidate, no-transform
header: Vary: Accept, X-GData-Authorization, GData-Version
header: GData-Version: 1.0
header: Last-Modified: Thu, 15 Nov 2012 21:59:32 GMT
header: X-Content-Type-Options: nosniff
header: X-Frame-Options: SAMEORIGIN
header: X-XSS-Protection: 1; mode=block
header: Server: GSE
header: Transfer-Encoding: chunked
User: admin2#jay.powerposters.org
First Name: Admin+
Last Name: USER
Is an admin: true
Has agreed to terms: true
IP Whitelisted: false
Account Suspended: false
Must Change Password: false
This new behavior breaks GAM commands like "gam whatis " since that command relied on getting the 1301 when trying to access the address as a user. I can imagine other apps that functioned similarly also broke.
Jay
I'm trying to use Google's OAuth in my system. I've successfully integrated Twitter and LinkedIn but i'm having hard times with Google.
I already have the consumer key, consumer secret and a valid access token. Using the G's OAuth playground I make a call to a protected resource (https://mail.google.com/mail/feed/atom). I've generated the token using this scope.
Using the authorization data in the HTTP header:
GET /mail/feed/atom HTTP/1.1
Host: mail.google.com
Accept: */*
Authorization: OAuth oauth_version="1.0", oauth_nonce="nounce", oauth_timestamp="1314727855", oauth_consumer_key="myconsumerkey", oauth_token="myvalidtoken", oauth_signature_method="HMAC-SHA1", oauth_signature="signature"
Content-Type: application/atom+xml
GData-Version: 2.0
The response I get from this is a valid HTTP call:
HTTP/1.1 200 OK
Content-Type: text/xml; charset=UTF-8
Set-Cookie: S=gmail=yp_A23KtGOD9:gmproxy=PxCjSERnJWBbe; Path=/mail; Secure
Date: Tue, 30 Aug 2011 18:10:55 GMT
Expires: Tue, 30 Aug 2011 18:10:55 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 353
Server: GSE
<XML response here>
But, (and here comes the error), using the same access token but sending it in the URL as param (https://mail.google.com/mail/feed/atom?oauth_token=myvalidtoken):
GET /mail/feed/atom?oauth_version=1.0&oauth_nonce=nonce&oauth_timestamp=1314729533&oauth_consumer_key=myconsumerkey&access_token=myvalidtoken&oauth_token=oauthtoken&oauth_signature_method=HMAC-SHA1&oauth_signature=signature HTTP/1.1
Host: mail.google.com
Accept: */*
Content-Type: application/atom+xml
GData-Version: 2.0
I get an 401 error:
HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=UTF-8
WWW-Authenticate: BASIC realm="New mail feed"
Content-Length: 147
Date: Tue, 30 Aug 2011 18:38:53 GMT
Expires: Tue, 30 Aug 2011 18:38:53 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
<HTML about my 401>
EDIT
I saw this example and I tried to use anonymous as consumer key and consumer secret. Now it works... but I need to show to the user the project's name declared in the Google's app registration page. I think i'm not using the correct consumer key and consumer secret.
Any clues on this will be appreciated. :)
Thanks in advance
https://www.rfc-editor.org/rfc/rfc5849#section-3.5.3
In OAuth 1.0, the parameter name is oauth_token not access_token...
Im having loads of issues with the Twitter API and GET. Hopefully someone can point out my mistake of help me in the correct direction. I got the POST correct for posting statusses, but i want to get the users mentions, but Im receiving "Could not authenticate with OAuth" the whole time.
Below are all my strings and headers as I set / get it. Please help. :)
- Generate Base URL -
base=GET&http%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fmentions.xml&oauth_consumer_key%3D0RaXE4T4CuMFJHI1jViEQ%26oauth_nonce%3DDGTQVDPXRAYASJJFJLJF%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1309954505%26oauth_token%3D298006718-8yTikfcuvQ3Xq1ZGuykhkxK2wY0ZAOxcI0jesRxd%26oauth_version%3D1.0
----------------------------------
- Build Signature -
SignKey=ey75K0x7bgyI4BwwG5mn7vLVNQiyphJo9MMT8t6bj0&Syk7tpizLGSo2xvJ9Q8Y1G318eKO8QXvPGWoOpdXWw
Signature=Q844NOw7T0oq8tNQkdR/6ez6Z8s=
----------------------------------
- Request twit Start -
postvars=
url=http://api.twitter.com/1/statuses/mentions.xml
----------------------------------
- Socket Before Header Send -
GET /1/statuses/mentions.xml HTTP/1.0
Accept: */*
Referer: http://eden.fm
User-Agent: Mozilla/4.0 (compatible; ICS)
Host: api.twitter.com
Authorization: OAuth oauth_nonce="DGTQVDPXRAYASJJFJLJF", oauth_callback="oob", oauth_token="298006718-8yTikfcuvQ3Xq1ZGuykhkxK2wY0ZAOxcI0jesRxd", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1309954505", oauth_consumer_key="0RaXE4T4CuMFJHI1jViEQ", oauth_signature="Q844NOw7T0oq8tNQkdR%2F6ez6Z8s%3D", oauth_version="1.0"
----------------------------------
- Socket Header End -
HTTP/1.1 401 Unauthorized
Date: Wed, 06 Jul 2011 12:16:11 GMT
Server: hi
Status: 401 Unauthorized
WWW-Authenticate: OAuth realm="http://api.twitter.com"
X-Runtime: 0.00899
Content-Type: application/xml; charset=utf-8
Content-Length: 152
Cache-Control: no-cache, max-age=1800
Set-Cookie: k=41.133.180.120.1309954571265496; path=/; expires=Wed, 13-Jul-11 12:16:11 GMT; domain=.twitter.com
Set-Cookie: guest_id=v1%3A130995457172572573; domain=.twitter.com; path=/; expires=Sat, 06 Jul 2013 00:16:11 GMT
Set-Cookie: original_referer=ojItV1ByhTzWh74Jc1NQEw%3D%3D; path=/
Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCNR9YP8wAToHaWQiJTQzZGVmMTE3YTI5ZjEz%250AOGYzZWEwYjlmNTRlM2I3MzA2IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--dd24ddb28d1207c2ebf479e57b6f9edb82553bbe; domain=.twitter.com; path=/; HttpOnly
Expires: Wed, 06 Jul 2011 12:46:11 GMT
Vary: Accept-Encoding
Connection: close
----------------------------------
- Request Done Socket DocEnd -
result=
status code=401
headers=HTTP/1.1 401 Unauthorized
Date: Wed, 06 Jul 2011 12:16:11 GMT
Server: hi
Status: 401 Unauthorized
WWW-Authenticate: OAuth realm="http://api.twitter.com"
X-Runtime: 0.00899
Content-Type: application/xml; charset=utf-8
Content-Length: 152
Cache-Control: no-cache, max-age=1800
Set-Cookie: k=41.133.180.120.1309954571265496; path=/; expires=Wed, 13-Jul-11 12:16:11 GMT; domain=.twitter.com
Set-Cookie: guest_id=v1%3A130995457172572573; domain=.twitter.com; path=/; expires=Sat, 06 Jul 2013 00:16:11 GMT
Set-Cookie: original_referer=ojItV1ByhTzWh74Jc1NQEw%3D%3D; path=/
Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCNR9YP8wAToHaWQiJTQzZGVmMTE3YTI5ZjEz%250AOGYzZWEwYjlmNTRlM2I3MzA2IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--dd24ddb28d1207c2ebf479e57b6f9edb82553bbe; domain=.twitter.com; path=/; HttpOnly
Expires: Wed, 06 Jul 2011 12:46:11 GMT
Vary: Accept-Encoding
Connection: close
----------------------------------
result=<?xml version="1.0" encoding="UTF-8"?>
<hash>
<error>Could not authenticate with OAuth.</error>
<request>/1/statuses/mentions.xml</request>
</hash>
Why not take a look at my open source TTwitter library? Even though this version of the project is now depreciated (I've rolled TTwitter into a larger project to develop more social networking components) it'll still point you in the right direction :)