Getting "Could not authenticate with OAuth." from Twitter when trying to POST - twitter

I'm successfully able to get an access token through the OAuth process.
However, when I try to run a POST to the /statuses/update.json endpoint, I get a "Could not authenticate with OAuth."
I'm signing with the token I got back from authenticating with my consumer secret, I don't understand what else could be.
Twitter forums were no help either.
Any tips would be greatly appreciated.

Making authenticated calls to Twitter can be a pain.
Make sure that the parameters in your signature base string are ordered alphabetically.
Take this:
oauth_consumer_key={consumerkey}&oauth_nonce={nonce}&oauth_signature_method=HMAC-SHA1&oauth_timestamp={timestamp}&oauth_token={token}&oauth_version=1.0&status={tweet text}
fill out the values, encode it in Base64, and then put it together like this:
POST&{base64 encoded url}&{base64 encoded base string}
this will be the string you need to sign (without the brackets). (The url in this case will be https://api.twitter.com/1.1/statuses/update.json)
The signing key needs to be built like this:
{consumer secret}&{token secret}
The signature is a HMACSHA1 hash, which is then base64 encoded.
Then you need to put this in the Authorization header:
OAuth oauth_consumer_key="{consumer key}",oauth_nonce="{nonce}",oauth_signature="{signature}",oauth_signature_method="HMAC-SHA1",oauth_timestamp="{timestamp}",oauth_token="{token}",oauth_version="1.0"
And finally put status=your tweet text as the posted data in your request.
I hope this helps.

Related

OAuth2 token returned from Office 365 doesn't contain a preffered_username claim

I followed this tutorial and have gotten to the point where I am decoding the returned token, and extracting the email address (which should be stored in the preferred_username property), ie, the following code:
decoded_token = Base64.urlsafe_decode64(encoded_token)
jwt = JSON.parse(decoded_token)
email = jwt['preferred_username']
The problem is that the object returned doesn't contain this property, what I do get back is similar to below:
{
"ver":"2.0",
"iss":"https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0",
"aud":"0ab6433e-84fc-469b-8c72-41f7a0241a61",
"exp":1458142389,
"iat":1458055989,
"at_hash":"0OYaLKpTTdHNBrQNOqwQ0Q",
"sub":"AAAAAAAAAAAAAAAAAAAAAC1TrOaOmvInYrFAyrQjlFI",
"tid":"9188040d-6c67-4c5b-b112-36a304b66dad"
}
A quick glance at the spec indicates I am getting the correct object back from Office 365, as preferred_username is mentioned as a potential claim, but it isn't in the object I get back.
It's possible I'm not calling the get_token function with the correct parameters, but the documentation for the library is pretty sparse, so I can't really tell.
I have raised an issue on Github.
Is this an error on the Office 365 end, an error with the tutorial, or am I doing something wrong myself?
Answered here by Jason Johnston from Microsoft (author of the tutorial):
The Azure team deployed a breaking change to their v2 auth endpoint, which is causing the preferred_username to not be present. You need to add profile to the SCOPES array in auth_helper.rb. I'll post an update to the tutorial after the Build conference.
The SCOPES array in auth_helper.rb now looks like so:
SCOPES = [ 'openid', 'https://outlook.office.com/mail.read', 'profile' ]
I am try to reproduce this issue using normal HTTP request however I could get the preferred_username property successfully.
As far as I know, we can get this property only when we specific the openid scope in the request. To narrow down this issue, I suggest that you trying use Fiddler or Postman without Ruby.
Here is the test using web browser and Fiddler to get the id token for your reference:
Register the app in the portal using Office 365 account( which you can refer to the tutorial)
Get the auth code in a web broswer via the link below:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={ClientID}&response_type=code&redirect_uri={RedirectURL}&response_mode=query&scope=https%3A%2F%2Foutlook.office.com%2Fmail.read%20https%3A%2F%2Foutlook.office.com%2Fmail.send%20openid&state=12345
Replace the auth code from preview request and using Fiddler to post the request to get the tokens:
POST: https://login.microsoftonline.com/common/oauth2/v2.0/token
grant_type=authorization_code&client_id={ClientID}&scope=https%3A%2F%2Foutlook.office.com%2Fmail.read%20https%3A%2F%2Foutlook.office.com%2Fmail.send%20openid&redirect_uri=http%3A%2F%2Flocalhost%3A55065%2F&client_secret={ClientSecret}&code={AuthCode}
Decode the ID token from the link below:
https://jwt.io/
Then I could get the preferred_username property from the ID token successfully.

linkedin access token generation error

When I try to generate access token using:
https://www.linkedin.com/uas/oauth2/accessToken?grant_type=authorization_code&code=xxxxxxxxxxx&redirect_uri=http%3A%2F%2Fws-100945%3A9080%2FArtisWeb%2Findex.html&client_id=xxxxx&client_secret=xxxxx
it's throwing error as:
{"error_description":"missing required parameters, includes an invalid
parameter value, parameter more than once. : Unable to retrieve access
token : appId or redirect uri does not match authorization code or
authorization code expired","error":"invalid_request"}.
Could you guide me on this issue?
The URL itself looks correct so it must be the code that is expired or reused. Make sure the code is used immediately after you receive it and use it only once.
Also make sure that you URL-encode in fact all parameter values, including client_id and client_secret if/since they may contain URL-unsafe characters like '&' and ' '.

Hacked. How can a hacker get to the individual-url (token) of my users?

How would you think a hacker is doing the following, and how would you prevent (looking for some helpfull links, keywords or assessment of the sitution)?
Their is a website where users can register and get an invitation Email. The invaitation link (https) contains the token. It looks like 'https://www.example.com/token/123456' (123456 is the token).
It seems that a day after my users clicked on this link, someone else uses the same links too.
How is this possible and how can I prevent this sort of hack?
Thanks
EDIT:
Sorry I should have given more information. I can eliminate the opinion that it is not just a try of random token variations. Why? The exact token is used a day after one of the user had use the link. The token is a hash token of more that 20 characters.
They can just run a script to try any numerical value in the token value.
it's easy. How long is your token? I would also suggest using a hash token rather than a simple numerical one to limit automatic processing, as the "hack" is scripting to try a number, gets a result - store the result, and then number = number + 1;
Edit: What evidence do you have you've been hacked? What happens in your script once someone has clicked the token link?
A simple logic to apply could be:
define a string pattern. like: secretconstant%email
hash the string and now you have the token (and save it)
create your invitation url with the token
If someone call your service with random token you can reject them because your information system don't have saved that token.
Then if you have the token you must discard it so the link will not be valid anymore.
You could check also if the email used in the registration is the same used for calculate the token.. so you may block the registration!

Withings: getting oauth_callback to.. call back?

Im working with the withings oauth implementation in hopes of retrieving stored values from scales. I can get the request token which I send back in hopes of getting the userid and the oauth_verifier passed back to my application.
What is happening is that if I pass in a full URL via the oauth_callback ( EG "http://some.site.com/myapp.php" ) the withings page displays the results on its page. But if I pass in just a page ( EG "myapp.php" ) withings will append this page name to its site and attempt to pass the parameters there (resulting in a 404). (EG "http://oauth.withings.com/account/myapp.php?oauth_params=..." ).
Other bits:
1. Code is in Perl
2. All oauth_signature values are HMAC_SHA1 signed
3. Any bits passed on the URL are url encoded using uri_escape
My questions:
1. Has anyone succeeded in getting data from withings?
2. Has anyone seen and overcome this problem with oauth_callback?
Turns out the answer is to url encode the address.. and then encode it again when you use it in the resultant signature and URL that you pass to withings.
I was just encoding it once.

Twitter oauth_callback parameter being ignored!

I'm trying to get Twitter authentication working on my ASP.NET site. When you create the app on the Twitter website, you have to specify a callback URL, which for sake of argument, I have set to http://mydomain.com
I've read the oAuth 1.0a spec, and to override this callback URL with your own custom one you have to send the oauth_callback parameter in the request_token phase (url-encoded of course).
So my request URL looks like this:
http://twitter.com/oauth/request_token?oauth_callback=http%3A%2F%2Fmydomain.com%2Ftwittercallback
Supposedly, if all goes to plan, in your response data, you are supposed to receive a new parameter of oauth_callback_confirmed=true in addition to your token and token secret parameters.
However, my response comes through as:
oauth_token=MYTOKEN&oauth_token_secret=MYTOKENSECRET
I know I haven't given you guys the greatest amount to go on, but I'm at my wits end as to why I am not receiving the oauth_callback_confirmed parameter. Without this, my application keeps defaulting back to the callback URL hard-coded on the Twitter website. Please if anyone could help me out, I will be eternally grateful!
Thanks,
A.
I've read the oAuth 1.0a spec, and to
override this callback URL with your
own custom one you have to send the
oauth_callback parameter in the
request_token phase (url-encoded of
course).
So my request URL looks like this:
http://twitter.com/oauth/request_token?oauth_callback=http%3A%2F%2Fmydomain.com%2Ftwittercallback
just because YOU read the spec doesn't mean that TWITTER read it. :P
kidding - this is essentially correct - but the way twitter likes to receive this data is a little different (and not well documented).
the way i've found to get the oauth_callback to confirm is as follows: specify the oauth_callback in the parameters of the request function, NOT within the URL.
python example (using oauth2):
''' Create our client.'''
client = oauth.Client(consumer)
''' do the request '''
resp, content = client.request(request_token_url,"POST",body=urllib.urlencode({'oauth_callback':callbackURL}))
''' note that it's called "body" in this particular OAuth function for Client but in OAuth Request object it's called "parameters." YMMV depending on programming language/ library of course. '''
this is ALSO the only way i've managed to get an oauth verifier back. supposedly one should not have to specify the callback URL every time, since we provide it in app settings...but experience seems to indicate otherwise.
finally, please be aware that at leg 3 you have to do the same thing AGAIN - this time including the oauth_verifier as well as the callback URL in the parameters.
hope this helps - can't begin to tell you how much effort i put into figuring this out.
good luck!
J
I've used this guide to set up my PC to be used as the callback location. Basically you set up your hosts file in a certain way, clear your cache and add a couple of Firefox registry values. At the end when you are debugging an oauth call the redirect comes back to your local PC.
As I said it worked for me.
<?php
// oauth-php example
$token = OAuthRequester::requestRequestToken(
$consumer_key,
$user_id,
array('oauth_callback'=> urlencode($callback_uri))
);
?>

Resources