Home/ Questions/Q 6565881
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-25T14:08:59+00:00

Good day, I am writing an iOS app that needs to authenticate with Twitter.

  • 0

Good day, I am writing an iOS app that needs to authenticate with Twitter. When I POST a request to https://api.twitter.com/oauth/request_token I get a 401 error with the message “Failed to validate oauth signature and token”.

Here is an example of a base string I generated:

POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_callback%3Doob%26oauth_consumer_key%3Dfy5lC1V4ojgaolKPnEsbg%26oauth_nonce%3Da55d09b40e3fc189addaf203ef7f2dc475ea2a69%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1315413303%26oauth_version%3D1.0

Can’t see anything wrong with it. I also checked my signature generation method using the example base string and consumer secret in the Twitter documentation here: https://dev.twitter.com/docs/auth/oauth
I get the same signature.

I also checked my timestamp but it is within a second of UTC epoch time. Here are the response headers I’m getting:

Response:{
    "Cache-Control" = "no-cache, no-store, must-revalidate, pre-check=0, post-check=0";
    Connection = close;
    "Content-Encoding" = gzip;
    "Content-Length" = 62;
    "Content-Type" = "text/html; charset=utf-8";
    Date = "Wed, 07 Sep 2011 16:35:05 GMT";
    Expires = "Tue, 31 Mar 1981 05:00:00 GMT";
    "Last-Modified" = "Wed, 07 Sep 2011 16:35:05 GMT";
    Pragma = "no-cache";
    Server = hi;
    "Set-Cookie" = "admobuu=10208a061552e8488e7953874e764745; domain=.m.twitter.com; path=/; expires=Tue, 19 Jan 2038 03:14:07 GMT, _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCBMnvkQyAToHaWQiJThkNjJhNDI5YjI1MDEz%250AOWQxYTcxYTYyODg3NWQ2OTkyIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--94b10215c29c55d20de023c624296349f461f69d; domain=.twitter.com; path=/; HttpOnly";
    Status = "401 Unauthorized";
    Vary = "Accept-Encoding";
    "X-Content-Type-Options" = nosniff;
    "X-Frame-Options" = SAMEORIGIN;
    "X-Mid" = d09597bbd71f66cf5869d99b2f3cf994fbf7dfb9;
    "X-Revision" = DEV;
    "X-Runtime" = "0.00428";
    "X-Transaction" = "1315413305-15807-4243";
}

And here’s my Objective C code:

// Strings
    NSString *urlString = @TWITTER_REQUEST_TOKEN_URL;
    NSString *urlEncoded = (NSString *)CFURLCreateStringByAddingPercentEscapes(NULL, (CFStringRef)urlString, NULL, (CFStringRef)@"!*'();:@&=+$,/?%#[]", kCFStringEncodingUTF8);
    NSString *oauthCallback = @TWITTER_CALLBACK;
    NSString *oauthConsumerKey = @TWITTER_KEY;
    NSString *oauthConsumerSecret = @TWITTER_SECRET;
    NSString *timestamp = [NSString stringWithFormat:@"%d",(long)[[NSDate date] timeIntervalSince1970]];
    NSInteger randomNumber = arc4random();
    NSString *randomString = [NSString stringWithFormat:@"%d",randomNumber];
    NSString *oauthNonce = [HashService sha1DigestFromKey:timestamp andBaseString:randomString];
    NSString *oauthSignatureMethod = @"HMAC-SHA1";
    NSString *oauthVersion = @"1.0";

    // Create base string and signature
    NSMutableString *baseString = [NSMutableString stringWithFormat:@"POST&%@&",urlEncoded];
    NSString *paramString = [NSString stringWithFormat:@"oauth_callback=%@&oauth_consumer_key=%@&oauth_nonce=%@&oauth_signature_method=%@&oauth_timestamp=%@&oauth_version=%@",oauthCallback,oauthConsumerKey,oauthNonce,oauthSignatureMethod,timestamp,oauthVersion];
    NSString *paramStringEncoded = (NSString *)CFURLCreateStringByAddingPercentEscapes(NULL, (CFStringRef)paramString, NULL, (CFStringRef)@"!*'();:@&=+$,/?%#[]", kCFStringEncodingUTF8);
    [baseString appendString:paramStringEncoded];
    NSString *signingKey = [NSString stringWithFormat:@"%@&",oauthConsumerSecret];
    NSString *oauthSignature = [HashService HmacSha1FromKey:signingKey andBaseString:baseString];

    // Create request
    NSURL *url = [NSURL URLWithString:urlString];
    NSString *authHeader = [NSString stringWithFormat: @"OAuth oauth_nonce=\"%@\",oauth_callback=\"%@\",oauth_signature_method=\"%@\",oauth_timestamp=\"%@\",oauth_consumer_key=\"%@\",oauth_version=\"%@\",oauth_signature=\"%@\"",oauthNonce,oauthCallback,oauthSignatureMethod,timestamp,oauthConsumerKey,oauthVersion,oauthSignature];

    ASIFormDataRequest *request = [ASIFormDataRequest requestWithURL:url];
    [request addRequestHeader:@"Authorization" value:authHeader];
    request.requestMethod = @"POST";
    [request startSynchronous];

I just can’t get it to work. Suggestions?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Finally got it to work. When creating the Authorization header the oauth_signature needs to be URL-encoded.

    • 0