I'm attempting to authenticate users via Twitter in order to give them an access token cookie so they can make search API requests from my web front end. Or, stated in reverse: I need my users to be able to search tweets (which I'm doing right now sans authentication pre-1.1) so now I need to log them in and give them access tokens for these requests.
But try as I might to follow this: https://dev.twitter.com/docs/auth/implementing-sign-twitter, I'm getting stuck at Step 1: Getting request token. Here is my HttpPost and the Twitter 1.1 api response, in plain text (via wireshark):
POST /oauth/request_token HTTP/1.1
Authorization: OAuth oauth_callback="https%3A%2F%2Fwww.mysite.co%2Ftwitter_auth_callback",oauth_consumer_key="CONSUMERKEY",oauth_nonce="f8bef3a17dac4b4eaa09fad7f7794a18",oauth_signature="1234e59bb9abcda53d9c288e168abcdef1234cbf33",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1357508339",oauth_version="1.0"
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
HTTP/1.1 401 Unauthorized
Date: Sun, 06 Jan 2013 21:38:59 GMT
Status: 401 Unauthorized
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Content-Type: text/html; charset=utf-8
Last-Modified: Sun, 06 Jan 2013 21:38:59 GMT
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Set-Cookie: k=10.35.51.113.1357508339018529; path=/; expires=Sun, 13-Jan-13 21:38:59 GMT; domain=.twitter.com
Set-Cookie: guest_id=v1%3A135750833902835385; domain=.twitter.com; path=/; expires=Wed, 07-Jan-2015 09:38:59 GMT
Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCFZlzRE8AToHaWQiJTc0YzY4MTEyZGZmNGM3%250AODJlNTYwNzA0MjNiYjE3ZmFhIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--46808a2fb500feb4cf99ae5157448438bedda649; domain=.twitter.com; path=/; HttpOnly
Failed to validate oauth signature and token
Which looks very similar to the post/response example on the other page. Does anything look wrong to you? Definitely could use some help after wrestling with this for a few hours.
The one thing that does jump out at me is my oauth signature. Mine lookes 16-bit encoded and the example's does not. Why are we hashing the secret in the first place? Because non https requests are allowed? And how would I go about hashing that in java? I'm assuming it's a Sha1 hash, 64-bit encoded, then URL encoded. Is that right? (Trying to avoid suing Twitter4J. Don't want to be dependent on additional libraries if I can help it.)
BTW, timestamps are identical. It's not that.