401 Authorization Required: Failed to validate oauth signature and token

Time: 2014-10-21 10:38:06

Tags: perl curl twitter oauth

I have tried to use Net::Twitter::Role::OAuth to add Sign in with Twitter to my application.

I have used this successfully in the past, but without SSL enabled, which the Twitter API now requires. My controller action is very similar to the example in the synopsis:

use Net::Twitter;

sub twitter_authorize : Local {
    my($self, $c) = @_;

    # %param is defined elsewhere in the app (assumed to carry the app's
    # consumer_key/consumer_secret); $callbackurl is the URL Twitter
    # should send the user back to.
    my $nt = Net::Twitter->new(traits => [qw/API::RESTv1_1 OAuth/], %param);
    my $url = $nt->get_authorization_url(callback => $callbackurl);

    # Keep the request token pair until the callback completes the flow.
    $c->response->cookies->{oauth} = {
        value => {
            token => $nt->request_token,
            token_secret => $nt->request_token_secret,
        },
    };

    $c->response->redirect($url);
}

However, this fails with a 401 Unauthorized error on the $nt->get_authorization_url() call.

Looking at the oauth/request_token documentation, I tried running the request through cURL as follows:

curl --request 'POST' 'https://api.twitter.com/oauth/request_token' --header 'Authorization: OAuth oauth_consumer_key="xxxx", oauth_nonce="xxxx", oauth_signature="xxxx", oauth_signature_method="HMAC-SHA1", oauth_timestamp="xxxx", oauth_callback="oob", oauth_version="1.0"' --verbose

The response is as follows:

* About to connect() to api.twitter.com port 443 (#0)
*   Trying 199.16.156.104... connected
* Connected to api.twitter.com (199.16.156.104) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES128-SHA
* Server certificate:
*    subject: C=US; ST=California; L=San Francisco; O=Twitter, Inc.; OU=Twitter Security; CN=api.twitter.com
*    start date: 2014-08-03 00:00:00 GMT
*    expire date: 2016-12-31 23:59:59 GMT
*    subjectAltName: api.twitter.com matched
*    issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)10; CN=VeriSign Class 3 Secure Server CA - G3
*    SSL certificate verify ok.
> POST /oauth/request_token HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> Host: api.twitter.com
> Accept: */*
> Authorization: OAuth oauth_consumer_key="xxxx", oauth_nonce="xxxx", oauth_signature="xxxx", oauth_signature_method="HMAC-SHA1", oauth_timestamp="xxxx", oauth_callback="oob", oauth_version="1.0"
> 
< HTTP/1.1 401 Authorization Required
< cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
< content-length: 44
< content-security-policy-report-only: default-src https:; connect-src https:; font-src https: data:; frame-src https: http://*.twimg.com http://itunes.apple.com about: javascript:; img-src https: data:; media-src https:; object-src https:; script-src 'unsafe-inline' 'unsafe-eval' about: https:; style-src 'unsafe-inline' https:; report-uri https://twitter.com/i/csp_report?a=NVXW433SMFUWY%3D%3D%3D&ro=true;
< content-type: text/html; charset=utf-8
< date: Tue, 21 Oct 2014 10:29:57 UTC
< expires: Tue, 31 Mar 1981 05:00:00 GMT
< last-modified: Tue, 21 Oct 2014 10:29:57 GMT
< pragma: no-cache
< server: tsa_b
< set-cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCD2PQTJJAToHaWQiJTE3M2Q4OWIyZWE1Nzc1%250AZmYxMjRkYmUyZDVjOTBlYjQxIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--b807e4ebb8d45756e9686971b951a549d0d83b61; domain=.twitter.com; path=/; secure; HttpOnly
< set-cookie: guest_id=v1%3A141388739758201626; Domain=.twitter.com; Path=/; Expires=Thu, 20-Oct-2016 10:29:57 UTC
< status: 401 Unauthorized
< strict-transport-security: max-age=631138519
< vary: Accept-Encoding
< x-connection-hash: 54a185631d5f0b3a3a9dc46fe1f40a57
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-mid: 0258025664ce095129d0cc294100d71a2e6e66ac
< x-runtime: 0.01294
< x-transaction: 6fad295009a89877
< x-ua-compatible: IE=edge,chrome=1
< x-xss-protection: 1; mode=block
< 
* Connection #0 to host api.twitter.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
Failed to validate oauth signature and token

Strangely, if I remove the oauth_callback key from the Authorization header, it works fine and I get a token. However, the API docs suggest this parameter is required. Is there something wrong with how I'm passing the oauth_callback item?

I have already tried setting it to oob (which should work for "out of band" access). I have copied the encoded URL from the API docs. It doesn't work.

Since it works without oauth_callback, it isn't a timing problem on my machine, which is a common issue. I haven't yet tried sending the Net::Twitter request without a callback (I haven't checked whether that's even possible), but I assume it would fix it there too. However, I do need the request to have a valid callback URL, or the user won't be redirected back to the application for the rest of the login flow.

1 answer:

Answer 0 (score: 1)

Adam,

I ran into a similar problem, and after a thorough investigation of what other Twitter API wrapper libraries do, I found that oauth_callback needs to be encoded twice.

Doing a quick search for more explanation/clarity, I found the following SO answer, Twitter Oauth URL encoding inconsistencies?, which explains the problem I was having very concisely.

Could this be the problem you've run into?
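The "encoded twice" point in the answer, and the question's observation that the same header succeeds once oauth_callback is dropped, both come down to how OAuth 1.0a builds the HMAC-SHA1 signature base string. The following is an added example, written for this page and not code from the question, the answer or Net::Twitter: it assembles an Authorization header for POST /oauth/request_token, shows that the callback URL is percent-encoded once in the header but twice in the signature base string, recomputes the signature the way the provider does, and contrasts it with the signature a once-encoded base string produces. The consumer key, secret, nonce, timestamp and callback URL are constructed sample values, not real credentials.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"

# Constructed sample values (not real credentials).
CONSUMER_KEY = "xxxx_consumer_key"
CONSUMER_SECRET = "xxxx_consumer_secret"
CALLBACK_URL = "https://example.com/twitter_callback"
NONCE = "d41d8cd98f00b204"
TIMESTAMP = "1413887397"


def pct(s):
    """RFC 3986 percent-encoding as OAuth 1.0a requires: everything except
    A-Z a-z 0-9 - . _ ~ is encoded, including ':' and '/'."""
    return quote(s, safe="-._~")


def normalized_params(params, encode_values=True):
    """Sorted 'k=v' pairs joined by '&'. OAuth encodes each value here;
    encode_values=False reproduces the mistake of skipping that step."""
    enc = pct if encode_values else (lambda v: v)
    return "&".join(f"{pct(k)}={enc(v)}" for k, v in sorted(params.items()))


def signature_base_string(method, url, params, encode_values=True):
    """METHOD & pct(url) & pct(normalized params). The parameter string
    already holds once-encoded values and is encoded again as a whole, so a
    callback URL appears double-encoded in the base string."""
    return "&".join([method.upper(), pct(url),
                     pct(normalized_params(params, encode_values))])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Signing key is pct(consumer_secret)&pct(token_secret); the token
    secret is empty for the request_token step."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def oauth_params(callback, consumer_key=CONSUMER_KEY, nonce=NONCE, timestamp=TIMESTAMP):
    return {
        "oauth_callback": callback,
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_version": "1.0",
    }


def build_request_token_header(callback, consumer_secret=CONSUMER_SECRET):
    """Return (Authorization header value, signature base string)."""
    params = oauth_params(callback)
    base = signature_base_string("POST", REQUEST_TOKEN_URL, params)
    params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret)
    # Header values are percent-encoded exactly once.
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))
    return header, base


def single_encoded_signature(callback, consumer_secret=CONSUMER_SECRET):
    """Signature over a base string whose callback was encoded only once."""
    base = signature_base_string("POST", REQUEST_TOKEN_URL, oauth_params(callback),
                                 encode_values=False)
    return hmac_sha1_signature(base, consumer_secret)


def parse_oauth_header(header):
    """Turn 'OAuth k="v", ...' back into decoded key/value pairs."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth header")
    pairs = {}
    for item in header[len("OAuth "):].split(", "):
        k, v = item.split("=", 1)
        pairs[unquote(k)] = unquote(v.strip('"'))
    return pairs


def server_verifies(header, consumer_secret=CONSUMER_SECRET):
    """Provider-side check: decode the header, rebuild the base string from
    the decoded values (re-encoding the callback twice) and compare
    signatures in constant time."""
    params = parse_oauth_header(header)
    presented = params.pop("oauth_signature")
    expected = hmac_sha1_signature(
        signature_base_string("POST", REQUEST_TOKEN_URL, params), consumer_secret)
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    hdr, base = build_request_token_header(CALLBACK_URL)
    print(hdr)
    print(base)
    print("verifies:", server_verifies(hdr))
```

With a callback value such as "oob" that contains no reserved characters, the once-encoded and twice-encoded base strings are identical, so the signature does not reveal an encoding mistake; a real https:// callback is what exposes it.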