Twitter OAuth returning "Incorrect signature". Please help

Question

I've been looking at this for the last couple of hours. I've tried googling the problem and tried several edits but to no avail. I'm sure everything here is right but I'm still getting errors. Can someone whose worked with twitter Oauth please take a look at my code and see whats wrong.

<?php


$oauth_consumer_key = "OKuMtqCnndfee3sw";   //scrambled
$oauth_consumer_secret = "Gs2hOY9drerfdsfiOF76Yeyf9aTjYzPH5Z3eMU";   // scrambled
$oauth_nonce = sha1(time());
$oauth_signature_method = "HMAC-SHA1";
$oauth_timestamp = time();

$oauth_version = "1.0";
$oauth_token = "50005779-NSp6lP5DVLoWMh34dfdsBb2FnHf9DIcpu";  // scrambled
$token_secret = "ha0tS9SyldDdfeefw";   // scrambled
$status = "testing";

$baseString = "oauth_consumer_key=" . rawurlencode($oauth_consumer_key) . "&oauth_nonce=" . rawurlencode($oauth_nonce) . "&oauth_signature_method=" . rawurlencode($oauth_signature_method) . "&oauth_timestamp=" . rawurlencode($oauth_timestamp) . "&oauth_token=" . rawurlencode($oauth_token) . "&oauth_version=" . rawurlencode($oauth_version) . "&status=" . rawurlencode($status);

$baseString = "POST&" . rawurlencode("https://api.twitter.com/1/statuses/update.json") . "&" . rawurlencode($baseString);


$signing_key = rawurlencode($oauth_consumer_secret) . "&" . rawurlencode($token_secret);

$signature = base64_encode(hash_hmac('sha1', $a, $signing_key, true));

$auth = "OAuth oauth_nonce=\"" . $oauth_nonce . "\",oauth_signature_method=\"" . $oauth_signature_method . "\",oauth_timestamp=\"" . $oauth_timestamp . "\",oauth_consumer_key=\"" . $oauth_consumer_key . "\",oauth_token=\"" . rawurlencode($oauth_token) . "\",oauth_signature=\"" . rawurlencode($signature) ."\",oauth_version=\"" . $oauth_version . "\"";

$ch = curl_init("https://api.twitter.com/1/statuses/update.json");

curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_HTTPHEADER, array("Expect: ", "Authorization: $auth"));
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $baseString);

$b = curl_exec($ch);
var_dump($b);

curl_close($ch);
​?>

Any help would be greatly appreciated. Thank you.

Answer 1

It looks like you're not following the OAuth Authentication Flow (unless this is just the end where the user has already authenticated). I've been working with OAuth for a bit these past few weeks and had a lot of trouble. Just got it working last night using just the OAuth PHP Library they provide on their website. You can find it here -> http://oauth.googlecode.com/svn/code/php/OAuth.php

This is what I have developed from that (full workflow):

Authenticate Page:

$oauth_signature_method = new OAuthSignatureMethod_HMAC_SHA1();
$oauth_consumer_key = new OAuthConsumer( "your_twitter_consumer_key", "your_twitter_consumer_secret" );
$oauth_token = NULL;

$request_token = OAuthRequest::from_consumer_and_token( $oauth_consumer_key, $oauth_token, 'GET', "https://api.twitter.com/oauth/request_token", array('oauth_callback' => "http://your/callback/url/")) );
$request_token->sign_request( $oauth_signature_method, $oauth_consumer_key, $oauth_token );

$curl_handle = curl_init();
curl_setopt($curl_handle, CURLOPT_URL, $request_token->to_url());
curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, TRUE);
$response = curl_exec($curl_handle);
curl_close($curl_handle);

$token = OAuthUtil::parse_parameters($response);
$_SESSION['oauth_token'] = $token['oauth_token'];
$_SESSION['oauth_token_secret'] = $token['oauth_token_secret'];

header('Location: https://api.twitter.com/oauth/authorize?oauth_token=' . $token['oauth_token']);

Callback Page:

$oauth_signature_method = new OAuthSignatureMethod_HMAC_SHA1();
$oauth_consumer_key = new OAuthConsumer( "your_twitter_consumer_key", "your_twitter_consumer_secret" );
$oauth_token = new OAuthConsumer( $_SESSION['oauth_token'], $_SESSION['oauth_token_secret'] );

$access_token = OAuthRequest::from_consumer_and_token( $oauth_consumer_key, $oauth_token, 'GET', "https://api.twitter.com/oauth/access_token", array('oauth_verifier' => $_REQUEST['oauth_verifier']) );
$access_token->sign_request( $oauth_signature_method, $oauth_consumer_key, $oauth_token );

$curl_handle = curl_init();
curl_setopt($curl_handle, CURLOPT_URL, $access_token->to_url());
curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, TRUE);
$response = curl_exec($curl_handle);
curl_close($curl_handle);

$token = OAuthUtil::parse_parameters($response);
$_SESSION['access_token'] = $token;

unset($_SESSION['oauth_token']);
unset($_SESSION['oauth_token_secret']);

// user has been verified. Token is stored in $_SESSION. Now you can make calls to the api
header('Location: http://your/completion/page');

Calling /account/verify_credentials:

$access_token = $_SESSION['access_token'];

$oauth_signature_method = new OAuthSignatureMethod_HMAC_SHA1();
$oauth_consumer_key = new OAuthConsumer( "your_twitter_consumer_key", "your_twitter_consumer_secret" );
$oauth_token = new OAuthConsumer( $access_token['oauth_token'], $access_token['oauth_token_secret'] );

$request = OAuthRequest::from_consumer_and_token( $oauth_consumer_key, $oauth_token, 'GET', 'https://api.twitter.com/account/verify_credentials.json', NULL );
$request->sign_request( $oauth_signature_method, $oauth_consumer_key, $oauth_token );

$curl_handle = curl_init();
curl_setopt($curl_handle, CURLOPT_URL, $request->to_url());
curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, TRUE);
$response = curl_exec($curl_handle);
curl_close($curl_handle);

$response = json_decode($response);
print_r($response);

I also created a test status update page with this code:

$access_token = $_SESSION['access_token'];

$oauth_signature_method = new OAuthSignatureMethod_HMAC_SHA1();
$oauth_consumer_key = new OAuthConsumer( "your_twitter_consumer_key", "your_twitter_consumer_secret" );
$oauth_token = new OAuthConsumer( $access_token['oauth_token'], $access_token['oauth_token_secret'] );

$post_fields = array(
    'status' => "This is a test status update."
);
$request = OAuthRequest::from_consumer_and_token( $oauth_consumer_key, $oauth_token, 'POST', 'https://api.twitter.com/statuses/update.json', $post_fields );
$request->sign_request( $oauth_signature_method, $oauth_consumer_key, $oauth_token );

$curl_handle = curl_init();
curl_setopt($curl_handle, CURLOPT_URL, $request->to_url());
curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($curl_handle, CURLOPT_USERAGENT, "Twitter OAuth Test");
curl_setopt($curl_handle, CURLOPT_HTTPHEADER, array('Expect:'));

curl_setopt($curl_handle, CURLOPT_POST, TRUE);
curl_setopt($curl_handle, CURLOPT_POSTFIELDS, $post_fields);

$response = curl_exec($curl_handle);
print_r(curl_getinfo($curl_handle));
curl_close($curl_handle);

$response = json_decode($response);
print_r($response);

That's the complete Twitter OAuth Authentication. I hope this helps you or at least gets you started!