How to Sign oAuth requests

In the development of Piculet, my new hobbie project, i’ve had to implement the oAuth Authorization process. The Twitter App documentation gives you a rough sketch of how to do this, and the services spec points you off to the official oAuth Specification.

Let’s just say it’s a bit confusing. After surfing the web i’ve found some example code and a class with oAuth utility methods which i used in the implementation see external links at the end.

I advise you read and examine the code mentioned in the article here. The small  application the author provides will give you some insight on how it all works and how you can achieve the oAuth calls. Unfortunally this isn’t explained in the article itself hence this post.

Authorization process

The authorization process, according to twitter is :

The application uses oauth/request_token to obtain a request token from twitter.com.

The application directs the user to oauth/authorize on twitter.com.

After obtaining approval from the user, a prompt on twitter.com will display a 7 digit PIN.

The user is instructed to copy this PIN and return to the appliction.

The application will prompt the user to enter the PIN from step 4.

The application uses the PIN as the value for the oauth_verifier parameter in a call to

oauth/access_token which will verify the PIN and exchange a request_token for an access_token.

Twitter will return an access_token for the application to generate subsequent OAuth signatures.

Seems simple enough.

Signing oAuth Requests

When you register your application with twitter it gives you a consumer key that identifies your application and a consumer secret which will be used to generate your oAuth signature. This is where i bungled up, at first i thought the consumer key would be the signature to use, lets just say i should’ve read the oAuth Spec first.

Let’s take the request token call as an example. In order to obtain the request token for your application you will need to generate the following :

1. Signature
2. Nonce
3. Timestamp

The oAuthBase class mentioned above will help you with this. All you need to do is provide it with your consumer key and secret, the url your calling in this case that would be : http://twitter.com/oauth/requet_token and the queryString – in this case this is empty
All you need to do is call the method  GenerateSignature to generate your signature and prepare your url.
The following code generates the url to call request_token :

    OAuth.OAuthBase oAuth = new OAuth.OAuthBase();
    string queryString="";
    string tstamp=oAuth.GenerateTimeStamp();
    string sig = oAuth.GenerateSignature(new Uri(http://twitter.com/oauth/requet_token),
                                     consumerKey, consumerSecret,,null, null,"GET",tstamp ,nonce,
                                     out url, out queryString);
    queryString += "&oauth_signature=" + HttpUtility.UrlEncode(sig);
    return url+"?"+queryString;

Now all you need to do is call that url and get your request_token.

All calls from here on end can be signed in the same manner. Only difference is that after the authorization procedure you get an access token, which you will need to provide  the GenerateSignature method in order to sign your urls.

Sidenote on Using oAuthBase

I ran into a problem when trying to use the oAuthBase class with mono and monodevelop.

Problem came from the compiler not finding the HttpUtility anywhere. This is a class that is inside the System.Web namespace. I solved this by adding System.Web to the project references.

External Links

• Coding the Wheel – http://www.codingthewheel.com/archives/codingthetweet
• Twitter API – http://apiwiki.twitter.com/Authentication
• oAuth Spec – http://oauth.net/core/1.0
• Beginner’s Guide to OAuth– http://www.hueniverse.com/hueniverse/2007/10/beginners-guide.html
• oAuthBase Class – http://oauth.googlecode.com/svn/code/csharp/OAuthBase.cs