I'm trying to use The Matt Harris's oAuth php library to get user access tokens from Twitter users on my app, but I keep getting the error "Failed to validate oauth signature and token".
Specifically, I'm trying to use a slightly modified version of his OAuth flow tutorial to get their tokens and store them in my database rather than the session. https://github.com/themattharris/tmhOAuth/blob/master/examples/oauth_flow.php The error always occurs in the request token function here.
function request_token($tmhOAuth) {
$code = $tmhOAuth->request(
'POST',
$tmhOAuth->url('oauth/request_token', ''),
array(
'oauth_callback' => tmhUtilities::php_self()
)
);
if ($code == 200) {
$_SESSION['oauth'] = $tmhOAuth->extract_params($tmhOAuth->response['response']);
authorize($tmhOAuth);
} else {
outputError($tmhOAuth);
}
}
I've already checked the server time, and I know it's within 5 seconds of GMT. One of the Twitter developers said the time should be within about 5 minutes of their servers, so I should be fine. https://dev.twitter.com/discussions/1043
I've also checked that the cacert.pem file is in the same place as the rest of the files, right where CURL expects it to be, and I have the 'use_ssl' and 'curl_ssl_verifypeer' options turned off, since my site does not currently have an SSL certificate set up.
Here is the returned response object:
["response"]=> array(6) {
["headers"]=> array(16) {
["date"]=> string(29) "Sat, 25 Aug 2012 16:38:24 GMT"
["status"]=> string(16) "401 Unauthorized"
["x_frame_options"]=> string(10) "SAMEORIGIN"
["x_mid"]=> string(40) "4147a367997b7a5221cbcd8446652b1ebc00230d"
["last_modified"]=> string(29) "Sat, 25 Aug 2012 16:38:24 GMT"
["content_type"]=> string(24) "text/html; charset=utf-8"
["expires"]=> string(29) "Tue, 31 Mar 1981 05:00:00 GMT"
["cache_control"]=> string(62) "no-cache, no-store, must-revalidate, pre-check=0, post-check=0"
["x_runtime"]=> string(7) "0.01766"
["pragma"]=> string(8) "no-cache"
["x_transaction"]=> string(16) "b8ffe07df233ba05"
["set_cookie"]=> string(265) "_twitter_sess=ginormous session id; domain=.twitter.com; path=/; HttpOnly"
["vary"]=> string(15) "Accept-Encoding"
["content_encoding"]=> string(4) "gzip"
["content_length"]=> string(2) "62"
["server"]=> string(3) "tfe"
}
["code"]=> int(401)
["response"]=> string(44) "Failed to validate oauth signature and token"
["info"]=> array(23) {
["url"]=> string(42) "http://api.twitter.com/oauth/request_token"
["content_type"]=> string(24) "text/html; charset=utf-8"
["http_code"]=> int(401) ["header_size"]=> int(1030)
["request_size"]=> int(498) ["filetime"]=> int(-1)
["ssl_verify_result"]=> int(0)
["redirect_count"]=> int(0)
["total_time"]=> float(0.265656)
["namelookup_time"]=> float(0.062211)
["connect_time"]=> float(0.139025)
["pretransfer_time"]=> float(0.139028)
["size_upload"]=> float(0)
["size_download"]=> float(62)
["speed_download"]=> float(233)
["speed_upload"]=> float(0)
["download_content_length"]=> float(62)
["upload_content_length"]=> float(-1)
["starttransfer_time"]=> float(0.265504)
["redirect_time"]=> float(0)
["certinfo"]=> array(0) { }
["redirect_url"]=> string(0) ""
["request_header"]=> string(498) "POST /oauth/request_token HTTP/1.1 User-Agent: tmhOAuth 0.621-SSL - //github.com/themattharris/tmhOAuth Host: api.twitter.com Accept: */* Accept-Encoding: deflate, gzip Authorization: OAuth oauth_callback="http%3A%2F%2Fcompleteset.us%2Fsettings%2Ftwitterlink", oauth_consumer_key="consumer_key", oauth_nonce="nonce", oauth_signature="sig", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1345912704", oauth_version="1.0" "
}
["error"]=> string(0) ""
["errno"]=> int(0)
}
I have noticed that before I set 'use_ssl' to false the headers array in the response wasn't there. I'm not sure what that means or if it helps, but I figured I might as well throw it out there.
I also have the entire rest of the tmhOAuth object dumped if you need any of the other sections.