
Twitter OAuth request_token: Error Code 32, could not authenticate


I am trying to authenticate a user to Firebase through OAuth with Twitter in my Game Maker app (Game Maker does not support SDKs).

I am doing so through a REST HTTP POST request (as per https://developer.twitter.com/en/docs/basics/authentication/api-reference/request_token), but the response is "Error 32, could not authenticate you."

I have set up my app on Firebase and Twitter's developer console and copied the API key/secret values to the Firebase console. Firebase gives me a callback_url, which I have whitelisted on the Twitter app.

I'm following the Twitter API docs for 3-legged OAuth (this is step 1, POST request_token), and have checked on endless other resources.

On the signature, I've double-checked with online encoders that my HMAC-SHA1 encoding is correct, and it is.

This is my HTTP request:

URL: https://api.twitter.com/oauth/request_token
Method: POST
Header:

Host : api.twitter.com,
Content-Type : application/x-www-form-urlencoded,
Authorization :

Oauth oauth_callback="https%3A%2F%2Fbitblock-blast.firebaseapp.com%2F__%2Fauth%2Fhandler", oauth_consumer_key="kEH9VascQh5rGdq6khl0oCfnL", oauth_nonce="p0B7y4w0P334qa633JzF370z89LK0N60", oauth_signature="MTIwMjc1Nzc1MTczODQ1OTUxMzQyMzgxMzIxNzYxODQxMjQyMzkyNTEyMDI3MTI0MjM1", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1571857067", oauth_version="1.0"

Body: ""

The signature for the header was generated from this dictionary:

oauth_callback          : https://bitblock-blast.firebaseapp.com/__/auth/handler,
oauth_consumer_key      : [TWITTER API KEY],
oauth_nonce             : [NONCE],
oauth_signature_method  : "HMAC-SHA1",
oauth_timestamp         : [TIMESTAMP],
oauth_version           : "1.0"

(all the values are filled in by the respective scripts)

This is how I'm creating the final signature string:

var parameters = map_to_http_parameter_string(header); //Convert to "key=value, key=value" format
var signature_base = string_upper(method) + "&" + percent_encode(url) + "&" + percent_encode(parameters);
var signing_key = [TWITTER_API_SECRET] + "&";

var signature = base64_encode(string_hex_to_binary(hash_hmac(signature_base, signing_key)));

Here is a step-by-step breakdown of the signature creation:

  1. Concatenated 'parameters' string: "oauth_callback=https%3A%2F%2Fbitblock-blast.firebaseapp.com%2F__%2Fauth%2Fhandler&oauth_consumer_key=[API_KEY]&oauth_nonce=5sR6w60Hz2Uvk10EdW5135O79NuV3y7b&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1571857990&oauth_version=1.0" (As you can see these were ordered and percent-encoded)

  2. Concatenated 'base signature' string: "POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_callback%3Dhttps%253A%252F%252Fbitblock-blast.firebaseapp.com%252F__%252Fauth%252Fhandler%26oauth_consumer_key%3D[API_key]%26oauth_nonce%3D5sR6w60Hz2Uvk10EdW5135O79NuV3y7b%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1571857990%26oauth_version%3D1.0"

  3. Signing key "[TWITTER_API_SECRET]&" (access secret left empty)

  4. Run HMAC-SHA1 on (base signature, signing key), encode to base64 (the hex-to-binary part is necessary as HMAC-SHA1 in Game Maker generates a hex ASCII string)

Finally, I add that signature to the header's Authentication value and send my HTTP request.

The response should be an OAuth token; instead, I keep getting Error 32, could not authenticate you.

I've checked everything to see what I am doing wrong but can't find out.


Solution

  • Okay I found out it was a dumb typo: I wrote "Oauth oauth_callback..." instead of "OAuth oauth_callback..." in the Authorization header.
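
Added example, not code from the original post: a Python rendering of the signing steps listed in the question, plus a pre-send check on the Authorization header scheme that the solution identifies as the cause. The consumer key and secret are constructed placeholders, and all function names are this example's own.

```python
import base64, hashlib, hmac
from urllib.parse import quote

URL = "https://api.twitter.com/oauth/request_token"
# Constructed sample input: placeholder key, other values as in the question's step 1.
SAMPLE_PARAMS = {
    "oauth_callback": "https://bitblock-blast.firebaseapp.com/__/auth/handler",
    "oauth_consumer_key": "EXAMPLEKEY",
    "oauth_nonce": "5sR6w60Hz2Uvk10EdW5135O79NuV3y7b",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1571857990",
    "oauth_version": "1.0",
}
REQUIRED = set(SAMPLE_PARAMS) | {"oauth_signature"}

def pct(value):
    """RFC 3986 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")

def signature_base(method, url, params):
    # Encode keys and values, sort, join, then encode the joined string again.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    joined = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(joined)])

def sign(base, consumer_secret, token_secret=""):
    # No token secret exists yet at the request_token step, so the key ends in "&".
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def authorization_header(method, url, params, consumer_secret):
    sig = sign(signature_base(method, url, params), consumer_secret)
    fields = dict(params, oauth_signature=sig)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(fields.items()))

def lint_header(header):
    """Return problems found in an Authorization header value before it is sent."""
    scheme, _, rest = header.partition(" ")
    problems = []
    if scheme != "OAuth":  # exact spelling, per the solution above
        problems.append(f"scheme is {scheme!r}, expected 'OAuth'")
    present = {item.split("=", 1)[0].strip() for item in rest.split(",") if "=" in item}
    problems += [f"missing {name}" for name in sorted(REQUIRED - present)]
    return problems

if __name__ == "__main__":
    good = authorization_header("POST", URL, SAMPLE_PARAMS, "EXAMPLESECRET")
    print(good)
    print(lint_header(good), lint_header("Oauth" + good[5:]))
```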