【Question title】: 401 Authorization Required: Failed to validate oauth signature and token
【Posted】: 2014-12-16 13:22:08
【Question】:

I'm trying to use Net::Twitter::Role::OAuth to add Sign in with Twitter to my application.

I have used it successfully in the past, but without SSL enabled, which the Twitter API apparently now requires. I have a controller action that closely resembles the example in the synopsis:

sub twitter_authorize : Local {
    my($self, $c) = @_;

    # %param is assumed to hold consumer_key / consumer_secret (defined elsewhere)
    my $nt = Net::Twitter->new(traits => [qw/API::RESTv1_1 OAuth/], %param);
    # Fetches a request token from oauth/request_token; this is the call that returns 401
    my $url = $nt->get_authorization_url(callback => $callbackurl);

    # Keep the request token pair so the callback step can exchange it for an access token
    $c->response->cookies->{oauth} = {
        value => {
            token => $nt->request_token,
            token_secret => $nt->request_token_secret,
        },
    };

    $c->response->redirect($url);
}

However, this fails in the $nt->get_authorization_url() call with a 401 Unauthorized error.

Looking at the oauth/request_token documentation, I tried running the request through cURL as follows:

curl --request 'POST' 'https://api.twitter.com/oauth/request_token' --header 'Authorization: OAuth oauth_consumer_key="xxxx", oauth_nonce="xxxx", oauth_signature="xxxx", oauth_signature_method="HMAC-SHA1", oauth_timestamp="xxxx", oauth_callback="oob", oauth_version="1.0"' --verbose

The response is as follows:

* About to connect() to api.twitter.com port 443 (#0)
*   Trying 199.16.156.104... connected
* Connected to api.twitter.com (199.16.156.104) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES128-SHA
* Server certificate:
*    subject: C=US; ST=California; L=San Francisco; O=Twitter, Inc.; OU=Twitter Security; CN=api.twitter.com
*    start date: 2014-08-03 00:00:00 GMT
*    expire date: 2016-12-31 23:59:59 GMT
*    subjectAltName: api.twitter.com matched
*    issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)10; CN=VeriSign Class 3 Secure Server CA - G3
*    SSL certificate verify ok.
> POST /oauth/request_token HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> Host: api.twitter.com
> Accept: */*
> Authorization: OAuth oauth_consumer_key="xxxx", oauth_nonce="xxxx", oauth_signature="xxxx", oauth_signature_method="HMAC-SHA1", oauth_timestamp="xxxx", oauth_callback="oob", oauth_version="1.0"
> 
< HTTP/1.1 401 Authorization Required
< cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
< content-length: 44
< content-security-policy-report-only: default-src https:; connect-src https:; font-src https: data:; frame-src https: http://*.twimg.com http://itunes.apple.com about: javascript:; img-src https: data:; media-src https:; object-src https:; script-src 'unsafe-inline' 'unsafe-eval' about: https:; style-src 'unsafe-inline' https:; report-uri https://twitter.com/i/csp_report?a=NVXW433SMFUWY%3D%3D%3D&ro=true;
< content-type: text/html; charset=utf-8
< date: Tue, 21 Oct 2014 10:29:57 UTC
< expires: Tue, 31 Mar 1981 05:00:00 GMT
< last-modified: Tue, 21 Oct 2014 10:29:57 GMT
< pragma: no-cache
< server: tsa_b
< set-cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCD2PQTJJAToHaWQiJTE3M2Q4OWIyZWE1Nzc1%250AZmYxMjRkYmUyZDVjOTBlYjQxIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--b807e4ebb8d45756e9686971b951a549d0d83b61; domain=.twitter.com; path=/; secure; HttpOnly
< set-cookie: guest_id=v1%3A141388739758201626; Domain=.twitter.com; Path=/; Expires=Thu, 20-Oct-2016 10:29:57 UTC
< status: 401 Unauthorized
< strict-transport-security: max-age=631138519
< vary: Accept-Encoding
< x-connection-hash: 54a185631d5f0b3a3a9dc46fe1f40a57
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-mid: 0258025664ce095129d0cc294100d71a2e6e66ac
< x-runtime: 0.01294
< x-transaction: 6fad295009a89877
< x-ua-compatible: IE=edge,chrome=1
< x-xss-protection: 1; mode=block
< 
* Connection #0 to host api.twitter.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
Failed to validate oauth signature and token

Strangely, if I remove the oauth_callback key from the Authorization header it works fine and I get a token. However, the API documentation suggests this parameter is required. Is there something wrong with the way I'm passing the oauth_callback item?

I have tried setting it to oob (which should work for "out-of-band" access). I have copied the encoded URL from the API docs. Neither works.

Because it works fine without oauth_callback, this is not a clock problem on my machine, which is a commonly reported issue. I have not tried sending the Net::Twitter request without a callback (I haven't checked whether that is even possible), but I assume that would fix it too. However, I do need the request to have a valid callback URL, otherwise the rest of the login flow will not redirect the user back to the application.

【Question discussion】:

    Tags: perl curl twitter oauth


    【Solution 1】:

    Adam,

    I ran into a similar issue, and after thoroughly investigating what other Twitter API wrapper libraries were doing, I found that the oauth_callback needs to be encoded twice.

    On doing a retrospective search for more explanation/clarity, I found the following SO answer, Twitter Oauth URL encoding inconsistencies?, which explains very succinctly the issue I was experiencing.

    Could this be the problem you are running into?

    【Discussion】:

    • Thanks for the tip. I have put Twitter login on hold and am working on some other providers, since I couldn't figure it out. I will come back to this soon and check the encoding.
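To make the double-encoding point concrete, here is an added example (not code from the question, from Net::Twitter, or from the linked answer) in Python rather than Perl, since the point is the OAuth 1.0a protocol itself: it builds the HMAC-SHA1 Authorization header for oauth/request_token and shows why the callback URL is percent-encoded once in the header but twice in the signature base string. The consumer key, consumer secret and callback URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# RFC 5849 section 3.6 percent-encoding: only unreserved characters stay bare.
def pct(s: str) -> str:
    return quote(s, safe="-._~")

def signature_base_string(method, url, params):
    # Each key and value is encoded once, sorted, and joined with & ...
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    # ... then the whole normalized string is encoded again, so a callback URL
    # ends up double-encoded here (the point the answer above makes).
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params)
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def build_request(url, consumer_key, consumer_secret, callback, nonce=None, timestamp=None):
    params = {
        "oauth_callback": callback,
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp or str(int(time.time())),
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = sign("POST", url, params, consumer_secret)
    # In the Authorization header each value is percent-encoded exactly once.
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))
    return header, params

def verify(method, url, params, consumer_secret, token_secret=""):
    # Server-side check: recompute over every parameter except the signature itself.
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(params["oauth_signature"], expected)

if __name__ == "__main__":
    hdr, _ = build_request("https://api.twitter.com/oauth/request_token",
                           "xxxx", "CONSUMER_SECRET_PLACEHOLDER", "https://app.example/cb")
    print(hdr)
```

Compare the header with the one in the question's curl command: the value after oauth_callback= must contain %3A and %2F, while the base string the signature is computed over contains %253A and %252F for the same characters.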