Implement OAuth in Java

Question

I made an an attempt to implement OAuth for my programming idea in Java, but I failed miserably. I don't know why, but my code doesn't work. Every time I run my program, an IOException is thrown with the reason "java.io.IOException: Server returned HTTP response code: 401" (401 means Unauthorized). I had a close look at the docs, but I really don't understand why it doesn't work. My OAuth provider I wanted to use is twitter, where I've registered my app, too.
Thanks in advance
phineas

OAuth docs
Twitter API wiki
Class Base64Coder

import java.io.InputStreamReader;
import java.io.BufferedReader; 
import java.io.OutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URL;
import java.net.URLEncoder;
import java.net.URLConnection;
import java.net.MalformedURLException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.security.NoSuchAlgorithmException;
import java.security.InvalidKeyException;

public class Request {
    public static String read(String url) {
        StringBuffer buffer = new StringBuffer();
        try {
        /** 
         * get the time - note: value below zero 
         * the millisecond value is used for oauth_nonce later on
         */
            int millis = (int) System.currentTimeMillis() * -1;
            int time = (int) millis / 1000;

            /**
             * Listing of all parameters necessary to retrieve a token
             * (sorted lexicographically as demanded)
             */
             String[][] data = {
                {"oauth_callback", "SOME_URL"},
                {"oauth_consumer_key", "MY_CONSUMER_KEY"},
                {"oauth_nonce",  String.valueOf(millis)},
                {"oauth_signature", ""},
                {"oauth_signature_method", "HMAC-SHA1"},
                {"oauth_timestamp", String.valueOf(time)},
                {"oauth_version", "1.0"}
            };

            /**
             * Generation of the signature base string
             */
            String signature_base_string = 
                "POST&"+URLEncoder.encode(url, "UTF-8")+"&";
            for(int i = 0; i < data.length; i++) {
                // ignore the empty oauth_signature field
                if(i != 3) {
                signature_base_string +=
                    URLEncoder.encode(data[i][0], "UTF-8") + "%3D" +
                    URLEncoder.encode(data[i][1], "UTF-8") + "%26";
                }
            }
            // cut the last appended %26 
            signature_base_string = signature_base_string.substring(0,
                signature_base_string.length()-3);

            /**
             * Sign the request
             */
            Mac m = Mac.getInstance("HmacSHA1");
            m.init(new SecretKeySpec("CONSUMER_SECRET".getBytes(), "HmacSHA1"));
            m.update(signature_base_string.getBytes());
            byte[] res = m.doFinal();
            String sig = String.valueOf(Base64Coder.encode(res));
            data[3][1] = sig;

           /**
            * Create the header for the request
            */
           String header = "OAuth ";
           for(String[] item : data) {
                header += item[0]+"=\""+item[1]+"\", ";
           }
           // cut off last appended comma
           header = header.substring(0, header.length()-2);

           System.out.println("Signature Base String: "+signature_base_string);
           System.out.println("Authorization Header: "+header);
           System.out.println("Signature: "+sig);

           String charset = "UTF-8";
           URLConnection connection = new URL(url).openConnection();
           connection.setDoInput(true);
           connection.setDoOutput(true);
           connection.setRequestProperty("Accept-Charset", charset);
           connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded;charset=" + charset);
           connection.setRequestProperty("Authorization", header);
           connection.setRequestProperty("User-Agent", "XXXX");
           OutputStream output = connection.getOutputStream();
           output.write(header.getBytes(charset));

           BufferedReader reader = new BufferedReader(new InputStreamReader(connection.getInputStream()));

           String read;
           while((read = reader.readLine()) != null) {
               buffer.append(read);
           }
        }
        catch(Exception e) {
            e.printStackTrace();
        }

       return buffer.toString();
   }

   public static void main(String[] args) {
       System.out.println(Request.read("http://api.twitter.com/oauth/request_token"));
   }
}

Answer 1

Try remove the parameter "oauth_callback". It worked for me. The application I was working on is a web application.

Answer 2

I know this is an old question but it seems it takes a bit of digging around to finally get a proper answer. This seems to be one of the top links in google too. Pages at dev.twitter.com lead to almost nowhere also. So here it goes. Look here for a code that properly handles it. It uses HttpCore, but it can be achieved with standard libraries.

Making the story short.

1. URLEncoder library in 1.6 (most likely then in Android too) doesn't conform to the RFC standard Twitter API requires. The code here seems to be countering the problem partially. Take a look at the source I linked to find the method handling it appropriately.
2. While creating the base string parameter you are encoding each key value pair. It conforms to the guide at the twitter page. It is easier to append the encoded url and the whole created parameter string (key/value pairs)
3. While creating the signature you are creating it against a keyspec object with the CONSUMER_KEY appended with "&" sign in request token method of the Twitter API.

4. As far as for this code. For request token it doesn't seem to be important at all.

   connection.setRequestProperty("Accept-Charset", charset);  
   connection.setRequestProperty("Content-Type", "application/x-www-formurlencoded;charset="+ charset);  
   connection.setRequestProperty("User-Agent", "XXXX");  
   

   This one though, does connection.setRequestMethod(method);