I made an an attempt to implement OAuth for my programming idea in Java, but I failed miserably. I don't know why, but my code doesn't work. Every time I run my program, an IOException is thrown with the reason "java.io.IOException: Server returned HTTP response code: 401" (401 means Unauthorized).
I had a close look at the docs, but I really don't understand why it doesn't work.
My OAuth provider I wanted to use is twitter, where I've registered my app, too.
Thanks in advance
OAuth docs
Twitter API wiki
Class Base64Coder
import java.io.InputStreamReader;
import java.io.BufferedReader;
import java.io.OutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URL;
import java.net.URLEncoder;
import java.net.URLConnection;
import java.net.MalformedURLException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.security.NoSuchAlgorithmException;
import java.security.InvalidKeyException;
public class Request {
public static String read(String url) {
StringBuffer buffer = new StringBuffer();
try {
* get the time - note: value below zero
* the millisecond value is used for oauth_nonce later on
int millis = (int) System.currentTimeMillis() * -1;
int time = (int) millis / 1000;
* Listing of all parameters necessary to retrieve a token
* (sorted lexicographically as demanded)
String[][] data = {
{"oauth_callback", "SOME_URL"},
{"oauth_consumer_key", "MY_CONSUMER_KEY"},
{"oauth_nonce", String.valueOf(millis)},
{"oauth_signature", ""},
{"oauth_signature_method", "HMAC-SHA1"},
{"oauth_timestamp", String.valueOf(time)},
{"oauth_version", "1.0"}
* Generation of the signature base string
String signature_base_string =
"POST&"+URLEncoder.encode(url, "UTF-8")+"&";
for(int i = 0; i < data.length; i++) {
// ignore the empty oauth_signature field
if(i != 3) {
signature_base_string +=
URLEncoder.encode(data[i][0], "UTF-8") + "%3D" +
URLEncoder.encode(data[i][1], "UTF-8") + "%26";
// cut the last appended %26
signature_base_string = signature_base_string.substring(0,
* Sign the request
Mac m = Mac.getInstance("HmacSHA1");
m.init(new SecretKeySpec("CONSUMER_SECRET".getBytes(), "HmacSHA1"));
byte[] res = m.doFinal();
String sig = String.valueOf(Base64Coder.encode(res));
data[3][1] = sig;
* Create the header for the request
String header = "OAuth ";
for(String[] item : data) {
header += item[0]+"=\""+item[1]+"\", ";
// cut off last appended comma
header = header.substring(0, header.length()-2);
System.out.println("Signature Base String: "+signature_base_string);
System.out.println("Authorization Header: "+header);
System.out.println("Signature: "+sig);
String charset = "UTF-8";
URLConnection connection = new URL(url).openConnection();
connection.setRequestProperty("Accept-Charset", charset);
connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded;charset=" + charset);
connection.setRequestProperty("Authorization", header);
connection.setRequestProperty("User-Agent", "XXXX");
OutputStream output = connection.getOutputStream();
BufferedReader reader = new BufferedReader(new InputStreamReader(connection.getInputStream()));
String read;
while((read = reader.readLine()) != null) {
catch(Exception e) {
return buffer.toString();
public static void main(String[] args) {
I know this is an old question but it seems it takes a bit of digging around to finally get a proper answer. This seems to be one of the top links in google too. Pages at dev.twitter.com lead to almost nowhere also. So here it goes. Look here for a code that properly handles it. It uses
, but it can be achieved with standard libraries.Making the story short.
As far as for this code. For request token it doesn't seem to be important at all.
This one though, does
Try remove the parameter "oauth_callback". It worked for me. The application I was working on is a web application.