i'm using the Cognito authorization code to get my access tokens from AWS Cognito. So this is my current workflow:
No session data, forward user to hosted UI.
On login, return to PHP Application with the authorization code.
Use authorization code to get the tokens.
Validate the tokens using the jwk tokens.
So step 4 is where i'm stuck, as when validating the tokens, JWT is starting that i'm trying to decode the access_token before it is valid:
Cannot handle token prior to 2022-05-26T13:45:17+0000
I have dumped out the code which displays this error to get the iat time and the time that it is being compared against:
dd($payload->iat, ($timestamp + static::$leeway));
This outputs:
1653576011 1653576009
So there is a 0000000002 difference...
Now I can fix this by changing leeway to 10, but this doesn't seem the correct thing to do... any ideas?
Below is the code:
private function validateTokens($accessToken): bool
{
$domain = implode('.', [ 'cognito-idp', $this->region, 'amazonaws.com' ]);
$jwks = file_get_contents("https://$domain/{$this->pool_id}/.well-known/jwks.json");
$jwks = collect(json_decode($jwks, true, 512, JSON_THROW_ON_ERROR)['keys']);
$jwks = $jwks->keyBy('kid')->map(static function ($current) {
return (new JWKConverter())->toPEM($current);
})->toArray();
$jwt = new JWT();
$jwt::$leeway = 10;
$decoded = $jwt::decode($accessToken['access_token'], $jwks, ['RS256']);
dd($decoded);
I've been trying to get my PHP application to create a successful token request since finally managing to get it working with Postman as per the docs here
Apparently the API is using OAuth 2.0 which is why I expect to send up grant_type, client_id, client_secret and expires_in (if I don't specify one of these fields then the API will successfully tell me it is missing).
Now the problem I am having is with this OAuth 1.0 Authorization Header that I am having to generate, which Postman seems to have no issues doing so, however trying to do it in PHP I am just getting an error returned from the API about a signature mismatch:
array:6 [
"errorId" => "ERROR-fde4f0f1-9d5c-43fd-80eb-056cbf2c3259"
"httpStatus" => 401
"errorCode" => 401300
"message" => "Signature mismatch. Authorization signature or client credential is wrong."
"error" => "invalid_client"
"error_description" => "errorCode: '401300'. Signature mismatch. Authorization signature or client credential is wrong."
]
I've tried various debugging, a lot of which gives me different errors then I keep landing back on this one so the signature must be the problem.
I created the following class here to handle generating a header, getting some guidance from the class in the guzzle/oauth-subscriber package.
Here is an example of the request headers being generated:
array:2 [
"Content-Type" => "application/x-www-form-urlencoded"
"Authorization" => "OAuth oauth_consumer_key="XXXXXXXXXXXX",oauth_signature_method="HMAC-SHA256",oauth_timestamp="1583629976",oauth_nonce="Br2HsCVzsaEe3KswBhtCzsSxjUDWgX56",oauth_version="1.0",oauth_signature="G7%2B5f2v2Kdx3rp%2B28DcuJRBvhi9H7fHC1mFLqJIgmMc%3D""
]
And the request body:
array:4 [
"grant_type" => "client_credentials"
"client_id" => "XXXXXXXXXXXX"
"client_secret" => "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
"expires_in" => 87000
]
Sensitive details replaced but consumer_key is correct and thats the same value as client_id and the same goes for consumer_secret and client_secret
No matter how I try and alter the signUsingHmac() method to change the signature, it doesn't work and it all looks fine to me D:
Anyone got any ideas?
If I can get this working nicely I will pull it out into package to make the auth for this API in PHP a lot less painful.
EDIT:
I tried forming the signature exactly like shown in the docs here but to unfortunately it still hasn't worked, this is what my $baseString looked like when passing into the hash method:
POST&https%3A%2F%2Faccount.api.here.com%2Foauth2%2Ftoken&grant_type%3Dclient_credentials%26oauth_consumer_key%3DXXbXbXbXbXbXbXb%26oauth_nonce%3DrZNNSZGOOIHFFtLboCjdAheCmKJmOYSp%26oauth_signature_method%3DHMAC-SHA256%26oauth_timestamp%3D1583640503%26oauth_version%3D1.0
I've also created a new gist here with my updates to create this $baseString
Cheers,
Matt
I created a gist that works.
Some suggestion:
all values need to be urlenconde()
the string that you need to use
for signign the request needs to include: method (uppercase) & URL
(urlecode) & list of parameters (url encoded)
the signing key is your consumer key secret (urlencode) followed by &. This because usually your signing key needs to me consumer secret & secret token. In this case we don't have secret token
For the list of parameters for your signature base string you need to include all oauth_ parameter and your grant_type because you need to include also the body parameter. The sorting of these keys is crucial
some code PHP code:
$keyId = getenv('HERE_API_KEY_ID');
$keySecret = getenv('HERE_API_KEY_SECRET');
$httpBody = [
"grant_type" => "client_credentials"
];
$httpMethod = "POST";
$httpUrl = 'https://account.api.here.com/oauth2/token';
$oauthNonce = mt_rand();
$oauthTimestamp = time();
$oauthSignatureMethod= "HMAC-SHA256";
$oauthVersion = "1.0";
$baseString = $httpMethod."&". urlencode($httpUrl);
$oauth1Param = [
'oauth_consumer_key' => $keyId,
'oauth_signature_method' => $oauthSignatureMethod,
'oauth_timestamp' => $oauthTimestamp,
'oauth_nonce' => $oauthNonce,
'oauth_version' => $oauthVersion
];
$paramString =
"grant_type=client_credentials&".
"oauth_consumer_key=". urlencode($oauth1Param['oauth_consumer_key']).
"&oauth_nonce=". urlencode($oauth1Param['oauth_nonce']).
"&oauth_signature_method=". urlencode($oauth1Param['oauth_signature_method']).
"&oauth_timestamp=". urlencode($oauth1Param['oauth_timestamp']).
// "&oauth_token=".
"&oauth_version=". urlencode($oauth1Param['oauth_version'])
;
echo $paramString.PHP_EOL;
$baseString = $baseString . "&" . urlencode($paramString);
echo $baseString . PHP_EOL;
$signingKey= urlencode($keySecret) . "&";
$signature = urlencode(
base64_encode(
hash_hmac(
'sha256',
$baseString,
$signingKey,
true
)
)
);
$oauth1Param['oauth_signature'] = $signature;
echo "RUNTIME SIGNATURE : " . $signature .PHP_EOL;
I create a GIST that works, the only thing that you need to change is $keyId and $keySecret.
https://gist.github.com/roberto-butti/736c38c796ede70c719f6a21a752c971
This documentation was very useful: https://developer.twitter.com/en/docs/basics/authentication/oauth-1-0a/creating-a-signature
It seems the access_id and access_key both are getting passed in the request body, "grant_type" => "client_credentials" only needs to be in the body, while access_id and access_key should be passed in header. you can try first that in postman, if it does work out, please revert
In order to use the HTTP V1 API (not the legacy API) with PHP, the REST interface has to be used.
https://firebase.google.com/docs/cloud-messaging/send-message#top_of_page
I am wondering how to get the Auth 2.0 access token?
https://firebase.google.com/docs/cloud-messaging/auth-server
As there is no Google API Client Library for PHP (see examples in the link above), how can the Auth 2.0 token be received with REST calls (no need to show PHP code)?
The related question: once received this short living token, how to refresh this token? What is the workflow?
Thanks a lot!
There actually is a kind of "Google Api Client Library" for PHP, even two of them:
https://github.com/google/google-api-php-client
and
https://github.com/GoogleCloudPlatform/google-cloud-php
The one provides access to APIs that the other doesn't, so it's worth looking which one provides what - you will perhaps need to use both of them.
In the README of the https://github.com/google/google-api-php-client repository, you can find a description on how to obtain the OAuth access and refresh tokens.
Both libraries work with Guzzle underneath and provide a way to decorate your own Guzzle HTTP client with an authorization middleware so that you don't have to.
So, if one of the libraries doesn't provide support for an API you want to access, you can apply the code from the following snippet and access the API in question yourself (from Google Api PHP Client - "Making HTTP requests directly"):
// create the Google client
$client = new Google_Client();
/**
* Set your method for authentication. Depending on the API, This could be
* directly with an access token, API key, or (recommended) using
* Application Default Credentials.
*/
$client->useApplicationDefaultCredentials();
// returns a Guzzle HTTP Client
$httpClient = $client->authorize();
Shameless plug: I am maintaining a separate Admin SDK for accessing Firebase related APIs at https://github.com/kreait/firebase-php , and it has a FCM component, which is documented here: https://firebase-php.readthedocs.io/en/stable/cloud-messaging.html
If you want to get the access token manually, without external libraries, you can use this code. It creates a JWT token using your private key, and requests a bearer token.
function base64UrlEncode($text)
{
return str_replace(
['+', '/', '='],
['-', '_', ''],
base64_encode($text)
);
}
// Read service account details
$authConfigString = file_get_contents("path_to_your_private_key_file_downloaded_from_firebase_console.json");
// Parse service account details
$authConfig = json_decode($authConfigString);
// Read private key from service account details
$secret = openssl_get_privatekey($authConfig->private_key);
// Create the token header
$header = json_encode([
'typ' => 'JWT',
'alg' => 'RS256'
]);
// Get seconds since 1 January 1970
$time = time();
$payload = json_encode([
"iss" => $authConfig->client_email,
"scope" => "https://www.googleapis.com/auth/firebase.messaging",
"aud" => "https://oauth2.googleapis.com/token",
"exp" => $time + 3600,
"iat" => $time
]);
// Encode Header
$base64UrlHeader = base64UrlEncode($header);
// Encode Payload
$base64UrlPayload = base64UrlEncode($payload);
// Create Signature Hash
$result = openssl_sign($base64UrlHeader . "." . $base64UrlPayload, $signature, $secret, OPENSSL_ALGO_SHA256);
// Encode Signature to Base64Url String
$base64UrlSignature = base64UrlEncode($signature);
// Create JWT
$jwt = $base64UrlHeader . "." . $base64UrlPayload . "." . $base64UrlSignature;
//-----Request token------
$options = array('http' => array(
'method' => 'POST',
'content' => 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion='.$jwt,
'header' =>
"Content-Type: application/x-www-form-urlencoded"
));
$context = stream_context_create($options);
$responseText = file_get_contents("https://oauth2.googleapis.com/token", false, $context);
$response = json_decode($responseText);
The response has 3 fields: access_token, expires_in, and token_type.
Accessing the Coinbase API used to be really simple: all you needed was an API key. Now you need something called a "nonce" and a "signature". I pass my new API "Secret", the nonce, and the Key in my request, but it returns an "invalid_key" error. What gives?
EDIT March 12th: Added a tutorial on interacting with the API via OAuth.
The fact that the API used to be so simple -- only needing a Key -- means it was pretty insecure. So they beefed up the security a week-ish ago. Here's the blog post:
http://blog.coinbase.com/post/75936737678/more-security-and-granular-control-with-the-new-api
Everyone now gets an API "Secret" in addition to an API Key. Whenever you make a request to the API, you have to include three parameters:
Your API Key.
A "nonce", which is a unique number that you use to identify something. In this case, every single request you make needs to have a new number, and each request's nonce has to be bigger than the one before it.
Your API "Signature". This is NOT your API "Secret".
The Signature is your nonce followed immediately by the full URL to which you're posting your request, parameters and all. This URL also contains the nonce, so the whole thing all together would look something like this:
12345https://coinbase.com/api/v1/buttons?nonce=12345&name=Socks&price=9.95
Then you take that whole thing and encode it as a "SHA256" hash. If you don't know what that means, don't panic -- you can do it in one line using a function PHP already has built in.
At any rate, I was having some trouble figuring all this out, so I spent a little while on it and put together this script, which makes GETing and POSTing to the API really easy. I'd love to hear people's thoughts!
<?php
function coinbaseRequest($what,$getOrPost,$parameters){
//Obviously, your API Key and Secret go here.
$apikey = "blahblahblah";
$apisecret = "blahblahblahblah";
$nonce = file_get_contents("nonce.txt") + 1;
file_put_contents("nonce.txt", $nonce, LOCK_EX);
$url = "https://coinbase.com/api/v1/" . $what . "?nonce=" . $nonce;
if($parameters != ""){
$parameters = http_build_query(json_decode($parameters), true);
}
//Here I go, hashing the Signature! Thanks, PHP, for making this easy!
$signature = hash_hmac("sha256", $nonce . $url . $parameters, $apisecret);
$ch = curl_init();
curl_setopt_array($ch, array(
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_HTTPHEADER => array(
"ACCESS_KEY: " . $apikey,
"ACCESS_NONCE: " . $nonce,
"ACCESS_SIGNATURE: " . $signature
)));
if($getOrPost == "post"){
curl_setopt_array($ch, array(
CURLOPT_POSTFIELDS => $parameters,
CURLOPT_POST => true,
));
}
$results = curl_exec($ch);
curl_close($ch);
echo $results;
}
//This is a POST example.
coinbaseRequest("buttons", "post", '{
"button": {
"name": "test",
"price_string": "1.23",
"price_currency_iso": "USD",
"variable_price": true
}
}');
//This is a GET example.
coinbaseRequest("account/balance", "get", false);
?>
Notes:
I tried using (microtime(true)*100) for my nonces. The problem is it makes a decimal number, and the last few digits kept getting dropped or rounded off so it didn't work. Then I thought, "Screw this", made a blank nonce.txt file, and wrote 1 in it, and to get nonces I just got the contents of that file, added 1, and replaced the file with the new number. It served a second purpose as a counter showing how many total requests I've made.
But then someone pointed out to me PHP's "uniqid" function, which generates an ID based on the current microtime. So you can also try this:
$nonce = hexdec(uniqid());
This has the advantage of not accessing an external file. I actually really like being able to see how many requests I've made, and so will probably stick with the (bad) nonce.txt method.
The coinbaseRequest() function has three parameters. The first is the directory to which you're making your request -- that is, whatever's supposed to come after "https://coinbase.com/api/v1/". The second parameter is "get" or "post", depending on whether it's a GET or a POST request. (Make sense?)
The third parameter is all the queries you're passing in your request. This should be formatted as JSON, unless it's a GET request that doesn't take any parameters (besides the Key, Nonce, and Signature which the function includes for you), in which case you should leave this as false.
EDIT, March 3rd:
I made a little function for taking whatever's returned by coinbaseRequest and turning it into a button:
function makebutt($data){
$data = json_decode($data,true);
$buttoncode = $data["button"]["code"];
return ("<a class=\"coinbase-button\" data-code=\"" . $buttoncode . "\" href=\"https://coinbase.com/checkouts/" . $buttoncode . "\">Pay With Bitcoin</a><script src=\"https://coinbase.com/assets/button.js\" type=\"text/javascript\"></script>");
}
YE GREAT OAUTH TUTORIAL
<?php
/*OAuth is great. It's also complicated. Or rather, it LOOKS complicated.
This whole script is just one big long function. It's a really, really ugly
function. I broke down everything "Barney-style" to demonstrate all the steps
in the process, and because there are some things you have to decide -- how to
record the user data, for instance.
Let's get this train wreck a rollin'.*/
function oauthRequest($apiPath,$getOrPost,$parameters){
/*You get this info from https://coinbase.com/oauth/applications*/
$clientId = "#####";
$clientSecret = "#####";
$callbackUrl = "http://www.blah.com/oauth.php";
function curling($url,$getpost,$params){
if($params != ""){
$params = http_build_query(json_decode($params), true);
}
if($getpost == "get"){
$ispost = false;
$url .= $params;
}
$ch = curl_init();
curl_setopt_array($ch, array(
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => true
));
if($getpost == "post"){
curl_setopt_array($ch, array(
CURLOPT_POST => $ispost,
CURLOPT_POSTFIELDS => $params
));
}
$results = curl_exec($ch);
curl_close($ch);
return $results;
}
/*There are two people involved here: the Client (you), and the User (the
person accessing your app or site).
You'll need 3 pieces of data for each user before your app can access their
Coinbase account: a User Code, an Access Token, and a Refresh Token.
For the purposes of this demonstration, I'm recording all of the user data in
a .txt file on my server. THIS IS PROBABLY A BAD IDEA in real life because .txt
files aren't secure at all, and this text file will only store the data for one
user (it gets overwritten every time). This is the kind of stuff you'd put in an
SQL database if you have one, or maybe in the user's cookies.*/
if(!file_exists("userdata.txt") || file_get_contents("userdata.txt") == ""){
file_put_contents("userdata.txt",json_encode(array(
"userCode" => "",
"accessToken" => "",
"refreshToken" => ""
)), LOCK_EX);
}
$userData = json_decode(file_get_contents("userdata.txt"), true);
/*Okay. So. First thing we're going to do is see if we have a User Code for
this user. These are big alphanumeric strings that are 64 characters long. If
we have one, it'll either be in the URL of this page (the $_GET array), or
it'll be in that userdata.txt file.*/
if(array_key_exists("code",$_GET) && $_GET["code"] != ""){
$userCode = $_GET["code"];
}else if(array_key_exists("userCode",$userData) && $userData["userCode"] != ""){
$userCode = $userData["userCode"];
}else{
/*If we don't have a User Code, then this next snippet of code will fire. It'll
return the link for a special user-specific Coinbase page to which the user
will need to go to authorize your app to access their Coinbase account (by
signing into Coinbase and clicking a green "Authorize" button).
After authorizing your app, they'll be automatically taken to the Redirect URL
you specified, with their User Code added to the end of the URL. So if your
Redirect URL is www.blah.com/oauth.php, they'll go to www.blah.com/oauth.php?
code=123451234512345 .
This User Code never expires, and so theoretically the user should only need to
go to the authorization link once. However, if you don't make a way of getting
the User Code in the future (my fancy "userdata.txt" in this case) or they de-
authorized your app from within their Coinbase account, then they'll need to go
to the link again and re-authorize your app from the beginning.
I have it set up so my Redirect URL and the rest of my OAuth script are all on
the same page: www.blah.com/oauth.php . So the user will just start back at the
beginning of this script, and THIS time the script will see the User Code in
the URL (the $_GET array), and so will skip this next bit.
Whew. You with me so far?*/
return ("https:/*coinbase.com/oauth/authorize?" . http_build_query(array(
"response_type" => "code",
"client_id" => $clientId,
"redirect_uri" => $callbackUrl
)));
die;
}
/*Here I am, recording the User Code for future use in userdata.txt*/
$userData["userCode"] = $userCode;
file_put_contents("userdata.txt",json_encode($userData),LOCK_EX);
/*Alright, we've got the User Code. Now we need the Access Token -- another 64-
character string. The difference is that the Access Token expires every 2 hours
(7200 seconds). Let's see if we already have one in the userdata.txt file.*/
if(array_key_exists("accessToken",$userData) && $userData["accessToken"] != ""){
$accessToken = $userData["accessToken"];
$refreshToken = $userData["refreshToken"];
}else{
/*If we're here, it's because we don't have an Access Token for this user. We
get one by making this POST request:*/
$authorization = json_decode(curling(
"https:/*coinbase.com/oauth/token" . "?" . http_build_query(array(
"grant_type" => "authorization_code",
"code" => $userCode,
"redirect_uri" => $callbackUrl,
"client_id" => $clientId,
"client_secret" => $clientSecret
)), "post", ""), true);
if(array_key_exists("error",$authorization)){
/*If something goes wrong here, I'm going to clean out userdata.txt and ask the
user to try again.*/
file_put_contents("userdata.txt","",LOCK_EX);
die("Something went wrong. Please refresh the page and try again.");
}
$accessToken = $authorization["access_token"];
$refreshToken = $authorization["refresh_token"];
}
/*The Refresh Token is what you use to get a new Access Token once the current
Access Token has expired. The Refresh Token never expires, but can only be used
once. Anytime you get an Access Token, you'll also be given a Refresh Token.
If you don't have the Refresh Token and a working Access Token for the user,
they'll need to re-authorize your app all over again.
I'm backing up the Access Token and Refresh Token to userdata.txt*/
$userData["accessToken"] = $accessToken;
$userData["refreshToken"] = $refreshToken;
file_put_contents("userdata.txt",json_encode($userData),LOCK_EX);
/*Alright! At this point, we should have the three bits of user data we need:
the User Code, the Access Token, and the Refresh Token. So now lets try
actually making an API request.
This whole script is really just one big function called "oauthRequest". You
pass three parameters to the function: the path of the API request (everything
after https:/*coinbase.com/api/v1/), whether this API query is a GET or a POST,
and any parameters that go along with that GET or POST request. These params
first come into play here.
Let's make the API request:*/
$results = curling("https:/*coinbase.com/api/v1/" . $apiPath . "?" . http_build_query(array(
"access_token" => $accessToken
)), $getOrPost, $parameters);
/*Now we're going to make sure the request actually worked, and didn't get
rejected because the Access Token was expired. If it WAS expired, the
results should be blank. (It'll return a 401 if you want to get fancy.)*/
$resultsArray = json_decode($results);
if(count($resultsArray) < 1){
/*Looks like it did expire, so now we make a POST request using the Refresh
token, which will return a new Access Token AND a new Refresh Token.*/
$reAuthorization = json_decode(curling(
"https:/*coinbase.com/oauth/token?" . http_build_query(array(
"grant_type" => "refresh_token",
"code" => $userCode,
"refresh_token" => $refreshToken
)), "post", ""), true);
$accessToken = $reAuthorization["access_token"];
$refreshToken = $reAuthorization["refresh_token"];
/*Let's back those up to userdata.txt...*/
$userData["accessToken"] = $accessToken;
$userData["refreshToken"] = $refreshToken;
file_put_contents("userdata.txt",json_encode($userData),LOCK_EX);
/*...and try the API request all over again:*/
$results = curling("https:/*coinbase.com/api/v1/" . $apiPath . "?" . http_build_query(array(
"access_token" => $accessToken
)), $getOrPost, $parameters);
/*If it doesn't work THIS time, I'm going to clean out userdata.txt and ask
the user to try again. One of the codes probably got all mungled up.*/
$resultsArray = json_decode($results);
if(array_key_exists("error",$resultsArray)){
file_put_contents("userdata.txt","",LOCK_EX);
die("Something went wrong. Please refresh the page and try again.");
}
}
/*If, however, everything went right, then this function will return the JSON
string with the data from the API! Hooray!*/
return $results;
}
/*Here are 4 different example requests you can make.*/
/*
echo oauthRequest("account/generate_receive_address","post","");
echo oauthRequest("buttons","post",'{
"button": {
"name": "test",
"type": "buy_now",
"price_string": ".01",
"price_currency_iso": "USD"
}
}');
echo oauthRequest("prices/buy","get",'{
"qty": 1,
"currency": "USD"
}');
echo oauthRequest("account/balance","get","");
*/
?>
It's not working because Coinbase recently implemented the OAuth2 protocol. This ensures the personal information of your user is transmitted securely. I referred to this implementation several months ago when writing my own OAuth class on another project:
I am doing the login using twitter in my zend framework application. But after authenticating from twitter it showing the following error :
Message:Could not retrieve a valid Token response from Token URL: /oauth/access_token?oauth_consumer_key=xxxxxxxxxxxxxxx&oauth_nonce=xxxxxxxxxxxxxxxxxxxx&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1352270857&oauth_token=xxxxxxxxxxxxx&oauth_version=1.0
&oauth_verifier=xxxxxxxxxxxxxxxxxxxxx&oauth_signature=wv5gdop77NA9BeZI7ilQcEFsqGH8CeR4%3D Invalid / expired Token
Following is my code :
public function twittercallbackAction() {
$path = realpath(APPLICATION_PATH . '/../library/');
set_include_path($path);
$config = array(
"callbackUrl" => "http://" . $_SERVER['HTTP_HOST'] . "/register/twittercallback",
"siteUrl" => "http://twitter.com/oauth",
"consumerKey" => "xxxxxxxxxxxxxx",
"consumerSecret" => "xxxxxxxxxxxxxxxxxxxx"
);
$consumer = new Zend_Oauth_Consumer($config);
if (!empty($_GET) && isset($_SESSION['TWITTER_REQUEST_TOKEN'])) {
$token = $consumer->getAccessToken($_GET, unserialize($_SESSION['TWITTER_REQUEST_TOKEN']));
// Now that we have an Access Token, we can discard the Request Token
// get users timeline
// $_SESSION['TWITTER_REQUEST_TOKEN'] = null;
} else {
// Mistaken request? Some malfeasant trying something?
exit('Invalid callback request. Oops. Sorry.');
}
}
I am searching this issue on google but not getting any solution.
How can I deal with this issue.
Thanks
Finally I solved it myself.... :-)
The problem was twitter updated their api url:
From
http://twitter.com/statuses/user_timeline.json?
To
https://api.twitter.com/1/statuses/user_timeline.json?
and it gets fixed.
I tested your code, which I assume you got from http://framework.zend.com/manual/1.12/en/zend.oauth.introduction.html, and it works properly. Here are a few things to check:
Is your consumer app key/secret valid?
Does your server have the correct date/time set?
What's your code for generating your request token?