Tumblr OAuth image post gives me 401/"Invalid OAuth credentials"

I've got an iOS app thats posts images to several services, including twitter and I'm trying to extend that support to tumblr. I've adapted some open source code for the OAuth 1.0a header logic and its working well enough to be successful for twitter + twitpic and for tumblr's authentication. However image posts to tumblr are failing with status 401 and string response "Invalid OAuth credentials"

To simplify, my only multipart sections are the post type and the image data.

So my simple POST is to http://www.tumblr.com/api/write, the signature base string is (roughly, as I’ve redacted my consumer key and token, and linebreaks added for readability):

POST&http%3A%2F%2Fwww.t开发者_如何学运维umblr.com%2Fapi%2Fwrite&
oauth_consumer_key%3Dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx%26
oauth_nonce%3D71edd7a1224463a7e1723bb7b568060b4d69deb6%26
oauth_signature_method%3DHMAC-SHA1%26
oauth_timestamp%3D1297678418%26
oauth_token%3Dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx%26
oauth_version%3D1.0%26
type%3Dphoto

my oauth header is (again, linebreaks added here for readability):

Authorization: OAuth realm="http://www.tumblr.com/",
oauth_consumer_key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1296445530",
oauth_nonce="71edd7a1224463a7e1723bb7b568060b4d69deb6",
oauth_version="1.0",
oauth_token="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
oauth_signature="fWuli4eO3qVehfdeFzZN%2FDNYpFk%3D"

the only other headers I’m adding are Content-Type (multipart/form-data) & Content-Length, and the message body is just:

--my_sorta_unique_boundary_string
Content-Disposition: form-data; name="type"

photo
--my_sorta_unique_boundary_string
Content-Disposition: form-data; name="data"
Content-Type: image/jpg
Content-Transfer-Encoding: binary

... (image data) ...
--my_sorta_unique_boundary_string--

Can anyone tell me if I’ve done something wrong with my signature base string or auth header, or if there's some trick for getting tumblr oauth posts to work?

Having exactly the same problem with my OAuth implementation in Silverlight - I've implemented the rest of the API without an issue, and this method works if you don't use OAuth and just send email/password headers as well.

Arvin's post just showed me the issue though, he's including the other non-file fields in his OAuth. I just did the same to my post, so they were in the multi-part form body but also being added to the OAuth sig - and now I'm uploading photo posts without a problem!

I just made a dump of the base string that my app is generating when posting a photo entry to Tumblr. Linebreaks added to lessen the obscurity. Hope it helps.

POST&http%3A%2F%2Fwww.tumblr.com%2Fapi%2Fwrite&
caption%3D%253Cp%253Etesting%253C%252Fp%253E%26
click-through-url%3D%26
format%3Dhtml%26
generator%3D%253C%2520href%253D%2522http%253A%252F%252Fsudocode.net%252Fprojects%252Fpicasa-2-tumblr%2522%253EPicasa2Tumblr%253C%252Fa%253E%26
group%3Darvn.tumblr.com%26
oauth_consumer_key%3Dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx%26
oauth_nonce%3Db0f187f5d0781b3d6aea0f192e116524%26
oauth_signature_method%3DHMAC-SHA1%26
oauth_timestamp%3D1296560370%26
oauth_token%3DwkR9Jjtnp0tMPHp3aqcxvRd401cUeVX7PzxUrc0Y8SZZRoLHgs%26
oauth_version%3D1.0%26
private%3D0%26
slug%3D%26
state%3Ddraft%26
tags%3D%26
type%3Dphoto

One thing, you didn't notify Tumblr that you're going to post a photo using the type parameter.

I had the same problem. It was because my I was including a blank Tumblr secret.

This is where you get it: http://www.tumblr.com/oauth/apps -> "Show secret key"

Also, I'm using the xAuth stuff with their https://www.tumblr.com/oauth/access_token url.

I hope this helps. I'm on Rails with the Devise gem.

Had the same problem: it seems like the OAuth library I used (GTM OAuth) was not using the POST Data fields for the signature. After I've added the fields type and caption additionally as a query string, the OAuth library used them and I was able to upload a photo/post/whatever.

Seems like every post body field (except for the binary data) needs to be part of the OAuth signature.