c# - Not clear the Twitter login workflow

Question

Well, seems that if I want to sign in with Twitter I need to provide "signature". So I can get access_token and access_token_secret.

But creating signature means I need to provide access_token_secret (using it as signing key), which I can't have it if I previously request it.

So what's up? I always get The remote server returned an error: (401) Unauthorized., even using the access_token_secret generate by the Application Interface.

Should I create signature key in some other way? This is my actual code on C# .NET:

var requestedURL = "https://api.twitter.com/oauth/request_token";

var authorizationParameters = new List<KeyValuePair<string, string>>() { 
        new KeyValuePair<string, string>("oauth_callback",SocialEngine.twitter_aggrega_redirect_uri),
        new KeyValuePair<string, string>("oauth_consumer_key",oauth_consumer_key),
        new KeyValuePair<string, string>("oauth_nonce",oauth_nonce),
        new KeyValuePair<string, string>("oauth_signature_method",oauth_signature_method),
        new KeyValuePair<string, string>("oauth_timestamp",oauth_timestamp),
        new KeyValuePair<string, string>("oauth_version",oauth_version)
};

var allParameters = authorizationParameters.OrderBy(tmp => tmp.Key);

var baseString = string.Join("&", allParameters.Select(p => string.Format("{0}={1}", p.Key, Uri.EscapeDataString(p.Value))));
baseString = string.Concat("POST&", Uri.EscapeDataString(requestedURL), "&", Uri.EscapeDataString(baseString));

var compositeKey = string.Concat(Uri.EscapeDataString(oauth_consumer_secret), "&", Uri.EscapeDataString(oauth_access_token_secret));
using (System.Security.Cryptography.HMACSHA1 hasher = new System.Security.Cryptography.HMACSHA1(System.Text.ASCIIEncoding.ASCII.GetBytes(compositeKey)))
{
    oauth_signature = Convert.ToBase64String(hasher.ComputeHash(System.Text.ASCIIEncoding.ASCII.GetBytes(baseString)));
}

oauth_header += "OAuth ";
oauth_header += "oauth_callback=" + """ + Uri.EscapeDataString(SocialEngine.twitter_aggrega_redirect_uri) + "",";
oauth_header += "oauth_consumer_key=" + """ + Uri.EscapeDataString(oauth_consumer_key) + "",";
oauth_header += "oauth_nonce=" + """ + Uri.EscapeDataString(oauth_nonce) + "",";
oauth_header += "oauth_signature=" + """ + Uri.EscapeDataString(oauth_signature) + "",";
oauth_header += "oauth_signature_method=" + """ + Uri.EscapeDataString(oauth_signature_method) + "",";
oauth_header += "oauth_timestamp=" + """ + Uri.EscapeDataString(oauth_timestamp) + "",";
oauth_header += "oauth_version=" + """ + Uri.EscapeDataString(oauth_version) + """;

HttpWebRequest request = WebRequest.Create(requestedURL) as HttpWebRequest;
request.Headers.Add("Authorization", oauth_header);
request.Method = "POST";

Answer 1

When creating the signature for a request token you only use the oauth_consumer_secret appended with an ampersand (&) to create the signing key.