Section 6.1.1. Consumer Obtains a Request Token of the OAuth spec says that you must send a request that contains the following parameter:
oauth_signature:
The signature as defined in Signing Requests.
But how can you sign the request if the oauth_signature itself is part of it? I mean, what do you sign? All the fields except the oauth_signature, or what?
For example, in The OAuth 1.0 Protocol they provide the following example of obtaining the temporary credentials:
POST /initiate HTTP/1.1
Host: photos.example.net
Authorization: OAuth realm="Photos",
oauth_consumer_key="dpf43f3p2l4k3l03",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="137131200",
oauth_nonce="wIjqoS",
oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready",
oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D"
But how did they get the oauth_signature field? What was it that they signed?
Sorry, new to crypto - so dummy explanation would be appreciated.
oauth_signature: the signature base string, a consistent, reproducible concatenation of several of the HTTP request elements into a single string. The string is used as an input to the signature method.
The oauth_consumer_key identifies which application is making the request. Obtain this value from the settings page for your Twitter app in the developer portal.
Creating the signature base string: to encode the HTTP method, base URL, and parameter string into a single string, convert the HTTP method to uppercase and set the output string equal to this value. Append the '&' character to the output string. Percent encode the URL and append it to the output string.
The "signature base string" is being signed. It captures the "essence" of this particular request, so that it cannot be messed with. (Note that it does not include everything, especially not the request body).
In the example you linked to, read on for an example base string:
For example, the HTTP request:
POST /request?b5=%3D%253D&a3=a&c%40=&a2=r%20b HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth realm="Example",
oauth_consumer_key="9djdj82h48djs9d2",
oauth_token="kkk9d7dh3k39sjv7",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="137131201",
oauth_nonce="7d8f3e4a",
oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D"
is represented by the following signature base string (line breaks are for display purposes only):
POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q
%26a3%3Da%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_
key%3D9djdj82h48djs9d2%26oauth_nonce%3D7d8f3e4a%26oauth_signature_m
ethod%3DHMAC-SHA1%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk
9d7dh3k39sjv7
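Added example, not part of either answer above: a Python implementation of the base-string construction both answers describe (RFC 5849 section 3.4.1), followed by HMAC-SHA1 signing and a constant-time verification step for the server side. It reproduces the RFC example base string quoted above. Two facts the page does not spell out and the code relies on: the parameters that go into the base string are gathered from the query string, the Authorization header (minus realm and oauth_signature) and, when the Content-Type is application/x-www-form-urlencoded, the request body; the RFC's example request carries the form body c2&a3=2+q, which is where the c2= and a3=2%20q entries in the base string come from. The consumer and token secrets used for the signing demonstration are constructed for this example, since the RFC does not publish the secrets behind its example signature.

```python
import base64
import hashlib
import hmac
import re
import string
from urllib.parse import parse_qsl, unquote

# RFC 3986 "unreserved" characters are the only ones left unencoded (RFC 5849 section 3.6).
_UNRESERVED = frozenset(string.ascii_letters + string.digits + "-._~")


def percent_encode(value):
    """OAuth 1.0 percent-encoding: UTF-8 bytes, uppercase hex, '~' left alone."""
    return "".join(
        c if c in _UNRESERVED else "".join(f"%{b:02X}" for b in c.encode("utf-8"))
        for c in value
    )


def parse_authorization_header(header):
    """Decode 'OAuth k="v", k="v"' into (name, value) pairs.

    realm and oauth_signature are never part of the base string, so they are dropped here."""
    pairs = []
    for name, value in re.findall(r'([A-Za-z0-9_]+)="([^"]*)"', header):
        if name not in ("realm", "oauth_signature"):
            pairs.append((unquote(name), unquote(value)))
    return pairs


def collect_parameters(query, auth_header, body, content_type):
    """Gather every parameter covered by the signature (RFC 5849 section 3.4.1.3.1)."""
    params = parse_qsl(query, keep_blank_values=True)                     # query component
    params += parse_authorization_header(auth_header)                      # Authorization header
    if (content_type or "").split(";")[0].strip() == "application/x-www-form-urlencoded":
        params += parse_qsl(body, keep_blank_values=True)                 # form-encoded body
    return params


def normalize_parameters(params):
    """Encode each name and value, sort by name then value, join with '=' and '&'."""
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def base_string_uri(scheme, host, path):
    """Lowercase scheme and host, drop default ports, drop query and fragment (section 3.4.1.2)."""
    scheme, host = scheme.lower(), host.lower()
    hostname, _, port = host.partition(":")
    if port and not ((scheme == "http" and port == "80") or (scheme == "https" and port == "443")):
        hostname = f"{hostname}:{port}"
    return f"{scheme}://{hostname}{path or '/'}"


def signature_base_string(method, base_uri, params):
    """METHOD & enc(base URI) & enc(normalized parameters)  (section 3.4.1.1)."""
    return "&".join([method.upper(), percent_encode(base_uri),
                     percent_encode(normalize_parameters(params))])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Key is enc(consumer secret) & enc(token secret); token secret is empty for /initiate."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_hmac_sha1(base_string, presented_signature, consumer_secret, token_secret=""):
    """Server side: recompute and compare in constant time to avoid a timing oracle."""
    expected = hmac_sha1_signature(base_string, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented_signature)


def rfc5849_example_base_string():
    """Rebuild the base string for the RFC 5849 section 3.4.1.1 example request."""
    path, _, query = "/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b".partition("?")
    auth = ('OAuth realm="Example", oauth_consumer_key="9djdj82h48djs9d2", '
            'oauth_token="kkk9d7dh3k39sjv7", oauth_signature_method="HMAC-SHA1", '
            'oauth_timestamp="137131201", oauth_nonce="7d8f3e4a", '
            'oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D"')
    params = collect_parameters(query, auth, "c2&a3=2+q", "application/x-www-form-urlencoded")
    return signature_base_string("POST", base_string_uri("http", "example.com", path), params)


if __name__ == "__main__":
    base = rfc5849_example_base_string()
    print(base)
    # Constructed secrets for demonstration only; the RFC does not publish the real ones.
    sig = hmac_sha1_signature(base, "consumer-secret", "token-secret")
    print("oauth_signature header value:", percent_encode(sig))
    print("verifies:", verify_hmac_sha1(base, sig, "consumer-secret", "token-secret"))
```

Note that the signature value is itself percent-encoded when it is placed in the Authorization header (hence the trailing %3D in both examples on this page), and decoded again before the server compares it. Sorting on the encoded (name, value) pairs is what puts a3=2%20q before a3=a and c%40 before c2 in the output, matching the RFC's ordering rule of name first, then value, by byte value.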