Time to put the previously discussed concepts into action. The following explanation is an interactive walkthrough with customizable inputs. Next to each set of inputs is an expand [+] icon: click it to open the form and click it again to collapse the form. Any change to the pre-filled values immediately updates the walkthrough content, including the intermediate and final results. You can also change the default values the example starts with by choosing one of the pre-configured use cases.



  1. Simone Tripodi says:

    Hi! First of all, congratulations for your excellent articles about OAuth!
    I’m writing just to notify that using Mac OS X Leopard, under Safari it seems that, in this page, changing the signature method to RSA-SHA1 the ‘oauth_signature’ doesn’t change – it remains equal to HMAC-SHA1 – while using Firefox 2 and 3, the following message appears: “No installed provider supports this key: sun.security.rsa.RSAPrivateCrtKeyImpl”.
    Hope this is useful!
    Best regards,
    Simone Tripodi

  2. I have read all the articles about OAuth. I’m a beginner and I miss usage examples. I read everything but can’t work out how to get answers, how to redirect the user, or how to use the forms :S
    Don’t you think these last parts are missing?

  3. Simone: Thanks for the feedback. The RSA examples don’t work on a Mac due to Apple’s poor Java distribution. I am looking for a Javascript replacement but it is not available yet.
    Rubia: The guides assume a certain level of understanding of both HTTP and API development. The best place to ask questions is the OAuth mailing list (oauth@googlegroups.com).

  4. This is one of the best pieces of writing about real world crypto that I’ve seen on the web.
    I tried the above to log in to my twitter account (using the two-legged variant of OAuth). I got back a 401 with the explanation “Invalid / expired token”
    I presume that the token referred to in the error is the “oauth_token”. Naturally I don’t have one of those since I’m not taking part in twitter’s limited OAuth beta.
    Do you, or anybody on this forum, know whether twitter is going to support two-legged authentication? I hope so since I don’t like sending passwords in the clear.

  5. Dave Carroll says:

    This is a very useful tool, has helped me verify oauth signing.
    I believe there is an error in your process. When I use a consumer key that has a colon in it, the consumer key is shown correctly encoded in the section that shows the encoded oauth_ parameters. The error is when showing the signature base string.
    Example:
    orkut.com:9998800008898 => orkut.com%3A9998800008898 (correct in the encoded parameter lists)
    orkut.com:9998800008898 => orkut.com%253A9998800008898 (incorrect in the signature base string)
    Cheers

  6. Dave Carroll says:

    On further review, there is no error with the colon, it must be url encoded twice.
    Cheers

  7. Excellent tutorial! I built a package from the “bottom up” using your example instead of from the “top down” like the OAuth.php class does.
    http://blog.benjaminhill.info/archives/67
    Thank you! Works like a charm.

  8. Carloswaldo says:

    When I’m doing a token request I don’t have a token secret yet so in that case what do I have to use as a key?

  9. Don’t confuse token secret and key. When you are getting a request token you simply leave the token parameter out (this example isn’t for that case). You should still have some consumer key provided by the service provider.

  10. Carloswaldo says:

    It says “The HMAC-SHA1 signature method uses the two secrets — Consumer Secret and Token Secret — as the HMAC-SHA1 algorithm key”, I understand that I should concatenate the 2 secrets. But in a token request I don’t have a token secret yet, that’s what I was asking.
    What should I use as the key? The consumer secret or the consumer key?

  11. Nothing. An empty string as detailed in the spec.

  12. Carloswaldo says:

    Still isn’t working for me, but thanks anyway.

  13. My question is regarding how a client request is “supposed” to be formatted once an access token is received.
    I’m trying to create an api secured with oauth much like flickr’s. As is flickr’s …I’d like for my requests to contain the method as var. Eg. http://www.domain.com/services/rest/?method=domain.users.getUser&user_id=1
    I’m currently using “MPOAuthConnection” to test “my server’s” api and oauth.
    http://code.google.com/p/mpoauthconnection/wiki/MPOAuthClient
    I can successfully get an access token from my server but then I enter the above URL into the “method” field of the client and hit the “Perform Method” button…to which I just get an oAuth error response: “Can’t verify request, missing oauth_consumer_key or oauth_token”
    …looking at the network request it looks like it is broken perhaps by the querystring being inserted before the “?”: http://www.domain.com/index.php/services/rest/method=domain.users.getUser&id=1?oauth_consumer_key=bd4755d1f742d206d9252ce9d33925c504a8df833&oauth_nonce=27F02790-36B4-4EC0-88C4-11CD4C81AE1B&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1251056077&oauth_token=99d4e4fe2269b564bcb4babaa5b5275b04a91996f&oauth_version=1.0&oauth_signature=gLbyamMuQ45V%2Bc0U0hW%2Fyr1g0HQ%3D
    Regardless of the client…I’m confused as to what the above request should look like if done properly by the client and I was to sniff the network activity?
    Unfortunately, I’m a little lost as to how to make this happen.
    Can anyone clarify?

  14. I am unable to provide that level of support here. You should post your questions to the OAuth mailing list oauth@googlegroups.com.

  15. Suneel Marthi says:

    Hi Eran,

    What is OAuth WRAP? Is it an extension to the OAuth spec or is it a whole new spec by itself?

    Suneel

    • It is a completely different protocol drawing ideas and inspiration from OAuth. Other than that it has nothing to do with it, and is not compatible in any way. It was just a poor choice of name.

  16. xQmail.eu says:

    Great tutorials! Thank you very much, these were really helpful, especially the description on how to sign a request.

    I noticed a small thing though, in the specs on the Authorization Header it says:
    “Parameters are separated by a comma character (ASCII code 44) and OPTIONAL linear whitespace per [RFC2617].”

    the commas are missing in your example.
    [http://oauth.net/core/1.0a#rfc.section.5.4.1]
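    The points raised in comments 5 and 6 (the colon that appears as %3A in the parameter list but %253A in the signature base string), 9 and 11 (an empty token secret at the request-token step), 13 (query-string parameters being part of the signed set) and 16 (comma-separated Authorization header fields) are shown together below in an added Python example; it is not the code behind the interactive form on this page. The helper names are mine, and the worked values are the example request from Appendix A of the OAuth Core 1.0 spec.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit

def pct(value):
    # OAuth 1.0a percent-encoding: only the RFC 3986 unreserved set is left as-is
    return quote(str(value), safe="-._~")

def split_url(url):
    # Query parameters are signed like any other parameter; the base URL keeps scheme, host, path
    parts = urlsplit(url)
    base = urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, "", ""))
    return base, dict(parse_qsl(parts.query, keep_blank_values=True))

def signature_base_string(method, url, params):
    base_url, query = split_url(url)
    all_params = {**query, **params}
    all_params.pop("oauth_signature", None)
    # Normalize: encode each name and value, sort by name then value, join with '&'
    pairs = sorted((pct(k), pct(v)) for k, v in all_params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    # Each of the three parts is encoded once more, so a ':' in the consumer key
    # shows as %3A in the parameter list but as %253A in the base string
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # Key = enc(consumer secret) '&' enc(token secret); when no token has been
    # issued yet (the request-token step) the token secret is the empty string
    key = (pct(consumer_secret) + "&" + pct(token_secret)).encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def authorization_header(oauth_params):
    # Protocol parameters travel in the header, each quoted and comma-separated
    fields = sorted(oauth_params.items())
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in fields)

# Worked case: the example values from Appendix A of the OAuth Core 1.0 spec
SPEC_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
SPEC_OAUTH = {"oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk",
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1191242096",
              "oauth_nonce": "kllo9940pd9333jh", "oauth_version": "1.0"}

def sign_spec_example():
    base = signature_base_string("GET", SPEC_URL, SPEC_OAUTH)
    sig = hmac_sha1_signature(base, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00")
    return base, sig, authorization_header({**SPEC_OAUTH, "oauth_signature": sig})

if __name__ == "__main__":
    print(*sign_spec_example(), sep="\n")
```

Passing a consumer key such as orkut.com:9998800008898 through signature_base_string reproduces the %253A that comment 5 reports, and calling hmac_sha1_signature without a token secret gives the "consumer_secret&" key the spec prescribes for the request-token step.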

  17. Clay Lenhart says:

    This has been great, but it is a bit confusing — it’s not a signature for a Request Token, because it contains an oauth_token, and it isn’t a signature for an Access Token, because it is missing the required oauth_verifier. Can you split these out and generate two signatures depending on the step of the process? It helps writing test cases since we can copy and paste your inputs and results — however your Authorization HTTP header can’t be used in a test case since it does not conform to either a Request Token or the POST parameters for an Access Token.

    I’m not sure you are aware, but the page does not display correctly in Google Chrome.

    Sorry for these criticisms, but overall the interactive article has been great!

    Cheers,
    Clay

  18. [...] a good page at Hueniverse into which you can plug your various values and check your generated values. Plus other information [...]

  19. [...] a search to better understand the OAuth spec, I came across this terrific tutorial on OAuth by Eran Hammer-Lahav on Hueniverse. It is hands-down the most useful tutorial I have found [...]