Time to put the previously discussed concepts into action. The following explanation is an interactive walkthrough with customizable inputs. Next to each set of inputs you will find an expand [+] icon; click it to open a form in which you can change the example and see how the change affects the intermediate and final results, and click it again to collapse the form. Changes to the pre-filled values update the walkthrough content immediately. You can also change the default values the example starts with by choosing one of the pre-configured use cases. This post cannot be viewed in a feed reader.



Hi! First of all, congratulations for your excellent articles about OAuth!
I’m writing just to let you know that on Mac OS X Leopard, under Safari, it seems that on this page changing the signature method to RSA-SHA1 does not change the ‘oauth_signature’ (it remains equal to the HMAC-SHA1 one), whereas using Firefox 2 and 3 the following message appears: “No installed provider supports this key: sun.security.rsa.RSAPrivateCrtKeyImpl”.
Hope this is useful!
Best regards,
Simone Tripodi
I have read all the articles about OAuth. I’m a beginner and I miss usage examples. I read everything but can’t figure out how to get answers, how to redirect the user, how to use the forms :S
Don’t you think these last parts are missing?
Simone: Thanks for the feedback. The RSA examples don’t work on a Mac due to Apple’s poor Java distribution. I am looking for a Javascript replacement but it is not available yet.
Rubia: The guides assume a certain level of understanding of both HTTP and API development. The best place to ask questions is the OAuth mailing list (oauth@googlegroups.com).
This is one of the best pieces of writing about real world crypto that I’ve seen on the web.
I tried the above to log in to my twitter account (using the two-legged variant of OAuth). I got back a 401 with the explanation “Invalid / expired token”
I presume that the token referred to in the error is the “oauth_token”. Naturally I don’t have one of those since I’m not taking part in twitter’s limited OAuth beta.
Do you, or anybody on this forum, know whether twitter is going to support two-legged authentication? I hope so since I don’t like sending passwords in the clear.
This has been resolved here:
http://groups.google.com/group/oauth/browse_thread/thread/61591fd26e441674
This is a very useful tool, has helped me verify oauth signing.
I believe there is an error in your process. When I use a consumer key that has a colon in it, the consumer key is shown correctly encoded in the section that shows the encoded oauth_ parameters. The error is when showing the signature base string.
Example:
orkut.com:9998800008898 => orkut.com%3A9998800008898 (correct in the encoded parameter lists)
orkut.com:9998800008898 => orkut.com%253A9998800008898 (incorrect in the signature base string)
Cheers
On further review, there is no error with the colon, it must be url encoded twice.
Cheers
Excellent tutorial! I built a package from the “bottom up” using your example instead of from the “top down” like the OAuth.php class does.
http://blog.benjaminhill.info/archives/67
Thank you! Works like a charm.
When I’m doing a token request I don’t have a token secret yet so in that case what do I have to use as a key?
Don’t confuse token secret and key. When you are getting a request token you simply leave the token parameter out (this example isn’t for that case). You should still have some consumer key provided by the service provider.
It says “The HMAC-SHA1 signature method uses the two secrets — Consumer Secret and Token Secret — as the HMAC-SHA1 algorithm key”, I understand that I should concatenate the 2 secrets. But in a token request I don’t have a token secret yet, that’s what I was asking.
What should I use as the key? The consumer secret or the consumer key?
Nothing. An empty string as detailed in the spec.
Still isn’t working for me, but thanks anyway.
My question is regarding how a client request is “supposed” to be formated once an access token is received.
I’m trying to create an API secured with OAuth much like Flickr’s. As with Flickr’s, I’d like my requests to contain the method as a variable. E.g. http://www.domain.com/services/rest/?method=domain.users.getUser&user_id=1
I’m currently using “MPOAuthConnection” to test “my server’s” api and oauth.
http://code.google.com/p/mpoauthconnection/wiki/MPOAuthClient
I can successfully get an access token from my server but then I enter the above URL into the “method” field of the client and hit the “Perform Method” button…to which I just get an oAuth error response: “Can’t verify request, missing oauth_consumer_key or oauth_token”
…looking at the network request, it looks like it is broken, perhaps by the query string being inserted before the “?”: http://www.domain.com/index.php/services/rest/method=domain.users.getUser&id=1?oauth_consumer_key=bd4755d1f742d206d9252ce9d33925c504a8df833&oauth_nonce=27F02790-36B4-4EC0-88C4-11CD4C81AE1B&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1251056077&oauth_token=99d4e4fe2269b564bcb4babaa5b5275b04a91996f&oauth_version=1.0&oauth_signature=gLbyamMuQ45V%2Bc0U0hW%2Fyr1g0HQ%3D
Regardless of the client, I’m confused as to what the above request should look like if it were done properly by the client and I were to sniff the network activity.
Unfortunately, I’m a little lost as to how to make this happen.
Can anyone clarify?
I am unable to provide that level of support here. You should post your questions to the OAuth mailing list oauth@googlegroups.com.
Hi Eran,
What is OAuth WRAP? Is it an extension to the OAuth spec or is it a whole new spec by itself?
Suneel
It is a completely different protocol drawing ideas and inspiration from OAuth. Other than that it has nothing to do with it, and is not compatible in any way. It was just a poor choice of name.
Great tutorials! Thank you very much, these were really helpful, especially the description on how to sign a request.
I noticed a small thing though, in the specs on the Authorization Header it says:
“Parameters are separated by a comma character (ASCII code 44) and OPTIONAL linear whitespace per [RFC2617].”
the commas are missing in your example.
[http://oauth.net/core/1.0a#rfc.section.5.4.1]
Thanks for noticing. It is now fixed.
This has been great, but it is a bit confusing — it’s not a signature for a Request Token, because it contains an oauth_token, and it isn’t a signature for an Access Token, because it is missing the required oauth_verifier. Can you split these out and generate two signatures depending on the step of the process? It helps writing test cases since we can copy and paste your inputs and results — however your Authorization HTTP header can’t be used in a test case since it does not conform to either a Request Token or the POST parameters for an Access Token.
I’m not sure you are aware, but the page does not display correctly in Google Chrome.
Sorry for these criticisms, but overall the interactive article has been great!
Cheers,
Clay
This is planned for the new guide.
[...] a good page at Hueniverse into which you can plug your various values and check your generated values. Plus other information [...]
[...] a search to better understand the OAuth spec, I came across this terrific tutorial on OAuth by Eran Hammer-Lahav on Hueniverse. It is hands-down the most useful tutorial I have found [...]
Thanks for a guide which does not omit implementation details like an actual HTTP request header…this level of detail is lacking in most technical tutorials (of any sort) and is a requirement for me to properly understand the concepts presented.
One question – does OAuth provide a mechanism whereby the service provider response is signed in any way, or is this left to the domain of HTTPS if necessary?
OAuth 1.0 does not include a way for the server to sign responses. It wasn’t part of the requirements. For OAuth 2.0 we are still considering it but so far it has not been requested.
I see commas separating the Authorization header parameters; are the spaces or line breaks after the comma relevant?
That’s just how HTTP headers are. The header format is [name="value", white-space]. If you put a new line in there, make sure the next line starts with a white-space to signify it is continued from previous line.
With regard to the building of the signature base string, I see that in the concatenation, first goes the POST or GET verb, then an ampersand, and then the parameters.
In the sample I see here, the ampersand after the GET verb is not encoded. Should it be?
No. The separators in the signature base string are not encoded (only the separators in the sub-components like the parameters list).
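The rules raised in the comments above (the colon that comes out as %253A in the base string, the empty token secret when no token has been issued yet, the unencoded “&” separators between the three parts of the base string, and the comma-separated Authorization header) can be checked against one small signer. The example below is added here and is not the walkthrough’s own code; the request values are the ones from OAuth Core 1.0 Appendix A (photos.example.net), while the realm and the orkut-style consumer key used for the colon check are illustrative inputs chosen for the demonstration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """OAuth percent-encoding: everything except the RFC 3986 unreserved set."""
    return quote(str(value), safe="-._~")


def normalized_url(url):
    """scheme://host[:port]/path with lower-cased scheme and host, default ports dropped, no query."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    if parts.port is not None and parts.port != default_port:
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def normalized_params(params):
    """Encode every name and value, sort by encoded name then value, join with '&' and '='."""
    encoded = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, url, oauth_params):
    params = list(oauth_params) + parse_qsl(urlsplit(url).query, keep_blank_values=True)
    # The three parts are encoded individually and then joined with literal, unencoded '&'.
    # The parameter string is encoded a second time here, which is why a ':' in a value
    # appears as %3A in the parameter list but as %253A in the base string.
    return "&".join([method.upper(), pct(normalized_url(url)), pct(normalized_params(params))])


def hmac_sha1_key(consumer_secret, token_secret=""):
    # Key = encoded consumer secret, '&', encoded token secret. At the request-token
    # step there is no token secret yet, so the part after '&' is simply empty.
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    key = hmac_sha1_key(consumer_secret, token_secret).encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def authorization_header(oauth_params, realm=None):
    """Authorization: OAuth header, comma-separated name="value" pairs, both sides encoded."""
    items = [] if realm is None else [f'realm="{realm}"']
    items += [f'{pct(k)}="{pct(v)}"' for k, v in oauth_params if k.startswith("oauth_")]
    return "OAuth " + ", ".join(items)


def verify_signature(method, url, received_params, consumer_secret, token_secret=""):
    """Server side: recompute the signature from the received parameters and compare in constant time."""
    received = dict(received_params).get("oauth_signature", "")
    expected = hmac_sha1_signature(signature_base_string(method, url, received_params),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(received, expected)


# Request values from OAuth Core 1.0 Appendix A.
SPEC_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
SPEC_CONSUMER_SECRET = "kd94hf93k423kf44"
SPEC_TOKEN_SECRET = "pfkkdhi9sl3r4s00"
SPEC_OAUTH_PARAMS = [
    ("oauth_consumer_key", "dpf43f3p2l4k3l03"),
    ("oauth_token", "nnch734d00sl2jdk"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "1191242096"),
    ("oauth_nonce", "kllo9940pd9333jh"),
    ("oauth_version", "1.0"),
]


def sign_spec_example():
    """Return (base string, signature, Authorization header) for the Appendix A request."""
    base = signature_base_string("GET", SPEC_URL, SPEC_OAUTH_PARAMS)
    sig = hmac_sha1_signature(base, SPEC_CONSUMER_SECRET, SPEC_TOKEN_SECRET)
    # The realm is an illustrative value, not part of the spec example.
    header = authorization_header(SPEC_OAUTH_PARAMS + [("oauth_signature", sig)],
                                  realm="http://photos.example.net/")
    return base, sig, header


if __name__ == "__main__":
    for line in sign_spec_example():
        print(line)
    # Request-token step: no token secret, so the key ends with a bare '&'.
    print(hmac_sha1_key(SPEC_CONSUMER_SECRET))
    # Consumer key containing a colon, as in the comment above: %3A once, %253A in the base string.
    print(signature_base_string("GET", "http://example.com/",
                                [("oauth_consumer_key", "orkut.com:9998800008898")]))
```

The signer sorts and encodes the parameters once for the normalized list and then encodes that list again as one of the three base-string parts, which is exactly the double encoding that turns “orkut.com%3A…” into “orkut.com%253A…”; the verifier recomputes from the received parameters and compares with `hmac.compare_digest` rather than `==`.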
Looking at my code I see the signing of the base string is the same as what is explained here, but I am getting an invalid signature all the time. When looking at Google’s OAuth playground test page, I see that a scope= parameter is added to the base string, whereas in this tutorial that scope parameter is not.
What I would like to see is the signing process for the request_token request. Regards, Carlos
This tutorial is generic and not specific to Google. You should contact Google for help with their API. However, you can still add custom parameters and manually add a scope parameter to the request. Just click on the [+] next to the parameters list and add more.
[...] http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signing-requests/ [...]
Created a desktop app that accesses an API and needs OAuth to search. Now I understand the different components, but when attempting to get a request token I get the (401) unauthorized error. When I used a third-party OAuth app I was able to take it all the way through, where I received a PIN to use. Still not sure how to use the PIN, but any help will be appreciated.
I don’t know which web service API you are trying to use, but either way, I am unable to help with individual requests for help with making authenticated calls. I suggest you ask this on the right developer mailing list or group.
It’s not often one finds such a thorough implementation example for oauth. You ought to be proud! I’m giving you 3 thumbs up and a big thank you!