The following explanation is designed as an interactive walkthrough with customizable inputs. Next to each set of inputs you will find an expand [+] icon that lets you change the example and see how the change affects the intermediate and final results. Click a [+] icon to open its form, and click it again to collapse it. Changes to the pre-filled values are reflected in the walkthrough content immediately. You can also change the default values the example starts with by choosing one of the pre-configured use cases.



Thanks for taking the time to write this article. I had to read some of Twitter's OAuth stuff to get to a point where I understood this article, but that just shows how concise it was. Thank you.
Many thanks.
I believe this will help me on something I’m currently working on.
Fantastic – I appreciated that you took the time to explain concepts like hashing and UTF-8 encoding along the way. Excellent article!
Great article. Thanks for writing this. A good level of detail; not too lite, not too deep.
Is the base string correct?
GET&http%3A%2F%
The & after the method is not URL encoded yet the rest of the string is????
Yes, it is correct. Each encoded part is concatenated together using an unencoded &.
One of the best articles I have seen yet and for someone who knew nothing about OAuth, this was an excellent primer. Would you have any articles on SAML and federation? It has me at my wits end.
Nooooo.
Putting this guide in a PDF document for download and print would be great. Please, if you have the time, do it.
Great guide!
Print? You mean on PAPER?!
“OAuth does not allow any other parameter to use the ‘oauth_’ prefix.” – this contradicts the last bullet of Appendix A of the RFC, I believe.
Thanks for this great resource!
Right.
“The Signature Base String includes the request absolute URL, tying the signature to a specific endpoint. The URL used in the Signature Base String MUST include the scheme, authority, and path, and MUST exclude the query and fragment as defined by [RFC3986] section 3.”
But on this page if one adds a query string in the Request Path the parameters are not excluded.
Not sure what you mean.
Just add a query string in the Request Path. The content of the added query string is used to calculate the Signature Base string. This shouldn’t happen, as specified in the paragraph 9.1.2. “Construct Request URL” at http://oauth.net/core/1.0/ (and also http://oauth.net/core/1.0a/).
Hi Eran,
Did my last explanation help you further?
Thank you.
Best regards,
Mauro
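
The two points discussed in the comments above (the unencoded `&` between the encoded parts, and where a query string on the request URL ends up) can be checked with the following added example, which is not code from the article or its author. It follows OAuth Core 1.0 section 9.1: the query is removed from the URL part and its parameters are sorted into the normalized parameter part. The URL, key, nonce and secret are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(s):
    """OAuth parameter encoding: all but ALPHA / DIGIT / - . _ ~ becomes %XX."""
    return quote(s, safe="-._~")

def base_url(url):
    """Scheme, authority and path only: lowercased, default port dropped, no query."""
    p = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(p.scheme)
    host = p.hostname if p.port in (None, default_port) else f"{p.hostname}:{p.port}"
    return f"{p.scheme}://{host}{p.path}"

def signature_base_string(method, url, params):
    """params: (name, value) pairs from the OAuth header and/or form body."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs = sorted((pct(k), pct(v)) for k, v in list(params) + query
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    # Three parts, each encoded on its own, then joined with a literal '&'.
    return "&".join([pct(method.upper()), pct(base_url(url)), pct(normalized)])

def sign_hmac_sha1(base, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string; key is the two encoded secrets joined by '&'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

# Constructed sample request (not taken from the article).
SAMPLE_URL = "HTTP://Example.com:80/photos?size=original&file=vacation.jpg"
SAMPLE_PARAMS = [
    ("oauth_consumer_key", "key"),
    ("oauth_nonce", "n1"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "1"),
    ("oauth_version", "1.0"),
]

if __name__ == "__main__":
    base = signature_base_string("get", SAMPLE_URL, SAMPLE_PARAMS)
    print(base)
    print(sign_hmac_sha1(base, "sample-consumer-secret"))
```
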