Beginner’s Guide to OAuth – Part IV: Signing Requests

Time to put the previously discussed concepts into action. The following explanation is designed as an interactive walkthrough with customizable inputs. Next to each set of inputs you will find an expand [+] icon allowing you to change the example and see how such changes affect the intermediate and final results. To expand the forms, click on the [+] icons which will open the form or click again to collapse. Making changes to the pre-filled values will immediately change the walkthrough content. You can also adjust the default values the example starts with by choosing from one of the pre-configured use cases. This post cannot be viewed in a feed reader.

[iframe 550 5000]

43 thoughts on “Beginner’s Guide to OAuth – Part IV: Signing Requests

  1. Hi! First of all, congratulations for your excellent articles about OAuth!
    I’m writing just to notify that using Mac OS X Leopard, under Safari it seems that, in this page, changing signature method to RSA-SHA1 the ‘oauth_signature’ doesn’t change – it remains equal to HMAC-SHA1 – instead using Firefox2 and 3, the following message appears: “No installed provider supports this key:”.
    Hope this is useful!
    Best regards,
    Simone Tripodi

  2. I have read all articles about OAuth, I’m a beginner and I miss usage examples. I read everything but cant realize how get answers, how redirect user, how use the forms :S
    Dont u think this last parts are missing?

  3. Simone: Thanks for the feedback. The RSA examples don’t work on a Mac due to Apple’s poor Java distribution. I am looking for a Javascript replacement but it is not available yet.
    Rubia: The guides assume a certain level of understanding of both HTTP and API development. The best place to ask questions is the OAuth mailing list (

  4. This is one of the best pieces of writing about real world crypto that I’ve seen on the web.
    I tried the above to log in to my twitter account (using the two-legged variant of OAuth). I got back a 401 with the explanation “Invalid / expired token”
    I presume that the token referred to in the error is the “oauth_token”. Naturally I don’t have one of those since I’m not taking part in twitter’s limited OAuth beta.
    Do you, or anybody on this forum, know whether twitter is going to support two-legged authentication? I hope so since I don’t like sending passwords in the clear.

  5. This is a very useful tool, has helped me verify oauth signing.
    I believe there is an error in your process. When I use a consumer key that has a colon in it, the consumer key is shown correctly encoded in the section that shows the encoded oauth_ parameters. The error is when showing the signature base string.
    Example: => (correct in the encoded parameter lists) => (incorrect in the signature base string)

  6. Don’t confuse token secret and key. When you are getting a request token you simply leave the token parameter out (this example isn’t for that case). You should still have some consumer key provided by the service provider.

  7. It says “The HMAC-SHA1 signature method uses the two secrets — Consumer Secret and Token Secret — as the HMAC-SHA1 algorithm key”, I understand that I should concatenate the 2 secrets. But in a token request I don’t have a token secret yet, that’s what I was asking.
    What should I use as the key? The consumer secret or the consumer key?

  8. My question is regarding how a client request is “supposed” to be formated once an access token is received.
    I’m trying to create an api secured with oauth much like flickr’s. As is flickr’s …I’d like for my requests to contain the method as var. Eg.
    I’m currently using “MPOAuthConnection” to test “my server’s” api and oauth.
    I can successfully get an access token from my server but then I enter the above URL into the “method” field of the client and hit the “Perform Method” button…to which I just get an oAuth error response: “Can’t verify request, missing oauth_consumer_key or oauth_token”
    …looking at the network request it looks like it is broken perhaps by the querystring being inserted before the “?”:
    Regardless of the client…I’m confused as to what the above request should look like if done properly by the client and I was to sniff the network activity?
    Unfortunately, I’m a little lost as to how to make this happen.
    Can anyone clarify?

  9. Hi Eran,

    What is OAuth WRAP? Is it an extension to the OAuth spec or is it a whole new spec by itself?


    • It is a completely different protocol drawing ideas and inspiration from OAuth. Other than that it has nothing to do with it, and is not compatible in any way. It was just a poor choice of name.

  10. Great tutorials! Thank you very much, these were really helpful, especially the description on how to sign a request.

    I noticed a small thing though, in the specs on the Authorization Header it says:
    “Parameters are separated by a comma character (ASCII code 44) and OPTIONAL linear whitespace per [RFC2617].”

    the commas are missing in your example.

  11. This has been great, but it is a bit confusing — it’s not a signature for a Request Token, because it contains a oauth_token, and it isn’t a signature for a Access Token, because it is missing the required oauth_verifier. Can you split these out and generate two signatures depending on the step of the process? It helps writting test cases since we can copy and paste your inputs and results — however your Authorization HTTP header can’t be used in a test case since it does not conform to either a Request Token or the POST parameters for an Access Token.

    I’m not sure you are aware, but the page does not display correctly in Google Chrome.

    Sorry for these criticisms, but overall the interactive article has been great!


  12. Thanks for a guide which does not omit implementation details like an actual HTTP request header…this level of detail is lacking in most technical tutorials (of any sort) and is a requirement for me to properly understand the concepts presented.

    One question – does OAuth provide a mechanism whereby the service provider response is signed in any way, or is this left to the domain of HTTPS if necessary?

    • OAuth 1.0 does not include a way for the server to sign responses. It wasn’t part of the requirements. For OAuth 2.0 we are still considering it but so far it has not been requested.

    • That’s just how HTTP headers are. The header format is [name=”value”, white-space]. If you put a new line in there, make sure the next line starts with a white-space to signify it is continued from previous line.

  13. With regards of the building of the signature base string, i see that in the concatenation, first goes the POST or GET berb, and ampersand, and the parameters.
    In the sample I ser here, thisampersand fter the GET verb is not encoded, sjourd be?

  14. Looking to my code I see the signing of the base string the same at what is explained here, but getting an invalid signature all the time. When looking to Google Oauth playground test page, is the that a scope= parameter is added to the base strin, where in this tutorial that scope parameter is not.
    What I would like to se s the signing process for the request_token request. Regards, Carlos

    • This tutorial is generic and not specific to Google. You should contact Google for help with their API. However, you can still add custom parameters and manually add a scope parameter to the request. Just click on the [+] next to the parameters list and add more.

  15. Created desktop app that accesses api and needs oauth to search. Now I understand the diff components but when attempting to get request token I get the (401) unauthorized error. When I used a third party oauth app I was able to take it all the way through where i received a pin to use. Still not sure how to use pin but any help will be appreciated.

    • I don’t know which web service API you are trying to use, but either way, I am unable to help with individual requests for help with making authenticated calls. I suggest you ask this on the right develops mailing list or group.

  16. It’s not often one finds such a thorough implementation example for oauth. You ought to be proud! I’m giving you 3 thumbs up and a big thank you!

  17. Firstly, let me say this interactive demo is a great resource. I have however found a small implementation problem. Since this is practically the reference implementation, it would be nice to get it fixed!

    If I choose to encode a POST request where some parameters are included in the query string, and some as part of the POST body, your implementation incorrectly includes the query parameters in the “Base String URI” (as defined in section of RFC 5849). This is also mentioned in section 9.1.2 of the OAuth Core 1.0A specification.

    The correct behaviour is to exclude them from the Base String URI (step 3 of section and instead include them among the normalized request parameters at step 5.


    • The tool doesn’t have any understanding of the request URI. You have to do the URI parsing yourself, and enter any query parameters in the right place, not in the query. This is not a bug but just how the tool is designed. It deals with raw data (request URI path, parameters, etc.).

  18. Hi Eran,

    I’ve read your introduction (and some other pages regaring oauth) and I understand the concepts. I do have some difficulties matching it to existing services. Afaik i have to sign up for an api key if i want to use twitter, google maps,…Then i get eg. an Api Key of a2d3bddw2sdf. Is this api key the consumer secret? Or is it the consumer key? If it is the key, what is the secret? Or vice versa?

  19. Great articles. I couldn’t have fixed my issues without your clear and methodical explainations.

    If anyone is reading this and having problems with the c# OAuthBase class be please be aware that there appears to be a problem with this class.

    This class skips the step where it UrlEncodes the parameters seperately (It combines then escapes). So in the case where you have reseved chanracters in parameters these should end up double excaped in you base signature string.

    I spent a long time identifying this problem as I assumes this class would be correct as it appears that it is the same class used within the google .NET library.

    I really hope this helps and without this article I would have spent no end of time and hair loss trying to discover the problem. Great Post!!

    You need to add to the Generate Signature Base method (@L267)

    //Url Encode any parameters that may contain reserved characters – DH
    foreach (QueryParameter parameter in parameters)
    parameter.Value = this.UrlEncode(parameter.Value);

    and change the property to allow setting.

  20. I wasted THREE days trying to just understand the communications/authentication protocol while looking at all sorts of websites and documents but didn’t get anywhere until I came up on this page!

    Simply AMAZING!

    All my kudos to you, I can’t possibly thank you enough for saving so much time for me with your very simple to understand AND INTERACTIVE tool with those exact explanations. Most other pages sent me on a wild-goose chase (I was creating LabVIEW drivers for Oauth, majority of other pages are specific to languages rather than protocol). YOU should be the official authority on all documentation related to Oauth (not sure if you already are).

    My LabVIEW drivers for Oauth now work very well, I even tested them to automate stuff with some sites!:-)

    Thank you again, you’ve done an excellent job!

  21. This is an excellent, detailed post on how to construct an OAuth Request. I’m in the middle of trying to implement OAuth on both the client (Android) and server side (Google App Engine). The most difficult part is signing the Request. Do you know of any Java libraries that handle signing in HMAC-SHA1?

Comments are closed.