OAuth generate 16 character nonce in Postman - oauth

Postman's OAuth 1.0 generates only a 6-character nonce, while the REST API I am connecting to requires a 16-character nonce. How can I achieve this?

Related

How do I view the raw signature Postman uses when it makes its OAuth requests?

I'm using Postman 5.1.3. I'm trying to connect to an OAuth 1.0a endpoint using Postman's OAuth screen. How do I view the raw signature that Postman is using to construct its hashed "oauth_signature" param? I'm filling in a value for
consumer_key
consumer_secret
signature_method
timestamp
nonce
version
I'm leaving the HTTP method as "GET" and clicking "Send". Everything goes through fine, but I'm not able to reproduce the behavior in Java, which is why I'm seeking a way to view the raw signature Postman uses when building its request.
To generate the signature, Postman follows the RFC; there is no point for them to display the steps to generate that, so it is unavailable on display.
RFC is 5849 section 3.4 for signature stuff. It is quite explicit.

How does Postman generate oAuth 1.0a signatures?

I'm attempting to connect to an oAuth 1.0 authenticated endpoint but the signature that Postman creates does not match the signature we expect in our code. As far as I can see all the parameters that I have added are correct (Url, consumer_key, consumer_secret, nonce, timestamp, HMAC-SHA1) but Postman just seems to generate a different signature with these details. Does anyone know how Postman creates the signature?

Is Twitter consumer secret required for reverse authentication?

I'm busy implementing reverse authentication on iOS. I'm doing it on the basis of this example and the Twitter documentation.
I'm trying to figure out whether the consumer secret is mandatory to perform STEP 1 from the docs (obtaining a special request token). The docs say:
As an example, consider a request with the following values signed with the consumer key JP3PyvG67rXRsnayOJOcQ and consumer secret ydC2yUbFaScbSlykO0PmrMjXFeLraSi3Q2HfTOlGxQM.
Seems like the secret is needed. But then it lists the parameters for the request:
oauth_consumer_key JP3PyvG67rXRsnayOJOcQ
oauth_nonce 1B7D865D-9E15-4ADD-8165-EF90D7A7D3D2
oauth_signature_method HMAC-SHA1
oauth_timestamp 1322697052
oauth_version 1.0
x_auth_mode reverse_auth
And there's no secret, and also no oauth_signature. It then confirms my suspicion with the following:
These parameters should result in a signature base string that looks like this:
POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&
oauth_consumer_key%3DJP3PyvG67rXRsnayOJOcQ%26
oauth_nonce%3D1B7D865D-9E15-4ADD-8165-EF90D7A7D3D2%26
oauth_signature_method%3DHMAC-SHA1%26
oauth_timestamp%3D1322697052%26
oauth_version%3D1.0%26
x_auth_mode%3Dreverse_auth
Again, no secret and no oauth_signature parameter. Then I look at the example app I have taken from GitHub and see that it actually makes use of the secret. It makes some magic, mixes the secret with different strings, encrypts it and makes it into the oauth_signature parameter, which goes into the authorization header for its request. The complete authorisation header looks like this:
OAuth oauth_timestamp="1405695110", oauth_nonce="0C38A128-42B1-41D1-B31D-EBEBE8971470", oauth_version="1.0", oauth_consumer_key="u97hVQZtAcRbLWHv5CkONbaJ8", oauth_signature_method="HMAC-SHA1", oauth_signature="iuaqaN1MvFHyKMa95LFWXCxUfDM%3D"
The only difference between this and the Twitter docs' example is that here the oauth_signature parameter (made from the secret) is present. And the example works all right. I tried removing the secret when making the signature and received an error from Twitter.
So I am confused. The docs don't clearly state that the secret is required, whereas the example uses it as an important part. So is it mandatory? And if not, can you please explain how I build a request without the secret?
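An added example, not part of the original posts: the RFC 5849 section 3.4 procedure mentioned above, run over the Twitter documentation values quoted in this question, plus a 16-character nonce generator for the opening question. It is written for Node.js with the built-in `crypto` module; the function names (`pctEncode`, `nonce16`, `signatureBaseString`, `sign`) are hypothetical, and the base URL is assumed to carry no query string.

```javascript
// Added example: OAuth 1.0a HMAC-SHA1 signing per RFC 5849 section 3.4 (Node.js).
const { createHmac, randomBytes } = require('crypto');

// RFC 5849 section 3.6: everything except A-Z a-z 0-9 - . _ ~ is percent-encoded.
function pctEncode(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// 8 bytes from the CSPRNG, hex-encoded, give a 16-character nonce.
function nonce16() {
  return randomBytes(8).toString('hex');
}

// Section 3.4.1: METHOD & encoded base URL & encoded, sorted parameter string.
function signatureBaseString(method, baseUrl, params) {
  const cmp = (x, y) => (x < y ? -1 : x > y ? 1 : 0);
  const normalized = Object.entries(params)
    .map(([k, v]) => [pctEncode(k), pctEncode(String(v))])
    .sort((a, b) => cmp(a[0], b[0]) || cmp(a[1], b[1]))
    .map(([k, v]) => `${k}=${v}`)
    .join('&');
  return [method.toUpperCase(), pctEncode(baseUrl), pctEncode(normalized)].join('&');
}

// Section 3.4.2: the HMAC key is "consumer secret & token secret". The secrets are
// never sent as parameters; the token secret is empty until a token has been issued.
function sign(baseString, consumerSecret, tokenSecret = '') {
  const key = `${pctEncode(consumerSecret)}&${pctEncode(tokenSecret)}`;
  return createHmac('sha1', key).update(baseString).digest('base64');
}

// Sample values as quoted in the question above (Twitter's documentation example).
const docParams = {
  oauth_consumer_key: 'JP3PyvG67rXRsnayOJOcQ',
  oauth_nonce: '1B7D865D-9E15-4ADD-8165-EF90D7A7D3D2',
  oauth_signature_method: 'HMAC-SHA1',
  oauth_timestamp: '1322697052',
  oauth_version: '1.0',
  x_auth_mode: 'reverse_auth',
};
const docBase = signatureBaseString(
  'POST', 'https://api.twitter.com/oauth/request_token', docParams);
const docSignature = sign(docBase, 'ydC2yUbFaScbSlykO0PmrMjXFeLraSi3Q2HfTOlGxQM');
console.log(docBase);
console.log('oauth_signature=' + pctEncode(docSignature), 'fresh nonce=' + nonce16());
```

The printed base string can be compared character by character with the one a client or tool reports; any difference there changes the resulting signature.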

401 Unauthorized or in the response "Could not authenticate you" with error 32 in Twitter at user request

I'm trying to build a Windows 8 app where I'll integrate Twitter. So there is no callback URL.
After a long search I've managed to obtain the user token and secret. Now I'm trying to get the user's timeline. But I always get 401 Unauthorized or in the response "Could not authenticate you" with error 32. I've used the OAuth Tool to generate the Authorization header and Signature base string to compare them with the values I send. They look pretty similar to me, except the nonce.
GET&https%3A%2F%2Fapi.twitter.com%2F1.1%2Fstatuses%2Fhome_timeline.json&oauth_consumer_key%3DGszx6r0cSieo3OwyH3SA%26oauth_nonce%3D4387f13969df533a0b0a294d9884506b%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1371117616%26oauth_token%3D1470508532-5JPWuH66asacc45qGkKKYuP50QEPOA55VrXfV9o%26oauth_version%3D1.0
GET&https%3A%2F%2Fapi.twitter.com%2F1.1%2Fstatuses%2Fhome_timeline.json&oauth_consumer_key%3DGszx6r0cSieo3OwyH3SA%26oauth_nonce%3D190930700%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1371117905%26oauth_token%3D1470508532-5JPWuH66asacc45qGkKKYuP50QEPOA55VrXfV9o%26oauth_version%3D1.0
Authorization: OAuth oauth_consumer_key="Gszx6r0cSieo3OwyH3SA", oauth_nonce="4387f13969df533a0b0a294d9884506b", oauth_signature="QQOO4aUJx9%2FNKYidvuPx%2Fv7YzNg%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1371117616", oauth_token="1470508532-5JPWuH66asacc45qGkKKYuP50QEPOA55VrXfV9o", oauth_version="1.0"
Authorization: OAuth oauth_consumer_key="Gszx6r0cSieo3OwyH3SA", oauth_nonce="701369537", oauth_signature="VKjaVFHL%2FgtCRCASW5qdQtE%2BiJA%3D", oauth_signature_method="HMAC-SHA1",oauth_timestamp="1371118662", oauth_token="1470508532-5JPWuH66asacc45qGkKKYuP50QEPOA55VrXfV9o", oauth_version="1.0"
The first codes are from the OAuth Tool, the second are my codes.
Thanks, Marlowe
The problem was one single character too much. After I found it, it's working. By the way: the nonce also works with the small version I've used in the example.

Freshbooks OAuth issue

Very quick question for FreshBooks OAuth. When requesting a Request Token you need to provide (among others) the oauth_signature method.
Is the signature the consumer key and the consumer secret separated by an ampersand? e.g.
_consumer_key_%26_consumer_secret_
where _consumer_key_ is the consumer key, _consumer_secret_ is the consumer secret and %26 is a URL-encoded ampersand.
Simple answer is I was using the request headers instead of the Authorization header.
