10. Signing an OAuth request is easier than you think.
Take that signature base string, then sign it using HMAC-SHA1 and the proper signing key.
11. The proper signing key is a pain point.
The access token step, and any resource requests on a user's behalf, utilize OAuth tokens and secrets to create a composite signing key.
12. Two-legged OAuth requests are requests that don't require a user or oauth_token.
Asking for a request token is actually a two-legged OAuth request.
13. The algorithm for determining what your "signing key" is
    url_encode( consumer_secret ) + "&" + url_encode( oauth_token_secret || nil )
14. The algorithm for determining what your "signing key" is
With an oauth_token_secret:
    signing_key = "abcd&efgh"
Without an oauth_token_secret:
    signing_key = "abcd&"
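The signing-key rule from slides 13 and 14 and the HMAC-SHA1 step from slide 10, carried through in Python as an added example (not code from the deck or from the OAuth Dancer project). It also assembles the signature base string, whose three-part form is assumed from OAuth 1.0a rather than shown on these slides; all secrets, keys and request values are constructed sample data.

```python
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import quote


def url_encode(value: str) -> str:
    """OAuth percent-encoding: only unreserved characters (A-Z a-z 0-9 - . _ ~) stay bare."""
    return quote(value, safe="-._~")


def signing_key(consumer_secret: str, oauth_token_secret: Optional[str] = None) -> str:
    """Composite key from slide 13: encoded consumer secret, '&', encoded token secret.

    A two-legged request (no oauth_token yet) has no token secret, so the key ends in '&'.
    """
    return url_encode(consumer_secret) + "&" + url_encode(oauth_token_secret or "")


def signature_base_string(method: str, base_url: str, params: dict) -> str:
    """Build METHOD&url_encode(base_url)&url_encode(normalized_params) (assumed 1.0a form).

    Parameters (query, oauth_*, form body) are encoded, sorted by key, then joined with '&'.
    """
    encoded = sorted((url_encode(k), url_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), url_encode(base_url), url_encode(normalized)])


def sign(base_string: str, key: str) -> str:
    """Slide 10: HMAC-SHA1 over the base string with the composite key, base64-encoded."""
    digest = hmac.new(key.encode("utf-8"), base_string.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def verify(base_string: str, key: str, presented_signature: str) -> bool:
    """Provider-side check: recompute the signature and compare in constant time."""
    return hmac.compare_digest(sign(base_string, key), presented_signature)


if __name__ == "__main__":
    # Constructed request-token call: two-legged, so the key is url_encode(secret) + "&".
    params = {
        "oauth_consumer_key": "sample-consumer-key",
        "oauth_nonce": "sample-nonce-0001",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1300000000",
        "oauth_version": "1.0",
        "oauth_callback": "oob",
    }
    base = signature_base_string("POST", "https://api.example.com/oauth/request_token", params)
    print(base)
    print("oauth_signature =", sign(base, signing_key("abcd")))
```

Compare the printed base string against what your OAuth library logs for the same request; a mismatch there, rather than in the HMAC step, is the usual cause of a rejected signature.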
20. Advice
• Learn how to specify HTTP headers explicitly in your OAuth implementation.
• Master the core components of your OAuth libraries. Follow the code path through so you understand the proper places to introduce different behavior.
24. the OAuth Dancer
• Nearly complete solution for testing REST-based API requests with OAuth 1.0A authentication.
• Examine the signature base string, authorization headers, and oodles more debug information about requests.
• Supports xAuth and two-legged OAuth.
• Out-of-band (PIN) support coming soon.
• Under perpetual development. OAuth 2.0 support on the way.
• Very useful for creating comparative examples, testing internal OAuth implementations, and more.
http://bit.ly/oauth-dancer