Tags: delphi, oauth, hmacsha1

OAuth 1.0 Generate Signature vs Postman Generate Signature


I am writing a tool for the API of the WooCommerce plugin, which is one of the WordPress plugins. This tool uses the OAuth 1.0 system for authentication. When I set up my request and send it via Postman, I get my answer without any problem. My problem starts in the test application I wrote myself. When I create a signature with the same values found in Postman, I get a different value from the Postman tool.

There is a base string specified in the document. I encrypt this value with the specified key and create a signature. This signature is the same as the signature in the document, so I can understand from this that my test tool is running smoothly. (https://oauth.net/core/1.0a/#RFC2045 - Appendix A.5.2, Calculating Signature Value)

When I add the values I get from Postman to my test tool, I get different results. What came to my mind here was that the Postman tool adds another parameter.

My Postman values are:

(screenshot of the Postman OAuth 1.0 parameters; image not included)

I can operate with these values without any problems. I add the same values to the test application and get the output:

(screenshot of the test application output; image not included)

Postman: tcBdkwXJL9Ad5RZFTQ36Vh34mYM=

My Test App: UJ2it9opCslL0Jjy7/T/C7Dw8rc=

I am developing the related test application with Delphi. If you need the code, I have shared it below.

// Requires System.NetEncoding (TNetEncoding) and System.Hash (THashSHA1)
// in the unit's uses clause.
procedure TForm1.Button1Click(Sender: TObject);
var
 p1, p2, p3, xp3, full: string;
 HMAC_SHA1: THashSHA1;
begin
 // HTTP method, e.g. GET
 p1 := cmbReqType.Text;

 // Percent-encoded base URL
 p2 := TNetEncoding.URL.Encode(edit1.Text);

 // oauth_* parameters, concatenated in the order the form fields are read
 p3 := 'oauth_consumer_key=' + oauth_consumer_key.Text
        + '&oauth_signature_method=' + oauth_signature_method.Text
        + '&oauth_timestamp=' + oauth_timestamp.Text
        + '&oauth_nonce=' + oauth_nonce.Text
        + '&oauth_version=' + oauth_version.Text;

 xp3 := p3; // unencoded copy, kept for inspection
 p3 := TNetEncoding.URL.Encode(p3);

 // Signature Base String: METHOD & encoded URL & encoded parameter string
 full := p1 + '&' + p2 + '&' + p3;
 Memo1.Lines.Text := System.UTF8Encode(Trim(full));

 // HMAC-SHA1 over the base string, keyed with the secret field alone,
 // then Base64-encoded
 HMAC_SHA1 := THashSHA1.Create;
 Edit2.Text := TNetEncoding.Base64.EncodeBytesToString(
   HMAC_SHA1.GetHMACAsBytes(TEncoding.UTF8.GetBytes(Trim(Memo1.Text)),
                            TEncoding.UTF8.GetBytes(Trim(secret_key.Text))));

 // Compare against the signature Postman produced for the same values
 if Trim(Edit2.Text) = 'tcBdkwXJL9Ad5RZFTQ36Vh34mYM=' then
   ShowMessage('correct.')
 else
   ShowMessage('not correct.');
end;

P.S.: Forgive the ugliness of the code. I coded it trivially :)

P.S.: I leave similar topics below. Most do not have an answer.

1- How do I view the raw signature Postman uses when it makes its OAuth requests?

2- How does Postman Rest Client create Oauth Signature ? Unable to resolve Oauth_Signature in android

...

Thanks in advance for your help on this.


Solution

  • When building the Signature Base String, OAuth1 requires that parameters be sorted by name. In your case, it means that oauth_nonce must come just after oauth_consumer_key.

    Additionally, when computing the HMAC, the key must include both the Consumer Secret and the Token Secret, separated by an &, even if the token is empty. Since you have no token, you must append an & to your secret.
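Both points of the answer (parameters sorted by name, and consumer secret & token secret as the HMAC key) as an added Python reference implementation; this is not code from the question, the answer or Postman. It is checked against the OAuth Core 1.0a Appendix A.5 worked example the question cites, so feeding it the same consumer key, timestamp, nonce and secret as the Delphi tool shows the base string and signature that tool should reproduce.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def oauth_encode(value: str) -> str:
    """OAuth 1.0 section 5.1 percent-encoding (RFC 3986): only ALPHA, DIGIT,
    '-', '.', '_', '~' stay as-is; quote() with an empty safe set does this."""
    return quote(str(value), safe="")


def normalize_params(params: dict) -> str:
    """Section 9.1.1: encode keys and values, sort by key (then value), join
    with '&'. oauth_signature itself is never part of the signed string."""
    pairs = [(oauth_encode(k), oauth_encode(v)) for k, v in params.items()
             if k != "oauth_signature"]
    return "&".join(f"{k}={v}" for k, v in sorted(pairs))


def base_url(url: str) -> str:
    """Section 9.1.2: lower-case scheme/host, drop default port and query."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    if (parts.scheme.lower(), parts.port) in (("http", 80), ("https", 443)):
        host = parts.hostname
    return f"{parts.scheme.lower()}://{host}{parts.path}"


def signature_base_string(method: str, url: str, oauth_params: dict) -> str:
    """Section 9.1.3: METHOD & encode(base URL) & encode(normalized params).
    Query-string parameters of the URL belong to the signed set too."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    params.update(oauth_params)
    return "&".join([method.upper(), oauth_encode(base_url(url)),
                     oauth_encode(normalize_params(params))])


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    """Section 9.2: encode(consumer secret) & encode(token secret). The '&'
    stays even with no token, which is the asker's WooCommerce case."""
    return f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}"


def hmac_sha1_signature(base_string: str, key: str) -> str:
    """Base64 of HMAC-SHA1(key, base string), the oauth_signature value."""
    digest = hmac.new(key.encode("utf-8"), base_string.encode("utf-8"),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")
```

Running the Appendix A.5 values (GET on http://photos.example.net/photos?file=vacation.jpg&size=original with the appendix's oauth_* parameters and secrets) through `signature_base_string` and `hmac_sha1_signature` reproduces the appendix's signature; dropping the sort or the trailing `&` changes it.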