Hi everybody.
I would like to know whether I have understood correctly what the
specifications say.
I have understood that the SignatureBaseString must be inserted in
each request that the Consumer makes to the Service Provider.
There are 3 such requests:

1) for a Request Token
2) for an Access Token
3) to access the protected resources

In the specifications there is only one example of the calculation of
the SignatureBaseString, related to the third request, the one used to
access the protected resources ("Appendix A.5.1.  Generating
Signature Base String").
Below I write the SignatureBaseString for each request, ignoring
the encoding for greater clarity.
Please give me feedback if I am wrong.

1) Request for a Request Token
SignatureBaseString =
GET&http://photos.example.net/request_token&oauth_consumer_key&oauth_token&oauth_nonce&oauth_timestamp&oauth_signature_method&oauth_version

2) Request for an Access Token
SignatureBaseString =
GET&http://photos.example.net/access_token&oauth_consumer_key&oauth_token&oauth_nonce&oauth_timestamp&oauth_signature_method&oauth_version

3) Request for access to the protected resources
SignatureBaseString =
GET&http://photos.example.net/photos&file&oauth_consumer_key&oauth_token&oauth_nonce&oauth_timestamp&oauth_signature_method&oauth_version&size

Is it correct?

The differences are in the URL of the Service Provider, and in the last
request there are also the "file" and the "size" parameters.
Obviously the values of the parameters "oauth_token", "oauth_nonce",
"oauth_timestamp" are different in the various requests.

After that, the consumer computes the SignatureBaseString:
- in the case of RSA-SHA1: the consumer signs the SignatureBaseString
with his private key and assigns this value to the oauth_signature
parameter.
- in the case of HMAC-SHA1: the consumer computes HMAC-SHA1
(SignatureBaseString), using the key  K=ConsumerSecret&TokenSecret,
and assigns this value to the oauth_signature parameter.

Is it correct?

Thanks
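
Added example, not part of the original post or of any OAuth library: how OAuth Core 1.0 (sections 9.1 and 9.2) builds the Signature Base String and the HMAC-SHA1 signature, with the encoding left in, run on the values of the specification's Appendix A protected-resource request. The function names are chosen for this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def enc(value):
    # Section 5.1: only unreserved characters (ALPHA, DIGIT, - . _ ~) stay unescaped.
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    # Section 9.1: encode names and values, sort them, join as name=value pairs.
    # oauth_signature itself never goes into the base string.
    pairs = sorted((enc(k), enc(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    # Exactly three '&'-separated parts: method, encoded URL, encoded parameters.
    return "&".join([method.upper(), enc(url), enc(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # Section 9.2: key = ConsumerSecret&TokenSecret. The '&' stays even when
    # the token secret is empty, as in the Request Token step.
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


# Parameter values from the specification's Appendix A example.
PARAMS = {
    "file": "vacation.jpg",
    "size": "original",
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_timestamp": "1191242096",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_version": "1.0",
}


def demo():
    base = signature_base_string("GET", "http://photos.example.net/photos", PARAMS)
    return base, hmac_sha1_signature(base, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00")


if __name__ == "__main__":
    for part in demo():
        print(part)
```

The base64 value returned is percent-encoded once more when it is sent as the oauth_signature parameter.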

