Just go to: http://www.hueniverse.com/hueniverse/2008/10/beginners-gui-1.html
and try it out. The example in the spec shows both HMAC-SHA1 and PLAINTEXT (over HTTPS). PLAINTEXT does not use the signature base string, but if you use HMAC-SHA1 there instead, you will need it.

EHL

> -----Original Message-----
> From: oauth@googlegroups.com [mailto:oa...@googlegroups.com] On Behalf Of Simone
> Sent: Tuesday, May 12, 2009 9:40 AM
> To: OAuth
> Subject: [oauth] SignatureBaseString in the 3 requests
>
> Hi to everybody.
> I would like to know if I have well understood what the specification says.
> I have understood that the SignatureBaseString must be inserted in
> each request that the Consumer makes to the Service Provider.
> These requests are 3:
>
> 1) for a Request Token
> 2) for an Access Token
> 3) to access the protected resources
>
> In the specification there is only an example of the calculation of
> the SignatureBaseString, related to the third request, in order to
> access the protected resources ("Appendix A.5.1. Generating
> Signature Base String").
> Now I write the SignatureBaseString for each request, where I ignore
> the encoding for greater clarity.
> I ask you for feedback if I am wrong.
>
> 1) Request for a Request Token
> SignatureBaseString = GET&http://photos.example.net/request_token&oauth_consumer_key&oauth_token&oauth_nonce&oauth_timestamp&oauth_signature_method&oauth_version
>
> 2) Request for an Access Token
> SignatureBaseString = GET&http://photos.example.net/access_token&oauth_consumer_key&oauth_token&oauth_nonce&oauth_timestamp&oauth_signature_method&oauth_version
>
> 3) Request for access to the protected resources
> SignatureBaseString = GET&http://photos.example.net/photos&file&oauth_consumer_key&oauth_token&oauth_nonce&oauth_timestamp&oauth_signature_method&oauth_version&size
>
> Is it correct?
>
> The differences are in the URL of the Service Provider and in the last
> request there are also the "file" and the "size" parameters.
> Obviously the values of the parameters "oauth_token", "oauth_nonce",
> "oauth_timestamp" are different in the various requests.
>
> After that the consumer computes the SignatureBaseString:
> - in the case of RSA-SHA1: the consumer signs the SignatureBaseString
> with his private key and assigns this value to the oauth_signature
> parameter.
> - in the case of HMAC-SHA1: the consumer computes HMAC-SHA1
> (SignatureBaseString), using the key K=ConsumerSecret&TokenSecret,
> and assigns this value to the oauth_signature parameter.
>
> Is it correct?
>
> Thanks
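
The three signed requests from the question, worked through for HMAC-SHA1 as an added example (not part of either message and not code from the OAuth project). Request 3 uses the values of the spec's Appendix A.5 example; the nonces, timestamps and request-token credentials in requests 1 and 2 are constructed, and the request URL is assumed to be already normalized.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def enc(value):
    # OAuth 1.0 parameter encoding: only RFC 3986 unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Each parameter enters as an encoded name=value pair, sorted by name then value;
    # oauth_signature itself is excluded. The URL is assumed already normalized.
    pairs = sorted((enc(k), enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    # Key is always ConsumerSecret&TokenSecret; the "&" stays even with no token secret.
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    text = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()

CONSUMER_KEY, CONSUMER_SECRET = "dpf43f3p2l4k3l03", "kd94hf93k423kf44"  # spec Appendix A
BASE = "http://photos.example.net"

def oauth_params(nonce, timestamp, token=None):
    params = {"oauth_consumer_key": CONSUMER_KEY, "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": timestamp, "oauth_nonce": nonce, "oauth_version": "1.0"}
    if token is not None:
        params["oauth_token"] = token
    return params

# 1) Request token: no oauth_token exists yet, so the token secret is empty.
req1 = oauth_params("constructed-nonce-1", "1191242090")
sig1 = hmac_sha1_signature("GET", BASE + "/request_token", req1, CONSUMER_SECRET)

# 2) Access token: signed with the request token and its secret (constructed values).
req2 = oauth_params("constructed-nonce-2", "1191242092", token="constructed-request-token")
sig2 = hmac_sha1_signature("GET", BASE + "/access_token", req2,
                           CONSUMER_SECRET, "constructed-request-secret")

# 3) Protected resource: access token plus the resource's own parameters (spec values).
req3 = dict(oauth_params("kllo9940pd9333jh", "1191242096", token="nnch734d00sl2jdk"),
            file="vacation.jpg", size="original")
sig3 = hmac_sha1_signature("GET", BASE + "/photos", req3,
                           CONSUMER_SECRET, "pfkkdhi9sl3r4s00")

if __name__ == "__main__":
    for name, sig in (("request_token", sig1), ("access_token", sig2), ("photos", sig3)):
        print(name, sig)
```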