How is the oauth_signature created?

I’m trying to replicate the oauth_signature that Postman generates from Java, with the OAuth 1.0 authentication method and the HMAC-SHA256 signature method, but it always generates different results even though I use the same data, so I’m thinking something is missing or wrong in the order I encode the key. Can someone explain to me step by step how Postman generates the OAuth signature? How is the base chain assembled? What is the encoding order?

Instead of looking at how Postman does it, I would recommend viewing the general OAuth 1.0 flow.

For example.

Basics of OAuth 1.0 (opengenus.org)

Then check your API to ensure that it follows that standard.

OAuth 1 is much more constrained than OAuth 2.0, which has a lot more options to consider.

It’s one thing to understand the principles of OAuth, quite another to understand what Postman is encoding into the base string that forms the basis for signature generation. Without knowing this fundamental, it is impossible to translate a successful Postman API call into an equivalent call from another code base. As so many others have pointed out in various posts, Postman generates a different signature to what is produced by code that follows the OAuth spec, which points to an unknown factor used in the Postman signature construction. All we need to know is, what are the factors involved?

I have just had the same problem. Everything looked correct and seemed to be following the specification, but then I realised that URLEncode() in C# encodes to lowercase and the OAuth1 specification requires the encoded characters to be uppercase, so I used Uri.EscapeDataString() instead and then everything worked.

So https:// becomes https%3A%2F%2F instead of https%3a%2f%2f, for example.

Hopefully this helps others in the same situation.

It would certainly be useful if Postman provided some additional details, such as the signature base string it generates, as it would have helped to debug it much faster.
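The base string and encoding order asked about at the top of the thread, as an added Python example that is not from any poster and is not Postman's code. It follows the RFC 5849 section 3.4 construction, uses HMAC-SHA256 in place of the RFC's HMAC-SHA1, and assumes a request with no form-encoded body. The URL, parameters, secret and the `pct_lower` helper are constructed for illustration.

```python
import base64, hashlib, hmac, re
from urllib.parse import parse_qsl, quote, urlsplit

def pct(value):
    # RFC 3986 encoding: only A-Z a-z 0-9 - . _ ~ stay literal, hex digits uppercase.
    return quote(value, safe="-._~")

def pct_lower(value):
    # Mimics an encoder that emits lowercase hex (%3a); kept only to show the mismatch.
    return re.sub(r"%[0-9A-F]{2}", lambda m: m.group().lower(), pct(value))

def base_string(method, url, oauth_params, enc=pct):
    parts = urlsplit(url)
    # Base URL: lowercase scheme and host, query string removed.
    # Assumption: the URL carries no explicit default port (:80 / :443).
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # Query parameters are signed together with the oauth_* parameters
    # (everything except oauth_signature itself).
    pairs = parse_qsl(parts.query, keep_blank_values=True) + list(oauth_params.items())
    # Encode every name and value first, then sort by encoded name, then value.
    encoded = sorted((enc(k), enc(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    # The normalized parameter string is encoded a second time here.
    return "&".join([method.upper(), enc(base_url), enc(normalized)])

def sign(method, url, oauth_params, consumer_secret, token_secret="", enc=pct):
    # Key: both secrets, each encoded, joined by "&" (the "&" stays without a token).
    key = f"{enc(consumer_secret)}&{enc(token_secret)}"
    text = base_string(method, url, oauth_params, enc)
    mac = hmac.new(key.encode(), text.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

# Constructed sample request; every value below is made up.
URL = "https://API.example.com/v1/items?filter=name%3Aalice"
PARAMS = {
    "oauth_consumer_key": "ck",
    "oauth_nonce": "abc123",
    "oauth_signature_method": "HMAC-SHA256",
    "oauth_timestamp": "1700000000",
    "oauth_version": "1.0",
}
SECRET = "cs"

if __name__ == "__main__":
    print(base_string("GET", URL, PARAMS))
    print("uppercase hex:", sign("GET", URL, PARAMS, SECRET))
    print("lowercase hex:", sign("GET", URL, PARAMS, SECRET, enc=pct_lower))
```

Printing the base string from your own client and diffing it against this output shows which step diverges; the resulting signature is percent-encoded once more when it is placed in the Authorization header.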