OAuth 1.0 header construction for Token Based Authentication (TBA)

ilsemaj · September 10, 2021, 12:55am

My question:
This isn’t a problem with Postman but Postman’s OAuth 1.0 authentication works when I’m attempting to communicate with Netsuite API. I’m having a hard time trying to reproduce the successful results using NodeJS so I’m interested in how Postman constructs the header in the requests when I’m using OAuth 1.0 for TBA.

Details:
Postman takes in 4 variables, namely CONSUMER_KEY, CONSUMER_SECRET, ACCESS_TOKEN, TOKEN_SECRET. It then constructs the header.Authorization dynamically to something like this:

OAuth realm="<realm>",oauth_consumer_key="<key>",oauth_token="<token>",oauth_signature_method="HMAC-SHA256",oauth_timestamp="1631228049",oauth_nonce="h6AMUL3EAof",oauth_version="1.0",oauth_signature="<generated_signature>"

On the other hand, I’m using an OAuth 1.0 library https://github.com/ddo/oauth-1.0a to generate the header when I’m doing this in NodeJS. When I override the dynamic variables (nonce, timestamp) to a static value from Postman, my oauth_signature came out different. Is there something in Postman that’s doing differently than a regular OAuth 1.0 library when constructing the header?

ilsemaj · September 14, 2021, 4:20pm

Answering my own question here, Postman does a lowercase on the URL so if you have anything in your URL that’s not originally lowercased, it will be transformed before encryption. Hence I was getting a different signature.

twb2077 · January 4, 2022, 4:55pm

Can you provide me your NodeJS sample? I am having the same exact issue but I don’t know what is used for the signature and how Postman comes up with it.

nithin270 · August 21, 2022, 7:47am

Could you please provide the nodejs sample code