I was provided a sample Postman collection from NetSuite for their REST web services. I am able to authenticate and use the sample calls. I need to know what Postman uses, exactly, to create the oauth_signature. I tried the realm, consumer key, token key, nonce, and timestamp in my own integration, but the signature comes out differently (even when I have the same nonce and timestamp hardcoded in Postman and in my integration). Help will be GREATLY appreciated since my forehead is quite flat from the banging against the wall.
did you find an answer to this question? I also need help creating oauth_signature.
No. I figured some of it out but now I'm having trouble when using a POST.
You're not going to get much of a response if you don't include sample requests and screenshots of what you have so far (anonymised where necessary), showing where it's different.
Without seeing your requests, I suspect it's due to the Base64 encoding and conversion of some of the elements.
I would also consider using the pre-request script to generate this instead of the built in authentication.
You have much more control of the request and it's easier to troubleshoot, as you can console log all of the relevant variables to see where the differences are.
This is an example of using OAuth2. But it will be the same principle.
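// Postman pre-request script: checks that the required collection variables
// are set, then fetches a token from the Microsoft identity platform when no
// unexpired token is cached in the collection variables.
//
// NOTE(security): this is the OAuth2 resource-owner password grant. The user's
// password and the client secret are read from collection variables, which are
// stored with the collection and can travel with it when it is exported or
// shared; keep real secrets out of the saved initial values. The password
// grant also does not work for accounts that require MFA.
pm.test("Check for collectionVariables", function () {
  const requiredVars = ['clientId', 'clientSecret', 'tenantId', 'username', 'password', 'scope'];
  requiredVars.forEach(function (item, index) {
    // Only the variable NAME is logged; never log the values (password, secret).
    console.log(item, index);
    pm.expect(pm.collectionVariables.get(item), item + " variable not set").to.not.be.undefined;
    pm.expect(pm.collectionVariables.get(item), item + " variable not set").to.not.be.empty;
  });

  // bearerTokenExpiresOn holds an absolute expiry time in epoch seconds.
  // A missing or non-numeric value is treated as "already expired".
  const cachedToken = pm.collectionVariables.get("bearerToken");
  const expiresOnSeconds = Number(pm.collectionVariables.get("bearerTokenExpiresOn"));
  const isExpired = !Number.isFinite(expiresOnSeconds) || Date.now() > expiresOnSeconds * 1000;

  if (!cachedToken || isExpired) {
    pm.sendRequest({
      url: 'https://login.microsoftonline.com/' + pm.collectionVariables.get("tenantId") + '/oauth2/v2.0/token',
      method: 'POST',
      header: 'Content-Type: application/x-www-form-urlencoded',
      body: {
        mode: 'urlencoded',
        urlencoded: [
          { key: "client_id", value: pm.collectionVariables.get("clientId"), disabled: false },
          { key: "scope", value: pm.collectionVariables.get("scope"), disabled: false },
          { key: "username", value: pm.collectionVariables.get("username"), disabled: false },
          { key: "password", value: pm.collectionVariables.get("password"), disabled: false },
          { key: "client_secret", value: pm.collectionVariables.get("clientSecret"), disabled: false },
          { key: "grant_type", value: "password", disabled: false },
        ]
      }
    }, function (err, res) {
      if (err) {
        console.log(err);
        return;
      }

      pm.test("Status code is 200", () => {
        pm.expect(res).to.have.status(200);
      });

      // A failed token request must not overwrite the cached values with
      // undefined; the failure is already reported by the test above.
      if (res.code !== 200) {
        return;
      }

      // Do not console.log the parsed response: it contains the tokens.
      const resJson = res.json();

      // expires_in is a lifetime in seconds, not a timestamp. Storing it
      // unchanged made the expiry check compare against a moment in 1970, so
      // the token was re-requested (and the password re-sent) on every call.
      const expiresOn = Math.floor(Date.now() / 1000) + Number(resJson.expires_in);
      pm.collectionVariables.set("bearerTokenExpiresOn", expiresOn);

      // NOTE(review): the id_token is cached as the bearer token. An API is
      // normally called with access_token; confirm which one the target expects.
      pm.collectionVariables.set("bearerToken", resJson.id_token);
    });
  }
});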
Any luck with this? I'm attempting to do the same thing; it would be great to know if you've had success.
I did get things figured out. There were a few overlapping issues. I'm using Qvera Interface Engine and there's a "feature" (aka BUG) in which query string parameters are NOT added to the URL, which led to the signature not being correct. Another thing to be mindful of: the parameter list (both OAuth and any additional query string parameters) needs to be in alpha order before getting hashed. QIE uses Java/JavaScript "ish". I've included the function I use to create the signature, if that helps.
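/**
 * Build the URL-encoded OAuth 1.0 HMAC-SHA256 signature for a request.
 *
 * The signature base string is METHOD & encoded URL & encoded parameter list,
 * where the parameter list holds the query string parameters plus the oauth_*
 * parameters, sorted by name. The HMAC key is consumerSecret & tokenSecret.
 *
 * @param reqmeth   HTTP method of the request (upper-cased before signing).
 * @param requrl    Request URL without the query string.
 * @param reqparams Query string parameters as "name=value&name=value".
 * @param nonce     oauth_nonce; must be the same value sent with the request.
 * @param timestamp oauth_timestamp; must be the same value sent with the request.
 * @returns The Base64 signature, URL-encoded for use as oauth_signature.
 *
 * NOTE(review): names and values are joined as given, so reqparams is assumed
 * to be percent-encoded already and to contain no repeated names (a repeated
 * name overwrites the earlier entry in the map) -- confirm against the caller.
 * NOTE(review): qie.urlEncode is assumed to percent-encode per RFC 3986
 * (space as %20, not "+") -- confirm; a form-style encoder produces a
 * different signature for values containing spaces or reserved characters.
 */
function getOauthSig(reqmeth, requrl, reqparams, nonce, timestamp) {
  // TreeMap keeps its keys sorted, which gives the alphabetical parameter
  // order the signature base string requires.
  var map = new java.util.TreeMap();
  var params = StringUtils.splitByWholeSeparatorPreserveAllTokens(reqparams, "&");
  var params2Encode = "";
  for (var i = 0; i < params.length; i++) {
    var item = StringUtils.splitByWholeSeparatorPreserveAllTokens(params[i], "=");
    map.put(item[0], item[1]);
  }
  map.put("oauth_consumer_key", qie.getVariable("nsConsumerKey"));
  map.put("oauth_nonce", nonce);
  map.put("oauth_signature_method", "HMAC-SHA256");
  map.put("oauth_timestamp", timestamp);
  map.put("oauth_token", qie.getVariable("nsTokenId"));
  map.put("oauth_version", "1.0");

  var keys = map.keySet().toArray();
  for (i = 0; i < keys.length; i++) {
    params2Encode += keys[i] + "=" + map.get(keys[i]);
    if (i !== keys.length - 1) {
      params2Encode += "&";
    }
  }

  // The base string is the value to compare against another client when the
  // signatures differ; it contains no secret.
  var valueToEncode = new java.lang.String(
    String(reqmeth).toUpperCase() + "&" +
    qie.urlEncode(requrl) + "&" +
    qie.urlEncode(params2Encode));

  // The signing key is the consumer secret and token secret joined by "&".
  // Never write it to a debug log: anyone holding it can sign requests.
  var key = new java.lang.String(
    qie.getVariable("nsConsumerSecret") + "&" + qie.getVariable("nsTokenSecret"));

  // An explicit charset keeps the result independent of the JVM's platform
  // default encoding.
  var secret_key = new javax.crypto.spec.SecretKeySpec(key.getBytes("UTF-8"), "HmacSHA256");
  var sha256_HMAC = javax.crypto.Mac.getInstance("HmacSHA256");
  sha256_HMAC.init(secret_key);
  var hash = sha256_HMAC.doFinal(valueToEncode.getBytes("UTF-8"));

  // Base64 output can contain "+", "/" and "=", so it is URL-encoded before
  // it is returned.
  var result = qie.urlEncode(java.util.Base64.getEncoder().encodeToString(hash));
  return result;
}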