OAuth 1.0 Signature Generation

I was provided a sample Postman collection from NetSuite for their REST web services. I am able to authenticate and use the sample calls. I need to know what Postman uses, exactly, to create the oauth_signature. I tried the realm, consumer key, token key, nonce, and timestamp in my own integration but the signature comes out differently (when I have the same nonce and timestamp hardcoded in Postman and my integration). Help will be GREATLY appreciated since my forehead is quite flat from the banging against the wall.


did you find an answer to this question? I also need help creating oauth_signature.

No. I figured some of it out but now I’m having trouble when using a POST.

You're not going to get much of a response if you don’t include sample requests and screenshots of what you have so far (anonymised where necessary), showing where it's different.

Without seeing your requests, I suspect it's due to the base64 encoding and conversion of some of the elements.

I would also consider using the pre-request script to generate this instead of the built in authentication.

You have much more control of the request and it's easier to troubleshoot, as you can console log all of the relevant variables to see where the differences are.

This is an example that uses OAuth2 (it fetches a bearer token in a pre-request script rather than computing a signature), but the principle is the same.

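pm.test("Check for collectionVariables", function () {
    // Inputs for the token request. clientSecret and password are credentials, and
    // collection variables are stored with the collection, so check how the collection
    // is shared or exported before putting real values in them.
    const requiredVars = ['clientId', 'clientSecret', 'tenantId', 'username', 'password', 'scope'];
    requiredVars.forEach(function (item, index) {
        // Logs the variable name and position only; the values stay out of the console.
        console.log(item, index);
        const value = pm.collectionVariables.get(item);
        pm.expect(value, item + " variable not set").to.not.be.undefined;
        pm.expect(value, item + " variable not set").to.not.be.empty;
    });

    // bearerTokenExpiresOn holds an absolute expiry in epoch seconds. A missing or
    // non-numeric value counts as expired so that a fresh token is requested.
    const expiresOn = Number(pm.collectionVariables.get("bearerTokenExpiresOn"));
    const tokenMissing = !pm.collectionVariables.get("bearerToken");
    const tokenExpired = !Number.isFinite(expiresOn) || Date.now() > expiresOn * 1000;

    if (tokenMissing || tokenExpired) {
        // grant_type "password" is the resource owner password credentials grant: this
        // script handles the user's password directly and sends it to the token endpoint.
        pm.sendRequest({
            url: 'https://login.microsoftonline.com/' + pm.collectionVariables.get("tenantId") + '/oauth2/v2.0/token',
            method: 'POST',
            header: 'Content-Type: application/x-www-form-urlencoded',
            body: {
                mode: 'urlencoded',
                urlencoded: [
                    { key: "client_id", value: pm.collectionVariables.get("clientId"), disabled: false },
                    { key: "scope", value: pm.collectionVariables.get("scope"), disabled: false },
                    { key: "username", value: pm.collectionVariables.get("username"), disabled: false },
                    { key: "password", value: pm.collectionVariables.get("password"), disabled: false },
                    { key: "client_secret", value: pm.collectionVariables.get("clientSecret"), disabled: false },
                    { key: "grant_type", value: "password", disabled: false },
                ]
            }
        }, function (err, res) {
            if (err) {
                console.log(err);
                return;
            }

            pm.test("Status code is 200", () => {
                pm.expect(res).to.have.status(200);
            });
            if (res.code !== 200) {
                // Cache nothing from an error response, and keep its body out of the log.
                return;
            }

            const resJson = res.json();
            // expires_in is a lifetime in seconds, not a timestamp. Storing it unchanged made
            // the expiry check compare against a date in 1970, so the token was re-requested
            // on every run. Convert it to an absolute expiry in epoch seconds instead.
            pm.collectionVariables.set(
                "bearerTokenExpiresOn",
                Math.floor(Date.now() / 1000) + Number(resJson.expires_in)
            );
            // NOTE(review): the id_token is stored as the bearer token; confirm the target
            // API expects the id_token here rather than the access_token.
            pm.collectionVariables.set("bearerToken", resJson.id_token);
        });
    }
});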

Any luck with this? I’m attempting to do the same thing it would be great to know if you’ve had success

I did get things figured out. There were a few overlapping issues. I’m using Qvera Interface Engine and there’s a “feature” (aka BUG) in which query string parameters are NOT added to the URL, which led to the signature not being correct. Another thing to be mindful of: the parameter list (both the OAuth parameters and any additional query string parameters) needs to be in alphabetical order before getting hashed. QIE uses Java/JavaScript “ish”. I’ve included the function I use to create the signature, if that helps.

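/**
 * Builds the oauth_signature value (HMAC-SHA256) for an OAuth 1.0 request, for use in a
 * Qvera Interface Engine (QIE) script.
 *
 * The signature base string is METHOD & encoded URL & encoded parameter string, where the
 * parameter string holds the query parameters plus the oauth_* parameters sorted by name.
 * The realm is not added to the parameter set. The signing key is the consumer secret and
 * the token secret joined by '&'.
 *
 * @param {string} reqmeth   HTTP method; upper-cased before signing.
 * @param {string} requrl    Request URL. NOTE(review): presumably passed without its query
 *                           string, since the query parameters arrive in reqparams; confirm
 *                           against the caller.
 * @param {string} reqparams Query parameters as "name=value" pairs joined by '&'; may be empty.
 *                           They are used as given, so they must already be percent-encoded
 *                           the way they appear on the wire.
 * @param {string} nonce     oauth_nonce; must be the same value sent with the request.
 * @param {string} timestamp oauth_timestamp; must be the same value sent with the request.
 * @returns {string} URL-encoded Base64 of the HMAC-SHA256 digest.
 */
function getOauthSig(reqmeth, requrl, reqparams, nonce, timestamp) {
    // An explicit charset keeps the signed bytes independent of the JVM's default charset.
    var UTF8 = 'UTF-8';

    // TreeMap iterates its keys in sorted order, which gives the required name ordering.
    // NOTE(review): a map keeps one value per name, so a repeated query parameter is
    // signed only once; confirm no request repeats a parameter name.
    var map = new java.util.TreeMap();
    var params = StringUtils.splitByWholeSeparatorPreserveAllTokens(reqparams, '&');
    var i;

    for (i = 0; params != null && i < params.length; i++) {
        var pair = String(params[i]);
        if (pair.length === 0) {
            continue; // empty token, e.g. from a trailing '&'
        }
        // Split on the first '=' only, so a value that itself contains '=' is kept whole
        // and a name without '=' gets an empty value.
        var eq = pair.indexOf('=');
        var name = eq === -1 ? pair : pair.substring(0, eq);
        var value = eq === -1 ? '' : pair.substring(eq + 1);
        map.put(name, value);
    }
    map.put('oauth_consumer_key', qie.getVariable('nsConsumerKey'));
    map.put('oauth_nonce', nonce);
    // Must name the same algorithm as the Mac instance created below.
    map.put('oauth_signature_method', 'HMAC-SHA256');
    map.put('oauth_timestamp', timestamp);
    map.put('oauth_token', qie.getVariable('nsTokenId'));
    map.put('oauth_version', '1.0');

    var keys = map.keySet().toArray();
    var pairs = [];
    for (i = 0; i < keys.length; i++) {
        pairs.push(keys[i] + '=' + map.get(keys[i]));
    }
    var params2Encode = pairs.join('&');

    // NOTE(review): OAuth 1.0 expects RFC 3986 percent-encoding (space as %20, '~' left
    // unescaped); confirm that qie.urlEncode behaves that way.
    var valueToEncode = new java.lang.String(
        String(reqmeth).toUpperCase() + '&' +
        qie.urlEncode(requrl) + '&' +
        qie.urlEncode(params2Encode));
    // qie.debug('valueToEncode=' + valueToEncode);

    // The signing key is built from both secrets. Never write it to the debug log.
    var key = new java.lang.String(
        qie.getVariable('nsConsumerSecret') + '&' + qie.getVariable('nsTokenSecret'));

    var secret_key = new javax.crypto.spec.SecretKeySpec(key.getBytes(UTF8), 'HmacSHA256');
    var sha256_HMAC = javax.crypto.Mac.getInstance('HmacSHA256');
    sha256_HMAC.init(secret_key);

    var hash = sha256_HMAC.doFinal(valueToEncode.getBytes(UTF8));

    // Base64 output can contain '+', '/' and '=', so it is URL-encoded before it is returned.
    return qie.urlEncode(java.util.Base64.getEncoder().encodeToString(hash));
}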