I was provided a sample Postman collection from NetSuite for their REST web services. I am able to authenticate and use the sample calls. I need to know what Postman uses, exactly, to create the oauth_signature. I tried the realm, consumer key, token key, nonce, and timestamp in my own integration, but the signature comes out differently (even with the same nonce and timestamp hardcoded in both Postman and my integration). Help will be GREATLY appreciated since my forehead is quite flat from the banging against the wall.
Did you find an answer to this question? I also need help creating the oauth_signature.
No. I figured some of it out, but now I'm having trouble when using a POST.
You're not going to get much of a response if you don't include sample requests and screenshots of what you have so far (anonymised where necessary, with the consumer and token secrets redacted), showing where it's different.
Without seeing your requests, I suspect it's due to the Base64 encoding and conversion of some of the elements.
I would also consider using a pre-request script to generate this instead of the built-in authentication.
You have much more control of the request and it's easier to troubleshoot, as you can console log all of the relevant variables to see where the differences are.
This is an example using OAuth2 rather than OAuth 1.0 request signing, but the principle of handling the authentication in a pre-request script is the same.
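// Postman pre-request script: makes sure a usable bearer token is cached in the
// collection variables, requesting a new one from the Microsoft identity
// platform token endpoint when none is stored or the stored one has expired.
//
// Security notes:
// - grant_type "password" (resource owner password credentials) hands the
//   user's password to this script and posts it to the token endpoint. It does
//   not work for accounts that require MFA; use an interactive or
//   client-credentials flow where the API allows it.
// - clientSecret, password and the cached token sit in collection variables.
//   Keep real values out of any collection that is shared or exported.
pm.test("Check for collectionVariables", function () {
  const requiredVars = ['clientId', 'clientSecret', 'tenantId', 'username', 'password', 'scope'];
  requiredVars.forEach(function (item, index) {
    // Logs the variable NAME only; the value is deliberately never printed.
    console.log(item, index);
    pm.expect(pm.collectionVariables.get(item), item + " variable not set").to.not.be.undefined;
    pm.expect(pm.collectionVariables.get(item), item + " variable not set").to.not.be.empty;
  });

  const cachedToken = pm.collectionVariables.get("bearerToken");
  // bearerTokenExpiresOn holds an absolute expiry time in epoch seconds.
  const expiresOnSeconds = Number(pm.collectionVariables.get("bearerTokenExpiresOn"));
  // A missing or non-numeric expiry yields NaN, which is treated as expired.
  const isExpired = !(Date.now() < expiresOnSeconds * 1000);

  if (!cachedToken || isExpired) {
    pm.sendRequest({
      url: 'https://login.microsoftonline.com/' + pm.collectionVariables.get("tenantId") + '/oauth2/v2.0/token',
      method: 'POST',
      header: 'Content-Type: application/x-www-form-urlencoded',
      body: {
        mode: 'urlencoded',
        urlencoded: [
          { key: "client_id", value: pm.collectionVariables.get("clientId"), disabled: false },
          { key: "scope", value: pm.collectionVariables.get("scope"), disabled: false },
          { key: "username", value: pm.collectionVariables.get("username"), disabled: false },
          { key: "password", value: pm.collectionVariables.get("password"), disabled: false },
          { key: "client_secret", value: pm.collectionVariables.get("clientSecret"), disabled: false },
          { key: "grant_type", value: "password", disabled: false },
        ]
      }
    }, function (err, res) {
      if (err) {
        console.log(err);
        return;
      }

      pm.test("Status code is 200", () => {
        pm.expect(res).to.have.status(200);
      });
      if (res.code !== 200) {
        // Nothing from an error response is cached, so a failed login cannot
        // overwrite the stored token with undefined. The body is not logged.
        return;
      }

      const resJson = res.json();
      // expires_in is a lifetime in seconds, not a timestamp. Storing it as-is
      // made the expiry check above always see a 1970 date and fetch a new
      // token on every request, so it is converted to an absolute expiry here.
      const expiresOn = Math.floor(Date.now() / 1000) + Number(resJson.expires_in);
      pm.collectionVariables.set("bearerTokenExpiresOn", expiresOn);
      // NOTE(review): this caches id_token as the bearer credential. An ID token
      // identifies the user to the client; resource APIs normally validate
      // access_token instead - confirm which one the target API expects.
      pm.collectionVariables.set("bearerToken", resJson.id_token);
    });
  }
});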
Any luck with this? I'm attempting to do the same thing; it would be great to know if you've had success.
I did get things figured out. There were a few overlapping issues. I'm using Qvera Interface Engine and there's a "feature" (aka BUG) in which query string parameters are NOT added to the URL, which led to the signature not being correct. Another thing to be mindful of: the parameter list (both OAuth and any additional query string parameters) needs to be in alphabetical order before getting hashed. QIE uses Java/JavaScript-"ish". I've included the function I use to create the signature, if that helps.
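/**
 * Builds the OAuth 1.0 oauth_signature (HMAC-SHA256) for one request.
 *
 * The signature base string is METHOD & encoded-URL & encoded-parameter-string,
 * where the parameter string holds the query parameters plus the oauth_*
 * parameters sorted by name. The HMAC key is consumerSecret & tokenSecret.
 *
 * @param {string} reqmeth   HTTP method; used as given, so pass it upper-case.
 * @param {string} requrl    Request URL without the query string.
 * @param {string} reqparams Query string as "a=1&b=2"; may be empty or null.
 *                           NOTE(review): values are used as given, so this
 *                           assumes they are already percent-encoded - confirm.
 * @param {string} nonce     oauth_nonce; must match the Authorization header.
 * @param {string} timestamp oauth_timestamp; must match the Authorization header.
 * @returns {string} URL-encoded Base64 signature.
 */
function getOauthSig(reqmeth, requrl, reqparams, nonce, timestamp) {
  // TreeMap keeps its keys sorted, which gives the parameter ordering the
  // signature base string needs.
  var map = new java.util.TreeMap();
  var params = StringUtils.splitByWholeSeparatorPreserveAllTokens(reqparams, "&");
  var i;

  // params is null when reqparams is null and empty when it is "".
  if (params != null) {
    for (i = 0; i < params.length; i++) {
      var item = StringUtils.splitByWholeSeparatorPreserveAllTokens(params[i], "=");
      if (item.length === 0) {
        continue; // empty segment, e.g. a stray "&"
      }
      // A name without "=" is signed with an empty value instead of "undefined".
      map.put(item[0], item.length > 1 ? item[1] : "");
    }
  }

  map.put("oauth_consumer_key", qie.getVariable("nsConsumerKey"));
  map.put("oauth_nonce", nonce);
  map.put("oauth_signature_method", "HMAC-SHA256");
  map.put("oauth_timestamp", timestamp);
  map.put("oauth_token", qie.getVariable("nsTokenId"));
  map.put("oauth_version", "1.0");

  var keys = map.keySet().toArray();
  var pairs = [];
  for (i = 0; i < keys.length; i++) {
    pairs.push(keys[i] + "=" + map.get(keys[i]));
  }
  var params2Encode = pairs.join("&");
  // qie.debug("params2Encode = " + params2Encode);

  // NOTE(review): qie.urlEncode is assumed to produce RFC 3986 percent-encoding
  // (space as %20, not "+") - confirm, since any difference changes the signature.
  var valueToEncode = new java.lang.String(
    reqmeth + "&" +
    qie.urlEncode(requrl) + "&" +
    qie.urlEncode(params2Encode));
  // qie.debug("valueToEncode=" + valueToEncode);

  // The signing key is built from both secrets; it must never be written to
  // the debug log, so no debug line is kept for it.
  var key = new java.lang.String(
    qie.getVariable("nsConsumerSecret") + "&" + qie.getVariable("nsTokenSecret"));

  // The charset is named explicitly so the bytes that get signed do not depend
  // on the JVM's platform default encoding.
  var secret_key = new javax.crypto.spec.SecretKeySpec(key.getBytes("UTF-8"), "HmacSHA256");
  var sha256_HMAC = javax.crypto.Mac.getInstance("HmacSHA256");
  sha256_HMAC.init(secret_key);
  var hash = sha256_HMAC.doFinal(valueToEncode.getBytes("UTF-8"));

  var result = qie.urlEncode(java.util.Base64.getEncoder().encodeToString(hash));
  // qie.debug("result=" + result);
  return result;
}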