Understanding the signature base URL used by Postman for OAuth 1.0

I am trying to call an API with OAuth 1.0 authentication. I am seeing that Postman generates a completely different signature even though I am using the same details to hash the signature. I believe the issue is with how Postman generates the signature base URL. Details are below:
URL: https://localhost:4567/fun
consumerkey: a
consumersecret: b
token: 123
tokensecret: abc

signature base string: GET&https%3A%2F%2Flocalhost%3A4567%2Ffun&oauth_consumer_key%3Da%26oauth_nonce%3D3%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D123%26oauth_token%3D123%26oauth_version%3D1.0

signature generated: 9GMRODNu5WWnQPMoPrJWqsT4nVI%3D

But Postman generated a completely different signature for the same details.

postman signature: XAhLtCyO4m8BHcIPuCNTV4czKfM%3D

Postman request code:
GET /fun? HTTP/1.1
Host: localhost:4567
Authorization: OAuth oauth_consumer_key="a",oauth_token="123",oauth_signature_method="HMAC-SHA1",oauth_timestamp="123",oauth_nonce="3",oauth_version="1.0",oauth_signature="XAhLtCyO4m8BHcIPuCNTV4czKfM%3D"

Can you help me with the Postman format for the signature base string?

It seems impossible to solve this riddle. The question has been asked hundreds of times in various forums, but no answers are forthcoming. You'd think somebody who worked on the OAuth implementation for Postman would come forward with some clues, but no. Radio silence.

Now I am in a position where the signature generated by my code is exactly the same as the one I get if I run the same set of parameters through the extremely useful tool at http://lti.tools/oauth/. But still the Postman-generated signature is different.

The only thing I can conclude is that Postman is encoding some other element into the base string, or using a different algorithm for HMAC-SHA256, or doing some other funky thing with the encoding of one of the components of the base string. It's extremely frustrating because Postman has a working OAuth 1.0 implementation that is compatible with NetSuite (and probably other APIs) and all I need to do is reproduce it. But the recipe is completely hidden as far as I can tell.

Thank you for your patience,
I’m a PM working in the API Client team in Postman.

I checked your request, and I was able to verify this issue.
This is because Postman adds a random nonce when the nonce field is left empty.

Please try adding a custom timestamp and a custom nonce (like in http://lti.tools/oauth/) to get the same signature. I have verified this and it works.

You can add a custom nonce in the advanced configuration section in Postman’s OAuth1 Authorization settings.

Let me know if this solves your issue.

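The point the Postman reply makes is that the signature is only reproducible when every input to the base string is pinned, and the nonce is the one input a client silently randomises. The following is an added example (not code from the thread, from Postman or from lti.tools) that builds an RFC 5849 HMAC-SHA1 signature step by step, so each intermediate (base string URI, normalised parameters, signing key, signature, Authorization header) can be compared with what Postman sends. It goes slightly beyond the thread by also folding query-string and form-body parameters into the normalised parameter list, as the RFC requires. The credentials ("a", "b", "123", "abc"), nonce "3" and timestamp "123" are the poster's test values from above, not real secrets; function names are the example's own.

```python
"""OAuth 1.0 (RFC 5849) HMAC-SHA1 signing, exposed step by step.

Added example. Values "a"/"b"/"123"/"abc" are the thread's test data.
"""
import base64
import hashlib
import hmac
import os
import time
from typing import Optional
from urllib.parse import parse_qsl, quote, urlsplit


def oauth_encode(value: str) -> str:
    """RFC 5849 3.6: percent-encode everything except ALPHA, DIGIT, '-', '.', '_', '~'."""
    return quote(value, safe="-._~")


def base_string_uri(url: str) -> str:
    """RFC 5849 3.4.1.2: lowercase scheme/host, drop default port, drop query and fragment."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port is not None and not default:
        host = f"{host}:{port}"  # non-default port (4567 in the thread) must stay in
    return f"{scheme}://{host}{parts.path or '/'}"


def normalized_params(oauth_params: dict, url: str, body_params: Optional[dict] = None) -> str:
    """RFC 5849 3.4.1.3: oauth_* params + query string + form body, encoded, sorted by
    name then value, joined as name=value&...  oauth_signature itself is never included."""
    pairs = [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    pairs += parse_qsl(urlsplit(url).query, keep_blank_values=True)  # decoded, re-encoded below
    pairs += list((body_params or {}).items())
    encoded = sorted((oauth_encode(str(k)), oauth_encode(str(v))) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, oauth_params: dict,
                          body_params: Optional[dict] = None) -> str:
    """RFC 5849 3.4.1.1: METHOD & encode(base URI) & encode(normalised params)."""
    return "&".join([method.upper(),
                     oauth_encode(base_string_uri(url)),
                     oauth_encode(normalized_params(oauth_params, url, body_params))])


def signing_key(consumer_secret: str, token_secret: str = "") -> bytes:
    """RFC 5849 3.4.2: encode(consumer secret) & encode(token secret); '&' stays even if empty."""
    return f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    digest = hmac.new(signing_key(consumer_secret, token_secret),
                      base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_authorization_header(method, url, consumer_key, consumer_secret, token, token_secret,
                               nonce=None, timestamp=None, body_params=None):
    """Return (Authorization header value, base string, signature).

    nonce=None / timestamp=None mimics a client's default: fresh random values each call,
    which is exactly why an unpinned nonce yields a different signature on every run."""
    if nonce is None:
        nonce = base64.urlsafe_b64encode(os.urandom(16)).decode().rstrip("=")
    if timestamp is None:
        timestamp = int(time.time())
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, params, body_params)
    sig = hmac_sha1_signature(base, consumer_secret, token_secret)
    params["oauth_signature"] = sig
    # RFC 5849 3.5.1: header parameters are percent-encoded, so '=' in the signature becomes %3D
    header = "OAuth " + ",".join(f'{oauth_encode(k)}="{oauth_encode(v)}"' for k, v in params.items())
    return header, base, sig


def thread_example():
    """The thread's request with nonce and timestamp pinned to the values the poster used."""
    return build_authorization_header("GET", "https://localhost:4567/fun",
                                      "a", "b", "123", "abc", nonce="3", timestamp=123)


if __name__ == "__main__":
    header, base, sig = thread_example()
    print("base string:", base)
    print("signature  :", sig)
    print("header     :", header)
    # Same inputs except an unpinned nonce: a different signature every time.
    _, _, sig_random = build_authorization_header("GET", "https://localhost:4567/fun",
                                                  "a", "b", "123", "abc", timestamp=123)
    print("random-nonce signature differs:", sig_random != sig)
```

To compare with a client, print the base string first and diff it against the client's: the parameter order, the presence of the port, and the two-level percent-encoding are where hand-rolled implementations usually drift. Only once the base strings agree does it make sense to look at the key (note the `&` separator is mandatory even with an empty token secret).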