I am trying to call an API with OAuth 1.0 authentication. I am seeing that Postman is generating a completely different signature even though I am using the same details to hash the signature. I believe the issue is with how Postman generates the signature base URL. Details are below.
URL: https://localhost:4567/fun
consumerkey: a
consumersecret: b
token: 123
tokensecret: abc
signature base string: GET&https%3A%2F%2Flocalhost%3A4567%2Ffun&oauth_consumer_key%3Da%26oauth_nonce%3D3%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D123%26oauth_token%3D123%26oauth_version%3D1.0
It seems impossible to solve this riddle. The question has been asked hundreds of times in various forums but no answers are forthcoming. You’d think somebody that worked on the OAuth implementation for Postman would come forward with some clues, but no. Radio silence.
Now I am in a position where the signature generated by my code is exactly the same as the one I get if I run the same set of parameters through the extremely useful tool at http://lti.tools/oauth/. But still the Postman-generated signature is different.
The only thing I can conclude is that Postman is encoding some other element into the base string, or using a different algorithm for HMAC-SHA256, or doing some other funky thing with encoding one of the components of the base string. It’s extremely frustrating because Postman has a working OAuth 1.0 implementation that is compatible with Netsuite (and probably other APIs) and all I need to do is reproduce it. But the recipe is completely hidden as far as I can tell.
Thank you for your patience,
I’m a PM working in the API Client team in Postman.
I checked your request, and I was able to verify this issue.
This is because Postman adds a random nonce when the nonce field is left empty.
Please try adding a custom timestamp and a custom nonce (like in http://lti.tools/oauth/) to get a similar signature. I have verified this and it works.
You can add a custom nonce in the advanced configuration section in Postman’s OAuth1 Authorization settings.
I am having the exact same issue. However, I have gone a bit farther with this.
Postman works. Connects to the API and returns my tokens as expected. So I would like to see the details on the parameters list and other information so I can validate my code.
The signature created by my code matches http://lti.tools/oauth/ precisely, 100% of the time. But this signature does NOT match Postman, even when Postman’s nonce and timestamp are copied into http://lti.tools/oauth/. This is rejected by my API with a 401 error saying “signature invalid”.
This has to be due to the parameters list being different as http://lti.tools/oauth/ should be fully OAuth 1.0 compliant. I have been fighting this for several weeks and have no other options except to ask here.
Postman WORKS…every time. The concern is getting my code to replicate Postman’s success. I struggled until I found http://lti.tools/oauth/. I walked through the entire process, validating my parameter string (which was already correct) and creating my base string. I found some inconsistency in the library that was doing the HMAC SHA1 hashing and found a better alternative. My signature now matches the tools site above 100% of the time.
So, I have tried your method mentioned previously, and got a positive response from Etrade via Postman’s interface with a signature of U%2BFPUOnjSzKGg7eGHE4pow35X7w%3D (used actual timestamp value and a nonce=1234567890). The tool above gives the signature as F9iCLJd6NOy+rEU/IheVeEt6QyM= (not URL encoded) for the exact same values. Again, they do not match.
So, I have three versions that I am trying to validate. Postman works. The other two do not but they match. Hence, I can only assume that there is something in the way the parameter string, the base string and/or the signing key are created that is different. I do not have an Access Token nor an Access Secret at this point (I am trying to obtain those from the API). So these values are blank in Postman.
This process is connecting to E-Trade’s API. Their documentation has issues as many have pointed out. I was hoping that I could trial and error my way to success. I was thrilled when Postman connected and obtained the Access Token and Access Secret. But that is as far as I have gotten. I cannot for the life of me replicate Postman’s success.
Well, it was not working for me yet. The issue was to REPLICATE Postman’s signature as I knew it worked. But there are no details on how Postman created its signature. I removed the oauth_callback details from Postman and was able to get a matching signature from all three platforms. At that point, it was just trial and error until I was able to match Postman’s signature.
The difference turned out to be that the oauth_callback needs to be included in the parameter list before creating the signature. The link to the oauth authentication toolset above does not include the oauth_callback. This appears to be an Etrade specific item. The parameter string should be
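An added example, not written by anyone in this thread: a Python implementation of the OAuth 1.0 (RFC 5849) HMAC-SHA1 signing steps under discussion. It reproduces the signature base string from the original post (GET https://localhost:4567/fun, consumer key a / secret b, token 123 / secret abc, nonce 3, timestamp 123) and shows that an extra oauth_callback parameter sorts into the normalized parameter list and therefore changes the signature; the callback value "oob" is a constructed sample, not taken from the thread.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(value):
    """RFC 5849 percent-encoding: only ALPHA / DIGIT / '-' / '.' / '_' / '~' stay bare."""
    return quote(str(value), safe="-._~")

def normalize_url(url):
    """Base string URI: lowercase scheme and host, drop default port, query and fragment."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    host = parts.hostname.lower()
    netloc = host if parts.port in (None, default_port) else f"{host}:{parts.port}"
    return f"{scheme}://{netloc}{parts.path or '/'}"

def signature_base_string(method, url, oauth_params):
    """METHOD&URL&PARAMS, with the URL's query string folded into the parameter set."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    params.update(oauth_params)
    params.pop("oauth_signature", None)  # never part of its own base string
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(normalize_url(url)), pct(normalized)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Key = encoded consumer secret + '&' + encoded token secret (the '&' stays even if empty)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

# Parameters from the original post; nonce and timestamp pinned, as the Postman PM suggested.
ORIGINAL_POST_PARAMS = {
    "oauth_consumer_key": "a",
    "oauth_nonce": "3",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "123",
    "oauth_token": "123",
    "oauth_version": "1.0",
}

def original_post_base_string():
    return signature_base_string("GET", "https://localhost:4567/fun", ORIGINAL_POST_PARAMS)

def with_callback_base_string(callback="oob"):
    """Same request plus oauth_callback (constructed value): it lands first in sort order."""
    return signature_base_string("GET", "https://localhost:4567/fun",
                                 {**ORIGINAL_POST_PARAMS, "oauth_callback": callback})
```

Signing with `hmac_sha1_signature(original_post_base_string(), "b", "abc")` yields the raw base64 value; the `oauth_signature` header parameter is that value percent-encoded once more, which is why Postman shows `%2B` and `%3D` where a tool prints `+` and `=`.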