OAuth / TestCases

OAuth / TestCases

Here are test cases for OAuth algorithms.

To discuss this page, please use the Test Cases thread in the Google Group OAuth.

There are several interactive tools that implement OAuth algorithms:

  • Netflix web page to compute signatures (by JR Conlin)
  • Googlecode web page to compute signatures (by John Kristian)
  • Mashery Windows application (by Rob Richards) 

Parameter Encoding (section 5.1)

 In this table, U+xxxx means the character whose Unicode code point is xxxx (in hexadecimal notation).

parameter name or value encoded
abcABC123 abcABC123
-._~ -._~
% %25
+ %2B
&=* %26%3D%2A
U+000A (LF) %0A
U+0020 (space) %20
U+007F %7F
U+0080 %C2%80
U+3001 %E3%80%81

Authorization Header (section 5.4.1)

Normalize Request Parameters (section 9.1.1)

In this table, parameters are shown as a document of MIME type application/x-www-form-urlencoded that conforms to HTML 4.01 section 17.13.4.1. Note that ‘+’ represents a space, in the parameters column (as in a URL query string).

parameters normalized
name name=
a=b a=b
a=b&c=d a=b&c=d
a=x!y&a=x+y a=x%20y&a=x%21y
x!y=a&x=a x=a&x%21y=a

Concatenate Request Elements (section 9.1.2)

In this table, parameters are shown as a document of MIME type application/x-www-form-urlencoded that conforms to HTML 4.01 section 17.13.4.1, with some white space inserted for legibility.

HMAC-SHA1 (section 9.2)

Consumer Secret Token Secret Base String Signature
cs   bs egQqG5AJep5sJ7anhXju1unge2I=
cs ts bs VZVjXceV7JgPq/dOTnNmEfO0Fv8=
kd94hf93k423kf44 pfkkdhi9sl3r4s00 GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal tR3+Ty81lMeYAr/Fid0kMTYa/WM=

RSA-SHA1 (section 9.3) 

Consumer Key: dpf43f3p2l4k3l03
Private Key (PKCS#8 and Base64-encoded):
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALRiMLAh9iimur8V A7qVvdqxevEuUkW4K+2KdMXmnQbG9Aa7k7eBjK1S+0LYmVjPKlJGNXHDGuy5Fw/d 7rjVJ0BLB+ubPK8iA/Tw3hLQgXMRRGRXXCn8ikfuQfjUS1uZSatdLB81mydBETlJ hI6GH4twrbDJCR2Bwy/XWXgqgGRzAgMBAAECgYBYWVtleUzavkbrPjy0T5FMou8H X9u2AC2ry8vD/l7cqedtwMPp9k7TubgNFo+NGvKsl2ynyprOZR1xjQ7WgrgVB+mm uScOM/5HVceFuGRDhYTCObE+y1kxRloNYXnx3ei1zbeYLPCHdhxRYW7T0qcynNmw rn05/KO2RLjgQNalsQJBANeA3Q4Nugqy4QBUCEC09SqylT2K9FrrItqL2QKc9v0Z zO2uwllCbg0dwpVuYPYXYvikNHHg+aCWF+VXsb9rpPsCQQDWR9TT4ORdzoj+Nccn qkMsDmzt0EfNaAOwHOmVJ2RVBspPcxt5iN4HI7HNeG6U5YsFBb+/GZbgfBT3kpNG WPTpAkBI+gFhjfJvRw38n3g/+UeAkwMI2TJQS4n8+hid0uus3/zOjDySH3XHCUno cn1xOJAyZODBo47E+67R4jV1/gzbAkEAklJaspRPXP877NssM5nAZMU0/O/NGCZ+ 3jPgDUno6WbJn5cqm8MqWhW1xGkImgRk+fkDBquiq4gPiT898jusgQJAd5Zrr6Q8 AO/0isr/3aa6O6NLQxISLKcPDk2NOccAfS/xOtfOz4sJYM3+Bs4Io9+dZGSDCA54 Lw03eHTNQghS0A==

Certificate:
-----BEGIN CERTIFICATE----- MIIBpjCCAQ+gAwIBAgIBATANBgkqhkiG9w0BAQUFADAZMRcwFQYDVQQDDA5UZXN0 IFByaW5jaXBhbDAeFw03MDAxMDEwODAwMDBaFw0zODEyMzEwODAwMDBaMBkxFzAV BgNVBAMMDlRlc3QgUHJpbmNpcGFsMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB gQC0YjCwIfYoprq/FQO6lb3asXrxLlJFuCvtinTF5p0GxvQGu5O3gYytUvtC2JlY zypSRjVxwxrsuRcP3e641SdASwfrmzyvIgP08N4S0IFzEURkV1wp/IpH7kH41Etb mUmrXSwfNZsnQRE5SYSOhh+LcK2wyQkdgcMv11l4KoBkcwIDAQABMA0GCSqGSIb3 DQEBBQUAA4GBAGZLPEuJ5SiJ2ryq+CmEGOXfvlTtEL2nuGtr9PewxkgnOjZpUy+d 4TvuXJbNQc8f4AMWL/tO9w0Fk80rWKp9ea8/df4qMq5qlFWlx6yOLQxumNOmECKb WpkUQDIDJEoFUzKMVuJf4KO/FJ345+BNLGgbJ6WujreoM1X/gYfdnJ/J -----END CERTIFICATE-----

HTTP URL: http://photos.example.net/photos
Parameters oauth_signature_method=RSA-SHA1, oauth_version=1.0, oauth_consumer_key=dpf43f3p2l4k3l03, oauth_timestamp=1196666512, oauth_nonce=13917289812797014437, file=vacaction.jpg, size=original
Base String:
GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacaction.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3D13917289812797014437%26oauth_signature_method%3DRSA-SHA1%26oauth_timestamp%3D1196666512%26oauth_version%3D1.0%26size%3Doriginal

Signature:
jvTp/wX1TYtByB1m+Pbyo0lnCOLIsyGCH7wke8AUs3BpnwZJtAuEJkvQL2/9n4s5wUmUl4aCI4BwpraNx4RtEXMe5qg5T1LVTGliMRpKasKsW//e+RinhejgCuzoH26dyF8iY2ZZ/5D1ilgeijhV/vBka5twt399mXwaYdCwFYE=

Complete signed URL:
http://photos.example.net/photos?oauth_signature_method=RSA-SHA1&oauth_version=1.0&oauth_consumer_key=dpf43f3p2l4k3l03&oauth_timestamp=1196666512&oauth_nonce=13917289812797014437&file=vacaction.jpg&size=original&oauth_signature=jvTp%2FwX1TYtByB1m%2BPbyo0lnCOLIsyGCH7wke8AUs3BpnwZJtAuEJkvQL2%2F9n4s5wUmUl4aCI4BwpraNx4RtEXMe5qg5T1LVTGliMRpKasKsW%2F%2Fe%2BRinhejgCuzoH26dyF8iY2ZZ%2F5D1ilgeijhV%2FvBka5twt399mXwaYdCwFYE%3D

1 Note that HTTP does not allow empty absolute paths, so the URL ‘http://example.com‘ is equivalent to ‘http://example.com/‘ and should be treated as such for the purposes of OAuth signing (rfc2616, section 3.2.1)

Leave a Reply

Leave a Reply