OAuth 1.0 Generate Authorization header

I have a static service URI (https://some_service.com/api/v4/media/) with a dynamically updated resource id (A4C18068-64B3-4F03-A911EBEAD71D5FDD):
https://some_service.com/api/v4/media/A4C18068-64B3-4F03-A911EBEAD71D5FDD/

I also have: oauth_consumer_key, oauth_consumer_secret, oauth_token, oauth_token_secret.

I am looking for a solution to generate an Authorization header (with the OAuth 1.0 policy) and pass it to a proxy endpoint service.

Here is the header sample I expect to have:
OAuth oauth_consumer_key="AAFB4C3B-0000-0000-AF13C2B5F81A286A",oauth_token="D3AC61A7-0000-0000-ADA39A41DB5A0C93",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1562768908",oauth_nonce="1042935",oauth_version="1.0",oauth_signature="XKGhKRgqVOtK8sIkCzWpDcn2bys="

The Postman application generates a correct header and the whole service call works fine:

Here is my Apigee project with the OAuth 1.0 policy I am desperately trying to configure:

Here is the Authorization header that is currently hard-coded:

The solution works fine with this hard-coded header. But because the proxy endpoint service URL is dynamically updated, I need to dynamically sign it with the OAuth 1.0 policy.

Thanks in advance.


I think you're barking up the wrong tree.

The OAuthV1.0a policy in Apigee Edge is designed to allow you to implement an OAuthV1.0a-protected endpoint in Apigee Edge. In particular, the GenerateAccessToken operation is designed to generate an access token in exchange for a request token that Apigee Edge has previously generated. To use it, you would need to first generate the request token, and then the verifier, and then you could use the GenerateAccessToken step to redeem the verifier for an access token.

The OAuthV1.0a policy is not designed to allow you to generate a token that would then be usable to invoke another external OAuthV1.0a-protected endpoint, which is your use case, I think.

I can understand the confusion, because I have just now re-examined the documentation page for the OAuthv1.0a policy and in my opinion, the doc is not clear on this point.

If I wanted to do what you described - generate an OAuthV1.0a token within Apigee Edge for use with an external site - I'd probably rely on a JavaScript callout, or maybe even a hosted target, to do the signing and header injection.

Here's an API Proxy that shows how to compute an OAuthV1.0a signature in a JS callout within Apigee Edge. It uses the sjcl.js library within the callout to compute the HMAC.

apiproxy-oauthv10-client.zip
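The signing steps discussed above (RFC 5849, HMAC-SHA1), as an added example that is not part of the original thread or the attached proxy. It assumes Node.js with its built-in crypto module and URL class; the function names and the placeholder secrets are constructed for illustration, while the URL and key identifiers are the samples from the question.

```javascript
// Added example for Node.js; not the code from the thread's attachment or screenshot.
const crypto = require("crypto");

// RFC 3986 percent-encoding as required by RFC 5849 section 3.6
function pctEncode(s) {
  return encodeURIComponent(String(s)).replace(/[!'()*]/g,
    c => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

// Signature base string: METHOD & base URI & sorted, encoded parameters
function signatureBaseString(method, rawUrl, oauthParams) {
  const url = new URL(rawUrl); // query parameters must be signed too
  const pairs = Object.entries(oauthParams).concat([...url.searchParams]);
  const normalized = pairs
    .map(([k, v]) => [pctEncode(k), pctEncode(v)])
    .sort((a, b) => (a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : a[1] < b[1] ? -1 : a[1] > b[1] ? 1 : 0))
    .map(([k, v]) => k + "=" + v)
    .join("&");
  return [method.toUpperCase(), pctEncode(url.origin + url.pathname), pctEncode(normalized)].join("&");
}

// Build the Authorization header value. opts.timestamp and opts.nonce can be
// pinned so the output is comparable with a known-good request.
function authorizationHeader(method, rawUrl, creds, opts = {}) {
  const oauth = {
    oauth_consumer_key: creds.consumerKey,
    oauth_token: creds.token,
    oauth_signature_method: "HMAC-SHA1",
    oauth_timestamp: opts.timestamp || Math.floor(Date.now() / 1000).toString(),
    oauth_nonce: opts.nonce || crypto.randomBytes(16).toString("hex"),
    oauth_version: "1.0",
  };
  const key = pctEncode(creds.consumerSecret) + "&" + pctEncode(creds.tokenSecret);
  oauth.oauth_signature = crypto.createHmac("sha1", key)
    .update(signatureBaseString(method, rawUrl, oauth)).digest("base64");
  return "OAuth " + Object.entries(oauth) // values percent-encoded per RFC 5849 section 3.5.1
    .map(([k, v]) => k + '="' + pctEncode(v) + '"').join(",");
}

// Constructed sample input: identifiers from the question, placeholder secrets.
const SAMPLE_URL = "https://some_service.com/api/v4/media/A4C18068-64B3-4F03-A911EBEAD71D5FDD/";
const SAMPLE_CREDS = {
  consumerKey: "AAFB4C3B-0000-0000-AF13C2B5F81A286A",
  consumerSecret: "PLACEHOLDER-CONSUMER-SECRET",
  token: "D3AC61A7-0000-0000-ADA39A41DB5A0C93",
  tokenSecret: "PLACEHOLDER-TOKEN-SECRET",
};
```

Pinning the timestamp and nonce to the values of a request that is known to work makes the base string and signature directly comparable when the backend reports an invalid signature. Inside an Edge JS callout the HMAC step would come from a bundled library such as the sjcl.js mentioned above rather than Node's crypto module.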

Thank you! I have already solved the issue using js:

8915-js.png

Nice! Simple and easy.

@Vadim Kirikov -

We have the same requirement where our backend supports only OAuth 1.0. I am trying to generate the OAuth signature and having issues with it.

I am trying to implement it using the above snippet.

Method : POST

Signature : HMAC-SHA1

I have consumer key, consumer secret, OAuth Token, Token Secret. If possible, could you please share the Crypto JS file you have used for generating the signature?

Look at the comment I appended to my answer - there is a working example of a proxy that generates an OAuth 1.0a signature.

Thanks @Dino-at-Google. I will try it out.

@Dino-at-Google

I have tried it out and was able to generate the signature. But if I use that signature in the request header, I see an Invalid OAuth signature error from the backend. But if I try it out using Postman, I am getting a success response.

Sorry that it's not working. OAuth v1.0a is known for being a little tricky to implement. You need to take care to make sure each of the parameters in the signature uses the value you expect (version, nonce, timestamp, signature_method, etc.). Check them all.

@Dino-at-Google,

There was no issue with the proxy. Whatever signature the method generated was valid. The backend team had some configuration issues due to which it was failing. It is working perfectly 🙂

Glad to hear it!

I tried using this but I am getting an error like CryptoToJS is undefined.

Can you be more specific about "tried using this"? What specifically are you using? And can you provide lots of detail about HOW you are using it? Where do you see the error? Remember, we cannot see your screen.

I have tried the way they mentioned in the screenshot. I have the consumer key, consumer secret, signature method, access token and token secret. How can I get the oauth signature, oauth timestamp and oauth nonce in Apigee?

Can you please provide me the logic for the oauth signature?

Screenshot_2023-04-29-23-29-52-611_com.android.chrome.jpg

This is the method I have tried, but the error is CryptoToJS not defined.

I tried the same way but I am getting an error like CryptoToJS is undefined.