oAuth HMAC-SHA1 Signature Support

Question

I am investigating tools for our org for automated testing of our RESTful SOA using oAuth.  We stopped a POC with another tool.  We ran across an issue with their support of the tools ability to sign the oAuth request using HMAC-SHA1 signature.  I am in the process of reviewing soapUI as the tool we would use for our testing.  However, after reviewing soapUI doc I don't see the directions on how to sign the requests. Any help please?

smartbear_suppo · Answer

Hi again,I found this image: http://oauth.net/core/diagram.pngThere seem to be two types of oAuth tokens, Request and Access, should soapUI provide an option for which to send? (and the corresponding parameters) Or could soapUI automatically handle Request -&gt; Access Token processing somehow!? What is good enough to get you started?regards!/Oleeviware.com

irose · Answer

Hi There,Appreciate your response.  Please use these examples for OAuth v1 protocol:1. Create Request TokenURL:http://SERVER_NAME/OAuth/api/v1/requestTokenDescription:validate return code, oauth_token, and oauth_token_secret received from service call Sample Payload:POST /OAuth/api/v1/requestToken HTTP/1.1Authorization: OAuth oauth_callback="http%3A%2F%2Fclient.example.net%3Fcb%3Dx%26t1%3D8",oauth_signature="RPOEnCcsgeApemXKEdkmL2STfek%3D",oauth_version="1.0",oauth_nonce="20fc8192-3018-4640-851f-53afb87bb57b",oauth_consumer_key="Ow91XrHaMa96EXywhFAzx9ugDZSyqgRa99EjeQpHzIb2gUgyij0dXI9",oauth_signature_method="HMAC-SHA1",oauth_token="",oauth_timestamp="1291832574"Host: SERVER_NAMESample Response:HTTP/1.1 200 OKDate: Mon, 13 Dec 2010 21:56:51 GMTContent-Type: application/x-www-form-urlencodedServer: Jetty(7.0.2.v20100331)Content-Length: 172oauth_callback_confirmed=true&amp;oauth_token=fLgHIOJczx9d9JRC0SSMa9jXQinjZJRa9BnpOjoHtyy9NxOMMWbMIb2&amp;oauth_token_secret=40mjSR07fq9c2MgAKGcft2UqjZHb87Oa9GQWqzBXZLy9BHusta8vJV92. Authorize Request TokenPOST URL:http://SERVER_NAME/OAuth/api/authorize? ... xOMMWbMIb2Description:validate return code, and response redirect is callback URL, including oauth_token, and oauth_verifier in URL Sample Response:http://client.example.net/?cb=x&amp;t1=8&amp;oa ... nbISA608O23. Create an Access TokenDescription: validate return code, oauth_token, and oauth_verifier received from service call URL: http://SERVER_NAME/OAuth/api/v1/accessTokenSample Payload:POST /OAuth/api/v1/accessToken  HTTP/1.1Authorization: OAuth oauth_callback="http%3A%2F%2Fclient.example.net%3Fcb%3Dx%26t1%3D8",oauth_signature="RPOEnCcsgeApemXKEdkmL2STfek%3D",oauth_version="1.0",oauth_nonce="20fc8192-3018-4640-851f-53afb87bb57b",oauth_consumer_key="Ow91XrHaMa96EXywhFAzx9ugDZSyqgRa99EjeQpHzIb2gUgyij0dXI9",oauth_signature_method="HMAC-SHA1",oauth_token="fLgHIOJczx9d9JRC0SSMa9jXQinjZJRa9BnpOjoHtyy9NxOMMWbMIb2",oauth_verifier="WjsqQqJKWj2pdSOyq0tXI9dbfGSYPzda9n0ZAFem7ft2wnbISA608O2",oauth_timestamp="1291832574"Host: SERVER_NAMESample Response:HTTP/1.1 200 OKDate: Mon, 13 Dec 2010 22:03:14 GMTContent-Type: application/x-www-form-urlencodedServer: Jetty(7.0.2.v20100331)Content-Length: 142oauth_token=zKlsBOrjcR9CHcUiGJRMa9ZbojLIu6da9I6BV5srjnV9hYONZseQ0y9&amp;oauth_token_secret=ohvGokQKwb29NhBWVKtRq9PmCqQIu6da9ZswIFi9JDy9yLgbsMVxAb24. Gain info / access to another service, e.g. access to customer's library of pictures hosted by another service, in many cases, external, so services need not share user's private credentials-- '3rd party' service call, which may be another service within our network or a partner site, leveraging the OAuth passed creds (e.g. verifier).It's a bit more complex, such as there are oauth parameters in the Authorization header which require the 'person' calling the service to provide unique oauth_timestamp and oauth_nonce values to prevent against service attack (I believe); and for security, be able to sign these service requests e.g. oauth_signature_method="HMAC-SHA1".  Each parameter in the Authorization header, such as oauth_timestamp, must be able to be programatically updated between service calls, and these parameters must also have the ability to change from the return values of the service calls, e.g. recv'd, oauth_token must be able to be used in subsequent service calls.Any questions, please give me a shout.  Appreciate your help!!!

jasper175 · Answer

Hi,I don't know much about signatures - but in both the Free Version &amp; Pro has "Security Configurations" tab at the project level.I added a new Outgoing WS-Security Configuration and they have a "Signature" setting with the an Algorithm named: "http://www.w3.org/2000/09/xmldsig#hmac-sha1" along with other settings possible.If you download the free version - create a project and test it out.In the API itself there is a tab called "Aut" where you apply the created Outgoing WSS.  You can also set Incoming.Hope that helps,Rob

irose · Answer

Hi Rob,I appreciate the help.  I looked at all of those bits prior to posting and it seems to come down to soapUI does not support oAuth Authorization, which is a huge let down.  The product looks amazing, and I just downloaded soapUIPro to make sure.  I've emailed eviware because my firm would be willing to buy licenses, but haven't heard back yet.  Think, in essence, in the Aut tab, short for Authorization header of the request, must allow alternate fields beyond the user, password and domain fields.  oAuth Authorization fields:Authorization: OAuth oauth_callback=”CALLBACK_VALUE”, oauth_version="VERSION_NUMBER",oauth_nonce="DYNAMIC_NONCE_VALUE", oauth_timestamp="TIMESTAMP_DYMANIC_VALUE",oauth_signature_method="HMAC-SHA1",oauth_token="DYNAMIC_VALUE",oauth_consumer_key="READ_FROM_TEST_DATABASE",oauth_signature= "READ_FROM_TEST_DATABASE"These fields cannot be additional HEADER properties of the request, and must be appended to the Authorization HEADER.  Additionally, some of the properties must be variables, some generated by return values from other requests, some generated by code, e.g. time stamp , and values should be shared between multiple requests.  I am still hopeful that this feature is 'soon to be release', or I can use the tool another way (with code), or ....  It seems the industry is moving toward oAuth as the standard in authentication for published web services.

olensmar_1 · Answer

Hi!hmm.. do you know of some good and easy-to-follow examples of how to use oAuth from a client (ie from soapUI)? Please let me know so I could write up a blog-entry on how to do this with soapUI (if possible).Thanks in advance!regards,/Oleeviware.com

Forum Discussion

oAuth HMAC-SHA1 Signature Support

7 Replies

Recent Discussions

Vulnerable jetty files

RunTestCase input and return proeprties of the same name

Import API Definition in Ready API

Related Content

Need to generate hmac-sha1 signature to send it part of REST request header. Any help??

ERROR:groovy.lang.MissingMethodException: No signature of method

The signature or decryption was invalid