irose
New Contributor
14 years ago

oAuth HMAC-SHA1 Signature Support

I am investigating tools for our org for automated testing of our RESTful SOA using oAuth. We stopped a POC with another tool. We ran across an issue with their support of the tool's ability to sign the oAuth request using HMAC-SHA1 signature. I am in the process of reviewing soapUI as the tool we would use for our testing. However, after reviewing the soapUI doc I don't see the directions on how to sign the requests. Any help please?
  • SmartBear_Suppo
    SmartBear Alumni (Retired)
    Hi again,

    I found this image: http://oauth.net/core/diagram.png

    There seem to be two types of oAuth tokens, Request and Access, should soapUI provide an option for which to send? (and the corresponding parameters) Or could soapUI automatically handle Request -> Access Token processing somehow!? What is good enough to get you started?

    regards!

    /Ole
    eviware.com
  • irose
    New Contributor
    Hi There,

    Appreciate your response. Please use these examples for OAuth v1 protocol:
    1. Create Request Token
    URL:
    http://SERVER_NAME/OAuth/api/v1/requestToken

    Description:
    validate return code, oauth_token, and oauth_token_secret received from service call

    Sample Payload:
    POST /OAuth/api/v1/requestToken HTTP/1.1
    Authorization: OAuth oauth_callback="http%3A%2F%2Fclient.example.net%3Fcb%3Dx%26t1%3D8",oauth_signature="RPOEnCcsgeApemXKEdkmL2STfek%3D",oauth_version="1.0",oauth_nonce="20fc8192-3018-4640-851f-53afb87bb57b",oauth_consumer_key="Ow91XrHaMa96EXywhFAzx9ugDZSyqgRa99EjeQpHzIb2gUgyij0dXI9",oauth_signature_method="HMAC-SHA1",oauth_token="",oauth_timestamp="1291832574"
    Host: SERVER_NAME

    Sample Response:
    HTTP/1.1 200 OK
    Date: Mon, 13 Dec 2010 21:56:51 GMT
    Content-Type: application/x-www-form-urlencoded
    Server: Jetty(7.0.2.v20100331)
    Content-Length: 172

    oauth_callback_confirmed=true&oauth_token=fLgHIOJczx9d9JRC0SSMa9jXQinjZJRa9BnpOjoHtyy9NxOMMWbMIb2&oauth_token_secret=40mjSR07fq9c2MgAKGcft2UqjZHb87Oa9GQWqzBXZLy9BHusta8vJV9


    2. Authorize Request Token
    POST URL:
    http://SERVER_NAME/OAuth/api/authorize? ... xOMMWbMIb2

    Description:
    validate return code, and response redirect is callback URL, including oauth_token, and oauth_verifier in URL

    Sample Response:
    http://client.example.net/?cb=x&t1=8&oa ... nbISA608O2


    3. Create an Access Token
    Description: validate return code, oauth_token, and oauth_verifier received from service call

    URL: http://SERVER_NAME/OAuth/api/v1/accessToken

    Sample Payload:
    POST /OAuth/api/v1/accessToken HTTP/1.1
    Authorization: OAuth oauth_callback="http%3A%2F%2Fclient.example.net%3Fcb%3Dx%26t1%3D8",oauth_signature="RPOEnCcsgeApemXKEdkmL2STfek%3D",oauth_version="1.0",oauth_nonce="20fc8192-3018-4640-851f-53afb87bb57b",oauth_consumer_key="Ow91XrHaMa96EXywhFAzx9ugDZSyqgRa99EjeQpHzIb2gUgyij0dXI9",oauth_signature_method="HMAC-SHA1",oauth_token="fLgHIOJczx9d9JRC0SSMa9jXQinjZJRa9BnpOjoHtyy9NxOMMWbMIb2",oauth_verifier="WjsqQqJKWj2pdSOyq0tXI9dbfGSYPzda9n0ZAFem7ft2wnbISA608O2",oauth_timestamp="1291832574"
    Host: SERVER_NAME


    Sample Response:
    HTTP/1.1 200 OK
    Date: Mon, 13 Dec 2010 22:03:14 GMT
    Content-Type: application/x-www-form-urlencoded
    Server: Jetty(7.0.2.v20100331)
    Content-Length: 142

    oauth_token=zKlsBOrjcR9CHcUiGJRMa9ZbojLIu6da9I6BV5srjnV9hYONZseQ0y9&oauth_token_secret=ohvGokQKwb29NhBWVKtRq9PmCqQIu6da9ZswIFi9JDy9yLgbsMVxAb2


    4. Gain info / access to another service, e.g. access to customer's library of pictures hosted by another service, in many cases, external, so services need not share user's private credentials
    -- '3rd party' service call, which may be another service within our network or a partner site, leveraging the OAuth passed creds (e.g. verifier).

    It's a bit more complex, such as there are oauth parameters in the Authorization header which require the 'person' calling the service to provide unique oauth_timestamp and oauth_nonce values to prevent against service attack (I believe); and for security, be able to sign these service requests e.g. oauth_signature_method="HMAC-SHA1". Each parameter in the Authorization header, such as oauth_timestamp, must be able to be programmatically updated between service calls, and these parameters must also have the ability to change from the return values of the service calls, e.g. recv'd, oauth_token must be able to be used in subsequent service calls.

    Any questions, please give me a shout. Appreciate your help!!!
  • Jasper175
    Frequent Contributor
    Hi,

    I don't know much about signatures - but both the Free Version & Pro have a "Security Configurations" tab at the project level.
    I added a new Outgoing WS-Security Configuration and they have a "Signature" setting with an Algorithm named: "http://www.w3.org/2000/09/xmldsig#hmac-sha1" along with other settings possible.

    If you download the free version - create a project and test it out.
    In the API itself there is a tab called "Aut" where you apply the created Outgoing WSS. You can also set Incoming.

    Hope that helps,
    Rob
  • irose
    New Contributor
    Hi Rob,

    I appreciate the help. I looked at all of those bits prior to posting and it seems to come down to soapUI does not support oAuth Authorization, which is a huge let down. The product looks amazing, and I just downloaded soapUIPro to make sure. I've emailed eviware because my firm would be willing to buy licenses, but haven't heard back yet. Think, in essence, in the Aut tab, short for Authorization header of the request, must allow alternate fields beyond the user, password and domain fields. oAuth Authorization fields:
    Authorization: OAuth oauth_callback="CALLBACK_VALUE",
    oauth_version="VERSION_NUMBER",
    oauth_nonce="DYNAMIC_NONCE_VALUE",
    oauth_timestamp="TIMESTAMP_DYNAMIC_VALUE",
    oauth_signature_method="HMAC-SHA1",
    oauth_token="DYNAMIC_VALUE",
    oauth_consumer_key="READ_FROM_TEST_DATABASE",
    oauth_signature="READ_FROM_TEST_DATABASE"
    These fields cannot be additional HEADER properties of the request, and must be appended to the Authorization HEADER. Additionally, some of the properties must be variables, some generated by return values from other requests, some generated by code, e.g. time stamp, and values should be shared between multiple requests. I am still hopeful that this feature is 'soon to be released', or I can use the tool another way (with code), or .... It seems the industry is moving toward oAuth as the standard in authentication for published web services.
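
Added example, not part of the original thread and not soapUI code: a Python sketch of the OAuth 1.0 HMAC-SHA1 signing the posts above ask for (signature base string, signing key, a fresh nonce and timestamp per call, and reuse of the token returned by the previous call). Function names and the credentials in the demo are constructed for illustration; default-port stripping in the base URI is assumed unnecessary for these URLs.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlsplit

def enc(value):
    # OAuth percent-encoding: everything except ALPHA / DIGIT / "-" "." "_" "~"
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    parts = urlsplit(url)
    # Query parameters are signed together with the oauth_* ones; the base URI carries none.
    pairs = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    normalized = "&".join(f"{k}={v}" for k, v in sorted((enc(k), enc(v)) for k, v in pairs))
    base_uri = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    return "&".join([method.upper(), enc(base_uri), enc(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # Key = consumer secret "&" token secret; the token secret is empty
    # until the request-token call has returned one.
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def authorization_header(method, url, consumer_key, consumer_secret, token="",
                         token_secret="", extra=None, nonce=None, timestamp=None):
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),          # fresh per request
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),  # fresh per request
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    oauth.update(extra or {})  # e.g. oauth_callback or oauth_verifier
    # The signature covers every other parameter, so it is computed last.
    oauth["oauth_signature"] = sign(method, url, oauth, consumer_secret, token_secret)
    return "OAuth " + ",".join(f'{enc(k)}="{enc(v)}"' for k, v in sorted(oauth.items()))

def parse_token_response(body):
    # Form-encoded body returned by the requestToken / accessToken calls.
    fields = dict(parse_qsl(body))
    return fields["oauth_token"], fields["oauth_token_secret"]

if __name__ == "__main__":
    # Constructed credentials and response body, for illustration only.
    print(authorization_header("POST", "http://SERVER_NAME/OAuth/api/v1/requestToken",
                               "example-consumer-key", "example-consumer-secret",
                               extra={"oauth_callback": "http://client.example.net?cb=x&t1=8"}))
    token, secret = parse_token_response("oauth_token=tok123&oauth_token_secret=sec456")
    print(authorization_header("POST", "http://SERVER_NAME/OAuth/api/v1/accessToken",
                               "example-consumer-key", "example-consumer-secret",
                               token=token, token_secret=secret))
```

Because the signature depends on the nonce and timestamp, a header captured from one call cannot be replayed as-is for the next; each request has to be signed again.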
  • Hi!

    hmm.. do you know of some good and easy-to-follow examples of how to use oAuth from a client (ie from soapUI)? Please let me know so I could write up a blog-entry on how to do this with soapUI (if possible).

    Thanks in advance!

    regards,

    /Ole
    eviware.com
  • mcgintym
    Occasional Contributor
    Has there been a blog entry to see how to do this in SOAP UI? I am working with Pro and have this issue currently. I need a way to handle this kind of situation for our webservice testing.
  • Thank you all very much for the posts!
    These helped me and turned out to be really useful for the future.