oAuth HMAC-SHA1 Signature Support
I am investigating tools for our org for automated testing of our RESTful SOA using oAuth. We stopped a POC with another tool. We ran across an issue with their support of the tools ability to sign ...
Forum Discussion
Hi Rob,
I appreciate the help. I looked at all of those bits prior to posting and it seems to come down to soapUI does not support oAuth Authorization, which is a huge let down. The product looks amazing, and I just downloaded soapUIPro to make sure. I've emailed eviware because my firm would be willing to buy licenses, but haven't heard back yet. Think, in essence, in the Aut tab, short for Authorization header of the request, must allow alternate fields beyond the user, password and domain fields. oAuth Authorization fields:
Authorization: OAuth oauth_callback=”CALLBACK_VALUE”,
oauth_version="VERSION_NUMBER",
oauth_nonce="DYNAMIC_NONCE_VALUE",
oauth_timestamp="TIMESTAMP_DYMANIC_VALUE",
oauth_signature_method="HMAC-SHA1",
oauth_token="DYNAMIC_VALUE",
oauth_consumer_key="READ_FROM_TEST_DATABASE",
oauth_signature= "READ_FROM_TEST_DATABASE"
These fields cannot be additional HEADER properties of the request, and must be appended to the Authorization HEADER. Additionally, some of the properties must be variables, some generated by return values from other requests, some generated by code, e.g. time stamp , and values should be shared between multiple requests. I am still hopeful that this feature is 'soon to be release', or I can use the tool another way (with code), or .... It seems the industry is moving toward oAuth as the standard in authentication for published web services.
I appreciate the help. I looked at all of those bits prior to posting and it seems to come down to soapUI does not support oAuth Authorization, which is a huge let down. The product looks amazing, and I just downloaded soapUIPro to make sure. I've emailed eviware because my firm would be willing to buy licenses, but haven't heard back yet. Think, in essence, in the Aut tab, short for Authorization header of the request, must allow alternate fields beyond the user, password and domain fields. oAuth Authorization fields:
Authorization: OAuth oauth_callback=”CALLBACK_VALUE”,
oauth_version="VERSION_NUMBER",
oauth_nonce="DYNAMIC_NONCE_VALUE",
oauth_timestamp="TIMESTAMP_DYMANIC_VALUE",
oauth_signature_method="HMAC-SHA1",
oauth_token="DYNAMIC_VALUE",
oauth_consumer_key="READ_FROM_TEST_DATABASE",
oauth_signature= "READ_FROM_TEST_DATABASE"
These fields cannot be additional HEADER properties of the request, and must be appended to the Authorization HEADER. Additionally, some of the properties must be variables, some generated by return values from other requests, some generated by code, e.g. time stamp , and values should be shared between multiple requests. I am still hopeful that this feature is 'soon to be release', or I can use the tool another way (with code), or .... It seems the industry is moving toward oAuth as the standard in authentication for published web services.