This wiki is no longer active and is left here for historical purposes. Please visit oauth.net for up-to-date information.
View
 

TestCases

This version was saved 9 years ago View current version     Page history
Saved by Chris Messina
on February 4, 2009 at 9:35:10 pm
 

Here are test cases for OAuth algorithms.

To discuss this page, please use the Test Cases thread in the Google Group OAuth.

JR Conlin from Netflix has provided a tool that provides a third party page to prove your OAuth HMAC-SHA1 signature generation, and allows you to set the nonce and timestamp in order to validate that your signature matches the signature.

Rob Richards from Mashery offers a Windows-based tool for testing.

Parameter Encoding (section 5.1)

 

In this table, U+xxxx means the character whose Unicode code point is xxxx (in hexadecimal notation).

 

parameter name or value encoded
abcABC123 abcABC123
-._~ -._~
% %25
+ %2B
&=* %26%3D%2A
U+000A (LF) %0A
U+0020 (space) %20
U+007F %7F
U+0080 %C2%80
U+3001 %E3%80%81

 

Authorization Header (section 5.4.1)

 

 

Normalize Request Parameters (section 9.1.1)

 

In this table, parameters are shown as a document of MIME type application/x-www-form-urlencoded that conforms to HTML 4.01 section 17.13.4.1. Note that '+' represents a space, in the parameters column (as in a URL query string).

 

parameters normalized
name name=
a=b a=b
a=b&c=d a=b&c=d
a=x!y&a=x+y a=x%20y&a=x%21y
x!y=a&x=a x=a&x%21y=a

 

Concatenate Request Elements (section 9.1.2)

 

In this table, parameters are shown as a document of MIME type application/x-www-form-urlencoded that conforms to HTML 4.01 section 17.13.4.1, with some white space inserted for legibility.

 

HTTP request method HTTP URL parameters Base String
GET http://example.com/ n=v GET&http%3A%2F%2Fexample.com%2F&n%3Dv
GET http://example.com 1 n=v GET&http%3A%2F%2Fexample.com%2F&n%3Dv
POST https://photos.example.net/request_token oauth_version=1.0&oauth_consumer_key=dpf43f3p2l4k3l03 &oauth_timestamp=1191242090&oauth_nonce=hsu94j3884jdopsl &oauth_signature_method=PLAINTEXT&oauth_signature=ignored POST&https%3A%2F%2Fphotos.example.net%2Frequest_token&oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dhsu94j3884jdopsl%26oauth_signature_method%3DPLAINTEXT%26oauth_timestamp%3D1191242090%26oauth_version%3D1.0
GET http://photos.example.net/photos file=vacation.jpg&size=original &oauth_version=1.0&oauth_consumer_key=dpf43f3p2l4k3l03 &oauth_token=nnch734d00sl2jdk &oauth_timestamp=1191242096&oauth_nonce=kllo9940pd9333jh &oauth_signature=ignored&oauth_signature_method=HMAC-SHA1 GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal

 

HMAC-SHA1 (section 9.2)

 

Consumer Secret Token Secret Base String Signature
cs   bs egQqG5AJep5sJ7anhXju1unge2I=
cs ts bs VZVjXceV7JgPq/dOTnNmEfO0Fv8=
kd94hf93k423kf44 pfkkdhi9sl3r4s00 GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal tR3+Ty81lMeYAr/Fid0kMTYa/WM=

 

RSA-SHA1 (section 9.3)

 

Consumer Key: dpf43f3p2l4k3l03
Private Key (PKCS#8 and Base64-encoded):
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALRiMLAh9iimur8V
A7qVvdqxevEuUkW4K+2KdMXmnQbG9Aa7k7eBjK1S+0LYmVjPKlJGNXHDGuy5Fw/d
7rjVJ0BLB+ubPK8iA/Tw3hLQgXMRRGRXXCn8ikfuQfjUS1uZSatdLB81mydBETlJ
hI6GH4twrbDJCR2Bwy/XWXgqgGRzAgMBAAECgYBYWVtleUzavkbrPjy0T5FMou8H
X9u2AC2ry8vD/l7cqedtwMPp9k7TubgNFo+NGvKsl2ynyprOZR1xjQ7WgrgVB+mm
uScOM/5HVceFuGRDhYTCObE+y1kxRloNYXnx3ei1zbeYLPCHdhxRYW7T0qcynNmw
rn05/KO2RLjgQNalsQJBANeA3Q4Nugqy4QBUCEC09SqylT2K9FrrItqL2QKc9v0Z
zO2uwllCbg0dwpVuYPYXYvikNHHg+aCWF+VXsb9rpPsCQQDWR9TT4ORdzoj+Nccn
qkMsDmzt0EfNaAOwHOmVJ2RVBspPcxt5iN4HI7HNeG6U5YsFBb+/GZbgfBT3kpNG
WPTpAkBI+gFhjfJvRw38n3g/+UeAkwMI2TJQS4n8+hid0uus3/zOjDySH3XHCUno
cn1xOJAyZODBo47E+67R4jV1/gzbAkEAklJaspRPXP877NssM5nAZMU0/O/NGCZ+
3jPgDUno6WbJn5cqm8MqWhW1xGkImgRk+fkDBquiq4gPiT898jusgQJAd5Zrr6Q8
AO/0isr/3aa6O6NLQxISLKcPDk2NOccAfS/xOtfOz4sJYM3+Bs4Io9+dZGSDCA54
Lw03eHTNQghS0A==
Certificate:
-----BEGIN CERTIFICATE-----
MIIBpjCCAQ+gAwIBAgIBATANBgkqhkiG9w0BAQUFADAZMRcwFQYDVQQDDA5UZXN0
IFByaW5jaXBhbDAeFw03MDAxMDEwODAwMDBaFw0zODEyMzEwODAwMDBaMBkxFzAV
BgNVBAMMDlRlc3QgUHJpbmNpcGFsMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQC0YjCwIfYoprq/FQO6lb3asXrxLlJFuCvtinTF5p0GxvQGu5O3gYytUvtC2JlY
zypSRjVxwxrsuRcP3e641SdASwfrmzyvIgP08N4S0IFzEURkV1wp/IpH7kH41Etb
mUmrXSwfNZsnQRE5SYSOhh+LcK2wyQkdgcMv11l4KoBkcwIDAQABMA0GCSqGSIb3
DQEBBQUAA4GBAGZLPEuJ5SiJ2ryq+CmEGOXfvlTtEL2nuGtr9PewxkgnOjZpUy+d
4TvuXJbNQc8f4AMWL/tO9w0Fk80rWKp9ea8/df4qMq5qlFWlx6yOLQxumNOmECKb
WpkUQDIDJEoFUzKMVuJf4KO/FJ345+BNLGgbJ6WujreoM1X/gYfdnJ/J
-----END CERTIFICATE-----
HTTP URL: http://photos.example.net/photos
Parameters oauth_signature_method=RSA-SHA1, oauth_version=1.0, oauth_consumer_key=dpf43f3p2l4k3l03, oauth_timestamp=1196666512, oauth_nonce=13917289812797014437, file=vacaction.jpg, size=original
Base String:
GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacaction.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3D13917289812797014437%26oauth_signature_method%3DRSA-SHA1%26oauth_timestamp%3D1196666512%26oauth_version%3D1.0%26size%3Doriginal
Signature:
jvTp/wX1TYtByB1m+Pbyo0lnCOLIsyGCH7wke8AUs3BpnwZJtAuEJkvQL2/9n4s5wUmUl4aCI4BwpraNx4RtEXMe5qg5T1LVTGliMRpKasKsW//e+RinhejgCuzoH26dyF8iY2ZZ/5D1ilgeijhV/vBka5twt399mXwaYdCwFYE=
Complete signed URL:
http://photos.example.net/photos?oauth_signature_method=RSA-SHA1&oauth_version=1.0&oauth_consumer_key=dpf43f3p2l4k3l03&oauth_timestamp=1196666512&oauth_nonce=13917289812797014437&file=vacaction.jpg&size=original&oauth_signature=jvTp%2FwX1TYtByB1m%2BPbyo0lnCOLIsyGCH7wke8AUs3BpnwZJtAuEJkvQL2%2F9n4s5wUmUl4aCI4BwpraNx4RtEXMe5qg5T1LVTGliMRpKasKsW%2F%2Fe%2BRinhejgCuzoH26dyF8iY2ZZ%2F5D1ilgeijhV%2FvBka5twt399mXwaYdCwFYE%3D

 

1 Note that HTTP does not allow empty absolute paths, so the URL 'http://example.com' is equivalent to 'http://example.com/' and should be treated as such for the purposes of OAuth signing (rfc2616, section 3.2.1)

Comments (0)

You don't have permission to comment on this page.