This wiki is no longer active and is left here for historical purposes. Please visit oauth.net for up-to-date information.

TestCases

This version was saved 8 years, 12 months ago.
Saved by John Kristian
on February 8, 2009 at 6:51:47 pm
 

Here are test cases for OAuth algorithms.

To discuss this page, please use the Test Cases thread in the Google Group OAuth.

There are several interactive tools that implement OAuth algorithms:

  • Netflix web page to compute signatures (by JR Conlin)
  • Googlecode web page to compute signatures (by John Kristian)
  • Mashery Windows application (by Rob Richards)

 

Parameter Encoding (section 5.1)

 In this table, U+xxxx means the character whose Unicode code point is xxxx (in hexadecimal notation).

 

| parameter name or value | encoded |
|---|---|
| abcABC123 | abcABC123 |
| -._~ | -._~ |
| % | %25 |
| + | %2B |
| &=* | %26%3D%2A |
| U+000A (LF) | %0A |
| U+0020 (space) | %20 |
| U+007F | %7F |
| U+0080 | %C2%80 |
| U+3001 | %E3%80%81 |

 

Authorization Header (section 5.4.1)

 

 

Normalize Request Parameters (section 9.1.1)

 

In this table, parameters are shown as a document of MIME type application/x-www-form-urlencoded that conforms to HTML 4.01 section 17.13.4.1. Note that '+' represents a space, in the parameters column (as in a URL query string).

 

| parameters | normalized |
|---|---|
| name | name= |
| a=b | a=b |
| a=b&c=d | a=b&c=d |
| a=x!y&a=x+y | a=x%20y&a=x%21y |
| x!y=a&x=a | x=a&x%21y=a |

 

Concatenate Request Elements (section 9.1.2)

 

In this table, parameters are shown as a document of MIME type application/x-www-form-urlencoded that conforms to HTML 4.01 section 17.13.4.1, with some white space inserted for legibility.

 

| HTTP request method | HTTP URL | parameters | Base String |
|---|---|---|---|
| GET | http://example.com/ | n=v | GET&http%3A%2F%2Fexample.com%2F&n%3Dv |
| GET | http://example.com (note 1) | n=v | GET&http%3A%2F%2Fexample.com%2F&n%3Dv |
| POST | https://photos.example.net/request_token | oauth_version=1.0&oauth_consumer_key=dpf43f3p2l4k3l03 &oauth_timestamp=1191242090&oauth_nonce=hsu94j3884jdopsl &oauth_signature_method=PLAINTEXT&oauth_signature=ignored | POST&https%3A%2F%2Fphotos.example.net%2Frequest_token&oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dhsu94j3884jdopsl%26oauth_signature_method%3DPLAINTEXT%26oauth_timestamp%3D1191242090%26oauth_version%3D1.0 |
| GET | http://photos.example.net/photos | file=vacation.jpg&size=original &oauth_version=1.0&oauth_consumer_key=dpf43f3p2l4k3l03 &oauth_token=nnch734d00sl2jdk &oauth_timestamp=1191242096&oauth_nonce=kllo9940pd9333jh &oauth_signature=ignored&oauth_signature_method=HMAC-SHA1 | GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal |

 

HMAC-SHA1 (section 9.2)

 

| Consumer Secret | Token Secret | Base String | Signature |
|---|---|---|---|
| cs |  | bs | egQqG5AJep5sJ7anhXju1unge2I= |
| cs | ts | bs | VZVjXceV7JgPq/dOTnNmEfO0Fv8= |
| kd94hf93k423kf44 | pfkkdhi9sl3r4s00 | GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal | tR3+Ty81lMeYAr/Fid0kMTYa/WM= |
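
The parameter encoding, normalization, base string and HMAC-SHA1 tables above can be checked mechanically. The following Python is an added example, not code from this wiki or from the tools it lists; the function names are illustrative, `signature_is_valid` is an assumed provider-side helper, and URL handling is simplified (no default-port stripping, no query string inside the URL).

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def oauth_encode(text):
    """Section 5.1: percent-encode UTF-8 bytes; only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(text.encode("utf-8"), safe="-._~")

def normalize_parameters(form):
    """Section 9.1.1: decode form data ('+' is a space), drop oauth_signature,
    re-encode per 5.1, then sort by encoded name and encoded value."""
    pairs = parse_qsl(form, keep_blank_values=True)
    encoded = sorted((oauth_encode(k), oauth_encode(v))
                     for k, v in pairs if k != "oauth_signature")
    return "&".join(f"{k}={v}" for k, v in encoded)

def base_string(method, url, form):
    """Section 9.1.2: encoded method, URL and normalized parameters joined by '&'.
    Simplification: default ports and a query string inside `url` are not handled."""
    parts = urlsplit(url)
    # An empty path is equivalent to '/' (the page's note 1).
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"
    return "&".join(oauth_encode(p)
                    for p in (method.upper(), base_url, normalize_parameters(form)))

def hmac_sha1_signature(consumer_secret, token_secret, base):
    """Section 9.2: the key is encoded consumer secret, '&', encoded token secret;
    the '&' stays even when the token secret is empty."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}"
    digest = hmac.new(key.encode("ascii"), base.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")

def signature_is_valid(received, consumer_secret, token_secret, base):
    """Provider-side check; compare_digest avoids a timing side channel."""
    expected = hmac_sha1_signature(consumer_secret, token_secret, base)
    return hmac.compare_digest(received.encode("utf-8"), expected.encode("utf-8"))

if __name__ == "__main__":
    # Inputs are the page's photos.example.net test case.
    form = ("file=vacation.jpg&size=original&oauth_version=1.0"
            "&oauth_consumer_key=dpf43f3p2l4k3l03&oauth_token=nnch734d00sl2jdk"
            "&oauth_timestamp=1191242096&oauth_nonce=kllo9940pd9333jh"
            "&oauth_signature=ignored&oauth_signature_method=HMAC-SHA1")
    base = base_string("GET", "http://photos.example.net/photos", form)
    print(hmac_sha1_signature("kd94hf93k423kf44", "pfkkdhi9sl3r4s00", base))
```
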

 

RSA-SHA1 (section 9.3)

 

Consumer Key: dpf43f3p2l4k3l03
Private Key (PKCS#8 and Base64-encoded):
Certificate:
HTTP URL: http://photos.example.net/photos
Parameters: oauth_signature_method=RSA-SHA1, oauth_version=1.0, oauth_consumer_key=dpf43f3p2l4k3l03, oauth_timestamp=1196666512, oauth_nonce=13917289812797014437, file=vacaction.jpg, size=original
Base String:
GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacaction.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3D13917289812797014437%26oauth_signature_method%3DRSA-SHA1%26oauth_timestamp%3D1196666512%26oauth_version%3D1.0%26size%3Doriginal
Signature:
jvTp/wX1TYtByB1m+Pbyo0lnCOLIsyGCH7wke8AUs3BpnwZJtAuEJkvQL2/9n4s5wUmUl4aCI4BwpraNx4RtEXMe5qg5T1LVTGliMRpKasKsW//e+RinhejgCuzoH26dyF8iY2ZZ/5D1ilgeijhV/vBka5twt399mXwaYdCwFYE=
Complete signed URL:
http://photos.example.net/photos?oauth_signature_method=RSA-SHA1&oauth_version=1.0&oauth_consumer_key=dpf43f3p2l4k3l03&oauth_timestamp=1196666512&oauth_nonce=13917289812797014437&file=vacaction.jpg&size=original&oauth_signature=jvTp%2FwX1TYtByB1m%2BPbyo0lnCOLIsyGCH7wke8AUs3BpnwZJtAuEJkvQL2%2F9n4s5wUmUl4aCI4BwpraNx4RtEXMe5qg5T1LVTGliMRpKasKsW%2F%2Fe%2BRinhejgCuzoH26dyF8iY2ZZ%2F5D1ilgeijhV%2FvBka5twt399mXwaYdCwFYE%3D

 

1. Note that HTTP does not allow empty absolute paths, so the URL 'http://example.com' is equivalent to 'http://example.com/' and should be treated as such for the purposes of OAuth signing (RFC 2616, section 3.2.1).
