It is very difficult to answer your question as soon as possible, since the implementation of a full-featured OAuth client is not trivial and requires a real understanding of the OAuth1.0a specification. This is not rocket science, but actually it requires sorting all the pieces.
I will try to answer your question in parts.
What is the baseline?
The basic signature string in OAuth is constructed as follows:
- Start with the HTTP request method you submit in uppercase. For example,
POST or GET . - Add an ampersand character (
& ) to this - Add the URL encoded in the URL (in percent) that you call in your request (do not include the parameters here)
- Add another ampersand character (
& ) here - Finally add a URL encoded string
I will describe how to create the required parameter string in this last step.
Collect all the parameters included in the query. You will find them in the URL as part of the query string, as well as in the request body when you perform POST -ing requests. Say, for example, that you are POST by specifying parameter1=value1 at the URL http://example.com/?parameter2=value2 . This includes two options.
Now you also need to summarize all the OAuth parameters that are necessary for the protocol to be happy. This will result in a list of options that looks something like this:
oauth_consumer_key=fffffaaaafffaaaffoauth_nonce=aaaaabbbbbcccccaaaaudi2313oauth_signature_method=HMAC-SHA1oauth_timestamp=1319633599oauth_token=bbbbbbbbbfsdfdsdfsfserwerfsddffdsdfoauth_version=1.0parameter1=value1parameter2=value2
All these separate lines should be lexicographically sorted by the parameter name (should be sufficient in alphabetical order) and combined into a line. This is your parameter string.
I'm right in the blanks โ% 20 Example?
Yes. You are talking about percent encoding, which is also called HTTP encoding name and URL encoding. http://en.wikipedia.org/wiki/Percent-encoding .
HMAC-SHA1 includes a message and a key, is the secret message to the consumer? Is a consumer key a key?
A message is the base signature line that you created above. And the key is a combination of your consumerโs privacy and the secret of your access token. Thus, the key should look like this: CONSUMER_SECRET&TOKEN_SECRET (note the ampersand). In the absolute first request that you make, you will not have the token key yet, then the key will be only CONSUMER_SECRET& (again, pay attention to the ampersand).
How to create a signature using the HMAC-SHA1 algorithm.
I selected this from http://oauth.googlecode.com/svn/code/csharp/OAuthBase.cs , and it is assumed that secrets and a baseline are available for the code.
Basically pass the HMACSHA1 instance with the key and message, make this hash and convert it to base64 string.
HMACSHA1 hmacsha1 = new HMACSHA1(); hmacsha1.Key = Encoding.ASCII.GetBytes(string.Format("{0}&{1}", UrlEncode(consumerSecret), string.IsNullOrEmpty(tokenSecret) ? "" : UrlEncode(tokenSecret))); byte[] dataBuffer = System.Text.Encoding.ASCII.GetBytes(signatureBaseString); byte[] hashBytes = hmacsha1.ComputeHash(dataBuffer); return Convert.ToBase64String(hashBytes);
If I manage to create a signature, how do I submit these values โโto Twitter?
You can easily learn what an HTTP header is.
But you can add the final result of parameters and signatures to the URL, I think that Twitter even accepts them in the request body for some requests. But the preferred method is the Authorization HTTP header, because it provides a clear separation between specific protocols and requests for specific parameters.
It should look something like this (taken directly from the OAuth 1.0a spec ):
Authorization: OAuth realm="Example", oauth_consumer_key="0685bd9184jfhq22", oauth_token="ad180jjd733klru7", oauth_signature_method="HMAC-SHA1", oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D", oauth_timestamp="137131200", oauth_nonce="4572616e48616d6d65724c61686176", oauth_version="1.0"