OAuth 1a
OAuth 1a can be a complicated method due to the need to generate a signature for the request. If anything is off with the signature, the request will not be validated.
Authorization
Step One - Obtain a Request Token
The first step is to obtain a request token that will be used when directing the user to the authorization page.
Make a POST to the request token endpoint /oauth/v1/request_token:
Review Generating the Authorization Header on the specifics of generating the OAuth header.
The response will be a query string:
Parse the string and use the parameters in the next step as indicated.
These must be preserved in some kind of persistent storage as they will be used when obtaining the access token.
Note that the refresh token is only good for the number of seconds specified in oauth_expires_in.
Step Two - Authorization
Now redirect the user to the authorization endpoint oauth/v1/authorize with the request token as part of the URL's query.
If the callback is something different than what is configured in Adaptix, url encode it and include in the query as oauth_callback.
The user will login and Adaptix will redirect back to the either the consumer's configured callback or to the oauth_callback included in the query.
The callback will include oauth_token and oauth_verifier in the URL's query.
Compare the oauth_token in the query with that obtained in step two to ensure they are the same and prevent cross-site request forgery.
oauth_verifier will need to be part of the header generated in step three.
Step Three - Obtain an Access Token
Generate the Authorization header and make a POST to the access token endpoint /oauth/v1/access_token.
When generating the header, the oauth_token_secret returned in step two should be used as the TOKEN_SECRET in the composite key.
oauth_verifier from step two should be part of the Authorization header generated.
The response should include a query string with the access token:
Adaptix's OAuth 1a access tokens do not expire but the user can deauthorize them. If the access token is invalid, a 401 response will be returned.
The oauth_token can be included in the authorize header and the oauth_token_secret should be used as the TOKEN_SECRET in the composite key when signing API requests.
Generating the Authorization Header
The OAuth header may include the following parameters:
| Key | Description |
|---|---|
| oauth_callback | Optional, URL encoded callback to redirect the user to after authorization. If the callback URL is set in Adaptix, this must match. |
| oauth_consumer_key | The consumer key obtained from Adaptix's API Credentials |
| oauth_nonce | Uniquely generated string that should be used only once |
| oauth_signature | Signature generated from all applicable data for the request |
| oauth_signature_method | Method for creating the signature. Currently, only HMAC-SHA1 is supported. |
| oauth_timestamp | Current unix timestamp |
| oauth_token | The access token |
| oauth_verifier | Returned after authorization and used when requesting an access token |
| oauth_version | Should always be 1.0 |
When making a GET or POST request with parameters, all parameters should be included in the header as well.
Step One - Build the Base String
The base string is used to generate the oauth_signature.
The structure of the base string is as follows:
METHOD should be the request method and should always be capitalized.
URL_ENCODED_URI should be the base URI the request is made to. It should not include any query parameters (query parameters should be part of NORMALIZED_PARAMETERS).
NORMALIZED_PARAMETERS should be a url encoded, alphabetically sorted query string of the above oauth parameters (except oauth_signature) plus the parameters of the request (query/post body).
Each key and each value of the parameters must be url encoded individually as well.
PHP should use rawurlencode() instead of urlencode().
Then each url encoded key/value pair should be concatenated into a single string with an ampersand (&) as the glue character.
For example, let's say a request includes a query of title=Mr&firstname=Joe&lastname=Smith. The process would look something like the following (replacing urlencode() with whatever function is appropriate for the language being used). Of course realistically, natural sort and loop functions would be used.
Multidimensional arrays should use foo=baz&foo=bar rather than foo[bar]=baz&foo[baz]=bar when generating the normalized parameters string.
Notice that oauth_callback, if included, is DOUBLE url encoded.
Put all together, a base string might look like:
Step Two - Build the Composite Key
The composite key is used to encrypt the base string. It is composed of the consumer secret and the token secret if available (post authorization) combined with an ampersand (&).
If the token secret is not available, i.e. during the request token process, then an ampersand (&) should still be used.
TOKEN_SECRET Sources
For /oauth/v1/request_token, TOKEN_SECRET is empty.
For /oauth/v1/access_token, TOKEN_SECRET will be the oauth_token_secret returned by the request to /oauth/v1/request_token
For all other API endpoints, TOKEN_SECRET will be the oauth_token_secret returned by the request to /oauth/v1/access_token
Step Three - Generate the Signature
Now, using the base string and the composite key, the signature can be generated using the appropriate HMAC function available to the language used. The signature generated should then be base64 encoded prior to being used in the Authorization header.
The resulting string should then be used included in the header as oauth_signature.
Signing the API Request
To sign the API request, generate the Authorization header using the obtained access token.