Skip to main content

Hello:

I have a project I'm working on where I connect to an API endpoint to get class information. The API requires that I establish oauth parameters and create the signature base string by:

1) Converting the HTTP method to upper case and set the output string equal to this value

2) Append the '&' character to the output string

3) Percent encode the URL and append it to the output string

4) Append the '&' character to the output string

5) Percent encode the parameter string and append it to the output

The final signature base string is encrypted using the consumer secret

I've accomplished all of the above with a variety of transformers in a workspace. My question is, how do I call the API endpoint when the URL has been encoded? This is something I've never had to do. Most of the API's I've processed against did not have this level of security/authorization and encryption (I had to encrypt my consumer secret).

I saw the Twitter API HTTPCaller post but after reviewing this several times, I could not figure out how to work my way through my scenario.

Any guidance would be greatly appreciated.

This is the excerpt from the API documentation. This is for OneRoster

Does any of this make sense @david_r, @takashi, @DaveAtSafe

If I'm understanding correctly, you've already managed to create a signature string, and now need to add it to the API request.

I haven't tried this with the OneRoster API specifically, but it looks like you need to set the "Authorization" header as follows (interpreting https://www.imsglobal.org/oneroster-v11-final-specification 3.6.1, using their example values):

Authorization: OAuth auth_consumer_key="imsglobal", oauth_nonce="1965da178f762237a8506e9d51b0398b4", oauth_signature="z47QdbCsasZP+5ZXelvc2b9xQeU=", oauth_signature_method="HMAC-SHA256", oauth_timestamp="1487345558", oauth_version="1.0"

The signature you've calculated goes in "oauth_signature".

The header is set in the HTTPCaller as follows:

0684Q00000ArJdcQAF.png

Alternatively, it looks like OneRoster allows OAuth 2 Bearer Token auth as well (section 3.6.3). From what I can tell, you wouldn't need to sign it in that case, but rather, it would work similarly to https://knowledge.safe.com/questions/45854/httpcaller-and-twitter-api-authentication-problems.html.


Thank you @DeWetAtSafe. This was helpful. I will review what you provided and go from there. I really appreciate your assistance.


Reply