Question

HTTPCaller Authorization Issue for OneRoster

  • 28 January 2019


Hello:

I have a project I'm working on where I connect to an API endpoint to get class information. The API requires that I establish oauth parameters and create the signature base string by:

1) Converting the HTTP method to upper case and setting the output string equal to this value

2) Append the '&' character to the output string

3) Percent encode the URL and append it to the output string

4) Append the '&' character to the output string

5) Percent encode the parameter string and append it to the output

The final signature base string is encrypted using the consumer secret.

I've accomplished all of the above with a variety of transformers in a workspace. My question is, how do I call the API endpoint when the URL has been encoded? This is something I've never had to do. Most of the APIs I've processed against did not have this level of security/authorization and encryption (I had to encrypt my consumer secret).

I saw the Twitter API HTTPCaller post but after reviewing this several times, I could not figure out how to work my way through my scenario.

Any guidance would be greatly appreciated.

This is the excerpt from the API documentation. This is for OneRoster.


3 replies

Does any of this make sense @david_r, @takashi, @DaveAtSafe?

If I'm understanding correctly, you've already managed to create a signature string, and now need to add it to the API request.

I haven't tried this with the OneRoster API specifically, but it looks like you need to set the "Authorization" header as follows (interpreting https://www.imsglobal.org/oneroster-v11-final-specification 3.6.1, using their example values):

Authorization: OAuth oauth_consumer_key="imsglobal", oauth_nonce="1965da178f762237a8506e9d51b0398b4", oauth_signature="z47QdbCsasZP+5ZXelvc2b9xQeU=", oauth_signature_method="HMAC-SHA256", oauth_timestamp="1487345558", oauth_version="1.0"

The signature you've calculated goes in "oauth_signature".

The header is set in the HTTPCaller as follows:

[Screenshot: 0684Q00000ArJdcQAF.png]

Alternatively, it looks like OneRoster allows OAuth 2 Bearer Token auth as well (section 3.6.3). From what I can tell, you wouldn't need to sign it in that case, but rather, it would work similarly to https://knowledge.safe.com/questions/45854/httpcaller-and-twitter-api-authentication-problems.html.
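
The five base-string steps from the question and the Authorization header from the answer above, as an added Python example (not part of the original thread, and not FME or OneRoster code). It follows RFC 5849 with HMAC-SHA256; the endpoint URL, consumer key and consumer secret are constructed placeholders.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlsplit

def pct(value):
    # RFC 5849 section 3.6: everything except unreserved characters is encoded
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, oauth_params):
    parts = urlsplit(url)
    # Base URL excludes the query string (default-port stripping is omitted here)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # Query parameters are signed together with the oauth_* parameters
    pairs = parse_qsl(parts.query, keep_blank_values=True) + list(oauth_params.items())
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    param_string = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(param_string)])

def sign(base_string, consumer_secret, token_secret=""):
    # The secret is an HMAC key, not an encryption key; two-legged use has no token secret
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def authorization_header(method, url, consumer_key, consumer_secret, nonce=None, timestamp=None):
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA256",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign(signature_base_string(method, url, oauth), consumer_secret)
    # Header values are percent-encoded too (RFC 5849 section 3.5.1)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(oauth.items()))

if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real endpoint
    URL = "https://oneroster.example.org/ims/oneroster/v1p1/classes?limit=10"
    header = authorization_header("get", URL, "demo-key", "demo-secret")
    # The request goes to the original URL; the encoded form exists only in the base string
    print("GET", URL)
    print("Authorization:", header)
```

The percent-encoded URL is only an input to the signature; the HTTP request itself is sent to the unencoded URL with the resulting header attached.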


Thank you @DeWetAtSafe. This was helpful. I will review what you provided and go from there. I really appreciate your assistance.
