Constructing the Signature for Step Three of the TBA Authorization Flow
This section contains information and examples for how to construct the signature used in Step Three of the TBA authorization flow.
As of 2023.1, support for the HMAC-SHA1 signature method has ended.
The following values are used for the examples in this section:
Parameter | Value |
---|---|
Company ID | 1234567 |
Consumer Key | 60712990bc09623786e7047c226bcb3f86d49dca0b04efc21001dc76d97a81f5 |
Consumer Secret | 60712990bc09623786e7047c226bcb3f86d49dca0b04efc21001dc76d97a81f5 (Note: For purposes of this example, the values of Consumer Key and Consumer Secret are identical.) |
Token Key | 447d0cba5569a2d616e32a537110bc8c10ebcf42cc1fa34d6f76d08531abc179 |
Token Secret | 447d0cba5569a2d616e32a537110bc8c10ebcf42cc1fa34d6f76d08531abc179 (Note: For purposes of this example, the values of Token Key and Token Secret are identical.) |
Verifier | 3eff1ae4de6f924014b88e489a41e88da8ed1ba8bd5ad7684a71579d7e97f4ee |
Nonce | wjRgXQPWhYtKl0A7bO8Z |
Timestamp | 1576079512 |
The realm parameter is not part of the single string of normalized request parameters. For more information, see RFC 5849, section 3.4.1.3.1.
Signature Base String Construction for Step Three
The base string is constructed as follows:
<base-string> = <http-request-method>&<base-string-uri>&<normalized-request-parameters>
Where:
Component | Description |
---|---|
http-request-method | POST |
base-string-uri | https://1234567.restlets.api.netsuite.com/rest/accesstoken (Note: The URI is to be encoded using the algorithm described in Encoding.) |
normalized-request-parameters | The following parameters to be normalized into a single string are: (Note: The single string of normalized parameters is to be encoded using the algorithm described in Request Parameters Normalization.) |
Signature Base String Example for Step Three
POST&https%3A%2F%2F1234567.restlets.api.netsuite.com%2Frest%2Faccesstoken&oauth_consumer_key%3D60712990bc09623786e7047c226bcb3f86d49dca0b04efc21001dc76d97a81f5%26oauth_nonce%3DwjRgXQPWhYtKl0A7bO8Z%26oauth_signature_method%3DHMAC-SHA256%26oauth_timestamp%3D1576079512%26oauth_token%3D447d0cba5569a2d616e32a537110bc8c10ebcf42cc1fa34d6f76d08531abc179%26oauth_verifier%3D3eff1ae4de6f924014b88e489a41e88da8ed1ba8bd5ad7684a71579d7e97f4ee%26oauth_version%3D1.0
Generating the Signature for Step Three
The key for generating the signature consists of the consumer secret and the token secret, joined by an ampersand (&).
Be aware that the token secret is present in Step Three, whereas it was omitted in Step One.
60712990bc09623786e7047c226bcb3f86d49dca0b04efc21001dc76d97a81f5&447d0cba5569a2d616e32a537110bc8c10ebcf42cc1fa34d6f76d08531abc179
After applying the algorithm described in Generating the Signature for the TBA Authorization Flow, you get the following result:
BBzawyjesZyFrwBjUAJfBsPDDGUY2FRdp3k4NwGDAO0%3D
Final Authorization Header Example for Step Three
Authorization: OAuth realm="1234567", oauth_token="447d0cba5569a2d616e32a537110bc8c10ebcf42cc1fa34d6f76d08531abc179", oauth_consumer_key="60712990bc09623786e7047c226bcb3f86d49dca0b04efc21001dc76d97a81f5", oauth_nonce="wjRgXQPWhYtKl0A7bO8Z", oauth_timestamp="1576079512", oauth_signature_method="HMAC-SHA256", oauth_version="1.0", oauth_verifier="3eff1ae4de6f924014b88e489a41e88da8ed1ba8bd5ad7684a71579d7e97f4ee", oauth_signature="BBzawyjesZyFrwBjUAJfBsPDDGUY2FRdp3k4NwGDAO0%3D"
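The Step Three construction described above, as an added Python example (not code from NetSuite or from the original page): it rebuilds the base string and signing key from this page's sample values, signs with HMAC-SHA256, and verifies a received signature in constant time. The function names are chosen for illustration, and realm is left out of the signed parameters as the page states.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Sample values copied from the table on this page (documentation values, not live credentials).
URL = "https://1234567.restlets.api.netsuite.com/rest/accesstoken"
CONSUMER_KEY = CONSUMER_SECRET = "60712990bc09623786e7047c226bcb3f86d49dca0b04efc21001dc76d97a81f5"
TOKEN_KEY = TOKEN_SECRET = "447d0cba5569a2d616e32a537110bc8c10ebcf42cc1fa34d6f76d08531abc179"
PARAMS = {  # realm is deliberately absent: it is not part of the signed string
    "oauth_consumer_key": CONSUMER_KEY,
    "oauth_token": TOKEN_KEY,
    "oauth_verifier": "3eff1ae4de6f924014b88e489a41e88da8ed1ba8bd5ad7684a71579d7e97f4ee",
    "oauth_nonce": "wjRgXQPWhYtKl0A7bO8Z",
    "oauth_timestamp": "1576079512",
    "oauth_signature_method": "HMAC-SHA256",
    "oauth_version": "1.0",
}

def pct(value: str) -> str:
    """Percent-encode everything except the RFC 3986 unreserved characters."""
    return quote(value, safe="-._~")

def base_string(method: str, url: str, params: dict) -> str:
    """<method>&<encoded URI>&<encoded string of sorted, &-joined parameters>."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def signing_key(consumer_secret: str, token_secret: str) -> str:
    """Consumer secret and token secret joined by '&' (both present in Step Three)."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"

def sign(base: str, key: str) -> str:
    """HMAC-SHA256 over the base string, Base64-encoded, then percent-encoded."""
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha256).digest()
    return pct(base64.b64encode(digest).decode())

def verify(received: str, base: str, key: str) -> bool:
    """Recompute the signature and compare it in constant time."""
    return hmac.compare_digest(received, sign(base, key))

if __name__ == "__main__":
    base = base_string("POST", URL, PARAMS)
    print(sign(base, signing_key(CONSUMER_SECRET, TOKEN_SECRET)))
```

Run as a script, it prints the signature for these sample values so it can be compared with the result shown in Generating the Signature for Step Three.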