I am not very familiar with the OAuth flow and/or encoding, but I’ve managed to get my site (somewhat) working as an OAuth provider.
I say somewhat because for a long time I was getting the "Invalid signature" error when using the access token to fetch the protected information (I successfully got a request token, authorized it and got the access token).
So I looked a little at the signature generation method (I am using Drupal 7 and some undocumented modules). The code is:
public function build_signature($request, $consumer, $token) {
  // Signature base string: HTTP method, base URL and normalized request
  // parameters, each percent-encoded and joined with '&'.
  $base_string = $request->get_signature_base_string();
  $request->base_string = $base_string;
  // Signing key: consumer secret and token secret, each RFC 3986
  // percent-encoded, joined with '&'. On the initial request-token call
  // there is no token yet, so the second part is empty and the key ends in '&'.
  $key_parts = array(
    $consumer->secret,
    ($token) ? $token->secret : "" // the token object has a key and a secret property
  );
  $key_parts = OAuthUtil::urlencode_rfc3986($key_parts);
  $key = implode('&', $key_parts);
  // HMAC over the base string with that key ($this->algo is the hash name,
  // e.g. 'sha1'); TRUE asks for the raw digest, which is then base64-encoded.
  return base64_encode(hash_hmac($this->algo, $base_string, $key, TRUE));
}
So this is using the $token secret to generate the signature for the request (plus the $base_string, which is not important).
So I guess my question really is: does an application (client) that uses my OAuth provider need to know the access token secret in order to work? Is the secret public information (I'm guessing not, hence the name)? What am I doing wrong here?
Yes, they do.
The access token secret (as well as the consumer secret) is used to sign the signature base string on the client side in subsequent requests to access protected resources, the same way it is done on the server side when the signature is verified.
The OAuth 1.0 specification also states that the OAuth provider must return the access token secret when the access token has been generated; see section 6.3.2 of the spec.
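As an added example that is not code from the question, the answer, or the Drupal modules, the following Python script does the same signing key construction as the build_signature() method above, once from the client side (signing) and once from the provider side (verifying), so you can see why a client that never learned oauth_token_secret gets "Invalid signature". Python is used here only because it runs stand-alone; the function names are my own. The request being signed is the example from RFC 5849 section 3.4.1.1, and the two secrets are sample values.

```python
# Added example: OAuth 1.0 HMAC-SHA1 signing (client) and verification
# (provider). Both sides must use the same key "consumer_secret&token_secret".
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote

# Sample secrets constructed for this example (never reuse real ones).
CONSUMER_SECRET = "j49sk3j29djd"
TOKEN_SECRET = "dh893hdasih9"


def pct_encode(s: str) -> str:
    """RFC 3986 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unencoded."""
    return quote(s, safe="")


def collect_parameters(query: str, body: str, oauth_params: dict) -> list:
    """Gather every parameter the signature covers (query string, form body
    and the oauth_* protocol parameters), percent-decoded. 'realm' and
    'oauth_signature' itself are excluded."""
    params = parse_qsl(query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items()
               if k not in ("realm", "oauth_signature")]
    return params


def signature_base_string(method: str, base_url: str, params: list) -> str:
    """METHOD&encode(base_url)&encode(normalized parameters), where the
    parameters are encoded, sorted by name then value, and joined with '&'."""
    encoded = sorted((pct_encode(k), pct_encode(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct_encode(base_url), pct_encode(normalized)])


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    """encode(consumer_secret)&encode(token_secret). For the request-token
    call there is no token yet, so the key is just 'consumer_secret&'."""
    return pct_encode(consumer_secret) + "&" + pct_encode(token_secret)


def hmac_sha1_signature(base_string: str, consumer_secret: str,
                        token_secret: str = "") -> str:
    """Client side: HMAC-SHA1 over the base string, raw digest base64-encoded."""
    key = signing_key(consumer_secret, token_secret).encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_signature(presented: str, base_string: str, consumer_secret: str,
                     token_secret: str = "") -> bool:
    """Provider side: recompute with the secrets stored for this consumer and
    token, then compare in constant time."""
    expected = hmac_sha1_signature(base_string, consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode("ascii"), presented.encode("ascii"))


def demo():
    # Request from RFC 5849 section 3.4.1.1:
    #   POST /request?b5=%3D%253D&a3=a&c%40=&a2=r%20b   (Host: example.com)
    #   body "c2&a3=2+q", plus the oauth_* parameters of the Authorization header.
    query = "b5=%3D%253D&a3=a&c%40=&a2=r%20b"
    body = "c2&a3=2+q"
    oauth_params = {
        "realm": "Example",
        "oauth_consumer_key": "9djdj82h48djs9d2",
        "oauth_token": "kkk9d7dh3k39sjv7",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "137131201",
        "oauth_nonce": "7d8f3e4a",
    }
    params = collect_parameters(query, body, oauth_params)
    base = signature_base_string("POST", "http://example.com/request", params)

    # A client holding both secrets produces a signature the provider accepts.
    good = hmac_sha1_signature(base, CONSUMER_SECRET, TOKEN_SECRET)
    accepted = verify_signature(good, base, CONSUMER_SECRET, TOKEN_SECRET)

    # A client that never received oauth_token_secret signs with "consumer&",
    # which is exactly the "Invalid signature" rejection from the question.
    bad = hmac_sha1_signature(base, CONSUMER_SECRET, "")
    rejected = verify_signature(bad, base, CONSUMER_SECRET, TOKEN_SECRET)
    return base, accepted, rejected


if __name__ == "__main__":
    base, accepted, rejected = demo()
    print(base)
    print("with token secret:   ", "accepted" if accepted else "rejected")
    print("without token secret:", "accepted" if rejected else "rejected")
```

The token secret travels to the client exactly once, in the access token response alongside oauth_token; the client stores it and uses it only as key material, and it never appears as a parameter in later requests. If your provider's access token endpoint omits oauth_token_secret, or the client library drops it, the two sides end up with different keys and every protected-resource request fails verification no matter how correct the base string is.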