I am trying to verify an OAuth signature generated in code against a “known reputable source”. All my steps are verified correct except the last, wherein a ‘base signature string’ is HMAC-SHA1 hashed against a secret key and then base64 encoded.

I have confirmed that my hash value is the same as expected by the algorithm. I then disconfirmed that my base64 encode was the same. Attempting to determine why my encode failed, I wanted to check the encoder I was using.

Here is the (hash) string being base64 encoded:

203ebb13a65cccaae5cb1b9d5af51fe41f534357

Here is the base64 encode that results in my code:

MjAzZWJiMTNhNjVjY2NhYWU1Y2IxYjlkNWFmNTFmZTQxZjUzNDM1Nw==

According to http://www.motobit.com/util/base64-decoder-encoder.asp, that is the correct result:

But, according to http://www.online-convert.com/result/096d7b00138f3726daee5f6ddb107a62 (provided with the secret and base string, not the hash), a different base64 should have been output. Note that the hash output is my correct hash despite the difference in base64:

Finally, the “official” tester (http://hueniverse.com/oauth/guide/authentication/) outputs a third different base64 from the same hash:

I have no idea what I’m doing wrong, and the fact that these tools are outputting different results makes me wonder if there is in fact such a thing as base64 encoding or if they are actually using different algorithms? Perhaps the fact that it’s for OAuth would help you help me identify the answer.

Thanks for any leads from the wise.