1

I'm pretty familiar with REST APIs; however, this one is giving me a bit of a headache. I'm trying to migrate my OAuth 1.0 tokens into OAuth 2.0 tokens using this documentation: https://developer.xero.com/documentation/oauth2/migrate.

The request:

POST https://api.xero.com/oauth/migrate
Content-Type: application/json
Authorization: OAuth oauth_consumer_key="your_consumer_key", oauth_token="your_access_token", 
    oauth_signature_method="RSA-SHA1", oauth_signature="your_signature", oauth_timestamp="1456175435", 
    oauth_nonce="83fd12eb-f578-4403-bd55-247b66efa11a", oauth_version="1.0"

Body: {
    "scope":"your_oauth_2_scopes + offline_access",
    "client_id":"your_app_client_id",
    "client_secret":"your_app_client_secret"
}

I'm trying to write a script in Go that will make the POST request, grab the data and update our database.

Now what I'm confused about is the Authorization Header.

How do I fill in the information required? More specifically the oauth_signature, oauth_timestamp and oauth_nonce. I have little experience working with OAuth 1.0a and would love to understand the flow.

Thanks!

Edit: trying to make use of this library https://godoc.org/github.com/gomodule/oauth1/oauth#example-Client-SetAuthorizationHeader

Nighthee

1 Answer

3

The OAuth1.0a signature is a set of key-value pairs, signed with your private key. This example migration app should give you an idea of the steps that need to be taken to build up the signature, even though it's not Go: OAuth1.0a => OAuth 2 token migration example.

There's also a Xero GoLang SDK that you can dig into to help with auth code: xerogolang

The nonce is a random single-use string that needs to be the same in your header and in the signature. The timestamp is the current date-time, in seconds since epoch, which also needs to be the same in your header and in the signature.

rustyskates
  • Thank you, I can definitely convert this into Go. But is the nonce something I randomly generate on my own? I'm unfamiliar with the concept. – Nighthee Feb 04 '20 at 17:44
  • Yup, you should generate it yourself - you just need to make sure you have a different one (i.e. re-generate it) for every request you create. – rustyskates Feb 04 '20 at 17:54
  • Hey, back with a few more questions. The oauth_token that I'm supposed to give, is it the OAuth 1.0 token I'm trying to give for OAuth 2.0 tokens? Also it keeps giving me a 500 server error or 401 failed to validate signature error. I've hashed the base string with sha1 and used RSA to sign it using x509.ParsePKCS1PrivateKey and then rsa.SignPKCS1v15 from Go. Any help would be appreciated! – Nighthee Feb 07 '20 at 19:08
  • Have you converted to Base64 after signing? – rustyskates Feb 09 '20 at 20:05
  • Yes, I convert it to base64 after signing it. However, after downloading and using yours I realized I'm just using the contents of privatekey.pem, while yours uses the private_public_key.pfx file. Is there a difference? Also, do you have any documentation on refreshing expired OAuth 1.0 tokens? The Xero docs don't tell me much and the golang repo tells me less; the refreshtoken function only returns Nil and an error. – Nighthee Feb 10 '20 at 18:53
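Added example (not part of the thread above, and not code from Xero or its SDK): a Go sketch of the steps the answer and comments describe for an RSA-SHA1 signed OAuth 1.0a request, following RFC 5849. The names `enc`, `join`, `AuthHeader` and `demoKey` are hypothetical, the key is a constructed throwaway generated at start-up, and the consumer key and token are the placeholders from the question.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"net/url"
	"sort"
	"strings"
	"time"
)

// enc percent-encodes per RFC 5849 section 3.6 (only A-Z a-z 0-9 - . _ ~ stay literal).
func enc(s string) string { return strings.ReplaceAll(url.QueryEscape(s), "+", "%20") }
// join renders parameters sorted by name as name=<q>value<q>, separated by sep.
func join(p map[string]string, q, sep string) string {
	keys := make([]string, 0, len(p))
	for k := range p {
		keys = append(keys, k)
	}
	sort.Strings(keys) // names here are plain ASCII, so raw and encoded order agree
	for i, k := range keys {
		keys[i] = enc(k) + "=" + q + enc(p[k]) + q
	}
	return strings.Join(keys, sep)
}
// AuthHeader signs with RSA-SHA1; the nonce and timestamp it signs are the ones it sends.
func AuthHeader(key *rsa.PrivateKey, method, rawURL, consumerKey, token, nonce string, ts int64) (string, error) {
	p := map[string]string{
		"oauth_consumer_key": consumerKey, "oauth_token": token, "oauth_version": "1.0",
		"oauth_signature_method": "RSA-SHA1", "oauth_nonce": nonce, "oauth_timestamp": fmt.Sprint(ts),
	}
	base := method + "&" + enc(rawURL) + "&" + enc(join(p, "", "&")) // a JSON body is not signed
	digest := sha1.Sum([]byte(base))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	p["oauth_signature"] = base64.StdEncoding.EncodeToString(sig)
	return "OAuth " + join(p, `"`, ", "), nil
}
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key, stands in for the app's key
func main() {
	nonce := make([]byte, 16)
	rand.Read(nonce) // fresh random nonce for every request
	fmt.Println(AuthHeader(demoKey, "POST", "https://api.xero.com/oauth/migrate", "your_consumer_key", "your_access_token", fmt.Sprintf("%x", nonce), time.Now().Unix()))
}
```

A "failed to validate signature" response generally means the server rebuilt a different base string, so the percent-encoding, the parameter order and the exact URL are the first things to compare.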