Here are test cases for OAuth algorithms.
To discuss this page, please use the Test Cases thread in the Google Group OAuth.
There are several interactive tools that implement OAuth algorithms:
In this table, U+xxxx means the character whose Unicode code point is xxxx (in hexadecimal notation).
parameter name or value | encoded |
abcABC123 | abcABC123 |
-._~ | -._~ |
% | %25 |
+ | %2B |
&=* | %26%3D%2A |
U+000A (LF) | %0A |
U+0020 (space) | %20 |
U+007F | %7F |
U+0080 | %C2%80 |
U+3001 | %E3%80%81 |
In this table, parameters are shown as a document of MIME type application/x-www-form-urlencoded that conforms to HTML 4.01 section 17.13.4.1. Note that '+' represents a space, in the parameters column (as in a URL query string).
parameters | normalized |
name | name= |
a=b | a=b |
a=b&c=d | a=b&c=d |
a=x!y&a=x+y | a=x%20y&a=x%21y |
x!y=a&x=a | x=a&x%21y=a |
In this table, parameters are shown as a document of MIME type application/x-www-form-urlencoded that conforms to HTML 4.01 section 17.13.4.1, with some white space inserted for legibility.
Consumer Secret | Token Secret | Base String | Signature |
cs | bs | egQqG5AJep5sJ7anhXju1unge2I= | |
cs | ts | bs | VZVjXceV7JgPq/dOTnNmEfO0Fv8= |
kd94hf93k423kf44 | pfkkdhi9sl3r4s00 | GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal | tR3+Ty81lMeYAr/Fid0kMTYa/WM= |
Consumer Key: | dpf43f3p2l4k3l03 |
Private Key (PKCS#8 and Base64-encoded): |
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALRiMLAh9iimur8V A7qVvdqxevEuUkW4K+2KdMXmnQbG9Aa7k7eBjK1S+0LYmVjPKlJGNXHDGuy5Fw/d 7rjVJ0BLB+ubPK8iA/Tw3hLQgXMRRGRXXCn8ikfuQfjUS1uZSatdLB81mydBETlJ hI6GH4twrbDJCR2Bwy/XWXgqgGRzAgMBAAECgYBYWVtleUzavkbrPjy0T5FMou8H X9u2AC2ry8vD/l7cqedtwMPp9k7TubgNFo+NGvKsl2ynyprOZR1xjQ7WgrgVB+mm uScOM/5HVceFuGRDhYTCObE+y1kxRloNYXnx3ei1zbeYLPCHdhxRYW7T0qcynNmw rn05/KO2RLjgQNalsQJBANeA3Q4Nugqy4QBUCEC09SqylT2K9FrrItqL2QKc9v0Z zO2uwllCbg0dwpVuYPYXYvikNHHg+aCWF+VXsb9rpPsCQQDWR9TT4ORdzoj+Nccn qkMsDmzt0EfNaAOwHOmVJ2RVBspPcxt5iN4HI7HNeG6U5YsFBb+/GZbgfBT3kpNG WPTpAkBI+gFhjfJvRw38n3g/+UeAkwMI2TJQS4n8+hid0uus3/zOjDySH3XHCUno cn1xOJAyZODBo47E+67R4jV1/gzbAkEAklJaspRPXP877NssM5nAZMU0/O/NGCZ+ 3jPgDUno6WbJn5cqm8MqWhW1xGkImgRk+fkDBquiq4gPiT898jusgQJAd5Zrr6Q8 AO/0isr/3aa6O6NLQxISLKcPDk2NOccAfS/xOtfOz4sJYM3+Bs4Io9+dZGSDCA54 Lw03eHTNQghS0A== |
Certificate: |
-----BEGIN CERTIFICATE----- MIIBpjCCAQ+gAwIBAgIBATANBgkqhkiG9w0BAQUFADAZMRcwFQYDVQQDDA5UZXN0 IFByaW5jaXBhbDAeFw03MDAxMDEwODAwMDBaFw0zODEyMzEwODAwMDBaMBkxFzAV BgNVBAMMDlRlc3QgUHJpbmNpcGFsMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB gQC0YjCwIfYoprq/FQO6lb3asXrxLlJFuCvtinTF5p0GxvQGu5O3gYytUvtC2JlY zypSRjVxwxrsuRcP3e641SdASwfrmzyvIgP08N4S0IFzEURkV1wp/IpH7kH41Etb mUmrXSwfNZsnQRE5SYSOhh+LcK2wyQkdgcMv11l4KoBkcwIDAQABMA0GCSqGSIb3 DQEBBQUAA4GBAGZLPEuJ5SiJ2ryq+CmEGOXfvlTtEL2nuGtr9PewxkgnOjZpUy+d 4TvuXJbNQc8f4AMWL/tO9w0Fk80rWKp9ea8/df4qMq5qlFWlx6yOLQxumNOmECKb WpkUQDIDJEoFUzKMVuJf4KO/FJ345+BNLGgbJ6WujreoM1X/gYfdnJ/J -----END CERTIFICATE----- |
HTTP URL: | http://photos.example.net/photos |
Parameters | oauth_signature_method=RSA-SHA1, oauth_version=1.0, oauth_consumer_key=dpf43f3p2l4k3l03, oauth_timestamp=1196666512, oauth_nonce=13917289812797014437, file=vacaction.jpg, size=original |
Base String: |
GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacaction.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3D13917289812797014437%26oauth_signature_method%3DRSA-SHA1%26oauth_timestamp%3D1196666512%26oauth_version%3D1.0%26size%3Doriginal |
Signature: |
jvTp/wX1TYtByB1m+Pbyo0lnCOLIsyGCH7wke8AUs3BpnwZJtAuEJkvQL2/9n4s5wUmUl4aCI4BwpraNx4RtEXMe5qg5T1LVTGliMRpKasKsW//e+RinhejgCuzoH26dyF8iY2ZZ/5D1ilgeijhV/vBka5twt399mXwaYdCwFYE= |
Complete signed URL: |
http://photos.example.net/photos?oauth_signature_method=RSA-SHA1&oauth_version=1.0&oauth_consumer_key=dpf43f3p2l4k3l03&oauth_timestamp=1196666512&oauth_nonce=13917289812797014437&file=vacaction.jpg&size=original&oauth_signature=jvTp%2FwX1TYtByB1m%2BPbyo0lnCOLIsyGCH7wke8AUs3BpnwZJtAuEJkvQL2%2F9n4s5wUmUl4aCI4BwpraNx4RtEXMe5qg5T1LVTGliMRpKasKsW%2F%2Fe%2BRinhejgCuzoH26dyF8iY2ZZ%2F5D1ilgeijhV%2FvBka5twt399mXwaYdCwFYE%3D |
1 Note that HTTP does not allow empty absolute paths, so the URL 'http://example.com' is equivalent to 'http://example.com/' and should be treated as such for the purposes of OAuth signing (rfc2616, section 3.2.1)