
I'm able to consume APIs (OAuth 1.0 authorization with HMAC-SHA256 as the signature method) in Postman, but it is not working in Java (Maven project). I generated code from Postman with the OkHttp & Unirest libraries; both are not working. They give the following error.

403 Forbidden

I understand the error is related to invalid authentication parameters, but I am not able to figure out what needs to be changed, because the same keys are working in Postman.

OkHttp JAVA Code

```java
OkHttpClient client = new OkHttpClient().newBuilder().build();
MediaType mediaType = MediaType.parse("application/json");
String url = "https://www.example.com?script=508&deploy=1";
String JSONpayload = "{}";
RequestBody body = RequestBody.create(mediaType, JSONpayload);
Request request = new Request.Builder()
  .url(url)
  .method("POST", body)
  .addHeader("Content-Type", "application/json")
  .addHeader("Authorization", "OAuth realm=\"1111222_SB1\",oauth_consumer_key=\"xxxxxxxxx\",oauth_token=\"xxxxxxxx\",oauth_signature_method=\"HMAC-SHA256\",oauth_timestamp=\"1628747273\",oauth_nonce=\"xxxxxx\",oauth_version=\"1.0\",oauth_signature=\"xxxxxxxxxxx\"")
  .addHeader("Cookie", "NS_ROUTING_VERSION=LAGGING")
  .build();
Response response = client.newCall(request).execute();
```

Unirest JAVA Code

```java
Unirest.setTimeouts(0, 0);
String url = "https://www.example.com?script=508&deploy=1";
String JSONpayload = "{}";
HttpResponse<String> response = Unirest.post(url)
  .header("Content-Type", "application/json")
  .header("Authorization", "OAuth realm=\"1114415_SB1\",oauth_consumer_key=\"xxxxxxxxxx\",oauth_token=\"xxxxxxxxxxx\",oauth_signature_method=\"HMAC-SHA256\",oauth_timestamp=\"1628747273\",oauth_nonce=\"xxxxxxxx\",oauth_version=\"1.0\",oauth_signature=\"xxxxxxxx\"")
  .header("Cookie", "NS_ROUTING_VERSION=LAGGING")
  .body(JSONpayload).asString();
```

Any kind of help is appreciated. Thanks in advance.

Pankaj
  • oauth1 is very particular about signatures matching headers precisely. You can't expect to copy an existing signature and reuse it, you need to generate the signature in client code exactly for the request as submitted. – Yuri Schimke Aug 13 '21 at 05:50
  • I'm able to generate the valid HMAC-SHA256 signature, timestamp & nonce. Added them to the Authorization header. **Now the APIs give a 200 response sometimes**. The signature, timestamp & nonce are updated each time. It toggles between 403 & 200. Any idea why there is uncertain behavior? How to fix that? – Pankaj Aug 20 '21 at 15:29
  • There is no specific pattern with the 200/403 response. Randomly it gives any one of them. In Postman, the APIs constantly give a 200 response. Not able to figure out what additional configuration needs to be done here. – Pankaj Aug 20 '21 at 15:38
  • I suggest raising it with the server host. – Yuri Schimke Aug 23 '21 at 07:33

0 Answers
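The first comment's point, that the signature must be generated in client code for the exact request being sent, shown as an added example (not code from the question or from any commenter). It assumes the server builds the signature base string as RFC 5849 describes, with SHA-256 as the HMAC hash; the class name, method name, endpoint and credential strings are constructed placeholders.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.math.BigInteger;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;

public class OAuth1Signer {
    // Percent-encoding per RFC 5849 section 3.6 (URLEncoder differs on space, '*' and '~').
    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8)
                .replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    // baseUrl: scheme://host/path without the query string. query: the URL's query parameters.
    // A JSON body is not part of the signature base string (only form-encoded bodies are).
    static String authHeader(String method, String baseUrl, Map<String, String> query, String realm,
            String consumerKey, String consumerSecret, String token, String tokenSecret) throws Exception {
        Map<String, String> oauth = new TreeMap<>();
        oauth.put("oauth_consumer_key", consumerKey);
        oauth.put("oauth_token", token);
        oauth.put("oauth_signature_method", "HMAC-SHA256");
        oauth.put("oauth_timestamp", Long.toString(System.currentTimeMillis() / 1000L)); // fresh per request
        oauth.put("oauth_nonce", new BigInteger(128, new SecureRandom()).toString(16));   // fresh per request
        oauth.put("oauth_version", "1.0");

        // Signed set = oauth_* + query parameters (realm excluded), encoded, then sorted by name.
        // Assumes parameter names are unique; duplicates would also need sorting by value.
        Map<String, String> signed = new TreeMap<>();
        oauth.forEach((k, v) -> signed.put(enc(k), enc(v)));
        query.forEach((k, v) -> signed.put(enc(k), enc(v)));
        StringJoiner params = new StringJoiner("&");
        signed.forEach((k, v) -> params.add(k + "=" + v));

        String baseString = method.toUpperCase() + "&" + enc(baseUrl) + "&" + enc(params.toString());
        String key = enc(consumerSecret) + "&" + enc(tokenSecret);
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        String sig = Base64.getEncoder().encodeToString(mac.doFinal(baseString.getBytes(StandardCharsets.UTF_8)));

        StringBuilder h = new StringBuilder("OAuth realm=\"" + realm + "\"");
        oauth.forEach((k, v) -> h.append(',').append(k).append("=\"").append(enc(v)).append('"'));
        return h.append(",oauth_signature=\"").append(enc(sig)).append('"').toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder values, not real credentials or a real endpoint.
        Map<String, String> query = Map.of("script", "508", "deploy", "1");
        System.out.println(authHeader("POST", "https://www.example.com/", query, "REALM_PLACEHOLDER",
                "CONSUMER_KEY", "CONSUMER_SECRET", "TOKEN_ID", "TOKEN_SECRET"));
    }
}
```

The returned string is the value for the `Authorization` header and has to be computed again for every request, since the timestamp and nonce change each time.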