Jaspal Saini - 2 years ago
PHP Question

How to generate oauth_signature in Experian API

I want to generate the oauth_signature in PHP, but the Experian documentation is written in .NET. I tried to ask the Experian developer, but he does not respond well. I use the following code to develop the oauth_signature:

$timestamp = 1461944620; // timestamp

$nonce = 3774707; // nonce

$consumerKey = "e172b7b1-056f-48be-aeca-a641a60c88ea"; // consumer key - provided by experian dev.

$consumerSecret = "1c339256-2e1c-48bb-82c2-8e33abe550fd"; // consumer secret - provided by experian dev.

$url = "https://demo.backgroundchecking.com/API/Service/ProductCodes"; // Url - provided by experian dev.

$httpMethod = "GET";

$params = "oauth_consumer_key=".$consumerKey."&oauth_nonce=".$nonce."&oauth_signature_method=HMAC-SHA1&oauth_timestamp=".$timestamp."&oauth_version=1.0";

$urlEncoded = urlencode($url); // Url encoding

$paramsEncoded = urlencode($params); // Url encoding

$signatureBase = $httpMethod."&".$urlEncoded."&".$paramsEncoded; // signature base - generated according to your documents

$key = urlencode($consumerSecret)."&"; //mysecretkey& - url encoding secret key followed by ampersand

$signatureBytes=hash_hmac("sha1", $signatureBase, $key); // converting into sha1

$signature = base64_encode($signatureBytes); // base64 encryption

$signatureEncoded = urlencode($signature); // signature url encoding. This is the final signature, which does not match your signature, as I described in my previous email.

I have got the signature "NjdhNTUyMDU2Y2M2MDcyMTQ2ZDNkZWFjYjUxODVlOGQ3MGZlZWM1Mg%3D%3D", but the Experian developer said that using the above details it must generate the oauth signature "Z6VSBWzGByFG096stRhejXD%2b7FI%3d".

Following is the documentation to generate the oauth_signature:

Manually generating the signature

1. We need to sort the query parameters in alphabetical order and add a few more parameters, then combine them into a string. This string looks like a standard query string, though you are not actually going to send this to the server as is.
It is important that the string looks exactly like this with only the three values in italics replaced with your values.

2. We need to generate a Signature Base string that can be hashed. This string consists of the HTTP Method, the URL encoded URL and the URL encoded query string.

Assuming that you are POSTing to “above provide url (demo.backgroundchecking.com/API/Service/ProductCodes)” then the Signature Base would look like this (line breaks for readability only, this should all be one line):
POST&
https%3A%2F%2Fuat.backgroundchecking.com%2FAPI%2FData%2FRequestData&
oauth_consumer_key%3Dmyconsumerkey%26oauth_nonce%3D123456%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D999999%26oauth_version%3D1.0

As you can see, the Signature Base string consists of three separate elements, the HTTP Method, the URL and the parameters from step 1, all separated by &.
It is important that you URL encode each of these three parts before you combine them into the Signature Base string, otherwise the separating & will also be encoded and your request will fail. Do also note that the hex values must be in upper case, i.e. %2F rather than %2f.
NOTE the uat.backgroundchecking.com in this example which of course needs to be changed to the appropriate URL for the system you are using.

As another example, if you were GETing from demo.backgroundchecking.com/API/Service/ProductCodes then the Signature Base string would look something like this (the method and the URL are different):

3. Next we need to get the Key for generating the hash. The key is the Consumer Secret followed by an ampersand, so "mysecretkey&" for example. Note that if the consumer key contains characters that are not legal in a URL then you need to URL encode the consumer key before you add the ampersand.

4. We then need to generate the HMAC-SHA1 hash and return it as a Base64 encoded string. This is normally done via a library. Generally speaking, you should expect to convert both the Key and Signature Base to byte arrays using ASCII encoding and then generate a hash of the Signature Base using the Key from step 3.

5. Because Base64 includes certain characters that are not legal in URLs, we need to URL Encode the hash before it is ready for use.

An example is:
Add-Type -AssemblyName System.Web # loads the assembly that provides System.Web.HttpUtility
[int]$timestamp = ((Get-Date).ToUniversalTime() - (Get-Date -Date "1970-01-01 00:00:00Z").ToUniversalTime()).TotalSeconds
$timestamp = 999999 #override with our sample value
$nonce = 123456 #in production, make sure this is random on each request
$consumerKey = "myconsumerkey"
$consumerSecret = "mysecretkey"
$url = "..." # same as above provided
$httpMethod = "POST"
$regex = [regex] '%[a-f0-9]{2}' # oAuth requires hex values to be in upper case, .NET defaults to lower case so we need to do some magic with regex
$params = "oauth_consumer_key=" + $consumerKey + "&oauth_nonce=" + $nonce + "&oauth_signature_method=HMAC-SHA1&oauth_timestamp=" + $timestamp + "&oauth_version=1.0"
$urlEncoded = $regex.Replace([System.Web.HttpUtility]::UrlEncode($url), { param ($m) $m.Value.ToUpperInvariant()})
$paramsEncoded = $regex.Replace([System.Web.HttpUtility]::UrlEncode($params), { param ($m) $m.Value.ToUpperInvariant()})
$signatureBase = $httpMethod + "&" + $urlEncoded + "&" + $paramsEncoded
$key = $regex.Replace([System.Web.HttpUtility]::UrlEncode($consumerSecret), { param ($m) $m.Value.ToUpperInvariant()}) + "&"
$hmacsha = New-Object System.Security.Cryptography.HMACSHA1
$hmacsha.key = [Text.Encoding]::ASCII.GetBytes($key)
$signatureBytes=$hmacsha.ComputeHash([Text.Encoding]::ASCII.GetBytes($signatureBase))
$signature= [System.Convert]::ToBase64String($signatureBytes)
$signatureEncoded = $regex.Replace([System.Web.HttpUtility]::UrlEncode($signature), { param ($m) $m.Value.ToUpperInvariant()})

Please help.

Answer Source
$timestamp = time(); 
$nonce = 5678765; 
$consumerKey = "consumerkey"; 
$consumerSecret = "secret"; 
$url = "demo.backgroundchecking.com/API/Service/ProductCodes";
$httpMethod = "GET"; 
$params = "oauth_consumer_key=".$consumerKey."&oauth_nonce=".$nonce."&oauth_signature_method=HMAC-SHA1&oauth_timestamp=".$timestamp."&oauth_version=1.0";
$urlEncoded = urlencode($url); 
$paramsEncoded = urlencode($params); 
$signatureBase = $httpMethod."&".$urlEncoded."&".$paramsEncoded; 
$key = urlencode($consumerSecret)."&"; 
$signature = urlencode(base64_encode(hash_hmac('sha1', $signatureBase, $key, true)));
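
As an added example (not part of the answer above or of Experian's documentation), here are the five documented steps as PHP functions, followed by a check on the two signatures quoted in the question: the value the asker got is the Base64 of the 40-character hex text of the digest, and Base64-encoding the 20 bytes that hex spells out gives the value the developer expected. The function names, the random numeric nonce and the placeholder credentials are assumptions of this example.

```php
<?php
// Added example; function names are hypothetical, not Experian's.

// Step 1: the fixed parameter set, sorted alphabetically by name.
function oauth_params(string $consumerKey, string $nonce, int $timestamp): string
{
    $p = [
        'oauth_consumer_key'     => $consumerKey,
        'oauth_nonce'            => $nonce,
        'oauth_signature_method' => 'HMAC-SHA1',
        'oauth_timestamp'        => (string) $timestamp,
        'oauth_version'          => '1.0',
    ];
    ksort($p);
    $pairs = [];
    foreach ($p as $name => $value) {
        $pairs[] = $name . '=' . $value;
    }
    return implode('&', $pairs);
}

// Step 2: encode each part on its own, then join with a literal "&".
function signature_base(string $method, string $url, string $params): string
{
    return strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode($params);
}

// Steps 3-5: the key is the encoded secret plus "&"; the HMAC must be raw bytes.
function oauth_signature(string $base, string $consumerSecret): string
{
    $key = rawurlencode($consumerSecret) . '&';
    $raw = hash_hmac('sha1', $base, $key, true); // true = 20 raw bytes, not 40 hex chars
    return rawurlencode(base64_encode($raw));
}

// The two signatures quoted in the question.
$got      = base64_decode(rawurldecode('NjdhNTUyMDU2Y2M2MDcyMTQ2ZDNkZWFjYjUxODVlOGQ3MGZlZWM1Mg%3D%3D'));
$expected = rawurldecode('Z6VSBWzGByFG096stRhejXD%2b7FI%3d');
// $got is hex text; pack it back into bytes and Base64 those instead.
$repaired = base64_encode(hex2bin($got));
echo hash_equals($expected, $repaired) ? "same digest\n" : "different digest\n";

// Signing a request with a fresh random nonce (placeholder credentials).
$params = oauth_params('myconsumerkey', (string) random_int(100000, 999999999), time());
$base   = signature_base('GET', 'https://demo.backgroundchecking.com/API/Service/ProductCodes', $params);
echo oauth_signature($base, 'mysecretkey'), "\n";
```

PHP's rawurlencode emits upper-case hex (%2B, %3D), as the quoted documentation requires, while the developer's string shows .NET's lower-case %2b and %3d, so compare the decoded values rather than the encoded strings.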