This is specified by http://oauth.net/core/1.0a#signing_process (look
for 'Verifying Signature' for each of the signature methods).
Software that implements it in several languages is available.

For HMAC signature methods, you'll need the consumer secret and token
secret (in addition to the request parameters).  I would guess the
token secret is empty, but I'm not familiar with OpenSocial.

Some fine points: don't include the oauth_signature in the signature
base string.  Decode the other parameters and re-encode them into the
signature base string.  Decode the oauth_signature and use the
resulting binary value to verify the signature.

On Jul 24, 7:55 am, jaap <[email protected]> wrote:
> I'm creating an opensocial widget. The widget can make SIGNED requests
> to an arbitrary url. The signing is done by the opensocial container.
> The result is a request which is enriched with these attributes:
> * opensocial_owner_id
> * opensocial_viewer_id
> * opensocial_app_id
> * oauth_consumer_key
> * oauth_token (empty)
> * xoauth_signature_publickey
> * oauth_signature_method
> * oauth_nonce
> * oauth_timestamp
> * oauth_signature
>
> I want to verify that the request is genuine. I think this should
> be possible with the oauth signature and the public key, but I don't
> know where I should begin!
> Can someone please explain how I should verify the signature against
> the request? It's probably somewhere in the oauth documentation but I
> couldn't find it between all the other use cases of oauth (i.e.
> requesting a token and using it).

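The fine points in the reply above, worked through for HMAC-SHA1 as an added example (not code from the thread or from any OAuth library): the base string leaves out oauth_signature, the other parameters are re-encoded, and the received signature is base64-decoded and compared as a binary value. The secret, URL and parameter values are constructed, and the function names are hypothetical.

```python
import base64, binascii, hashlib, hmac
from urllib.parse import quote, urlsplit

def enc(value):
    # OAuth 1.0a encoding: only RFC 3986 unreserved characters stay literal.
    return quote(value, safe="-._~")

def base_string(method, url, params):
    # params: decoded (name, value) pairs from the query string and form body.
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.hostname.lower()
    if parts.port and parts.port != {"http": 80, "https": 443}.get(scheme):
        host += ":%d" % parts.port
    base_url = "%s://%s%s" % (scheme, host, parts.path or "/")
    # Leave out oauth_signature, re-encode the rest, sort by name then value.
    pairs = sorted((enc(k), enc(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join("%s=%s" % pair for pair in pairs)
    return "&".join([method.upper(), enc(base_url), enc(normalized)])

def hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    # Key is the two encoded secrets joined by "&", even when the token secret is empty.
    key = enc(consumer_secret) + "&" + enc(token_secret)
    text = base_string(method, url, params)
    return hmac.new(key.encode("ascii"), text.encode("ascii"), hashlib.sha1).digest()

def verify(method, url, params, consumer_secret, token_secret=""):
    supplied = [v for k, v in params if k == "oauth_signature"]
    if len(supplied) != 1:
        return False
    try:
        received = base64.b64decode(supplied[0], validate=True)  # binary value
    except (binascii.Error, ValueError):
        return False
    expected = hmac_sha1(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, received)  # constant-time comparison

# Constructed sample request and secret (hypothetical values).
SECRET = "constructed-consumer-secret"
URL = "http://Example.org:80/gadget/callback"
PARAMS = [("opensocial_viewer_id", "viewer 42"), ("oauth_consumer_key", "example.org"),
          ("oauth_token", ""), ("oauth_signature_method", "HMAC-SHA1"),
          ("oauth_nonce", "4f2a9c"), ("oauth_timestamp", "1216911300")]
SIGNED = PARAMS + [("oauth_signature",
                    base64.b64encode(hmac_sha1("GET", URL, PARAMS, SECRET)).decode())]

if __name__ == "__main__":
    print(verify("GET", URL, SIGNED, SECRET))  # genuine request
    print(verify("GET", URL, [("opensocial_viewer_id", "x")] + SIGNED[1:], SECRET))  # tampered
```

For RSA-SHA1 the same base string is the message checked against the signer's public key, so only the last step of `verify` changes.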