I use the open-source Jon Crosby Objective-C OAuth library http://code.google.com/p/oauthconsumer/ for some basic HTTP authentication that does not concern tokens, only the consumer key and the consumer secret. My code is great for GET, GET with parameters in the URL, and POST. When I issue a POST request that has parameters in the URL, the request is denied authorization. I am trying to understand why.
The server uses Apache Commons OAuth, so I would like to compare my base line with this library. Here's a far-fetched example and a baseline and signature created by my library. Can anyone understand what the problem is?
consumer key: abcdef
consumer secret: ghijkl
POST request: http://emptyrandomhost.com/a/uriwith/params?interesting=foo&prolific=bar
my base string: POST&http%3A%2F%2Femptyrandomhost.com%2Fa%2Furiwith%2Fparams&interesting%3Dfoo%26oauth_consumer_key%3Dabcdef%26oauth_nonce%3D1%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D2%26oauth_version%3D1.0%26prolific%3Dbar
This data returns the following OAuth header authorization:
Authorization: OAuth oauth_consumer_key="abcdef", oauth_version="1.0", oauth_signature_method="HMAC-SHA1", oauth_timestamp="2", oauth_nonce="1", oauth_signature="Z0PVIz5Lo4eB7aZFT8FE3%2FFlbz0%3D"
And, apparently, my signature is erroneous. The problem should be either in building the baseline, in how the HMAC-SHA1 function is implemented (using Apple CCHmac from CommonHMAC.h, so hopefully this is not the case), or with my Base64Transcoder, which is open source, c. 2003 Jonathan White / Toxic Software. First of all, I suspect the baseline, since requests work for GET and POST and fail only for a POST with URL parameters, as indicated above.
Could someone with more OAuth experience identify the problem above? Something else that would be very helpful is the baseline created by Apache Commons OAuth during their authentication. Thanks.
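A reference calculation to compare against, added here as an example (it is not code from the question, from oauthconsumer, or from the server library): it builds the signature base string and HMAC-SHA1 signature as RFC 5849 specifies, using the values from the question. It assumes the server follows RFC 5849, and it goes slightly beyond the question by also accepting form-body parameters and non-default ports; the function names are illustrative.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """RFC 5849 section 3.6 encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay literal."""
    return quote(value, safe="-._~")


def base_string(method, url, oauth_params, body_params=()):
    """Build the RFC 5849 section 3.4.1 signature base string."""
    parts = urlsplit(url)
    host = parts.hostname
    # Default ports (80 for http, 443 for https) are left out of the base URI.
    if parts.port and (parts.scheme, parts.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{parts.port}"
    base_uri = f"{parts.scheme.lower()}://{host}{parts.path or '/'}"
    # Query-string parameters are signed for every HTTP method, POST included.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += list(oauth_params) + list(body_params)
    encoded = sorted((pct(k), pct(v)) for k, v in pairs if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def sign(base, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string; the key keeps its '&' even with no token."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


# Values taken from the question above.
URL = "http://emptyrandomhost.com/a/uriwith/params?interesting=foo&prolific=bar"
OAUTH = [
    ("oauth_consumer_key", "abcdef"),
    ("oauth_version", "1.0"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "2"),
    ("oauth_nonce", "1"),
]

if __name__ == "__main__":
    base = base_string("POST", URL, OAUTH)
    print(base)
    print(pct(sign(base, "ghijkl")))  # percent-encoded, as sent in the header
```

Running it prints the base string and the percent-encoded signature, which can be compared character by character with the values in the question and with whatever the server side computes for the same request.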