OAuth Signing
Eloqua signs all outgoing calls with OAuth 1.0a so the receiving system, in this case your app, can validate that the call was sent by Eloqua. As an app provider, it's your responsibility to ensure the validity of all inbound calls. Validation should be performed on every inbound call your app receives with OAuth parameters.
When your application receives a call from Eloqua, the following parameters are appended to it:
Parameter | Description | Example value |
oauth_consumer_key | Your app's Client ID | eb954432-a19f-4250-85dd-827a9ddf17db |
oauth_nonce | A random unique number used by the app provider to verify that a request has never been made before, preventing replay attacks. Nonces only need to be unique for all requests using the same timestamp. | 9519484 |
oauth_signature_method | Eloqua uses a keyed-hash message authentication specification known as HMAC-SHA1 to sign outgoing calls. | HMAC-SHA1 |
oauth_timestamp | The timestamp is expressed in Unix time, which is the number of seconds since January 1, 1970 00:00:00 UTC. The timestamp value must be no more than 5 minutes older than your current server time. | 1410986606 |
oauth_version | 1.0 | 1.0 |
oauth_signature | This is the value against which to validate. | AZbD26DeXrEV6iNLqBAxSXwWURg= |
For example, suppose Eloqua makes a call to your app at https://app.example.com/action/create to pass some information: instance_id=768acf98-f0d2-4f1b-8956-bd204de20684&site_id=b379a93e-dd7a-41a1-99be-fffd93c8e4fa. The HTTP call would look something like:
https://app.example.com/action/create?instance_id=768acf98-f0d2-4f1b-8956-bd204de20684&site_id=b379a93e-dd7a-41a1-99be-fffd93c8e4fa&oauth_consumer_key=eb954432-a19f-4250-85dd-827a9ddf17db&oauth_nonce=9519484&oauth_signature_method=HMACSHA1&oauth_timestamp=1410986606&oauth_version=1.0&oauth_signature=xoEGUaC029gD8UWeEOyguxGBkZU%3D
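One way to validate such a call, as an added example that is not Eloqua's own code: it recomputes the HMAC-SHA1 signature as RFC 5849 defines it, then applies the timestamp and nonce rules from the table. Assumptions: the signing key is your app's client secret with no token secret, the HTTP method comes from your web framework, the nonce store is an in-memory set, and the function names are hypothetical.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qsl, quote, urlsplit

MAX_AGE = 300  # seconds; the 5-minute timestamp limit from the table above

def enc(s):
    return quote(s, safe="-._~")  # RFC 5849 encoding: only unreserved chars stay literal

def signature(method, url, client_secret):
    """Recompute the HMAC-SHA1 signature over the request (RFC 5849, section 3.4)."""
    u = urlsplit(url)
    pairs = sorted((enc(k), enc(v))
                   for k, v in parse_qsl(u.query, keep_blank_values=True)
                   if k != "oauth_signature")  # the signature never signs itself
    params = "&".join(f"{k}={v}" for k, v in pairs)
    base_uri = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    base = "&".join([method.upper(), enc(base_uri), enc(params)])
    key = enc(client_secret) + "&"  # assumption: client secret, empty token secret
    mac = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def validate(method, url, client_id, client_secret, seen, now=None):
    """Return (ok, reason); seen is a set of accepted (timestamp, nonce) pairs."""
    q = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    now = time.time() if now is None else now
    if q.get("oauth_consumer_key") != client_id:
        return False, "consumer key mismatch"
    try:
        ts, nonce = int(q["oauth_timestamp"]), q["oauth_nonce"]
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp/nonce"
    if abs(now - ts) > MAX_AGE:  # stale; future-dated is rejected too (added strictness)
        return False, "timestamp outside window"
    # Always HMAC-SHA1, whatever oauth_signature_method claims; compare in constant time.
    expected = signature(method, url, client_secret).encode()
    if not hmac.compare_digest(expected, q.get("oauth_signature", "").encode()):
        return False, "signature mismatch"
    if (ts, nonce) in seen:  # checked after the MAC so forged calls cannot fill the store
        return False, "replayed nonce"
    seen.add((ts, nonce))
    return True, "ok"

if __name__ == "__main__":
    # Constructed request signed with a made-up secret; prints first delivery, then replay.
    cid, secret, seen = "eb954432-a19f-4250-85dd-827a9ddf17db", "constructed-secret", set()
    url = f"https://app.example.com/action/create?oauth_consumer_key={cid}&oauth_nonce=9519484&oauth_timestamp=1410986606"
    url += "&oauth_signature=" + quote(signature("GET", url, secret), safe="")
    for _ in range(2):
        print(validate("GET", url, cid, secret, seen, now=1410986700))
```

In production the nonce store needs to be shared across app instances and can expire entries once their timestamp falls outside the 5-minute window.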