Specifications for Signature Construction for the TBA Authorization Flow
This section contains details about the specifications for creating signatures required for both Step One and Step Three of the TBA authorization flow. For more information about signatures, refer to Section 3.4 of RFC 5849.
As of 2023.1, the support ended for the HMAC-SHA1 signature method.
Encoding
For more information about encoding, refer to Section 3.6 of RFC 5849:
-
For Text values, refer to RFC 3629. Text values must be encoded as UTF-8 octets if they are not already encoded.
-
Values are escaped using the Percent-Encoding (%XX) mechanism:
-
Do not encode characters from the unreserved character set. Refer to Section 2.3 of RFC 3986 for documentation of the unreserved character set.
-
All other characters must be encoded.
-
Two hexadecimal characters used to represent encoded characters must be uppercase.
Important:A blank symbol is encoded as %20 and not as the plus (+) symbol. Be aware that some framework functions may return unwanted results.
-
Request Parameters Normalization
For more information, refer to Section 3.4.1.3.2 of RFC 5849.
-
The parameters that are used include: (refer to Request Parameters, Section 3.4.1.3 of RFC 5849):
-
parameters from the Authorization header (excluding “realm” and “oauth_signature”)
-
parameters from the HTTP request entity body
-
parameters from the query part of the request URL
-
-
Encoding of parameter names and values occurs using the algorithm described in Encoding.
-
Sorting by name is performed using ascending byte value ordering. If names are identical, sorting is done by values.
-
Names and values form pairs separated by the equal (=) symbol, even when there is no value.
-
Pairs are concatenated in the defined order by the ampersand (&) symbol.