Using oauth1.0a two-legged flow, must sign request using RSA-SHA1. Need advice!
Having issues with authentication for Xero accounting software.
Looking for advice on the best way to generate a request string and sign it using RSA-SHA1 and a private certificate? Time is of the essence so just wanted to make sure I’m not overlooking a module that supports this already. I would suppose it’s possible to generate the string and sign it using “Extension - Server-Side Script” module and some Java code but maybe I’m overlooking a simpler way? All API requests will require this auth method so I’ll probably need to create a sub assembly. There are a few native JavaScript libs to accomplish the task but that seems less than ideal…
Docs: https://developer.xero.com/documentation/getting-started/api-application-types
Note: Using a “Private App” that uses a pre-configured x509 .cer certificate keypair which is manually supplied for the “Authorized App”. No token request/exchange is required as in this configuration the Consumer Key acts as a permanent token. Valid requests must use RSA-SHA1 to sign a request that includes a multitude of parameters in specific order and then the signature calculation is passed as a parameter in an authorization header string along with the usual suspects (oauth_timestamp, oauth_nonce, oauth_consumer_key, oauth_signature_method, oauth_token [same as consumer key], etc.). Postman doesn’t support RSA-SHA1 anymore, but I’ve confirmed the format required for the string to sign that results in a valid request by manually signing and creating the proper authorization header.
The second to last post here details the string to sign structure:
https://community.xero.com/developer/discussion/31821/
Found a nice oauth resource here:
http://oauthbible.com/#oauth-10a-two-legged
Thanks in advance, I’m in a bit of a time crunch!
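
The signing step described in the post, as an added Node.js example that is not part of the original post: it builds the signature base string as RFC 5849 defines it, signs it with RSA-SHA1, and assembles the Authorization header. The URL, the consumer key `CK` and the throwaway key pair are constructed demo values, and only query-string parameters are covered (a form-encoded body would add its parameters to the same sorted list).

```javascript
const crypto = require('crypto');

// Percent-encode per RFC 3986 (RFC 5849 section 3.6): only A-Z a-z 0-9 - . _ ~ stay literal.
const enc = (s) => encodeURIComponent(s).replace(/[!*'()]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());

// Signature base string: METHOD & encoded base URI & encoded, sorted parameter list.
function signatureBaseString(method, url, oauthParams) {
  const u = new URL(url); // lowercases scheme/host and drops default ports
  const pairs = [...u.searchParams.entries(), ...Object.entries(oauthParams)]
    .filter(([k]) => k !== 'oauth_signature')
    .map(([k, v]) => [enc(k), enc(v)])
    .sort(([ak, av], [bk, bv]) =>
      ak < bk ? -1 : ak > bk ? 1 : av < bv ? -1 : av > bv ? 1 : 0);
  const normalized = pairs.map(([k, v]) => `${k}=${v}`).join('&');
  const baseUri = `${u.protocol}//${u.host}${u.pathname}`;
  return [method.toUpperCase(), enc(baseUri), enc(normalized)].join('&');
}

// Two-legged request: the consumer key doubles as oauth_token, as the post describes.
function signRequest(method, url, consumerKey, privateKey, opts = {}) {
  const oauth = {
    oauth_consumer_key: consumerKey,
    oauth_token: consumerKey,
    oauth_signature_method: 'RSA-SHA1',
    oauth_timestamp: String(opts.timestamp ?? Math.floor(Date.now() / 1000)),
    oauth_nonce: opts.nonce ?? crypto.randomBytes(16).toString('hex'),
    oauth_version: '1.0',
  };
  const base = signatureBaseString(method, url, oauth);
  const signature = crypto.createSign('RSA-SHA1').update(base).sign(privateKey, 'base64');
  const header = 'OAuth ' + Object.entries({ ...oauth, oauth_signature: signature })
    .map(([k, v]) => `${enc(k)}="${enc(v)}"`).join(', ');
  return { base, signature, header };
}

// Constructed demo values: throwaway key pair, placeholder consumer key, made-up URL.
const demoKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const demo = signRequest('get',
  'https://API.example.test/v1/Contacts?where=Name%3D%3D%22A%20B%22&page=2',
  'CK', demoKeys.privateKey, { timestamp: 1500000000, nonce: 'abc123' });
console.log(demo.base);
console.log(demo.header);
```

Printing the base string is the quickest way to compare against a known-good string to sign when a server rejects the signature; the private key should be loaded from protected storage and the nonce left random per request.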