Auth requires RSA-SHA1, any suggestions?

Using oauth1.0a two-legged flow, must sign request using RSA-SHA1. Need advice!
Having issues with authentication for Xero accounting software.

Looking for advice on the best way to generate a request string and sign it using RSA-SHA1 and a private certificate? Time is of the essence so just wanted to make sure I’m not overlooking a module that supports this already. I would suppose it’s possible to generate the string and sign it using “Extension - Server-Side Script” module and some Java code but maybe I’m overlooking a simpler way? All API requests will require this auth method so I’ll probably need to create a sub assembly. There are a few native JavaScript libs to accomplish the task but that seems less than ideal…

Docs: https://developer.xero.com/documentation/getting-started/api-application-types

Note: Using a “Private App” that uses a pre-configured x509 .cer certificate keypair which is manually supplied for the “Authorized App”. No token request/exchange is required as in this configuration the Consumer Key acts as a permanent token. Valid requests must use RSA-SHA1 to sign a request that includes a multitude of parameters in specific order and then the signature calculation is passed as a parameter in an authorization header string along with the usual suspects (oauth_timestamp, oauth_nonce, oauth_consumer_key, oauth_signature_method, oauth_token [same as consumer key], etc.). Postman doesn’t support RSA-SHA1 anymore, but I’ve confirmed the format required for the string to sign that results in a valid request by manually signing and creating the proper authorization header.

The second to last post here details the string to sign structure:
https://community.xero.com/developer/discussion/31821/

Found a nice oauth resource here:
http://oauthbible.com/#oauth-10a-two-legged

Thanks in advance, I’m in a bit of a time crunch!

Xero doesn’t use standard OAuth v1.0a.

Whenever apps don’t follow the OAuth standard, we have to integrate them in a custom manner. We have already done Xero in this assembly: cccad6a281104014835c94ca287fb98f

The “canned” OAuth module is where we add our custom integrations for apps that don’t follow the OAuth spec. It is not currently possible for anyone but us to do non-standard OAuth integrations.

I don’t know of any samples in the system of signing requests with RSA-SHA1. My guess is that you’ll have to use inline Java or PHP code for that.


Thank you! Somehow when I looked I concluded the Xero assembly didn’t support private apps but clearly that’s exactly what it’s built for, and just what I’m looking for :-/

Will do the encryption with inline Java if needed.
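
The RSA-SHA1 signing step discussed in this thread, as an added example that is not code from any poster, the platform or Xero. It follows the generic OAuth 1.0a (RFC 5849) base-string rules; the throwaway key pair, the `api.example.com` URL and the consumer key are constructed placeholders, and Xero's exact string-to-sign layout is the one in the linked discussion, which is not reproduced here.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class RsaSha1OAuthSigner {
    // RFC 3986 percent-encoding as OAuth 1.0a requires; URLEncoder differs on ' ', '*' and '~'.
    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8)
                .replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    // Base string: METHOD & enc(url) & enc(sorted "k=v" pairs joined with '&').
    // Any query-string parameters of the request must be included in params as well.
    static String baseString(String method, String url, Map<String, String> params) {
        TreeMap<String, String> sorted = new TreeMap<>();
        params.forEach((k, v) -> sorted.put(enc(k), enc(v)));
        StringJoiner pairs = new StringJoiner("&");
        sorted.forEach((k, v) -> pairs.add(k + "=" + v));
        return method.toUpperCase() + "&" + enc(url) + "&" + enc(pairs.toString());
    }

    static String sign(String base, PrivateKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA1withRSA"); // JCA name for RSA-SHA1
        s.initSign(key);
        s.update(base.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(s.sign());
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: throwaway key pair, placeholder URL and consumer key.
        // In real use the private key is loaded from the app's own key file instead.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        String consumerKey = "EXAMPLE_CONSUMER_KEY";
        Map<String, String> p = new HashMap<>();
        p.put("oauth_consumer_key", consumerKey);
        p.put("oauth_token", consumerKey); // same as consumer key, as the post describes
        p.put("oauth_signature_method", "RSA-SHA1");
        p.put("oauth_timestamp", String.valueOf(System.currentTimeMillis() / 1000));
        p.put("oauth_nonce", UUID.randomUUID().toString().replace("-", ""));
        p.put("oauth_version", "1.0");
        String base = baseString("GET", "https://api.example.com/resource", p);
        p.put("oauth_signature", sign(base, kp.getPrivate()));
        StringJoiner header = new StringJoiner(", ", "OAuth ", "");
        new TreeMap<>(p).forEach((k, v) -> header.add(enc(k) + "=\"" + enc(v) + "\""));
        System.out.println(base);
        System.out.println("Authorization: " + header);
    }
}
```

A fresh nonce and timestamp are generated per request, so the signature must be recomputed for every call rather than cached.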

If the existing Xero integration is what you need, then making API calls can be done like shown in this trigger: f558c6b08e60479f8ecdf4093b2acd14