How do you find out what is your Consumer Secret?

With providers like Facebook or Twitter, they enable you to see your own CONSUMER_KEY and CONSUMER_TOKEN to connect to their own API.

From my understanding, the consumer key is just an identification value which points to a specific service. The consumer token is unique to your own account; that’s how you can obtain further access.

But what happens when there is a service on the website that does not provide their API? You have your own account and you know they are using OAuth 1.0.

I would like to ask 2 questions.

  1. You can inspect your own HTTP traffic and you see a POST request that was sent with the following Authorization header:
Authorization:OAuth oauth_consumer_key="XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX1EFA",oauth_signature_method="HMAC-SHA1",oauth_timestamp="******6814",oauth_nonce="***9gi",oauth_version="1.0",oauth_signature="****************************p5o%3D"

You might see that the consumer_token is missing. Does that mean the signature itself will not include one during the creation of oauth_signature? Or will it actually be part of oauth_signature?

  2. How would you go about finding what is your own personal account oauth_consumer_token? (From a smartphone Android app perspective)

To answer my first question:

If you go to the following reference page for OAuth 1.0: OAuth 1.0 Signature Reference Implementation

You can see that indeed, the actual Authorization header does not have the consumer secret specified, it is only used when building the signature.

  2. question still unanswered… still unclear where you would find your consumer secret (oauth_consumer_token) on an Android app