With providers like Facebook or Twitter, they enable you to see your own CONSUMER_KEY and CONSUMER_TOKEN to connect to their own API.
From my understanding, the consumer key is just an identification value which points to a specific service. The consumer token is unique to your own account; that's how you can obtain further access.
But what happens when there is a service on the website that does not provide an API? You have your own account and you know they are using OAuth 1.0.
I would like to ask 2 questions.
- You can inspect your own HTTP traffic and you see a POST request that was sent with the following Authorization header:
Authorization:OAuth oauth_consumer_key="XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX1EFA",oauth_signature_method="HMAC-SHA1",oauth_timestamp="******6814",oauth_nonce="***9gi",oauth_version="1.0",oauth_signature="****************************p5o%3D"
You might see that the consumer_token is missing. Does that mean the signature itself will not include one during the creation of oauth_signature? Or will it actually be part of oauth_signature?
- How would you go about finding what your own personal account's oauth_consumer_token is? (From a smartphone Android app perspective)