From ba7d8790a82545966a77314a5682d5d0e751e414 Mon Sep 17 00:00:00 2001 From: sparkweb Date: Tue, 16 Jun 2015 10:46:05 -0600 Subject: [PATCH] Noting Oauth spec differences regarding ampersand --- source/includes/v2/_introduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/includes/v2/_introduction.md b/source/includes/v2/_introduction.md index ac2e1454..209b21a4 100644 --- a/source/includes/v2/_introduction.md +++ b/source/includes/v2/_introduction.md 
@@ -118,7 +118,7 @@ If you are having trouble generating a correct signature, you'll want to review * The OAuth nonce can be any randomly generated 32 character (recommended) string that is unique to the consumer key. Read more suggestions on [generating a nonce](https://dev.twitter.com/discussions/12445) on the Twitter API forums. * The OAuth timestamp should be the unix timestamp at the time of the request. The API will deny any requests that include a timestamp that is outside of a 15 minute window to prevent replay attacks. * You must use the store URL provided by the index when forming the base string used for the signature, as this is what the server will use. (e.g. if the store URL includes a `www` sub-domain, you should use it for requests) -* Some OAuth libraries add an ampersand to the provided secret key before generating the signature. This does not adhere to the OAuth spec and the ampersand should be removed prior to generating the signature. +* Some OAuth libraries add an ampersand to the provided secret key before generating the signature. WooCommerce does *not* adhere to the OAuth spec in this regard and the ampersand should be removed prior to generating the signature. An ampersand at the end of the string will result in an invalid signature. * You may test your generated signature using LinkedIn's [OAuth test console](http://developer.linkedinlabs.com/oauth-test/) -- leave the member token/secret blank. * Twitter has great instructions on [generating a signature](https://dev.twitter.com/docs/auth/creating-signature) with OAuth 1.0a, but remember tokens are not used with this implementation. * Note that the request body is *not* signed as per the OAuth spec, see [Google's OAuth 1.0 extension](https://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/oauth-bodyhash.html) for details on why.
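Review bot: "An ampersand at the end of the string will result in an invalid signature" in the new `+` line is ambiguous about which string is meant; the preceding sentences talk about both the base string and the secret key, and a trailing `&` is only wrong in the signing key, not in the base string. Suggest "An ampersand at the end of the signing key will result in an invalid signature" and, since the bullet now states that WooCommerce deviates from the spec, stating the expected key explicitly, e.g. "the HMAC-SHA1 key must be the consumer secret alone, with no trailing `&`", so readers know what to pass to their library rather than only what to strip. Explaining why libraries append it (OAuth 1.0a builds the key as consumer secret, `&`, token secret, and this implementation uses no token) would also help readers recognise that their library is behaving normally.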