Many external client applications still use OAuth 1.0a (HMAC-SHA 1 signature method) and they can be integrated with MuleSoft Anypoint Platform. As a useful protocol, OAuth 1.0a is not obsolete or irrelevant. As of version 1.0a (RFC 5849 is 1.0a), there are no known vulnerabilities that make it less secure than 2.0, and in fact it is arguably more secure by default. OAuth 1.0a is just as capable of handling most use cases.

The primary change from version 1 to 2 was the removal of the complicated signature system. This signature system was designed to ensure only the client can use the user tokens, since it relies on a shared secret. However, every request must be individually signed. Version 2 instead relies on SSL/TLS to handle message authenticity. This means that OAuth 2.0 requires HTTPS. We need to be able to provide authentication for all sites, not just those with HTTPS. While the OAuth RFC requires SSL for some endpoints, OAuth 1.0a does not. This is a willful violation of the RFC, as we need to support non-SSL sites.

OAuth 1.0a is used for server to server communication based applications.

What you'll learn

What you'll need

Authenticating with OAuth 1.0a

OAuth authentication is done in three steps:

Parameters of consumer request:

Parameters of service provider grants:

OAUTH 1.0a authentication flow

Source: Oauth 1.0a

YAML file containing the values:

  host: ""
'OAuth oauth_consumer_key="4xxxxxxxxxxxxxxxxxxx",oauth_token="1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1xxxxxxxxx",oauth_nonce="kxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",oauth_version="1.0",oauth_signature="kxxxxxxxxxxxxxxxxxxxxxxxxxx"'

  host: ""
  consumer_key: "4xxxxxxxxxxxxxxxxxxxxxxxx"
  consumer_secret: "Txxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  access_token: "1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  token_secret: "Vxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  signature_method: "HMAC-SHA1"
  version: "1.0"

First transform component - Dynamically compute values using Mule 4 DataWeave 2.0

%dw 2.0
output application/json
import dw::Crypto
import toBinary from dw::core::Numbers
import withMaxSize from dw::core::Strings
import toBase64 from dw::core::Binaries
import * from dw::core::URL
var http_method = "GET"
var base_url = ""
var query_string = attributes.queryString
var oauth_consumer_key = Mule::p('oauth.consumer_key')
var oauth_nonce = toBase64(toBinary(randomInt(99999999999))) withMaxSize 32
var oauth_timestamp = now() as Number
var oauth_signature_method = Mule::p('oauth.signature_method')
var oauth_token = Mule::p('oauth.access_token')
var oauth_version = Mule::p('oauth.version')
var consumer_secret = Mule::p('oauth.consumer_secret')
var oauth_token_secret = Mule::p('oauth.token_secret')
var parameter_string = query_string ++ '&oauth_consumer_key=' ++ oauth_consumer_key ++ '&oauth_nonce=' ++ oauth_nonce ++ '&oauth_signature_method=' ++ oauth_signature_method ++ '&oauth_timestamp=' ++ oauth_timestamp ++ '&oauth_token=' ++ oauth_token ++ '&oauth_version=' ++ oauth_version
var signature_base_string = http_method ++ '&' ++ encodeURIComponent(base_url)  ++ '&' ++ encodeURIComponent(parameter_string)
var signing_key = consumer_secret ++ "&" ++ oauth_token_secret
var signature = toBase64(Crypto::HMACBinary(signing_key as Binary, signature_base_string as Binary, "HmacSHA1"))
        http_method: http_method,
        base_url: base_url,
        query_string: query_string,
    oauth_consumer_key: oauth_consumer_key,
    oauth_token: oauth_token,
    oauth_signature_method: oauth_signature_method,
    oauth_timestamp: oauth_timestamp,
    oauth_nonce: oauth_nonce,
    oauth_version: oauth_version,
    consumer_secret: consumer_secret,
    oauth_token_secret: oauth_token_secret,
    signing_key: signing_key,
    parameter_string: parameter_string,
    signature_base_string: signature_base_string,
        signature: signature,
    oauth_signature: encodeURIComponent(signature)

Second transform component - Setting the dynamically computed values in "Authorization" variable in HTTP request component.

%dw 2.0
output application/java
'OAuth oauth_consumer_key="' ++ vars.oauth_signature.oauth_consumer_key ++
'",oauth_token="' ++ vars.oauth_signature.oauth_token ++
'",oauth_nonce="' ++ vars.oauth_signature.oauth_nonce ++ 
'",oauth_timestamp="' ++ vars.oauth_signature.oauth_timestamp ++ 
'",oauth_signature_method="' ++ vars.oauth_signature.oauth_signature_method ++ 
'",oauth_version="' ++ vars.oauth_signature.oauth_version ++ 
'",oauth_signature="' ++ vars.oauth_signature.oauth_signature ++ '"'

You can effortlessly use Anypoint Studio (Mule 4) flow along with a few lines of code in DataWeave 2.0, to send OAuth 1.0a authenticated requests to Twitter or to any application requiring OAuth 1.0a.

Happy Learning.