PHP Classes

Authorisation header

Recommend this page to a friend!

      PHP OAuth Library  >  All threads  >  Authorisation header  >  (Un) Subscribe thread alerts  
Subject:Authorisation header
Summary:How do you pass things like oauth_signature to the endpoint
Author:Mike Buckley
Date:2019-11-04 15:50:13


  1. Authorisation header   Reply   Report abuse  
Mike Buckley - 2019-11-04 15:50:13
Hi, I'm very new to the OAuth process and I'm probably in way over my head, but I can't understand, or see how/where you pass things like this to the webservice? I'll need to pass mutliple things such as oauth_nonce, oauth_timestamp.

Many thanks

  2. Re: Authorisation header   Reply   Report abuse  
Manuel Lemos - 2019-11-05 01:58:43 - In reply to message 1 from Mike Buckley
Hello Mike,

You do not need to be concerned with passing those parameters to OAuth server. This OAuth class takes care of that for you.

What you need to be concerned is the what OAuth server do you need to access to make the API calls you need to do in your PHP applications.

This package comes with built-in support to many OAuth servers that you may be using. For those with built-in support there are examples scripts in this package named test_some_API_login.php .

Do you see an example script in this package for the API you want to access?

  3. Re: Authorisation header   Reply   Report abuse  
Mike Buckley - 2019-11-06 11:25:37 - In reply to message 2 from Manuel Lemos
Hi Manuel,

First of all, thank you for taking the time to reply. The API I'm trying to get the key from isn't listed but I didn't expect it would be - it's an API for an online survey site. Forgive me for my many questions but as I said, this is a new area for me and I'm struggling to follow.

The API I'm trying to access receives POST request and is OAuth version1.0 so I've set these values in the json configuration:

"oauth_version": "1.0",
"dialog_url":" https://XXXXXXXXXX ",
"request_token_url": "https://XXXXXXXXXX”

Incidentally, I don’t have different urls for “dialog_url” or “request_token_url” so I have used the same for both. I’m also confused about the scope, I’ve left this blank at the moment, will this need a value?

I’ve had a bit of success and can see in the php error log that the oauth class connects and passes a correctly formed authorisation header to the endpoint. I think it’s now failing on the CallAPI function, the API requires xml in the body request – it currently returns:

<ErrorMessage>Root element is missing.</ErrorMessage>

Is there a way to format the body request/parameters as xml?

Thanks again for your time

  4. Re: Authorisation header   Reply   Report abuse  
Manuel Lemos - 2019-11-06 18:27:40 - In reply to message 3 from Mike Buckley
You need to seek for the documentation of that API to find out what are the correct URLs for the dialog_url and request_token_url.

The scope may not be necessary. That is usually for complex APIs that support different products, like for instance Google APIs that support Google Calendar, Google Drive, etc..

Anyway, it seems that you succeed getting a token to make authorized API calls.

To send API call requests that require data in XML format use the RequestBody parameter and set RequestContentType parameter maybe to 'text/xml' or 'application/xml'.

  5. Re: Authorisation header   Reply   Report abuse  
Mike Buckley - 2019-11-07 12:56:42 - In reply to message 4 from Manuel Lemos
Hi Manuel, thanks again for your time – I think this is still failing before CallAPI

I was given this by the API author as a structure for the oauth request and login xml, I appreciate it’s a lot to look through but I’m really failing at every turn.


Authorization: OAuth oauth_consumer_key="123456XXXXXX", oauth_token="", oauth_signature_method="HMAC-SHA1", oauth_signature="123456RCXXXXXX", oauth_timestamp="1572443565", oauth_nonce="8071245", oauth_version="1.0"
Content-Type: application/xml; charset=utf-16
Content-Length: 612
Expect: 100-continue
Connection: Keep-Alive

<?xml version="1.0" encoding="utf-16"?>
<LogonParameters xmlns:xsi="" xmlns:xsd="">


This was the error in the php log:
[07-Nov-2019 12:32:08 Europe/Dublin] OAuth client: Checking the OAuth token authorization state
[07-Nov-2019 12:32:08 Europe/Dublin] OAuth client: The OAuth access token is not set
[07-Nov-2019 12:32:08 Europe/Dublin] OAuth client: Requesting the unauthorized OAuth token
[07-Nov-2019 12:32:08 Europe/Dublin] OAuth client: Accessing the OAuth request token at
[07-Nov-2019 12:32:08 Europe/Dublin] Connecting to
[07-Nov-2019 12:32:08 Europe/Dublin] Resolving HTTP server domain ""...
[07-Nov-2019 12:32:08 Europe/Dublin] Connecting to HTTP server IP SomeIP port 443...
[07-Nov-2019 12:32:09 Europe/Dublin] Connected to
[07-Nov-2019 12:32:09 Europe/Dublin] C POST XXX/Logon/ HTTP/1.1
[07-Nov-2019 12:32:09 Europe/Dublin] C Host:
[07-Nov-2019 12:32:09 Europe/Dublin] C User-Agent: PHP-OAuth-API ( $Revision: 1.166 $)
[07-Nov-2019 12:32:09 Europe/Dublin] C Accept: */*
[07-Nov-2019 12:32:09 Europe/Dublin] C Authorization: OAuth oauth_consumer_key="XXXXXX",oauth_nonce="XXXXX",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1573129928",oauth_version="1.0",oauth_token="",oauth_callback="http%3A%2F%2Fredirectpage",oauth_signature="XXXXX"
[07-Nov-2019 12:32:09 Europe/Dublin] C Connection: Keep-Alive
[07-Nov-2019 12:32:09 Europe/Dublin] C Content-Type: application/x-www-form-urlencoded
[07-Nov-2019 12:32:09 Europe/Dublin] C Content-Length: 0
[07-Nov-2019 12:32:09 Europe/Dublin] C
[07-Nov-2019 12:32:09 Europe/Dublin] S HTTP/1.1 500 Root element is missing.
[07-Nov-2019 12:32:09 Europe/Dublin] S Cache-Control: private
[07-Nov-2019 12:32:09 Europe/Dublin] S Content-Type: application/xml; charset=utf-8
[07-Nov-2019 12:32:09 Europe/Dublin] S Server:
[07-Nov-2019 12:32:09 Europe/Dublin] S Set-Cookie: ASP.NET_SessionId=XXXXXXXXXX; path=/; HttpOnly
[07-Nov-2019 12:32:09 Europe/Dublin] S X-Confirmit-ID: FE01
[07-Nov-2019 12:32:09 Europe/Dublin] S Strict-Transport-Security: max-age=15768000
[07-Nov-2019 12:32:09 Europe/Dublin] S Date: Thu, 07 Nov 2019 12:32:08 GMT
[07-Nov-2019 12:32:09 Europe/Dublin] S Content-Length: 225
[07-Nov-2019 12:32:09 Europe/Dublin] S
[07-Nov-2019 12:32:09 Europe/Dublin] S <ResponseError xmlns="http://schemas.datacontract.orgXXXX" xmlns:i=""><ErrorMessage>Root element is missing.</ErrorMessage></ResponseError>
[07-Nov-2019 12:32:09 Europe/Dublin] Keeping the connection alive to
[07-Nov-2019 12:32:09 Europe/Dublin] OAuth client: Could not retrieve the OAuth access token. Error: it was not possible to access the OAuth request token: it was returned an unexpected response status 500 Response: <ResponseError xmlns=" " xmlns:i=""><ErrorMessage>Root element is missing.</ErrorMessage></ResponseError>

I notice that in their authorisation header the Content-type is ‘application/xml’ whereas in the errorlog the Content-type is ‘application/x-www-form-urlencoded‘ I’ve tried to change this in the json configuration/and manually in the Sign function but it doesn’t change – it stays as ‘application/x-www-form-urlencoded’.

If I can get past the oath request would set the RequestBody like this?

$xmlstring = '<?xml version="1.0" encoding="utf-16"?><LogonParameters xmlns:xsi="" xmlns:xsd=""><UserName>SomeUser</UserName><Password>SomePassword</Password><PanelId>pXXXXXX</PanelId><Language>9</Language></LogonParameters>';

$success = $client->CallAPI(
'POST', array(), array('FailOnAccessError'=>true, 'RequestBody'=>$xmlstring, 'RequestContentType'=>'application/xml'), $user);

Many thanks

  6. Re: Authorisation header   Reply   Report abuse  
Manuel Lemos - 2019-11-07 20:02:36 - In reply to message 5 from Mike Buckley
It should work. Would it be possible for you to create private repository in GitHub with the your example script and the version of the class that you use so I can try to reproduce the problem?

If so, please share that repository with GitHub account manuellemos and let me know here so I can check what is the problem.

  7. Re: Authorisation header   Reply   Report abuse  
Mike Buckley - 2019-11-08 12:13:56 - In reply to message 6 from Manuel Lemos
Hi Manuel, I expect you've been notified by gitHub but just to be sure I've added you to the repo, there's a few notes in the first commit.
Once again thank you so much for your time.

  8. Re: Authorisation header   Reply   Report abuse  
Manuel Lemos - 2019-11-08 20:55:45 - In reply to message 7 from Mike Buckley
It seems no invitation came to access that repository yet. Can you please check if you really submitted the invitation?

  9. Re: Authorisation header   Reply   Report abuse  
Mike Buckley - 2019-11-09 09:09:36 - In reply to message 8 from Manuel Lemos
It seems nothing wants to work for me :( here's the invite link