Section 6.1.1. Consumer Obtains a Request Token of the OAuth Spec says that you must send a request that contains the following parameter:
oauth_signature:
The signature as defined in Signing Requests.
But how can you sign the request if the oauth_signature itself is part of it? I mean, "what" do you sign? All the fields except the oauth_signature, or what?
For example, in The OAuth 1.0 Protocol they provide the following example of obtaining the temporary credentials:
POST /initiate HTTP/1.1
Host: photos.example.net
Authorization: OAuth realm="Photos",
oauth_consumer_key="dpf43f3p2l4k3l03",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="137131200",
oauth_nonce="wIjqoS",
oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready",
oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D"
But how did they get the oauth_signature field? What was it that they signed?
Sorry, new to crypto - so dummy explanation would be appreciated.
The "signature base string" is being signed. It captures the "essence" of this particular request, so that it cannot be messed with. (Note that it does not include everything, especially not the request body).
In the example you linked to, read on for an example base string:
For example, the HTTP request:
POST /request?b5=%3D%253D&a3=a&c%40=&a2=r%20b HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth realm="Example",
oauth_consumer_key="9djdj82h48djs9d2",
oauth_token="kkk9d7dh3k39sjv7",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="137131201",
oauth_nonce="7d8f3e4a",
oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D"
is represented by the following signature base string (line breaks are for display purposes only):
POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q
%26a3%3Da%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_
key%3D9djdj82h48djs9d2%26oauth_nonce%3D7d8f3e4a%26oauth_signature_m
ethod%3DHMAC-SHA1%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk
9d7dh3k39sjv7
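As an added example (not part of the question or the answer above), here is the base string construction and HMAC-SHA1 signing in Python, run against the request quoted in the answer. The RFC example also carries a form-encoded body c2&a3=2+q that is not shown above; that is where the a3=2%20q and c2 entries in the base string come from (assumed from RFC 5849, section 3.4.1.3.1). The secrets are constructed, since the RFC gives none for this request.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(s: str) -> str:
    # RFC 5849 3.6: encode everything except unreserved chars, uppercase hex
    return quote(s, safe="")

def base_string(method: str, url: str, oauth_params: dict, body: str = "") -> str:
    """Signature base string per RFC 5849 3.4.1: method & base URL & params."""
    parts = urlsplit(url)
    host = parts.hostname  # already lowercased by urlsplit
    if parts.port and (parts.scheme, parts.port) not in (("http", 80), ("https", 443)):
        host += f":{parts.port}"
    base_url = f"{parts.scheme.lower()}://{host}{parts.path}"
    params = list(parse_qsl(parts.query, keep_blank_values=True))
    # 3.4.1.3.1: form-encoded body parameters are part of the signed set
    params += parse_qsl(body, keep_blank_values=True)
    # header parameters, minus realm and the signature itself
    params += [(k, v) for k, v in oauth_params.items()
               if k not in ("realm", "oauth_signature")]
    # 3.4.1.3.2: encode first, then sort by name and (for duplicates) by value
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str = "") -> str:
    # 3.4.2: the key is encoded consumer secret, '&', encoded token secret
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def verify(base: str, presented: str, consumer_secret: str, token_secret: str = "") -> bool:
    # server side: recompute from the received request and compare in constant time
    return hmac.compare_digest(hmac_sha1_signature(base, consumer_secret, token_secret), presented)

# Request from the answer above (RFC 5849 3.4.1.1); the body is assumed from the RFC text
RFC_METHOD, RFC_URL = "POST", "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_OAUTH = {"realm": "Example", "oauth_consumer_key": "9djdj82h48djs9d2",
             "oauth_token": "kkk9d7dh3k39sjv7", "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": "137131201", "oauth_nonce": "7d8f3e4a",
             "oauth_signature": "bYT5CMsGcbgUdFHObYMEfcx6bsw="}

def rfc_example_base_string() -> str:
    return base_string(RFC_METHOD, RFC_URL, RFC_OAUTH, RFC_BODY)
```

Calling rfc_example_base_string() reproduces the base string printed in the answer exactly, and the signature is the base64 HMAC-SHA1 of that string under the concatenated secrets.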