The HMAC-SHA1 signature method requires a key formed with the concatenation of the client shared secret, '&' and the token shared secret.
I wonder which value I should use for the token shared secret when the client does not yet have the request or access token: the client shared secret again, or leave it empty?
From the specification:
3.4.2. HMAC-SHA1
The "HMAC-SHA1" signature method uses the HMAC-SHA1 signature algorithm as defined in [RFC2104]:
digest = HMAC-SHA1 (key, text)
The HMAC-SHA1 function variables are used in following way:
text is set to the value of the signature base string from Section 3.4.1.1.
key is set to the concatenated values of:
1. The client shared-secret, after being encoded (Section 3.6).
2. An "&" character (ASCII code 38), which MUST be included even when either secret is empty.
3. The token shared-secret, after being encoded (Section 3.6).
digest is used to set the value of the "oauth_signature" protocol parameter, after the result octet string is base64-encoded per [RFC2045], Section 6.8.
Thanks
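The key construction quoted from Section 3.4.2 above, worked through for a request made before any token credentials exist. This is an added example, not part of the original post; the secret and the signature base string are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample values (not from the post or the specification).
CLIENT_SECRET = "cs/demo+secret"
BASE_STRING = ("POST&https%3A%2F%2Fserver.example%2Finitiate"
               "&oauth_consumer_key%3Ddemo-client")  # stand-in for Section 3.4.1.1 output


def percent_encode(value: str) -> str:
    """Section 3.6 encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay literal."""
    return quote(value, safe="-._~")


def signing_key(client_secret: str, token_secret: str = "") -> bytes:
    """Section 3.4.2 key: enc(client secret) + '&' + enc(token secret).

    The '&' is always present, so with an empty token secret the key is
    the encoded client secret followed by a trailing '&'.
    """
    key = f"{percent_encode(client_secret)}&{percent_encode(token_secret)}"
    return key.encode("ascii")


def sign(base_string: str, client_secret: str, token_secret: str = "") -> str:
    """Return the base64-encoded HMAC-SHA1 digest used as oauth_signature."""
    mac = hmac.new(signing_key(client_secret, token_secret),
                   base_string.encode("ascii"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify(base_string: str, received_sig: str,
           client_secret: str, token_secret: str = "") -> bool:
    """Server-side check: recompute the signature and compare in constant time."""
    expected = sign(base_string, client_secret, token_secret)
    return hmac.compare_digest(expected.encode("ascii"),
                               received_sig.encode("utf-8"))


if __name__ == "__main__":
    print("key:", signing_key(CLIENT_SECRET))
    sig = sign(BASE_STRING, CLIENT_SECRET)
    print("oauth_signature:", sig)
    print("empty token secret verifies:", verify(BASE_STRING, sig, CLIENT_SECRET))
    print("client secret reused as token secret verifies:",
          verify(BASE_STRING, sig, CLIENT_SECRET, CLIENT_SECRET))
```

A signature computed with one token-secret value does not verify against a key built with the other, so client and server must agree on the empty value for requests made before a token is issued.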