I am making a REST API call to Jira in C# using OAuth 1.0a. So far I have been able to get the access token and make API calls using this token to fetch the projects, issues, create tickets, and add attachments without any issue.
I am facing an issue when I have some query parameters in the URL, wherein I am getting a response with oauth_problem="signature_invalid":
"{WWW-Authenticate: OAuth realm="https%3A%2F%2Fxxxx-stage.dummy.com%2Fjira", OAuth realm="https%3A%2F%2Fxxxx-stage.dummy.com%2Fjira", oauth_problem="signature_invalid", oauth_signature="fxrHjNmz3C0gPClh667xKO93fU9PI%2FFAy2o%2B0tA98oso3d%2FiHF957LnMJdKWdmN1w6lJIgEYA5WLpvRuv65IIgAVeSWQWyyE2iqKY5NKpVe8w9lNKJpp6jVX3OzUfhZFsUmNcfwmrfEzDfq0DFKHbDltA9KX51daMWfE5bOxUwA%3D", oauth_signature_base_string="GET%26https%253A%252F%252Fxxxx-stage.dummy.com%252Fjira%252Frest%252Fapi%252F2%252Fissue%252Fcreatemeta%26oauth_callback%253Doob%2526oauth_consumer_key%253DOauthKey-elite%2526oauth_nonce%253D161227630350881010%2526oauth_signature_method%253DRSA-SHA1%2526oauth_timestamp%253D1612276303%2526oauth_token%253DIuXbcYTqh5kAIbirTWg7zqzJhVITFHny%2526oauth_version%253D1.0", oauth_signature_method="RSA-SHA1"
Date: Tue, 02 Feb 2021 14:34:19 GMT
Strict-Transport-Security: max-age=16000000; includeSubDomains; preload
X-XSS-Protection: 1;mode=block
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-Permitted-Cross-Domain-Policies: none
X-Download-Options: noopen
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 654 }
The actual url is "https://xxxx-stage.dummy.com/jira/rest/api/2/issue/createmeta?projectKeys=Elite&issueTypeNames=Task&expand=projects.issuetypes.fields"
After sorting and encoding the url and the parameters I have the below string which I am signing using RSA-SHA1.
GET&https%3A%2F%2Fxxxx-stage.dummy.com%2Fjira%2Frest%2Fapi%2F2%2Fissue%2Fcreatemeta&expand%3Dprojects.issuetypes.fields%26issueTypeNames%3DTask%26projectKeys%3DSciFiProject%26oauth_callback%3Doob%26oauth_consumer_key%3DOauthKey-elite%26oauth_nonce%3D161227476865431774%26oauth_signature_method%3DRSA-SHA1%26oauth_timestamp%3D1612274768%26oauth_token%xxxxcYTqh5kAIbirTWg7zqzJhVITFHny%26oauth_version%3D1.0
And the query parameters are not added to the Authorization header. It only has the OAuth parameters.
Also, I noticed that in the encoded URL, the "GET" method name and the URL are separated by "&". And the first parameter "expand" and the end of the URL "createmeta" are separated by "&" but the other parameters which follow including the OAuth parameters are URL encoded. The strange thing is this works for other URLs with no query parameters.
This has already been answered here: "GET fails with 401 (Unauthorized) when query parameter is involved due to invalid OAuth signature". I have tried doing the steps mentioned there, but I guess I might be missing something.
Can somebody guide me where I am going wrong?
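
Added example (not the asker's code): building the OAuth 1.0a signature base string per RFC 5849 section 3.4.1 for a request whose URL carries query parameters. The host, project key and all OAuth values are constructed placeholders; the query pairs are merged with the oauth_* parameters and sorted together by byte order, so `projectKeys` lands after `oauth_version`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
static class OAuth1BaseString
{
    const string Unreserved = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
    // RFC 5849 section 3.6 encoding: UTF-8 bytes, upper-case hex, only unreserved characters left bare.
    public static string Encode(string s)
    {
        var sb = new StringBuilder();
        foreach (byte b in Encoding.UTF8.GetBytes(s))
            sb.Append(Unreserved.IndexOf((char)b) >= 0 ? ((char)b).ToString() : "%" + b.ToString("X2"));
        return sb.ToString();
    }

    public static string Build(string method, Uri url, IDictionary<string, string> oauth)
    {
        // OAuth protocol parameters, never including oauth_signature or realm ...
        var all = oauth.Where(p => p.Key != "oauth_signature" && p.Key != "realm").ToList();
        // ... plus every decoded name/value pair from the request URL's query string.
        foreach (var pair in url.Query.TrimStart('?')
                     .Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries))
        {
            var kv = pair.Replace('+', ' ').Split(new[] { '=' }, 2);
            all.Add(new KeyValuePair<string, string>(Uri.UnescapeDataString(kv[0]),
                kv.Length > 1 ? Uri.UnescapeDataString(kv[1]) : ""));
        }
        // Encode each name and value, then sort the merged set by name, then value (ordinal).
        var normalized = string.Join("&", all
            .Select(p => new { K = Encode(p.Key), V = Encode(p.Value) })
            .OrderBy(p => p.K, StringComparer.Ordinal).ThenBy(p => p.V, StringComparer.Ordinal)
            .Select(p => p.K + "=" + p.V));
        // The base URI drops the query; the parameter string is encoded once more as a whole,
        // so the finished base string contains exactly two literal '&' separators.
        return method.ToUpperInvariant() + "&" + Encode(url.GetLeftPart(UriPartial.Path))
               + "&" + Encode(normalized);
    }

    static void Main()
    {
        var url = new Uri("https://jira.example.com/jira/rest/api/2/issue/createmeta" +
                          "?projectKeys=DEMO&issueTypeNames=Task&expand=projects.issuetypes.fields");
        var oauth = new Dictionary<string, string> {   // constructed sample values
            { "oauth_consumer_key", "example-consumer-key" }, { "oauth_token", "example-access-token" },
            { "oauth_signature_method", "RSA-SHA1" }, { "oauth_timestamp", "1700000000" },
            { "oauth_nonce", "constructed-nonce-1" }, { "oauth_version", "1.0" } };
        Console.WriteLine(Build("GET", url, oauth));
    }
}
```

The returned string is the input to the RSA-SHA1 signature. Under RFC 5849 the query parameters stay in the request URL while the oauth_* parameters travel in the Authorization header, but both sets are covered by the signature.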