The test case OAuthClient.sign - produces correct HMAC-SHA1 signature (RFC) added in a7168ad fails. The signature base string looks correct (verified in a test case for getBaseString). So, it could be a bug in a signature computation.

Strangely, a test case inherited from ddo/oauth-1.0a succeeds. In that test case an HMAC-SHA1 signature is computed. But without token secret (as opposed to the failing test case).

Maybe something is wrong with the handling of token secret in the current implementation.

It's an error in the RFC: eratta 2550. So,

wrong: bYT5CMsGcbgUdFHObYMEfcx6bsw=
wrong: djosJKDKJSD8743243/jdk33klY=

should both read

correct: r6/TJjbCOr97/+UU0NsvSne7s5g=

Fixed. d1677e9