oauth_body_hash parameter doesn't appear to be part of the spec! #230

Answered by pboling
chuckremes asked this question in Q&A

I'm using this library to connect to the ETrade API which uses OAuth 1.0. All of the GET requests work just fine. However, anything with a body (e.g. POST or PUT) fails because the signature includes oauth_body_hash as part of the base string computation. (I've confirmed this by monkey patching this library and removing that parameter.)

I see that oauth_body_hash was added in an old commit 3edeaf4. It references some "OAuth Body Hash Draft 4" document. I can't see that this draft was ever ratified and/or accepted as part of the OAuth 1.0 (or 1.0a) protocol. Here's a link to the oauth 1.0a protocol and here's a link to the oauth 1.0 protocol.

None of them reference any header value named oauth_body_hash at all.

The inclusion of this value breaks the oauth comms with ETrade (and presumably others). I am going to make a PR to allow for disabling this header but I wanted to start a discussion here to make sure it would be accepted.

What am I missing here?

EDIT: used this tool which is an online oauth1 sandbox that computes signatures from various inputs. For POST, it does not ask for the post body as an input. It also doesn't produce any oauth_body_hash field. Circumstantial evidence that this body hash is not part of the spec.


The OAuth request body hash extension is an oauth 1.0a extension by Google. Many services use it, e.g. Mastercard, and, of course, many do not. It should have always been an option in this library. Thanks for fixing it @chuckremes!

Replies: 2 comments


#232

PR to disable.

Answer selected by chuckremes
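The mismatch discussed in this thread, as an added example that is not code from the library or from either participant: it builds the OAuth 1.0 HMAC-SHA1 signature base string for the same POST with and without `oauth_body_hash`, so the two sides can be compared when a provider rejects signed requests that carry a body. The URL, keys, secrets, body and helper names are constructed placeholders, and it assumes the extension's SHA-1 form of the hash, Base64(SHA1(body)).

```ruby
require 'openssl'

# RFC 3986 percent-encoding as OAuth 1.0 requires: only unreserved characters stay literal.
def pct(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end

# Base64 without line breaks.
def b64(bin)
  [bin].pack('m0')
end

# Signature base string: METHOD & encoded URL & encoded, sorted parameter list.
def base_string(method, url, params)
  normalized = params.map { |k, v| [pct(k), pct(v)] }.sort.map { |k, v| "#{k}=#{v}" }.join('&')
  [method.upcase, pct(url), pct(normalized)].join('&')
end

def hmac_sha1_signature(base, consumer_secret, token_secret)
  key = "#{pct(consumer_secret)}&#{pct(token_secret)}"
  b64(OpenSSL::HMAC.digest('SHA1', key, base))
end

# Body hash for HMAC-SHA1 requests under the extension: Base64(SHA1(raw body)).
def body_hash(body)
  b64(OpenSSL::Digest.new('SHA1').digest(body))
end

# Returns [base_string, signature]; include_body_hash toggles the extension parameter.
def sign(method, url, oauth_params, body, secrets, include_body_hash:)
  params = oauth_params.dup
  params['oauth_body_hash'] = body_hash(body) if include_body_hash
  base = base_string(method, url, params)
  [base, hmac_sha1_signature(base, *secrets)]
end

# Constructed sample request; every value here is a placeholder.
REQUEST_URL = 'https://api.example.test/v1/orders'
BODY = '{"symbol":"XYZ","quantity":1}'
SECRETS = %w[consumer-secret token-secret].freeze
OAUTH = {
  'oauth_consumer_key' => 'consumer-key', 'oauth_token' => 'access-token',
  'oauth_nonce' => 'abc123', 'oauth_timestamp' => '1700000000',
  'oauth_signature_method' => 'HMAC-SHA1', 'oauth_version' => '1.0'
}.freeze

with_hash = sign('POST', REQUEST_URL, OAUTH, BODY, SECRETS, include_body_hash: true)
without_hash = sign('POST', REQUEST_URL, OAUTH, BODY, SECRETS, include_body_hash: false)
puts with_hash.first, without_hash.first
puts "signatures match: #{with_hash.last == without_hash.last}"
```

Diffing the two printed base strings against the one a provider documents or logs shows quickly whether the body hash parameter is the cause of a rejected signature.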