The goal is to be able to call RESTlets using OAuth-header instead of NLAuth-header from my Java-application. In order to achieve it I took the following steps:

1. I created NetSuite Developer Community Account and got a testing environment with admin access (domain system.na1.netsuite.com).

2. I opened Setup --> Company --> Enable Features. Then opened the "SuiteCloud"-tab and checked the "Client SuiteScript", "Server SuiteScript" and "Token-Based Authentication" here.

3. I opened the edit-page of one of the roles (it is called "08: Inspection" here). On the "Permissions"-tab I opened the "Setup"-tab and added the following permissions to this role: "Access Token Management", "Log in using Access Tokens" and "User Access Tokens".

4. I edited my account to have that role: opened "Access"-tab while editing the user and on the"Roles"-tab I added that role ("08: Inspection").

5. I opened Setup --> Integration --> Manage Integrations --> New and created new application here ("TestIntegr"). The final page held two strings: Consumer Key and Consumer Secret. I saved them in my separate file.

6. I opened Setup --> Users/Roles --> Access Tokens --> New and created new token for my application+user+role. The final page held two strings: Token ID and Token Secret. I saved them in my separate file.

7. I used my test program to generate authorization header string and then used this string in rest-client (I used "Insomnia") to reach my dummy-restlet. Got "INVALID_LOGIN_ATTEMPT"-error.

8. In NetSuite audit-logs I can see failures on behalf of my user but without a role.

More technical info on the 7th step with examples below.

The URL I used to reach my dummy-restlet was https://rest.na1.netsuite.com/app/site/hosting/restlet.nl?script=546&deploy=1

So I generated the "signature string" ("consumer_key" from step 5 and "token" from step 6):

GET&https%3A%2F%2Frest.na1.netsuite.com%2Fapp%2Fsite%2Fhosting%2Frestlet.nl&deploy%3D1%26oauth_consumer_key%3D17840f699409f5031c22a6e4af15961e9627c168cd0ae71f9c14f71b4097a0b6%26oauth_nonce%3D1444927941574%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1444927941%26oauth_token%3Df3c29a8b2c7988e00947d8c5836ef0ff1883556d96b8beac5bbbdda001ba0292%26realm%3DTSTDRV1403065%26script%3D546

Then I generated "signature" using this string and "consumer_secret&token_secret". The header then had the following look:

OAuth oauth_signature="7doRJOJyV36Av4e4BBUgoOPn7Vk%3D", oauth_nonce="1444927941574", oauth_signature_method="HMAC-SHA1", oauth_consumer_key="17840f699409f5031c22a6e4af15961e9627c168cd0ae71f9c14f71b4097a0b6", oauth_token="f3c29a8b2c7988e00947d8c5836ef0ff1883556d96b8beac5bbbdda001ba0292", oauth_timestamp="1444927941", realm="TSTDRV1403065"

Then I used this header with my rest-client and got the "INVALID_LOGIN_ATTEMPT"-error (while NLAuth header works perfectly with this rest-client, this user and this dummy-restlet).

I checked my signature-algorithm with this online-tool: http://nouncer.com/oauth/authentication.html It shows the same results with the same tokens/timestamp/nonce/etc. I suppose I missed something during setting up NetSuite environment (user/role/something else). On the other side the NetSuite HelpCenter says: "An INVALID_LOGIN_ATTEMPT error is returned when the nonce, consumer key, token, or signature in the OAuth header is invalid".

Please tell me what is wrong.