You need different pieces of information at different times in OAuth. Sometimes they’re named the same thing – oauth_token and oauth_token_secret are together called an access token. But they also could be a request token.
In the first step of OAuth you call oauth/request_token. You don’t have a oauth_token or oauth_token_secret yet on that step but as you said, oauth_token_secret is part of the signing algorithm. When you don’t have this value, it’s just the equivalent of an empty string, so the signing key effectively becomes “consumerSecret&” instead of “consumerSecret&oauthTokenSecret”
