37
votes

I have the WordPress rest API and WordPress OAuth server setup plugins setup and am trying to authenticate using http://sevengoslings.net/~fangel/oauth-explorer/ every time the call content is not giving me the OAuth token or OAuth secret that I need.

I tried these steps https://wordpress.org/support/topic/json-rest-api-from-mobile-app-with-authentication

1. Enter base url (http(s)://your.domain.com/oauth1
2. Access token = request
3. Authorize = authorize
4. Access_Token = access
5. Enter your consumer key and secret (leave method as HMAC-SHA1)

Click Get Request Token and you get Call content

I should get this in Call Content

Call content now = 

oauth_token=xxxxxxxxxxxxxxx&oauth_token_secret=xxxxxxxxxxxxxxxxxxxxx&oauth_call_back_confirmed=true

But I only get this

 page not found 

Here they were not able to get 3-legged OAuth1 .0a to work so they used basic OAuth which requires another plugin and is not recommended for production.

Should I be using a different signature method?

I'm looking for two curl commands to get an OAuth grant from the server and another one to trade this grant for an access token+ refresh token.

1
Can you provide some code samples you already tried? Does your OAuth setup accept POST requests? Is your setup accessible for others to try?dafyk

1 Answers

4
votes

I have got this to work and I'll outline how I have done this.

I'm using the Postman application to test and perfect the API calls. I highly advise using this. Once you have got the call working you can export to PHP Curl (or whatever you need).

If you use Postman you can view my API calls using this shared link.

For the First call you are having trouble with I have the following settings

First, I made sure my endpoint URL was:

{{url}}/oauth1/request

I set my API Call to PUSH and my AuthType to OAuth 1.0

I added my consumer_key and consumer_secret that I created in the WP Backend > Users > Applications (this is added with the OAuth plugin).

Signature Method - HSAC-SHA1

Then Postman will update this and dynamically create your Nonce, Timestamp and Version.

I set my Realm as 'Example'

I then made sure that I enabled the options: - Add Params to header - Add empty params to signature

Here is what I get for my params:

realm="Example",oauth_consumer_key="AdPuqyWrAQQc",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1470248765",oauth_nonce="dnOTvG",oauth_version="1.0",oauth_signature="gUahTX2hfV1lqZCfMUvHtLLoauI%3D"

This provides me with the following output:

oauth_token=xbTb4E93K6pP2tcg4qGJIYgl&oauth_token_secret=qWo01WL2ish205yvjiU8qyCkKVPMNUvSbKpFBB1T1oOuOtBc&oauth_callback_confirmed=true

I can use Postman to export this API call to a cURL function and if so I get the following:

$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "http://mydomain.dev/oauth1/request",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_POSTFIELDS => "-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"oauth_consumer_key\"\r\n\r\nAdPuqyWrAQQc\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"oauth_token\"\r\n\r\n\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"oauth_signature_method\"\r\n\r\nHMAC-SHA1\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"oauth_timestamp\"\r\n\r\n1470241356\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"oauth_nonce\"\r\n\r\n7VKp4N\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"oauth_version\"\r\n\r\n1.0\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"oauth_signature\"\r\n\r\n9qRrIkDxt56S9Ikf061eFOVLAdA%3D\r\n-----011000010111000001101001--",
  CURLOPT_HTTPHEADER => array(
    "authorization: OAuth realm=\"Example\",oauth_consumer_key=\"AdPuqyWrAQQc\",oauth_signature_method=\"HMAC-SHA1\",oauth_timestamp=\"1470248765\",oauth_nonce=\"dnOTvG\",oauth_version=\"1.0\",oauth_signature=\"gUahTX2hfV1lqZCfMUvHtLLoauI%3D\"",
    "cache-control: no-cache",
    "content-type: multipart/form-data; boundary=---011000010111000001101001",
    "postman-token: dd85258e-a72a-b731-82d1-00109e30962f"
  ),
));

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo 'response ' . $response;

  $a = parse_str($response);

  echo 'token ' . $oauth_token;
  echo '<br>';
  echo 'secret '. $oauth_token_secret;


}

This is step 1 of a 3 step process for OAuth Authentication. I'm just starting out on my journey to connect them all. There is not much documentation out there and not many examples.

Step 2 looks like a call to /oauth1/authorize with the provided token and secret. This looks like it then requires a user login and a new (and permenant) token and secret is created.

Step 3 looks like a call to /oauth1/access

I haven't succesfully got Step 2 and Step 3 to link together correctly, but I thought I should post to help with the original query about the first step not returning the correct tokens

This article is one of the better ones out there explaining how to use WP-API and OAuth.