
WordPress rest API OAuth curl commands

I have the WordPress REST API and WordPress OAuth server plugins set up and am trying to authenticate using http://sevengoslings.net/~fangel/oauth-explorer/. Every time, the call content is not giving me the OAuth token or OAuth secret that I need.

I tried these steps https://wordpress.org/support/topic/json-rest-api-from-mobile-app-with-authentication

1. Enter base url (http(s)://your.domain.com/oauth1)
2. Access token = request
3. Authorize = authorize
4. Access_Token = access
5. Enter your consumer key and secret (leave method as HMAC-SHA1)

Click Get Request Token and you get Call content

I should get this in Call Content

Call content now =   oauth_token=xxxxxxxxxxxxxxx&oauth_token_secret=xxxxxxxxxxxxxxxxxxxxx&oauth_call_back_confirmed=true 

But I only get this

 page not found  

Here they were not able to get 3-legged OAuth 1.0a to work, so they used basic OAuth, which requires another plugin and is not recommended for production.

Should I be using a different signature method?

I'm looking for two curl commands to get an OAuth grant from the server and another one to trade this grant for an access token+ refresh token.

0101 asked Dec 18 '15 14:12


1 Answer

I have got this to work and I'll outline how I have done this.

I'm using the Postman application to test and perfect the API calls. I highly advise using this. Once you have got the call working you can export to PHP Curl (or whatever you need).

If you use Postman you can view my API calls using this shared link.

For the first call you are having trouble with, I have the following settings:

First, I made sure my endpoint URL was:

{{url}}/oauth1/request 

I set my API Call to PUSH and my AuthType to OAuth 1.0

I added my consumer_key and consumer_secret that I created in the WP Backend > Users > Applications (this is added with the OAuth plugin).

Signature Method - HMAC-SHA1

Then Postman will update this and dynamically create your Nonce, Timestamp and Version.

I set my Realm as 'Example'

I then made sure that I enabled the options:

- Add Params to header
- Add empty params to signature

Here is what I get for my params:

realm="Example",oauth_consumer_key="AdPuqyWrAQQc",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1470248765",oauth_nonce="dnOTvG",oauth_version="1.0",oauth_signature="gUahTX2hfV1lqZCfMUvHtLLoauI%3D" 

This provides me with the following output:

oauth_token=xbTb4E93K6pP2tcg4qGJIYgl&oauth_token_secret=qWo01WL2ish205yvjiU8qyCkKVPMNUvSbKpFBB1T1oOuOtBc&oauth_callback_confirmed=true 

I can use Postman to export this API call to a cURL function and if so I get the following:

    // Step 1: request temporary credentials from /oauth1/request (Postman export).
    $curl = curl_init();

    curl_setopt_array($curl, array(
      CURLOPT_URL => "http://mydomain.dev/oauth1/request",
      CURLOPT_RETURNTRANSFER => true,
      CURLOPT_ENCODING => "",
      CURLOPT_MAXREDIRS => 10,
      CURLOPT_TIMEOUT => 30,
      CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
      CURLOPT_CUSTOMREQUEST => "POST",
      // Multipart body generated by Postman; the signed OAuth parameters are the ones in the header below.
      CURLOPT_POSTFIELDS => "-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"oauth_consumer_key\"\r\n\r\nAdPuqyWrAQQc\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"oauth_token\"\r\n\r\n\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"oauth_signature_method\"\r\n\r\nHMAC-SHA1\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"oauth_timestamp\"\r\n\r\n1470241356\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"oauth_nonce\"\r\n\r\n7VKp4N\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"oauth_version\"\r\n\r\n1.0\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"oauth_signature\"\r\n\r\n9qRrIkDxt56S9Ikf061eFOVLAdA%3D\r\n-----011000010111000001101001--",
      CURLOPT_HTTPHEADER => array(
        "authorization: OAuth realm=\"Example\",oauth_consumer_key=\"AdPuqyWrAQQc\",oauth_signature_method=\"HMAC-SHA1\",oauth_timestamp=\"1470248765\",oauth_nonce=\"dnOTvG\",oauth_version=\"1.0\",oauth_signature=\"gUahTX2hfV1lqZCfMUvHtLLoauI%3D\"",
        "cache-control: no-cache",
        "content-type: multipart/form-data; boundary=---011000010111000001101001",
        "postman-token: dd85258e-a72a-b731-82d1-00109e30962f"
      ),
    ));

    $response = curl_exec($curl);
    $err = curl_error($curl);

    curl_close($curl);

    if ($err) {
      echo "cURL Error #:" . $err;
    } else {
      echo 'response ' . $response;

      // parse_str() needs a result array; the one-argument form was removed in PHP 8.
      parse_str($response, $tokens);

      echo 'token ' . $tokens['oauth_token'];
      echo '<br>';
      echo 'secret ' . $tokens['oauth_token_secret'];
    }

This is step 1 of a 3 step process for OAuth Authentication. I'm just starting out on my journey to connect them all. There is not much documentation out there and not many examples.

Step 2 looks like a call to /oauth1/authorize with the provided token and secret. This looks like it then requires a user login and a new (and permanent) token and secret is created.

Step 3 looks like a call to /oauth1/access

I haven't successfully got Step 2 and Step 3 to link together correctly, but I thought I should post to help with the original query about the first step not returning the correct tokens.

This article is one of the better ones out there explaining how to use WP-API and OAuth.

raison answered Sep 30 '22 21:09