
oauth1's Introduction

WP REST API v2.0 (formerly known as WP-API)

Access your WordPress site's data through an easy-to-use HTTP REST API.

Development is no longer taking place in this repository.

  • For support requests, use the WordPress forums.
  • For bugs and patches, use WordPress core Trac. Be sure to include full details and reproduction steps about the issue you are experiencing, and ideally a patch with unit tests.

The "develop" branch is version 2, which represents the last "beta" versions of the plugin. Read the documentation to introduce yourself to endpoints, internal patterns, and implementation details.

The "master" branch represents the legacy version of the REST API.

About

WordPress is moving towards becoming a fully-fledged application framework, and we need new APIs. This project was born to create an easy-to-use, easy-to-understand and well-tested framework for creating these APIs, plus creating APIs for core.

This plugin provides an easy-to-use REST API, available over HTTP. Grab your site's data in simple JSON format, including users, posts, taxonomies and more. Retrieving or updating data is as simple as sending an HTTP request.

Want to get your site's posts? Simply send a GET request to /wp-json/wp/v2/posts. Update user with ID 4? Send a PUT request to /wp-json/wp/v2/users/4. Get the page with slug "about-me"? GET /wp-json/wp/v2/pages?slug=about-me. Get all posts with the search term "awesome"? GET /wp-json/wp/v2/posts?search=awesome. It's that easy.

The WordPress REST API exposes a simple interface to WP_Query, the posts API, post meta API, users API, revisions API and many more. Chances are, if you can do it with WordPress, the API will let you do it.

The REST API also includes an easy-to-use JavaScript API based on Backbone models, allowing plugin and theme developers to get up and running without needing to know anything about the details of getting connected.

Check out our documentation for information on what's available in the API and how to use it. We've also got documentation on extending the API with extra data for plugin and theme developers!

The API code in this plugin is currently integrated into core WordPress starting in 4.7.

Quick Setup

Want to test out the WP REST API? The easiest way is just to install a recent version of WordPress (4.7 or later).

Testing

You can also set up a development environment to work on the API code.

See the instructions for running the WordPress PHPUnit test suite to get started.

Issue Tracking

All tickets for the project are being tracked on WordPress core Trac.

Some previous issues can be found on the issue tracker for this repository; however, now that development of the API has moved to core Trac, new issues should not be filed here.

Contributing

Want to get involved? Check out Contributing.md for details on submitting fixes and new features.

Security

We take the security of the API extremely seriously. If you think you've found a security issue with the API (whether information disclosure, privilege escalation, or another issue), we'd appreciate responsible disclosure as soon as possible.

To report a security issue, you can either email security[at]wordpress.org or file an issue on HackerOne. We will attempt to give an initial response to security issues within 48 hours at most; however, keep in mind that the team is distributed across various time zones, and delays may occur while we discuss internally.

(Please note: For testing, you should install a copy of the project and WordPress on your own server. Do not test on servers you do not own.)

License

GPLv2+

oauth1's Issues

Unable to access restricted WP-API after authorisation

Using 211eaa9 and WP-API/WP-API@c8e9fe9 and WP-API/api-console@fe23ce5, I am unable to access restricted resources (such as GET /wp-json/users) even after I have successfully authenticated and authorised as a WordPress admin user.

I'm running Apache 2.4.7 with mod_fastcgi & PHP-FPM, passing through the "Authorization" header ("FastCgiExternalServer ... -pass-header Authorization")

Below are the 3 HTTP requests (copied as cURL requests from Chromium) and responses related to auth and getting the resource:

curl 'http://wordpress.localhost/oauth1/request' -X POST -H 'Origin: http://wordpress.localhost' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-GB,en-US;q=0.8,en;q=0.6' -H 'Authorization: OAuth oauth_consumer_key="4S3gke1W8PMi", oauth_nonce="WfNZsG", oauth_signature="UR%2Fbry%2FZSL3SwQasdZzq05cT5DU%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1428934973"' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Accept: */*' -H 'Referer: http://wordpress.localhost/api-console/' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/41.0.2272.76 Chrome/41.0.2272.76 Safari/537.36' -H 'Connection: keep-alive' -H 'Content-Length: 0' --compressed
oauth_token=dIyKhfm0HDTFkumKF98TglzX&oauth_token_secret=TkbFxPx9AVFM8cdt9YhJ2Se1wa4hct3ejnyGIJpXkK9vxFYD&oauth_callback_confirmed=true
curl 'http://wordpress.localhost/oauth1/access' -X POST -H 'Cookie: wordpress_logged_in_0e57f20711fa7d290be68ab20909f1b5=admin%7C1429107897%7C9nno9YhTCV36zlqBP5CBOxqF4NWqywkfHFDbCKxS3Jq%7Cc7557d528029f34fd02d34f41279458d6e8645ead4d61ac21a1445b831827049; wordpress_test_cookie=WP+Cookie+check' -H 'Origin: http://wordpress.localhost' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-GB,en-US;q=0.8,en;q=0.6' -H 'Authorization: OAuth oauth_consumer_key="4S3gke1W8PMi", oauth_nonce="k00ZTX", oauth_signature="%2BOHgT9GwL2LKe4OTKY5v0qn6jrE%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1428935099", oauth_token="dIyKhfm0HDTFkumKF98TglzX", oauth_verifier="xvTW0BdXbeIlrLb7rVQ6218E"' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Accept: */*' -H 'Referer: http://wordpress.localhost/api-console/' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/41.0.2272.76 Chrome/41.0.2272.76 Safari/537.36' -H 'Connection: keep-alive' -H 'Content-Length: 0' --compressed
oauth_token=E63X7qDX3C52AsWG4GnEbaZj&oauth_token_secret=hDdXaxFip2bpxWop5YAqjjDo5wdu2JCAqFoPdu9NfyQ3ZZ0V
curl 'http://wordpress.localhost/wp-json/users?' -H 'Cookie: wordpress_logged_in_0e57f20711fa7d290be68ab20909f1b5=admin%7C1429107897%7C9nno9YhTCV36zlqBP5CBOxqF4NWqywkfHFDbCKxS3Jq%7Cc7557d528029f34fd02d34f41279458d6e8645ead4d61ac21a1445b831827049; wordpress_test_cookie=WP+Cookie+check' -H 'Accept-Encoding: gzip, deflate, sdch' -H 'Accept-Language: en-GB,en-US;q=0.8,en;q=0.6' -H 'Authorization: OAuth oauth_consumer_key="4S3gke1W8PMi", oauth_nonce="fR7du6", oauth_signature="tXs3Yb9HkN1Zw0g4wqfV1R2DvsU%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1428935109", oauth_token="E63X7qDX3C52AsWG4GnEbaZj"' -H 'Accept: */*' -H 'Referer: http://wordpress.localhost/api-console/' -H 'X-Requested-With: XMLHttpRequest' -H 'Connection: keep-alive' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/41.0.2272.76 Chrome/41.0.2272.76 Safari/537.36' --compressed
[{"code":"json_user_cannot_list","message":"Sorry, you are not allowed to list users."}]

I can successfully access "GET /wp-json/users" if I use WP-API/Basic-Auth@d20ac18 using a cURL request such as:

curl -u admin:foobar http://wordpress.localhost/wp-json/users

It just seems that OAuth is not working here, and I'm really unsure why.

How to Revoke an Access Token?

Hi!

I've managed to get an access token, and now I wonder whether it is possible to revoke it.
Does it have an expiration date, or is it permanent until revocation?

I see in the MySQL database that all keys (request/access) are stored in the WP_OPTIONS table, but I hope there is another way to revoke an access key than deleting them manually in the database?

Thank you for your help!

Jon

WP_JSON_Authentication::add_consumer does not set title or description

When creating a consumer on the server it should be possible to give it a title and a description.

wp oauth1 add --name="title" --description="what you want to say about it"

This code, in WP_JSON_Authentication::add_consumer nearly works.

$data = array();
$data['post_title'] = $params['name'];
$data['post_content'] = $params['description'];
unset( $data['post_title'], $data['post_content'] ); // discards the title and description just assigned
$data['post_type'] = 'json_consumer';
$ID = wp_insert_post( $data );

But the unset() prevents the title and content from being set.
If you comment out the unset(), the title will be displayed on the Authorize dialog.

Note: json_consumer is currently defined to be invisible to admin users on the dashboard.
If you want to make it visible then you can hook into 'registered_post_type' to dynamically change the settings. Note that the posts are created with a status of 'draft'. If you want to see the actual values for the key, secret and type post meta data then you need to add 'custom-fields' post type support.

Requesting access returns 401 unless WordPress login cookie is also forwarded

I've been trying to use the OAuth plugin to access password-protected JSON on my WordPress instance. I'm pulling data into an external website (running on the Play Framework with Scala stack). I need to be able to callback to my original website after receiving verifier.

My workflow is this:

  1. Consumer successfully created using WP CLI
  2. Can hit http://mywordpress.com/oauth1/request and receive a request token
  3. Can hit http://mywordpress.com/oauth1/authorize?oauth_token=mytoken&oauth_callback=http://mysite/callback
  4. When I hit the above URL, I am redirected to http://mywordpress.com/wp-login.php?action=oauth1_authorize&oauth_token=mytoken&oauth_callback=http://mysite/callback
  5. From there, I authorize the token, and am redirected back to http://mysite/callback?oauth_token=mytoken&oauth_verifier=myverifier&wp_scope=%2A
  6. When I try to post my request to get the access token, I get a 401 from http://mywordpress.com.
  7. However, if I intercept the same request using a debugger, and instead send the same request with my WordPress login cookie appended in the headers, I successfully receive the new access oauth_token and oauth_token_secret.

So I need to manually attach the cookie from the http://mywordpress.com domain, with a key starting wordpress_logged_in_..., to be able to get my access token.

Is this the correct expected behaviour, or have I made some mistake? Is there some way around the login cookie forwarding requirement?

URL callback validator is overly strict for non-web clients

I'm trying to connect a desktop client to a WordPress blog using this library. After making some changes to the check_oauth_signature function I was able to get the URL to open in a web browser so that the user could log in and grant access to my application.

When attempting to redirect, the browser reported the error "The callback URL is invalid". In the handle_callback_redirect function the following validation is applied to $callback:

$callback = wp_http_validate_url( $callback );

This validation is problematic for desktop applications. A desktop application has three approaches to using OAuth:

  1. Designate a custom URL protocol that the browser passes off to the desktop application (e.g. myapp://)
  2. Listen on a port of the localhost (e.g. 127.0.0.0:9999)
  3. Perform the whole operation within a browser hosted in the desktop application and intercept the callback URL.

(3) never made sense to me as the user has no way of ensuring that you are indeed sending them to the right website.

I've used (1) and (2) in the past. I use (1) with the OAuth implementations for Dropbox and Evernote.

The issue here is that the OAuth1 code thinks that 127.0.0.1:9999 is an invalid URL. wp_http_validate_url() seems overly strict for the purposes of an OAuth callback URL. I know some services which only allow "http"-prefixed URLs or make you register the callback URL with the service.

OAuth Server accept signature

I've been trying to get this to work with WP-API on my WordPress install, using the Chrome extension Postman to test the OAuth API. For some reason, the signatures do not match. I have used the appropriate consumer key / secret and generated the signature just fine on the Postman client, but when I test that against the OAuth response, they never match up. In the file "class-wp-json-authentication-oauth1.php" on line 560:

$signature = base64_encode( hash_hmac( $hash_algorithm, $string_to_sign, $key, true ) );

if ( $signature !== $consumer_signature ) {
    return new WP_Error( 'json_oauth1_signature_mismatch', __( 'OAuth signature does not match' ), array( 'status' => 401 ) );
}

I have echoed the $signature along with the error message, and then tested that signature using Postman, and indeed it worked. So, can someone explain to me how we can get this to function correctly? (Postman is just my intermediary step; I'm actually intending to use guzzle + subscribe.)

Authenticated Requests section missing in docs/spec.MD

An example of what it looks like to make an authenticated request via jQuery AJAX and/or WordPress HTTP API is needed here. If someone can fill that information in, I'll do PR with a more readable guide based on the spec. I'm missing that piece of the puzzle.

Nonces never deleted / wrong condition

Hi,

In the check_oauth_timestamp_and_nonce function there is a wrong condition.

I patched it like this:

// Remove expired nonces
foreach ( $used_nonces as $nonce_timestamp => $nonce ) {
    if ( $nonce_timestamp < time() - $valid_window ) {
        unset( $used_nonces[ $nonce_timestamp ] );
    }
}
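Added example (Python rather than the plugin's PHP, and not the plugin's code): the replay check that check_oauth_timestamp_and_nonce has to perform, with the expiry condition from the patch above. The in-memory store, the per-consumer keying, the 15-minute window and the error-code names are assumptions made here.

```python
"""Replay protection for OAuth 1.0 requests: timestamp window plus nonce memory.

Added example, not the WP-API/OAuth1 plugin's code.  A (timestamp, nonce)
pair is accepted once inside the window and refused afterwards; pairs are
pruned as soon as their timestamp falls below now - valid_window, which is
the corrected condition in the patch above.  The plugin persists nonces in
WordPress storage; the dict used here is an assumption so the code runs
stand-alone.
"""
import time

VALID_WINDOW = 15 * 60  # seconds; assumed value, not taken from the plugin


class NonceStore:
    def __init__(self, valid_window=VALID_WINDOW):
        self.valid_window = valid_window
        # consumer key -> {(timestamp, nonce): time first seen}
        self._seen = {}

    def pending(self, consumer_key):
        """Number of nonces currently remembered for a consumer (for inspection)."""
        return len(self._seen.get(consumer_key, {}))

    def prune(self, consumer_key, now):
        """Drop pairs whose request timestamp is older than now - valid_window.

        Anything older is already rejected by the timestamp check, so
        forgetting it cannot re-open a replay window.
        """
        used = self._seen.setdefault(consumer_key, {})
        for key in list(used):
            timestamp, _nonce = key
            if timestamp < now - self.valid_window:
                del used[key]

    def check(self, consumer_key, timestamp, nonce, now=None):
        """Return None when the pair is acceptable, else an error code.

        The code names follow the plugin's json_oauth1_* style but are labels
        chosen for this example, not necessarily the plugin's own.
        """
        now = int(time.time()) if now is None else now
        try:
            timestamp = int(timestamp)
        except (TypeError, ValueError):
            return "json_oauth1_invalid_timestamp"
        # Reject in both directions: a far-future timestamp could otherwise be
        # replayed later, once the server clock catches up with it.
        if abs(now - timestamp) > self.valid_window:
            return "json_oauth1_invalid_timestamp"
        self.prune(consumer_key, now)
        used = self._seen.setdefault(consumer_key, {})
        if (timestamp, nonce) in used:
            return "json_oauth1_nonce_already_used"
        used[(timestamp, nonce)] = now
        return None
```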

How to build the baseString when one of the parameters is an Array? (eg: post_meta)

I have a client working now (in PHP and mobile on IOS) which can authenticate and create new posts, once they get their access token.

But I'm running into issues when creating the OAuth base string to sign when one of the parameters is an array. eg : post_meta is an array of key/value pairs.

When collecting together all the GET|POST parameters for the signature, how should we deal with parameter arrays in a client app? (Also, does the server know how to deal with the params (which would be JSON-encoded in the POST body) at the other end, to be able to check the signature?)

thx

Lack of examples

Hi!

I started to use wp-api days ago. I fell in love with it, but now it comes to learning how to use OAuth1.
I'm frustrated because I can't get through the request step.
I'm searching and can't work out what I should do.
The only thing I get is "No OAuth parameters supplied".
What params should I pass?

Clarification on use of OAuth 1 vs 2

I had a look over the spec but couldn't see any explicit discussion about why version 1 of the protocol was chosen over v2. The closest I saw to an explanation was this line:

The API must work on any site. The API must only use features available to the majority of sites in order to provide a useful utility.

Which I presume is hinting that you can't rely on all sites having SSL to protect v2's secret credentials?

When can we use this?

Hi

Is there any indication yet as to when this functionality in the plugin will find its way into WP-JSON (or core)?

I have a working development app set up at the moment which all works fine for authenticating and posting (kinda). I'd like to get a couple of people I know to test it out, but I've been wondering whether I should wait for this plugin to get rolled-in (as I understood it) rather than ask them to install something temporary.

Thanks.

OAuth signature does not match in some cases

Hi, I'm trying to retrieve posts with authentication required parameters. I'm using Zend_OAuth library, and already succeeded to get access token and get authentication required data. However, with some parameters, I got "OAuth signature does not match" error (code: json_oauth1_signature_mismatch). Here is my code. Very normal.

$token = new Zend_Oauth_Token_Access;
$token->setParams(array(
    Zend_Oauth_Token_Access::TOKEN_PARAM_KEY => $oauth_token,
    Zend_Oauth_Token_Access::TOKEN_SECRET_PARAM_KEY => $oauth_token_secret
));
$client = $token->getHttpClient(array(
    'consumerKey' => $oauth_key,
    'consumerSecret' => $oauth_secret
));
$client->setUri( $wp_rest_api_url . '/posts' );
$client->setParameterGet( 'filter[posts_per_page]', $num );
$client->setMethod( Zend_Http_Client::GET );
$res = $client->request();

The problem is the filter[posts_per_page] key.

In Zend Framework, each parameter key and value is encoded first, then the query string is built, and finally it is urlencoded again.
https://github.com/zendframework/ZendOAuth/blob/c0eca2ca6e930a5464a6a76ac1eb293237304d2a/library/ZendOAuth/Signature/AbstractSignature.php#L115

In WP-API/OAuth1, each parameter key and values are not encoded.

$string = $param_key . '=' . $param_value; // join with equals sign

So, which way is correct? IMHO, ZF way.
3.4.1.3.2. Parameters Normalization http://tools.ietf.org/html/rfc5849#section-3.4.1.3.2

But unfortunately, I don't have any experience with other OAuth providers, so I'd like to hear others' opinions.

Thanks!

get_parameters returns all params, not just oauth_ ones

I use nginx, and I have a line in my nginx.conf that looks like this:

try_files $uri $uri/ /index.php?q=$uri&$args; 

This means that when my OAuth client hits /oauth1/request, WP receives a q parameter as well as the usual OAuth params. Because WP_JSON_Authentication_OAuth1::get_parameters doesn't strip it out, it's an automatic 401 from the plugin because the signature doesn't match.

I fixed it by unsetting $params['q'] before get_parameters returns. Obviously this won't work in all cases, so I attempted a patch that stripped all params that weren't in

$param_names = array(
    'oauth_consumer_key',
    'oauth_timestamp',
    'oauth_nonce',
    'oauth_signature',
    'oauth_signature_method'
);

but that caused some other issue. Happy to investigate further if this is considered worth fixing.

adding consumer without cli

My hosting doesn't allow remote access, so I am unable to add a new consumer. Is it possible to add a new consumer without wp-cli? Is it possible by adding some files to the plugin directory? Is any admin UI for the OAuth plugin planned?

Need Help

Hi,
I would like to use this plugin together with wp-json. How can I install the plugin without terminal or FTP access to my WordPress installation? I can't find the plugin via the WordPress plugin page :(

thx and regards
thorsten

Cannot create consumer

I've followed the docs, which appear to have some parsing issues; it looks like someone added an extra backtick when adding the commands to create the consumer.

Currently when I run: $ wp oauth1 add I see the following:

$ wp oauth1 add
Error: This does not seem to be a WordPress install.
Pass --path=`path/to/wordpress` or run `wp core download`.

Please note that my entire install is based on your REST API Install guide. Meaning, I have vanilla Vagrant, VirtualBox, and Chassis set up, and yes, the plugins are activated.

So I'm at a loss as to why the simple command wp oauth1 add isn't working.

Rewrite rules are flushed incorrectly for multisite.

$mu_blogs = wp_get_sites();
foreach ( $mu_blogs as $mu_blog ) {
    switch_to_blog( $mu_blog['blog_id'] );
    json_oauth_server_register_rewrites();
    flush_rewrite_rules();
}
restore_current_blog();

This line will (may?) result in each site on the network inheriting the rewrite rules of the main site. Or the first 100 due to the default limit on wp_get_sites().

delete_option( 'rewrite_rules' ); would be a replacement, but things get ugly when there's a bunch of sites. 😞

It may be best to just put up a notice in the network admin instead explaining that rewrites need to be flushed manually.

Also, restore_current_blog() only goes up one level in the stack. That should live in the foreach() or there should be a while( ms_is_switched() ).

Sorry, walking out the door and didn't have time to put together a proper PR. 🌟 💥

Won't work on internal multipress site

I have been looking for a solution for this for days... This plugin works fine on a multisite network when posting to the main site but not to any of the sub sites. I believe that a solution might be to force the rewrites to process the authentication request on the main site (captzapp.com) instead of the subsite (test.captzapp.com). Is this something that might work? Do you think I could just hard code this into the existing plugin?

In the future maybe it could be handled with an if statement..?

Unable to get the key and secret

Installed the WP API plugin and then the OAuth1 as well, but every time I go to my dedicated server and try to run this

$ wp oauth1 add

It gives an error and nothing is returned. 

root@server1 [/home/site/www]# wp
-bash: wp: command not found

Any idea what I'm doing wrong? I can't figure it out.

Thank you

[CORS] Access-Control-Allow-Origin header missing

From a JS client I get the following message on oauth1/request:

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access. The response had HTTP status code 400.

You might want to copy this function from the WP-API:

function rest_send_cors_headers( $value ) {
    $origin = get_http_origin();

    if ( $origin ) {
        header( 'Access-Control-Allow-Origin: ' . esc_url_raw( $origin ) );
        header( 'Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE' );
        header( 'Access-Control-Allow-Credentials: true' );
    }

    return $value;
}

Request for complete example of OAuth used together with WP-API and Client-JS ?

Hi there,

Firstly, great work on the API! Very much appreciated!

This version of API allows me to work a lot faster, thank you very much.

I was checking around and noticed that there is a lack of examples on how to use OAuth1 together with WP-API and Client-JS ( https://github.com/WP-API/client-js ). The closest example I can find is https://github.com/WP-API/api-console but unfortunately, the issues were not solved there.

Since OAuth1 plays such an important part of the WP-API, is it possible to write up a tutorial on how to use OAuth1 together with WP-API and Client-JS so that we understand how to connect to WP-API securely?

(It seems that many people are requesting a tutorial like this. Please help!)

Thanks!

default .htaccess seems to be stripping out the Authorization header

Spent some time trying to debug why things weren't working for me and found that the .htaccess file was removing the Authorization header. However, using a multipart POST allowed the headers to get through to OAuth1. Maybe this could be documented somewhere?

Here is the original .htaccess:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Here's the modified version that is working for me now:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
RewriteBase /
RewriteRule ^index\.php$ - [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]
</IfModule>
# END WordPress

How does one add consumers?

Would be great if you can shine some more light in the docs on the actual authentication. I can see the authentication endpoint in the WP-API now but what are the next steps? How do I for example add consumer_keys?

In check_oauth_signature, normalize_parameters strips encoding for parameters

The best example of this is the oauth_callback. If you set a URI, JSON, or something else that is already encoded as a parameter to your oauth_callback, then you have trouble.

For example (extraneous parameters removed for clarity):

Sent from client:

http://mywpsite.org/oauth/request?oauth_callback=http%3A%2F%2Fmyapp.com%2Fredirect.html%3Fstate%3D%257B%2522client_id%2522%253A%2522myClientID%2522%257D

In the plugin, $_GET decodes all parameters, so $_GET['oauth_callback'] gets you:

http://myapp.com/redirect.html?state=%7B%22client_id%22%3A%22myClientID%22%7D

Then, in check_oauth_signature, the processing includes a call to normalize_parameters, which decodes, then re-encodes each parameter key and value. That ends up doing this:

After decode:

http://myapp.com/redirect.html?state={"client_id":"myClientID"}   <--- This is the problem!

After re-encode:

http%3A//myapp.com/redirect.html%3Fstate%3D%7B%22client_id%22%3A%22myClientID%22%7D

So, as you can see, the oauth_callback was stripped of a layer of URI encoding. This means the signatures will never match if you include anything that needs to be encoded in a callback parameter.

I'm willing to help fix this, but I'm unsure why it's being decoded and re-encoded in the first place. I'm sure it was for a good reason, so if a project maintainer can provide some insight, I'd be happy to help.

Request: A simple cUrl or PHP example of using the access tokens to make an authenticated request

Hi,
Great to see OAuth and the WP-API coming together!

I've finally managed to get the OAuth server and everything else up and running, created a consumer and then obtained an access_token and access_token_secret for myself for the app (via PHP running on another domain, see: https://github.com/kosso/OAuth1/blob/master/php_test/wp_oauth_test_auth_flow.php )

So, now I want to use the access token and secret to make an authenticated request to the WP-API JSON. eg: The most obvious first request after getting the access tokens would be to /wp-json/users/me to provide the information about the logged in user back to a client app.

Am I right in saying that /wp-json/users/me will now detect OAuth Authorization headers?

My attempts so far have always resulted in the json_not_logged_in error.

A simple cUrl or PHP (or JS) example would be great if anyone has one.
Thanks.

Fatal error on authenticate

I just installed the plugin from git and activated it.

$ http http://wpt.koke.me/
HTTP/1.0 500 Internal Server Error

Looking at the logs

[25-Jun-2014 12:32:04 UTC] PHP Fatal error:  Call to a member function get() on a non-object in /srv/apache/wptest/wpt/wp-includes/query.php on line 28
[25-Jun-2014 12:32:04 UTC] PHP Stack trace:
[25-Jun-2014 12:32:04 UTC] PHP   1. {main}() /srv/apache/wptest/wpt/index.php:0
[25-Jun-2014 12:32:04 UTC] PHP   2. require() /srv/apache/wptest/wpt/index.php:17
[25-Jun-2014 12:32:04 UTC] PHP   3. require_once() /srv/apache/wptest/wpt/wp-blog-header.php:12
[25-Jun-2014 12:32:04 UTC] PHP   4. require_once() /srv/apache/wptest/wpt/wp-load.php:29
[25-Jun-2014 12:32:04 UTC] PHP   5. require_once() /srv/apache/wptest/wpt/wp-config.php:24
[25-Jun-2014 12:32:04 UTC] PHP   6. do_action() /srv/apache/wptest/wpt/wp-settings.php:236
[25-Jun-2014 12:32:04 UTC] PHP   7. call_user_func_array() /srv/apache/wptest/wpt/wp-includes/plugin.php:470
[25-Jun-2014 12:32:04 UTC] PHP   8. Jetpack::load_modules() /srv/apache/wptest/wpt/wp-includes/plugin.php:470
[25-Jun-2014 12:32:04 UTC] PHP   9. do_action() /srv/apache/wptest/wpt/wp-content/plugins/jetpack/class.jetpack.php:738
[25-Jun-2014 12:32:04 UTC] PHP  10. call_user_func_array() /srv/apache/wptest/wpt/wp-includes/plugin.php:470
[25-Jun-2014 12:32:04 UTC] PHP  11. Jetpack_VideoPress->jetpack_modules_loaded() /srv/apache/wptest/wpt/wp-includes/plugin.php:470
[25-Jun-2014 12:32:04 UTC] PHP  12. Jetpack_VideoPress->is_connection_owner() /srv/apache/wptest/wpt/wp-content/plugins/jetpack/modules/videopress/videopress.php:39
[25-Jun-2014 12:32:04 UTC] PHP  13. get_current_user_id() /srv/apache/wptest/wpt/wp-content/plugins/jetpack/modules/videopress/videopress.php:402
[25-Jun-2014 12:32:04 UTC] PHP  14. wp_get_current_user() /srv/apache/wptest/wpt/wp-includes/user.php:326
[25-Jun-2014 12:32:04 UTC] PHP  15. get_currentuserinfo() /srv/apache/wptest/wpt/wp-includes/pluggable.php:58
[25-Jun-2014 12:32:04 UTC] PHP  16. apply_filters() /srv/apache/wptest/wpt/wp-includes/pluggable.php:118
[25-Jun-2014 12:32:04 UTC] PHP  17. call_user_func_array() /srv/apache/wptest/wpt/wp-includes/plugin.php:192
[25-Jun-2014 12:32:04 UTC] PHP  18. WP_JSON_Authentication_OAuth1->authenticate() /srv/apache/wptest/wpt/wp-includes/plugin.php:192
[25-Jun-2014 12:32:04 UTC] PHP  19. get_query_var() /srv/apache/wptest/wpt/wp-content/plugins/OAuth1/lib/class-wp-json-authentication-oauth1.php:145

Besides the error itself, I don't think that filter should be called in the first place for non-api requests. I think that's what the get_query_var( 'json_oauth_route' ) was trying to accomplish, even though that's the line that's crashing

OAuth Signature does not match Swift OAuth Plugin

Hello,

When trying to use the OAuthSwift framework: https://github.com/dongri/OAuthSwift

With this plug-in, the error "401 Unauthorized, response: OAuth signature does not match" is returned.

So one of the two is doing encoding differently. Since the Swift framework is working with other OAuth1 providers, I wonder if it isn't the WordPress plug-in?

Any guidance would be appreciated.

Thanks

Authorization routes are not being registered in v2 API

The plugin is currently attempting to register routes by filtering on json_index, but this filter has been changed to rest_index in v2. Additionally, v2 is passing the WP_REST_Response object to this filter, where v1 was passing an associative array - so simply adding a filter to rest_api with the same callback won't work, and updating the callback will break backwards compatibility.

Not prompted to login when authenticating, but given a token anyway

I'm generating a key and secret from the command line for use with client-cli, and when I go to the URL to "Authorize", without having yet logged in, I'm prompted to authorise (though the name to be displayed is missing: https://cloudup.com/cuJzXtl-jkc )

I click "Authorize", and am given a token.

I haven't yet tried the token or even looked to see what user it's authorised against, but regardless, it shouldn't be happening! :)

OAuth1 signature does not follow OAuth1 spec

The way WP-API/OAuth1 constructs the OAuth1 signature does not conform to the OAuth1 specification, making it impossible to use WP-API with this OAuth1 plugin.

For example, the parameter key and value should be passed through rawurlencode() separately, not after the entire string has been constructed (as this'll encode "=" to "%3D"). The same goes for multidimensional arrays: it should not use [ or ] but the encoded version. The separator of these parameters should also not be encoded (at this stage).

The final string to sign ($string_to_sign) should now rawurlencode() the request URI and query string (the parameters).

Pull request to follow

Consumer title and description are removed before being used.

I'm not sure what this is for, but the consumer description and title are unset right before they are inserted into the database:

https://github.com/WP-API/OAuth1/blob/master/lib/class-wp-json-authentication.php#L74

So regardless of what I call my consumers, this is how it looks when you perform the authentication step:

[screenshot of the authentication step, consumer name and description empty]

This seems like a strange thing to do: Set the title and content elements for the post, then immediately unset them, so title and content for the consumer post object are ALWAYS empty. I can only assume that this is just an error in the code.

Is it possible to use only an access_token parameter instead of the header?

Currently I have OAuth1 working well with my mobile app.

I am wondering whether it is possible to send a GET request like

http://www.example.com/wp-json/users?access_token=W2NILogo2yynwwlzTIlDAb1Q

instead of sending all the headers:

headers: {
    'Authorization':
        'OAuth oauth_consumer_key="aHzRikUJcuLI", ' +
        'oauth_signature_method="HMAC-SHA1", ' +
        'oauth_timestamp="1936244848", ' +
        'oauth_nonce="dsfsda323", ' +
        'oauth_version="1.0", ' +
        'oauth_token="W2NILogo2yynwwlzTIlDAb1Q", ' +
        'oauth_signature="HgunDoJc2WFYdyEOcNigxdl9OTc="'
}

How to get the current user ID

In my mobile app, I create a login form with username and password, using basic authorization.

After the user logs in, I have the username.

I then get all users from http://example.com/wp-json/users

and do a foreach loop to compare the login username with the wp-json/users usernames,

so I can have the current user's information.

Is there an easier way to get the current user's information if I don't have the user ID?

App requests to /wp-json/users/me are failing.

Please refer to this comment on WP-API : WP-API/WP-API#493 (comment)

I have successfully built and tested a PHP OAuth client to go through the authentication flow and then GET /wp-json/users/me to verify the user. This all works fine. (Note this only works when PHP cURL CURLOPT_FOLLOWLOCATION is false, the default.)

But when I try a native mobile app (in this case iOS built using Appcelerator Titanium), I can go through the authentication flow fine, then collect an access_token/secret pair, but the final /wp-json/users/me GET request signature never matches.

Lots of debugging and logging has shown that the client is being sent on a 2nd GET request to /wp-json/users/<ID> with the same parameters detected in get_parameters() from the original request. Therefore, the signatures don't match, as the REQUEST_URI is now different for the base string creation.

Removing $response->set_status( 302 ); from class-wp-json-users.php in WP-API seems to fix this.

OAuth callback isn't called

I tried to set up a callback but it's never called. The OAuth documentation says that I must provide oauth_callback parameters, but I get an error saying that the callback is missing. It works if I use callback; after the user grants the authorisation I'm shown a page with a verification token. What am I supposed to do with this token? Why isn't the callback called?

oauth1 is not a registered wp command

I am getting an error when attempting to create a consumer in the CLI. The wp command works fine, so I know that WP-CLI is correctly installed, however when I try to run the wp oauth1 add command I get the following error:

Error: 'oauth1' is not a registered wp command. See 'wp help'

I have the WP-API and OAuth1 plugins installed in my WordPress installation and I am running the command from within the WordPress directory.

Any help with this would be much appreciated.

Authenticating without WP CLI

Could anyone shed some light on authenticating without actually using WP CLI? I've created an API client and have a key/secret, but am unsure of what the next steps are.

$base_request_uri assumes HTTP - signature does not match over HTTPS

The following code will force HTTP to be used when constructing the $base_request_uri variable, meaning that the OAuth signature will not match if you're accessing WP-API with OAuth1 over HTTPS.

lib/class-wp-json-authentication-oauth1.php:554

$base_request_uri = rawurlencode( get_home_url( null, parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ), 'http' ) );

The last argument to get_home_url should be removed, so that it is auto-detected.
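The encoding rules raised in the "does not follow OAuth1 spec" issue, the hard-coded scheme in the $base_request_uri issue, the signature mismatch after the 302 to /wp-json/users/<ID>, and the question about replacing the header with a bare access_token all come down to how the RFC 5849 signature base string is built and checked. The following is an added example, not code from the OAuth1 plugin or from any of the commenters: a self-contained Python client/server pair that signs and verifies a request with HMAC-SHA1, encoding each key and value separately before joining, deriving the base URI scheme from the request rather than assuming http, and comparing signatures in constant time. It goes beyond the specific cases above by checking itself against the worked request in RFC 5849 section 3.4.1.1; CONSUMER and TOKEN are that RFC's sample credentials, and the WordPress URLs and the nonce/timestamp values are constructed for the example.

```python
"""OAuth 1.0 (RFC 5849) HMAC-SHA1 signing and verification, stdlib only.
Added example; not the plugin's code."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Constructed credentials (the sample values from RFC 5849, not a real site).
CONSUMER = {"key": "9djdj82h48djs9d2", "secret": "j49sk3j29djd"}
TOKEN = {"key": "kkk9d7dh3k39sjv7", "secret": "dh893hdasih9"}


def pct(value):
    """RFC 5849 3.6: encode everything except A-Z a-z 0-9 - . _ ~ ;
    '=' and '&' are therefore never left literal inside a key or value."""
    return quote(str(value), safe="")


def base_string_uri(url):
    """RFC 5849 3.4.1.2: lowercase scheme and host, drop the default port,
    keep the path, drop query and fragment. The scheme comes from the
    request itself; hard-coding 'http' breaks every HTTPS request."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.hostname.lower()
    if parts.port and parts.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}{parts.path}"


def normalized_params(query, body, oauth_params):
    """RFC 5849 3.4.1.3: query + form body + oauth_* header params, each key
    and value encoded on its own, sorted by encoded key then value, joined
    with literal '=' and '&' (those get encoded only in the base string)."""
    pairs = parse_qsl(query, keep_blank_values=True)
    pairs += parse_qsl(body or "", keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items()
              if k not in ("realm", "oauth_signature")]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, url, body, oauth_params):
    """RFC 5849 3.4.1.1: METHOD & enc(base URI) & enc(normalized params)."""
    params = normalized_params(urlsplit(url).query, body, oauth_params)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(params)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """RFC 5849 3.4.2: key = enc(consumer secret) & enc(token secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def sign_request(method, url, body=None, *, consumer=CONSUMER, token=TOKEN,
                 timestamp="137131201", nonce="7d8f3e4a"):
    """Client side: build the Authorization header. The token alone is not a
    credential; the signature binds both secrets to the exact method, URI
    and parameters, so a bare ?access_token= cannot replace this header."""
    params = {"oauth_consumer_key": consumer["key"], "oauth_token": token["key"],
              "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": timestamp, "oauth_nonce": nonce}
    base = signature_base_string(method, url, body, params)
    params["oauth_signature"] = hmac_sha1_signature(
        base, consumer["secret"], token["secret"])
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in params.items())


def parse_authorization(header):
    """Split 'OAuth k="v", k2="v2"' into a dict of percent-decoded values."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth 1.0 Authorization header")
    out = {}
    for item in header[6:].split(","):
        k, _, v = item.strip().partition("=")
        out[unquote(k)] = unquote(v.strip('"'))
    return out


def verify_request(method, url, body, header, *, consumer=CONSUMER, token=TOKEN):
    """Server side: recompute the signature from the request exactly as it
    was received (real scheme, host, path) and compare in constant time.
    A production server would also enforce a timestamp window and reject
    reused nonces to stop replay; omitted here for brevity."""
    params = parse_authorization(header)
    if (params.get("oauth_signature_method") != "HMAC-SHA1"
            or params.get("oauth_consumer_key") != consumer["key"]
            or params.get("oauth_token") != token["key"]):
        return False
    base = signature_base_string(method, url, body, params)
    expected = hmac_sha1_signature(base, consumer["secret"], token["secret"])
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))


def rfc_example_base_string():
    """The worked POST request from RFC 5849 section 3.4.1.1."""
    header_params = {"realm": "Example", "oauth_consumer_key": CONSUMER["key"],
                     "oauth_token": TOKEN["key"],
                     "oauth_signature_method": "HMAC-SHA1",
                     "oauth_timestamp": "137131201", "oauth_nonce": "7d8f3e4a"}
    return signature_base_string(
        "POST", "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b",
        "c2&a3=2+q", header_params)


if __name__ == "__main__":
    url = "https://example.com/wp-json/users/me"  # constructed URL
    hdr = sign_request("GET", url)
    print(hdr)
    print("same request verifies:", verify_request("GET", url, None, hdr))
    print("server assuming http:", verify_request("GET", url.replace("https", "http"), None, hdr))
    print("after 302 to /users/4:", verify_request("GET", url.replace("me", "4"), None, hdr))
```

Running the block shows the three failure modes discussed in the issues from the server's point of view: the same request verifies, a server that rebuilds the base URI with a hard-coded http scheme rejects a signature made over https, and a request that was redirected to a different path no longer matches because the path is part of the signed base string. The RFC check in rfc_example_base_string() is the quickest way to tell whether an implementation encodes keys and values separately (b5 must appear as %253D%25253D and c@ as c%2540) before comparing signatures with another library.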

Add Git Tags

This repo needs tags. Otherwise no stable and reliable composer install is possible.
