OAuth server implementation for WP API

Overview

WP REST API - OAuth 1.0a Server

Connect applications to your WordPress site without ever giving away your password.

This plugin uses the OAuth 1.0a protocol to allow delegated authorization; that is, to allow applications to access a site using a set of secondary credentials. This allows server administrators to control which applications can access the site, as well as allowing users to control which applications have access to their data.

This plugin only supports WordPress >= 4.4.

The latest stable version is also available from the WordPress Plugin Directory.

New to OAuth

We strongly recommend you use an existing OAuth library. You'll be best off if you understand the authorization process, but leave the actual implementation to well-tested libraries, as there are a lot of edge cases.

Start reading from the Introduction to get started!

For OAuth Veterans

If you already know how to use OAuth, here's the lowdown:

  • The plugin uses OAuth 1.0a in
  • We use the three-legged flow
  • To find the REST API index, apply the API autodiscovery process
  • The endpoints for the OAuth process are available in the REST API index: check for $.authentication.oauth1 in the index data.
    • The temporary credentials (request token) endpoint is $.authentication.oauth1.request (typically /oauth1/request)
    • The authorization endpoint is $.authentication.oauth1.authorize (typically /oauth1/authorize)
    • The token exchange (access token) endpoint is $.authentication.oauth1.access (typically /oauth1/access)
  • Your callback URL must match the registered callback URL for the application in the scheme, authority (user/password), host, port, and path sections. (Subpaths are not allowed.)
  • The only signature method supported is HMAC-SHA1.
  • OAuth parameters are supported in the Authorization header, query (GET) parameters, or request body (POST) parameters (if encoded as application/x-www-form-urlencoded). OAuth parameters are not supported in JSON data.
Comments
  • Unable to get the key and secret

    Installed the WP API plugin and then OAuth1 as well, but every time I go to my dedicated server and try to run this

    $ wp oauth1 add
    
    It gives an error and nothing is returned. 
    
    root@server1 [/home/site/www]# wp
    -bash: wp: command not found
    
    Any idea what I'm doing wrong? I can't figure it out.
    
    Thank you
    
    opened by crisanders 46
  • OAuth Server accept signature

    I've been trying to get this to work with WP-API on my WordPress install, using the Chrome extension Postman to test the OAuth API. For some reason, the signatures do not match. I have used the appropriate consumer key / secret and generated the signature just fine on the Postman client, but when I test that against the OAuth response, they never match up. In the file "class-wp-json-authentication-oauth1.php" on line 560:

    $signature = base64_encode( hash_hmac( $hash_algorithm, $string_to_sign, $key, true ) );

    if ( $signature !== $consumer_signature ) {
        return new WP_Error( 'json_oauth1_signature_mismatch', __( 'OAuth signature does not match'), array( 'status' => 401 ) );
    }


    I have echoed the $signature along with the error message, and then tested that signature using Postman, and indeed it worked. So, can someone explain to me how we can get this to function correctly? (Postman is just my intermediary step -- I'm actually intending to use Guzzle + Subscribe)

    opened by cynex 15
  • How does one add consumers?

    Would be great if you can shine some more light in the docs on the actual authentication. I can see the authentication endpoint in the WP-API now but what are the next steps? How do I for example add consumer_keys?

    Documentation 
    opened by lapidus 15
  • Added support for WP blogs that reside in the folder of a domain.

    When checking the OAuth signature, the comparison would fail if the WP blog was in a folder under the host. This code fixes the issue. It could probably be condensed but it gets the job done.

    opened by trevordevore 12
  • URL callback validator is overly strict for non-web clients

    I'm trying to connect a desktop client to a WordPress blog using this library. After making some changes to the check_oauth_signature function I was able to get the URL to open in a web browser so that the user could log in and grant access to my application.

    When attempting to redirect, the browser reported the error "The callback URL is invalid". In the handle_callback_redirect function the following validation is applied to $callback:

    $callback = wp_http_validate_url( $callback );
    

    This validation is problematic for desktop applications. A desktop application has three approaches to using OAuth:

    1. Designate a custom URL protocol that the browser passes off to the desktop application (e.g. myapp://)
    2. Listen on a port of the localhost (e.g. 127.0.0.0:9999)
    3. Perform the whole operation within a browser hosted in the desktop application and intercept the callback URL.

    (3) never made sense to me as the user has no way of ensuring that you are indeed sending them to the right website.

    I've used (1) and (2) in the past. I use (1) with the OAuth implementations for Dropbox and Evernote.

    The issue here is that the OAuth1 code thinks that 127.0.0.1:9999 is an invalid URL. wp_http_validate_url() seems overly strict for the purposes of an OAuth callback URL. I know some services which only allow "http"-prefixed URLs, or they make you register the callback URL with the service.

    opened by trevordevore 11
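The callback comparison the README describes (scheme, authority, host, port and path must all match the registered URL, and subpaths are rejected), written out as an added Python example rather than the plugin's own PHP. It parses the custom-scheme and loopback callbacks this issue asks about without complaint; two things in it are assumptions that go beyond the page: the query string and fragment are ignored (the server appends its own query parameters on redirect), and the optional `loopback_any_port` switch, which follows RFC 8252 section 7.3 practice for native apps, is not something the plugin does.

```python
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}


def callback_components(url):
    """Split a callback URL into the parts the comparison covers: scheme, userinfo, host, port, path.
    Query and fragment are deliberately left out (assumption: the server adds its own query on redirect)."""
    parts = urlsplit(url)
    if not parts.scheme:
        raise ValueError("callback URL must be absolute: %r" % url)
    return {
        "scheme": parts.scheme.lower(),
        "username": parts.username,
        "password": parts.password,
        "host": (parts.hostname or "").lower(),
        "port": parts.port,
        "path": parts.path or "/",
    }


def callback_matches(registered, supplied, loopback_any_port=False):
    """Exact match on every component: '/cb/extra' never matches '/cb', a different scheme or port fails.
    loopback_any_port=True lets a native app listening on the loopback host pick any port
    (RFC 8252 section 7.3 practice, an assumption here, not this plugin's rule)."""
    want = callback_components(registered)
    got = callback_components(supplied)
    if loopback_any_port and want["host"] in LOOPBACK_HOSTS and got["host"] == want["host"]:
        want["port"] = got["port"] = None
    return want == got


if __name__ == "__main__":
    # Constructed pairs: registered callback on the left, callback supplied in the request on the right.
    for registered, supplied in [
        ("https://app.example/cb", "https://app.example/cb?oauth_token=abc"),
        ("https://app.example/cb", "https://app.example/cb/extra"),
        ("myapp://callback", "myapp://callback"),
        ("http://127.0.0.1:9999/cb", "http://127.0.0.1:51234/cb"),
    ]:
        print(registered, supplied, callback_matches(registered, supplied),
              callback_matches(registered, supplied, loopback_any_port=True))
```

The strict default is the safe one for web clients: a callback that differs only by port or scheme belongs to a different origin, and a subpath match would let anything registered under a shared host hijack the redirect.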
  • Implementing Resource Owner Password Flow ???

    I own a site and I created an official Android app for the same site... now I want the users to be able to log in with simply a username and password (no prompting of the authorize screen)... I read it's in OAuth2... but I don't know how to implement it with the OAuth 1.0a plugin...?? Help???

    opened by lapak10 10
  • get_parameters() is ignoring data params sent as application/json

    get_parameters() is still ignoring extra post data parameters sent as application/json.
    Is this on purpose?

    When merging all $_GET and $_POST parameters, along with Authorization headers, since PHP 5.6 data sent as application/json is ignored in $_POST, so we need to also collect parameters from posted JSON data using php://input

    After line 93 of class-wp-json-authentication-oauth1.php

    // ...
    $params = array_merge( $_GET, $_POST );
    $params = wp_unslash( $params );

    if ( $_SERVER['CONTENT_TYPE'] == 'application/json' ) {
        $raw_post_data_params = json_decode( file_get_contents( 'php://input' ), true );
        if ( ! empty( $raw_post_data_params ) ) {
            $raw_post_data_params = wp_unslash( $raw_post_data_params );
            $params = array_merge( $params, $raw_post_data_params );
            ksort( $params );
        }
    }
    // .....


    This fixed my Missing OAuth parameter oauth_verifier error.

    Now, I can finally connect a client to my server and get an access_token for its user, since my OAuth client was sending the oauth_verifier as application/json. (And likely to interact with the API in this way for all other POST requests).

    I have also successfully tested creating a new post with my newly acquired access_token/secret after making these changes, when sending the data as application/json.

    One thing, however... the OAuth1.0a signing requests spec does state:

    The request parameters are collected, sorted and concatenated into a normalized string: Parameters in the OAuth HTTP Authorization header excluding the realm parameter. Parameters in the HTTP POST request body (with a content-type of application/x-www-form-urlencoded). HTTP GET parameters added to the URLs in the query part (as defined by [RFC3986] section 3).

    note: "(with a content-type of application/x-www-form-urlencoded)"

    but this ignores the PHP 5.6+ issue when sending application/json formatted data.

    also note: When I tested uploading a media file, I found I needed to use : multipart/form-data (in a PHP cUrl request)

    opened by kosso 10
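Where an OAuth 1.0a server is allowed to look for protocol parameters, per the README's last bullet and the spec text quoted in this issue, as an added Python example that is not the plugin's `get_parameters()`: the Authorization header (minus `realm`), the query string, and the body only when its media type is `application/x-www-form-urlencoded`. Run over the constructed requests below, it shows why an `oauth_verifier` sent as JSON produces the missing-parameter error described above while the same value in the header or a form-encoded body is accepted. The header value and bodies are constructed samples; the required-parameter lists follow RFC 5849 sections 2.1 and 2.3.

```python
from urllib.parse import parse_qsl, unquote

# Parameters a temporary-credential (request token) and a token (access token) request must carry.
REQUEST_TOKEN_REQUIRED = ("oauth_consumer_key", "oauth_signature_method", "oauth_signature",
                          "oauth_timestamp", "oauth_nonce", "oauth_callback")
ACCESS_TOKEN_REQUIRED = ("oauth_consumer_key", "oauth_token", "oauth_signature_method", "oauth_signature",
                         "oauth_timestamp", "oauth_nonce", "oauth_verifier")


def parse_authorization_header(value):
    """Decode an 'OAuth ...' Authorization header into (name, value) pairs.
    'realm' is excluded because it is not a protocol parameter (RFC 5849 3.5.1)."""
    if value is None or not value.strip().lower().startswith("oauth "):
        return []
    pairs = []
    for item in value.strip()[6:].split(","):
        name, sep, raw = item.strip().partition("=")
        if not sep or name.lower() == "realm":
            continue
        pairs.append((unquote(name), unquote(raw.strip().strip('"'))))
    return pairs


def collect_oauth_parameters(headers, query_string, body, content_type):
    """Gather parameters from the three sources RFC 5849 3.4.1.3.1 allows: the Authorization header,
    the query string, and the body only when it is application/x-www-form-urlencoded.
    A JSON body is never consulted, which is exactly what the quoted spec text says."""
    params = parse_authorization_header(headers.get("Authorization"))
    params += parse_qsl(query_string, keep_blank_values=True)
    media_type = (content_type or "").split(";")[0].strip().lower()
    if media_type == "application/x-www-form-urlencoded" and body:
        params += parse_qsl(body, keep_blank_values=True)
    return sorted(params)


def missing_parameters(params, required):
    """Names from `required` that are absent; a server answers these with a 'missing parameter' error."""
    present = {name for name, _ in params}
    return [name for name in required if name not in present]


# Constructed sample header: every oauth_* value except oauth_verifier travels in the header.
AUTH_HEADER = ('OAuth realm="Example", oauth_consumer_key="9djdj82h48djs9d2", oauth_token="kkk9d7dh3k39sjv7", '
               'oauth_signature_method="HMAC-SHA1", oauth_timestamp="137131201", oauth_nonce="7d8f3e4a", '
               'oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D"')


def access_request_with_json_body():
    """Client sends oauth_verifier as JSON: the server must not read it from there."""
    return collect_oauth_parameters({"Authorization": AUTH_HEADER}, "",
                                    '{"oauth_verifier": "v123"}', "application/json; charset=utf-8")


def access_request_with_form_body():
    """Same verifier as a form-encoded field: collected and the request is complete."""
    return collect_oauth_parameters({"Authorization": AUTH_HEADER}, "",
                                    "oauth_verifier=v123", "application/x-www-form-urlencoded")


if __name__ == "__main__":
    print("JSON body, missing:", missing_parameters(access_request_with_json_body(), ACCESS_TOKEN_REQUIRED))
    print("form body, missing:", missing_parameters(access_request_with_form_body(), ACCESS_TOKEN_REQUIRED))
```

The practical consequence for a client is the one this issue reaches by trial and error: put `oauth_verifier` (and every other `oauth_*` parameter) in the Authorization header, where it is collected regardless of the body's content type, and keep JSON for the resource payload.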
  • Could not locate API; are you sure it's enabled?

    I am getting "Could not locate API; are you sure it's enabled?" when I try to link a client to WordPress. I have installed all necessary plugins, and dependencies are installed & activated, including WP-REST API, oAuth1 etc. When I try HEAD http://mywebsitelink it returns a link with wp-json, which indicates WP-API is working. Also, when I try wp oauth1 add, it works fine and generates a key and secret. Any suggestion on how to fix this issue? Thanks in advance.

    opened by zubaer-ahammed 8
  • [CORS] Access-Control-Allow-Origin header missing

    From a JS client I get the following message on oauth1/request:

    No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access. The response had HTTP status code 400.

    You might want to copy this function from the WP-API:

    function rest_send_cors_headers( $value ) {
        $origin = get_http_origin();
    
        if ( $origin ) {
            header( 'Access-Control-Allow-Origin: ' . esc_url_raw( $origin ) );
            header( 'Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE' );
            header( 'Access-Control-Allow-Credentials: true' );
        }
    
        return $value;
    }
    
    opened by shprink 7
  • OAuth signature does not match when signing a request programmatically.

    I'm running into an issue with programming a hashed signature that works with the system.

    Here is what I know:

    • The Oauth server has been installed and is working properly
    • I have successfully generated a shared token/secret through the 3-leg authorization process using Postman.
    • I am able to submit a signed request and get a valid response from my install, including JSON data in the request body, using Postman.

    So I know the system works.

    Now, because I'm trying to automate a client to communicate with my server, I need to automatically timestamp and sign the requests, so I am generating a request using PHP and sending it with CURL.

    Here's the code (and yeah, it's likely quite messy as I'm still in the beating-head-on-desk phase of development here)...

    // These two values identify the application (on dev.StevenBritton.net)
    $consumerKey = "consumer-key";
    $consumerSecret = "consumer-secret";

    // These two values are the client's individual long-term credentials.
    $oToken = "client-token";
    $oSecret = "client-secret";

    // Nonce to assign to the signature
    //add_filter( 'nonce_life', function() { return 300;} );  // I had this because I wanted short-lived nonces.
    $timeStamp = time();
    $nonce = wp_create_nonce($timeStamp); // Not really sure what I should pass to this here...
    //remove_filter( 'nonce_life',function() { return 300;});

    // urlencode everything.  I'll clean this up a bit later...
    $base_method = urlencode('POST');
    $base_url = urlencode('http://dev.stevenbritton.net/wp-json/custom/path/that/works');
    $oauthConsumerKey = urlencode('oauth_consumer_key='.$consumerKey);
    $oauthNonce = urlencode('oauth_nonce='.$nonce);
    $oauthSignatureMethod = urlencode('oauth_signature_method=HMAC-SHA1');
    $oauthTimestamp = urlencode('oauth_timestamp='.$timeStamp);
    $oauthToken = urlencode('oauth_token='.$oToken);

    $sigBase = $base_method . '&' . $base_url . '&' . $oauthConsumerKey . '&'. $oauthNonce . '&'.$oauthSignatureMethod.'&'.$oauthTimestamp.'&'.$oauthToken;
    $keyBase = $consumerSecret . '&' . $oSecret;

    // Here's the line that generates the signature...
    $signature = hash_hmac('sha1',$sigBase,$keyBase);

    //  Build the CURL request:
    $url = "http://dev.stevenbritton.net/wp-json/stevenBritton/licenseMe/v1/single?" . urlencode($auth_string);

    $curl = curl_init();

    curl_setopt_array($curl, array(
        CURLOPT_URL => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_ENCODING => "",
        CURLOPT_MAXREDIRS => 10,
        CURLOPT_TIMEOUT => 30,
        CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
        CURLOPT_CUSTOMREQUEST => "POST",
        CURLOPT_HTTPHEADER => array(
            "authorization: OAuth oauth_consumer_key=\"" . $consumerKey . "\",oauth_token=\"" . $oToken . "\",oauth_signature_method=\"HMAC-SHA1\",oauth_timestamp=\"" . $timeStamp . "\",oauth_nonce=\"" . $nonce . "\",oauth_signature=\"" . $signature . "\"",
            "cache-control: no-cache",
            "content-type: application/json"
        ),
    ));
    curl_setopt($curl, CURLOPT_POSTFIELDS, $json);

    $response = curl_exec($curl); // <-- craps out.  Every time I get "signature does not match"
    $err = curl_error($curl);

    curl_close($curl);

    if ($err) {
        echo "cURL Error #:" . $err;
    } else {
        echo $response;
    }


    So, here's the question:

    What am I doing differently than the OAuth machine that is causing my signature to mismatch the verification, when Postman does it correctly?

    opened by scbritton 6
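The signing steps behind the README's "For OAuth Veterans" list (three-legged flow, HMAC-SHA1 as the only signature method) and behind the two signature-mismatch issues above, as an added Python client-side signer that is not the plugin's PHP and not Postman's implementation. It does what RFC 5849 section 3.4 prescribes: percent-encode each name and value separately (only `-._~` and alphanumerics stay literal), sort, join into one parameter string, build `METHOD&base-url&parameters`, key HMAC-SHA1 with `encoded-consumer-secret&encoded-token-secret`, and base64-encode the raw digest (not its hex form). `verify_signature` is the constant-time comparison a server should use once it has recomputed the value from the received parameters. The request is the one from RFC 5849 section 3.4.1.1; the secrets and the `if __name__` call are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct_encode(value):
    """Percent-encode as RFC 5849 3.6 requires: only ALPHA, DIGIT, '-', '.', '_', '~' stay literal."""
    return quote(str(value), safe="-._~")


def normalize_base_url(url):
    """Scheme and host lower-cased, default port dropped, query and fragment removed (RFC 5849 3.4.1.2)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = "%s:%d" % (host, port)
    return "%s://%s%s" % (scheme, host, parts.path or "/")


def normalize_parameters(params):
    """Encode every name and value, sort by name then value, join with '=' and '&' (RFC 5849 3.4.1.3.2)."""
    encoded = sorted((pct_encode(name), pct_encode(value)) for name, value in params)
    return "&".join("%s=%s" % pair for pair in encoded)


def signature_base_string(method, url, params):
    """METHOD&encoded-base-url&encoded-normalized-parameters (RFC 5849 3.4.1.1)."""
    return "&".join([method.upper(), pct_encode(normalize_base_url(url)),
                     pct_encode(normalize_parameters(params))])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Key is encoded consumer secret '&' encoded token secret; output is base64 of the raw HMAC (RFC 5849 3.4.2)."""
    key = (pct_encode(consumer_secret) + "&" + pct_encode(token_secret)).encode("utf-8")
    digest = hmac.new(key, base_string.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(method, url, consumer_key, consumer_secret, token="", token_secret="",
                 body_params=(), timestamp=None, nonce=None):
    """Return the base string, the signature and a ready-to-send Authorization header for one request.
    body_params are the form-encoded body fields, if any; a JSON body contributes nothing to the signature."""
    oauth_params = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_nonce", nonce if nonce is not None else secrets.token_hex(16)),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp if timestamp is not None else int(time.time()))),
    ]
    if token:
        oauth_params.append(("oauth_token", token))
    # Query-string parameters in the URL are part of the base string, as are form-encoded body fields.
    query_params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    base = signature_base_string(method, url, query_params + list(body_params) + oauth_params)
    signature = hmac_sha1_signature(base, consumer_secret, token_secret)
    header = "OAuth " + ", ".join(
        '%s="%s"' % (pct_encode(name), pct_encode(value))
        for name, value in oauth_params + [("oauth_signature", signature)])
    return {"base_string": base, "signature": signature, "authorization": header}


def verify_signature(expected, supplied):
    """Server side: compare the recomputed signature with the received one in constant time."""
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


if __name__ == "__main__":
    # The RFC 5849 section 3.4.1.1 example request; the two secrets are constructed for this example.
    signed = sign_request(
        "POST", "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b",
        "9djdj82h48djs9d2", "j49sk3j29djd", token="kkk9d7dh3k39sjv7", token_secret="dh893hdasih9",
        body_params=[("c2", ""), ("a3", "2 q")], timestamp=137131201, nonce="7d8f3e4a")
    print(signed["base_string"])
    print(signed["authorization"])
```

Three details in this code account for most "signature does not match" reports: the `name=value` pairs are encoded individually and then the whole joined string is encoded again (so `%` becomes `%25`), the URL used in the base string must be the one actually requested, and the signature is the base64 of the binary digest rather than the hexadecimal string `hash_hmac` returns by default.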
  • No Oauth parameters supplied

    When I hit domain.com/blog/oauth/request with a simple GET, I get 'No Oauth parameters supplied'

    I downloaded: https://github.com/WP-API/example-client and fired it up. Discovery worked fine, I put in my credentials and still receive the same error:

    error image

    any suggestions would be greatly appreciated.

    opened by Critter 6
  • PHP 8.0 warning thrown by normalize_parameters

    After switching from PHP 7.4 to 8.0 a warning is thrown:

    [16-Dec-2020 10:43:09 UTC] PHP Warning: WP_REST_OAuth1::normalize_parameters(): Argument #2 ($value) must be passed by reference, value given in /.../wp-content/plugins/rest-api-oauth1/lib/class-wp-rest-oauth1.php on line 672

    opened by szaqal83 7
  • How to get user data dynamically with the main auth token and token secret

    Hello,

    Currently, when I run this function get_current_user_id() it returns the currently authenticated user's data, as we have used header authorization. Please check the link below.

    http://prntscr.com/luhp1v

    If we call a login API, then we want to get this logged-in user's ID with get_current_user_id().

    We have generated these OAuth keys with the main administrator user (user ID 1). Now, using this key, when we call any API we want the get_current_user_id() function to return the user ID which we want. What do we need to do with the login API, or on every API call, how can we pass parameters which set the user?

    Thanks

    opened by tushar4monto 0
  • Ionic 3 CORS issue

    Hi there, I am facing the Ionic CORS issue. I also created a proxy for that and updated my ".htaccess" file, but it does not work. Please help me.

    opened by ajeetberiha 0
  • oauth1/access endpoint is returning the WordPress site index on 4.9

    All the other steps in the tutorials work for me (oauth1/request, oauth1/authorize) but when I try to get a permanent access token, all I get back is an HTML response with 200 OK.

    If I'm missing an oauth parameter then I get an error as expected, but if everything in my request is correct, I get back the index page rather than an application/x-www-form-urlencoded list like expected.

    opened by kfreezen 0
  • I get back 404 every time if I try with rauth, but I tried with requests and it worked fine?

    I ran this; the top one comes back a 200, the bottom one always a 404 saying "missing parameter oauth_token". Any ideas on what I can check? I have been going through the forums and posts for hours now, trying different configs within nginx, etc. I am at a loss now. (The keys and site were, of course, changed on purpose. Everything is as it should be.)

        import requests
        from rauth import OAuth1Service

        para0 = {
            'name': 'Verifier',
            'consumer_key': 'kl****K79Got6',
            'consumer_secret': 'B9******boKvvEd1IIvV87ZfaPJ3oeBO91kzVp6X48c6a3Bw',
            'request_token_url': 'https://mysite/oauth1/token',
            'access_token_url': 'https://mysite/oauth1/access',
            'authorize_url': 'https://mysite/oauth/authorize',
            'base_url': 'https://mysite'}

        para1 = OAuth1Service(
            name='Verifier',
            consumer_key='kl5*****9Got6',
            consumer_secret='B992qbFS**********7ZfaPJ3oeBO91kzVp6X48c6a3Bw',
            request_token_url='https://mysite/oauth1/token',
            access_token_url='https://mysite/oauth1/access',
            authorize_url='https://mysite/oauth/authorize',
            base_url='https://mysite')

        # Plain GET with the settings as query parameters (returns 200).
        r = requests.get('http://mysite/oauth1/authorize', params=para0)
        print(r.text)
        # rauth's request-token call (returns 404 "missing parameter oauth_token").
        oauth_token, oauth_token_secret = para1.get_request_token()
        print(oauth_token, oauth_token_secret)


    It is strange, I can't get to Oauth1 from postman, but I can get to 2.

    opened by MostHated 0
  • Need updated testing against recent WP versions

    Hello! I currently have WP OAuth Server 1.0a on a number of client WP installations, and it has worked wonderfully so far. I really appreciate the great work on this plugin!

    I wanted to raise as an issue the current status of this plugin on the WP plugin site: https://wordpress.org/plugins/rest-api-oauth1/

    The current status is:

    This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.

    This has become something of a deterrent for new clients that we are trying to integrate, as they believe it is no longer a secure plugin. I'm not sure if there is a plan to validate the plugin against the most recent versions, or if there is any way I could even help with that. If so, please let me know as I'd like to keep using this plugin.

    Thanks! Eric

    opened by adamsea 0
Releases(0.3.0)
Owner
WordPress REST API Team