This plugin hasn’t been tested with the latest 3 major releases of WordPress.
please update plugin
Hi there,
I am building a Nuxt JS application as the front-end channel to my WordPress website.
I am currently trying to access a list of all redirects created via the REST API endpoints in the documentation. I am having trouble with the authentication engine. The REST API Authentication guide only gives context when using wp_localize_script(). Obviously, given the fact I am building my front-end as a separate application, I can’t utilise that functionality to get a nonce value.
So, what I have done is built a WordPress plugin which will initialise a REST API endpoint (e.g. https://localhost/sandbox/wp-json/custom-wp-api/auth) which returns the following data:
return [
    'data' => [
        'nonce' => wp_create_nonce('wp_rest')
    ]
];
I then use that nonce value within my requests to the Redirection API endpoints as per the documentation but I am getting 401 errors. I imagine that is because that nonce is for a non-logged in user.
async getRedirections (nonce) {
    const options = {
        method: 'get',
        url: 'https://localhost/sandbox/wp-json/redirection/v1/redirect/?_wpnonce=' + nonce
    }
    const request = await this.$axios(options)
    console.dir(request)
}
Could you provide some insight into what I should be doing when using WordPress in a headless environment?
I have read via the REST API authentication docs you can use technologies like OAuth1, Application Passwords etc but all of those plugins seem to have limited support and unclear whether they are being maintained to support the latest version of WordPress.
Thanks in advance!

hi
please update this plugin

We have the WP REST API – OAuth 1.0a Server plugin, and if we test requesting a temporary token directly from the request API with Postman, it works. However, if we test requesting a temporary token from the request API via an API Gateway (reverse proxy) with Postman, we get a 400 – Invalid header name error. Is there a log to find out which header is causing the problem, or how can we troubleshoot the problem?

I’ve been trying to get the plugin to work in a scenario where other plugins, such as WP Cerber Security, change the wp_login_url(). Plugins that do not create custom login pages, but rather create custom redirect rules by changing the login/register URLs, might be the cause, I suppose.
In this case, all checks against the ordinary wp-login.php in my theme are useless as long as another plugin is blocking any access to it…
The issue I’m facing is that while authorizing an app, the plugin completely fails to display its UI, I mean the authorize screen is the same as the login one, although all url actions are properly set by the plugin.
On my theme I’d generally use something like the following to detect the login/register pages, so I believe a few plugins would use similar checks:
if ( $GLOBALS['pagenow'] === 'wp-login.php' && ! empty( $_REQUEST['action'] ) && $_REQUEST['action'] === 'register' ) {
    // We're registering
}
However, the above does not work at all if I’m blocking access to wp-login.php while setting up a custom url for the login/register pages, so I have to rely on custom checks in order to confirm I’m on those pages, and later on I’d perform more checks to verify if the right action is set…
// No matter which url is set for the login/register pages this works!
if ( stripos( $_SERVER['SCRIPT_NAME'], strrchr( wp_login_url(), '/' ) ) !== false ) {
    require_once( 'custom_login.php' );
    if ( isset( $_GET['action'] ) && $_GET['action'] === 'oauth1_authorize' ) {
        // additional stuff
    }
}

How to authenticate login user id? get_current_user_id() gives 0 when I call the API.

Hello,
I get “OAuth signature does not match” with the WPML plugin.
When I pass (lang=language code) https://mydomain/wp-json/myapi/v1/products/?lang=es
I am getting the error “OAuth signature does not match”.
Without the query string param, https://mydomain/wp-json/myapi/v1/products, it’s working.
Please help me.

I have gone through the complete authentication flow to create an access token / secret. I’ve added an endpoint that returns my user name and everything is as expected. I’m wondering now how long that pair is valid for or if there is any way to revoke it or set an expiry date for it. It seems strange to me that it should be valid indefinitely but I created the pair last week and it’s still working today.

I did not find where to get the Client Key and the Client Secret. Where is it, please?

I’m new to WP REST API and need to authenticate one end point I created. There is no clear documentation on what the Callback URL should be in the oAuth settings.
When I try going to https://mysite.com/wp-login.php?action=oauth1_authorize&oauth_token=TOKEN&oauth_token_secret=SECRET
It says invalid token. So I’m not sure what that means as I clearly only have one Application and those are my values it generated.
I’ve tried putting https://mysite.com/wp-json/ and https://mysite.com/wp-json/my-rest-api-endpoint/ as the callback URLs but I don’t think this is right.
I’ve tried using the example client from github and am getting this error:
Received HTTP status code [500] with message "Callback URL is invalid" when getting temporary credentials.
What am I doing wrong?

Hi,
I have struggled with passing the final parameters in the headers of a request to the WP API with OAuth credentials.
What I have discovered is that parameters with underscores in header names are being filtered away (dropped, i.e. removed).
Then I found this:
This was introduced to prevent cross-site-scripting attacks via header injection. Headers containing invalid characters (including underscores) are now silently dropped!
Here is the link:
https://github.com/requests/requests/issues/1292
The easiest fix is to remove the _ underscore from parameter names in the OAuth1 plugin!
Could you please respond quickly to this issue, because this plugin is not finished, and the WP community should be aware of this!
Thank you and waiting for your fast response.

I am using the “WordPress REST API – OAuth 1.0a Server” plugin for OAuth. When I call the OAuth page, the WordPress blog shows me a screen with 2 buttons, “Authorize” and “Cancel”. When I click the Authorize button, the process works fine, but when I click the Cancel button, a blank page is displayed.
My question is: is there any option to redirect to the callback link even if the user clicks Cancel?

Hey there,
since WordPress 4.6.0 the function wp_get_sites() is deprecated and replaced by get_sites().
https://developer.www.ads-software.com/reference/functions/wp_get_sites/
get_sites() no longer returns an array; it returns an object instead.
The deprecated code is in oauth-server.php on lines 184 and 209:
Change $mu_blogs = wp_get_sites();
to $mu_blogs = get_sites();
and switch_to_blog( $mu_blog['blog_id'] );
to switch_to_blog( $mu_blog->blog_id );
Hope that helps somebody and the code gets updated by the devs.
Kind regards,
Florian

Whenever I try to create a post I receive:
401 Unauthorized
Connection: close
Date: Thu, 19 Oct 2017 11:03:28 GMT
Server: Apache/2.4.18 (Ubuntu)
Allow: GET
Content-Type: application/json; charset=UTF-8
Access-Control-Allow-Headers: Authorization, Content-Type
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages
Client-Date: Thu, 19 Oct 2017 11:03:28 GMT
Client-Peer: 192.152.0.144:80
Client-Response-Num: 1
Client-Transfer-Encoding: chunked
Client-Warning: Missing Authenticate header
Link: <https://192.152.0.144/index.php/wp-json/>; rel="https://api.w.org/"
X-Content-Type-Options: nosniff
X-Robots-Tag: noindex
{"code":"rest_cannot_edit_others","message":"Sorry, you are not allowed to create posts as this user.","data":{"status":401}}
Request for it:
POST https://SERVER/wp-json/wp/v2/posts
Accept-Encoding: gzip
Authorization: OAuth oauth_consumer_key="4OyIe97fyJds", oauth_nonce="NONCE", oauth_signature="SIGNATURE", oauth_signature_method="SIGNATURE_METHOD", oauth_timestamp="1508413884", oauth_token="TOKEN", oauth_version="1.0"
User-Agent: WWW-Mechanize/1.75
Content-Length: 251
Content-Type: application/json
{"author":1,"content":"<p>TEST body<br\\/><\\/p>","date":"2017-10-19T00:00:00","link":"http:\\/\\/abcnews.go.com\\/US\\/wireStory\\/latest-police-maryland-office-park-shooter-50563833","modified":"2017-10-19T07:03:12","status":"publish","title":"TEST title"}
I got the client key and client secret from:
users > applications > app
and the access token and access_secret for the logged-in user from “WP REST API – OAuth 1.0a Server”.
Other requests with the same parameters work. Even the same code worked for a previous version (I can’t remember which one exactly). The current one is 4.8.2.
What changed and how can I debug it?

Hello – I have a multi-site instance of WordPress and had some users who requested we install this plugin to resolve an issue they were having passing credentials to the API. When we installed the plugin we saw that many posts and links on the various blog pages hosted in this instance became unresolvable (404). All the data is still there, I can still see the posts and edit them, but when I click on the permalink they do not resolve. I have thousands of users complaining about this. Has anyone experienced this before?

I’m noticing that the “nonces” cell in the usermeta table (below) gets appended on each request. It grows by about 1mb per month in our setup, and we get complete system failure when it hits 15mb.
The contents of the cell are an endless stream of
a:4:{i:1506372773;s:10:"deaaafc382";i:1506372774;s:10:"82edaf4844";i:1506372787;s:10:"012f4fd3a4";i:1506372788;s:10:"50403d953d";}
This seems like … a bug? Any ideas?
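
A nonce only has to be remembered for as long as a request carrying its timestamp would still be accepted, so the stored map can be kept bounded. The following added example (not the plugin's code; the 15-minute window and all function names are assumptions) parses the serialized map quoted in the post, rejects replays and stale timestamps, and prunes expired entries:

```javascript
// Added example: bounded nonce store for OAuth 1.0a replay protection.
const WINDOW_SECONDS = 15 * 60; // assumed timestamp tolerance, not the plugin's value

// Parse the PHP-serialized "timestamp => nonce" map shown in the post.
function parseSerializedNonces(cell) {
  const store = new Map();
  for (const m of cell.matchAll(/i:(\d+);s:\d+:"([^"]*)";/g)) {
    const ts = Number(m[1]);
    if (!store.has(ts)) store.set(ts, new Set());
    store.get(ts).add(m[2]);
  }
  return store;
}

// Drop entries older than the acceptance window: a request with such a
// timestamp is rejected anyway, so its nonce need not be kept.
function prune(store, now) {
  for (const ts of store.keys()) {
    if (ts < now - WINDOW_SECONDS) store.delete(ts);
  }
  return store;
}

// Returns 'ok', 'stale' or 'replay'; accepted nonces are recorded.
function checkAndRecord(store, timestamp, nonce, now) {
  if (Math.abs(now - timestamp) > WINDOW_SECONDS) return 'stale';
  prune(store, now);
  const seen = store.get(timestamp);
  if (seen && seen.has(nonce)) return 'replay';
  if (seen) seen.add(nonce);
  else store.set(timestamp, new Set([nonce]));
  return 'ok';
}

// The cell content quoted in the post above.
const POST_CELL = 'a:4:{i:1506372773;s:10:"deaaafc382";i:1506372774;s:10:"82edaf4844";' +
  'i:1506372787;s:10:"012f4fd3a4";i:1506372788;s:10:"50403d953d";}';
const demoStore = parseSerializedNonces(POST_CELL);
console.log(checkAndRecord(demoStore, 1506372788, '50403d953d', 1506372848)); // replay
```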

Hi,
I have installed and activated this plugin, but when I go to the API index of my site, https://www.gizmopress.co.nz/wp-json/ , the authentication section is empty.
As far as I can tell from the following article, it is not required to do so, but just in case I have set up an application under Users / Applications in WP Admin.
https://mindmapengineers.com/mmeblog/wp-rest-api-setting-and-using-oauth-10a-authentication
That article happens to mention “If the OAuth API is not enabled for a site, the server response would contain an empty authorization property value”, but I have no idea what that means “OAuth API is not enabled”?
Any help please.

Hello
I have generated a token and token secret with the main admin (administrator) user. Now I can call my custom API with auth 1.0.
=> I want to know a few things, please help.
=> Can I use this token and token secret with all users?
=> Will this auth token and token secret work for a lifetime, or will they expire?
=> How can I generate the same auth with my iOS app? Is there any library?
=> Is it possible to validate just the consumer key, consumer secret and nonce, the same as WooCommerce auth (without token and token secret)?
Thanks
Tushar Katariya

Hello
We have used the WooCommerce API with its auth in our iOS app. The WooCommerce API has the same auth but does not need the token and token secret to be passed; it just sends the consumer key, secret, nonce etc.
We have created some other APIs for our iOS app with WP REST Server auth.
In WP Server auth we need to pass the token and token secret and the other auth fields. So we want to use just the consumer key, secret, nonce etc. fields without the auth token and token secret, the same as WooCommerce auth. Is that possible?
Please help us with how we can authenticate without the token and token secret.
Thanks
Tushar Katariya

I’m using C# to post RESTful requests to my website; however, there is a 30% chance I will get a json_oauth1_signature_mismatch error on my requests. But if I send a request with the same data again, it will succeed sometimes. Any idea why this is happening?

Dear Contributors,
It is a very valuable plugin. Thanks for developing it.
I am using this plugin and am stuck in one place. After verifying the token I got oauth_token and oauth_secret. When I use these values via Postman it works fine, but when I use these details with curl it always gives me the error rest_cannot_create_user. Will you help me solve this issue?
Regards
Devendra | https://www.ads-software.com/plugins/purge-varnish/
I keep getting this error. Would you have any suggestions for me please?
—-
Request header field oauth_verifier is not allowed by Access-Control-Allow-Headers in preflight response.
Here is my code:
var settings = {
    "async": true,
    "crossDomain": true,
    "url": "https://north.pl/wp-json/wp/v2/posts?title=ttttt&content=cccc",
    "method": "POST",
    "headers": {
        "oauth_verifier": "xxxxxxxxxxxxxxxxxxxx",
        "authorization": "OAuth oauth_consumer_key='xxxxxxxxxxx',oauth_token='xxxxxxxxxxx',oauth_signature_method='HMAC-SHA1',oauth_timestamp='1497028062',oauth_nonce='xxxxxxxxxxx',oauth_version='1.0',oauth_signature='xxxxxxxxxxx'",
        "content-type": "application/x-www-form-urlencoded"
    }
}
jQuery.ajax(settings).done(function (response) {
    console.log(response);
});
Testing with postman to get the authentication setup https://wordpress.stackexchange.com/questions/213006/how-to-use-oauth-authentication-with-rest-api-via-curl-commands/239873#239873
I’m getting this error
<html>
<head>
<title>401 Unauthorized</title>
</head>
<body>
<h1>Unauthorized</h1>
This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.
</body>
</html>
The WordPress site I want to access is an http server, not https.
Has anyone been able to successfully get this to work?

The README for this plugin is very thin. It points to an introduction file in a non-existent docs directory. How about a little help, folks?

Got latest WP and OAuth server plugin.
Tested with Postman, using this guide.
OAuth signature does not match response and a 401 status.
My POST:
https://www.site.com/oauth1/request?oauth_consumer_key=lPdqr6UQx5bd&oauth_token=&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1486519078&oauth_nonce=TlzIwKwRFUx&oauth_version=1.0&oauth_signature=A4xaFoRQwBKpb2B7%2BAn220djDQc%3D
My headers:
Access-Control-Allow-Headers →Authorization
Connection →keep-alive
Content-Type →text/html; charset=UTF-8
Date →Wed, 08 Feb 2017 01:56:48 GMT
MS-Author-Via →DAV
Server →nginx
Transfer-Encoding →chunked
X-Powered-By →PHP/7.0.15
X-Powered-By →PleskLin
Help?

I was wondering if request tokens get deleted after they “die” when the time has expired, because my options table becomes quite filled with dead tokens.
If yes, when does this happen?
Or is that a function planned for future releases?

Hello.
The plugin works fine, but it has a problem when you have a URL with ' ' (space) or '~'. The problem is the static function urlencode_rfc3986 in class WP_REST_OAuth1; the definition is
protected static function urlencode_rfc3986( $value ) {
    return str_replace( array( '+', '%7E' ), array( ' ', '~' ), rawurlencode( $value ) );
}
But it does not really do that, because the str_replace arrays need to be changed; the new definition works:
protected static function urlencode_rfc3986( $value ) {
    return str_replace( array( ' ', '~' ), array( '+', '%7E' ), rawurlencode( $value ) );
}
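
The earlier post about a signature mismatch with ?lang=es and the post above about urlencode_rfc3986 both turn on how the OAuth 1.0a signature base string is built. The following added example (not the plugin's code and not any poster's; the keys, secrets and token values are constructed) builds the RFC 5849 base string in Node.js, including the query parameters and the percent-encoding of space and '~', and signs it with HMAC-SHA1:

```javascript
// Added example (not the plugin's code): OAuth 1.0a signing per RFC 5849.
const { createHmac } = require('crypto');

// Section 3.6: only A-Z a-z 0-9 - . _ ~ stay literal; space is %20, never "+".
function percentEncode(value) {
  return encodeURIComponent(value).replace(
    /[!'()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase()
  );
}

const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);

// Section 3.4.1: METHOD & encoded base URL (no query) & encoded sorted parameters.
function signatureBaseString(method, url, oauthParams) {
  const u = new URL(url);
  const pairs = [];
  // Query parameters such as lang=es are signed together with the oauth_* ones.
  for (const [k, v] of u.searchParams) pairs.push([percentEncode(k), percentEncode(v)]);
  for (const [k, v] of Object.entries(oauthParams)) {
    if (k !== 'oauth_signature') pairs.push([percentEncode(k), percentEncode(v)]);
  }
  pairs.sort((a, b) => cmp(a[0], b[0]) || cmp(a[1], b[1]));
  const normalized = pairs.map(([k, v]) => `${k}=${v}`).join('&');
  const baseUrl = `${u.protocol}//${u.host}${u.pathname}`;
  return [method.toUpperCase(), percentEncode(baseUrl), percentEncode(normalized)].join('&');
}

// Section 3.4.2: HMAC-SHA1 keyed with "consumerSecret&tokenSecret".
function sign(baseString, consumerSecret, tokenSecret) {
  const key = `${percentEncode(consumerSecret)}&${percentEncode(tokenSecret)}`;
  return createHmac('sha1', key).update(baseString).digest('base64');
}

// Constructed sample values; only the URL shape is taken from the post.
const SAMPLE_PARAMS = {
  oauth_consumer_key: 'ck', oauth_nonce: 'n1', oauth_signature_method: 'HMAC-SHA1',
  oauth_timestamp: '1500000000', oauth_token: 'tk', oauth_version: '1.0',
};
const SAMPLE_URL = 'https://mydomain/wp-json/myapi/v1/products/?lang=es';
const withQuery = signatureBaseString('GET', SAMPLE_URL, SAMPLE_PARAMS);
const withoutQuery = signatureBaseString('GET', SAMPLE_URL.split('?')[0], SAMPLE_PARAMS);
console.log(withQuery);
console.log(sign(withQuery, 'cs', 'ts') !== sign(withoutQuery, 'cs', 'ts')); // true
```

A client that signs the URL without its query string while the server includes it (or the reverse) produces different base strings, which surfaces as a signature mismatch only on requests that carry parameters.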
Displays error when activating the plugin:
The plugin was not activated because it triggered a fatal error.
Parse error: syntax error, unexpected T_PAAMAYIM_NEKUDOTAYIM in /home/a5411639/public_html/wp-content/plugins/OAuth1-master/lib/class-wp-rest-client.php on line 194
How to activate the plugin?