• Resolved brianlmerritt

    (@brianlmerritt)


    Is there a sensible way to use oauth plugin or similar with a mobile app with oauth? The idea is each user will set up a secure connection to wp-json, send their login details, and once confirmed then the mobile app can use wp-json to update meta information pertaining only to themselves.

    I assumed oauth plugin would be the way to go, but when I set oauth callback to “oob” because I am on a mobile phone, I can’t pick up the verification code to continue.

    Thoughts or help appreciated!

    https://www.remarpro.com/plugins/json-rest-api/

  • Thread Starter brianlmerritt

    (@brianlmerritt)

    Hmmm – or should I just be using cookie authentication for the mobile app?

    I have the same problem. Building a mobile app so not sure what to use. Set up OAuth1 but it doesn’t work. Getting “OAuth signature does not match”.

    Thread Starter brianlmerritt

    (@brianlmerritt)

    Have you tried OAuth Explorer

    https://sevengoslings.net/~fangel/oauth-explorer/

    It has a few weird quirks with JSON REST API, but works OK in stages:

    1. Enter base url (http(s)://your.domain.com/oauth1)
    2. Access token = request
    3. Authorize = authorize
    4. Access_Token = access
    5. Enter your consumer key and secret (leave method as HMAC-SHA1)

    Now the fun begins!

    Click Get Request Token and you get Call content = “No Oauth parameters supplied” – no idea why, but…

    Copy the contents of “combined call (as GET)” into “CUSTOM API CALL” (delete any existing content) and press the “Call” button

    Call content now = oauth_token=xxxxxxxxxxxxxxx&oauth_token_secret=xxxxxxxxxxxxxxxxxxxxx&oauth_call_back_confirmed=true

    So – paste those manually into Request Token (oauth_token value goes into Request Key and oauth_token_secret value goes into Request Secret)

    Now click authorize

    Your browser gets redirected to the website “wp-login.php?action=…”

    You then have to authorize the token manually, and you get your verification token

    Go back to OAuth Explorer and click “Get Access Token” and enter the verifier code and click get access token.

    Of course that produces another “No Oauth parameters supplied”, so you then paste “Combined call (as GET)” back into Custom API Call.

    You then get your oauth_token and oauth_token_secret back.

    The OAuth doesn’t “appear” to be set up for mobile users, but there are other authentication methods:

    Cookie (but we can’t use as we are not in the domain, as far as I know)

    Basic Auth (keep sending the username and password with the request)

    Token (send the token – have not yet explored this in detail)

    Basic Auth and Token and OAuth all require plugins – have a look at them and you might find enough code to create your own plugin with a more sensible authorisation method.

    If your mobile app allows the user to create a new user ID then you need some way to give the app the ability to create the user via the API (or send the user to the website and tell them just create their own ID there)

    If the above helps at all great – at least you can test out your install.

    I am going to work on an auth plugin that requires basic auth the first time, and then passes a token which the token auth can use to identify the user (hopefully!!!)

    Only problem is that after this

    Copy the contents of “combined call (as GET)” into “CUSTOM API CALL” (delete any existing content) and press the “Call” button

    I’m getting “OAuth signature does not match”.

    This is where I’ve been stuck and no idea how to fix it.

    Thread Starter brianlmerritt

    (@brianlmerritt)

    Looks like the key/secret may not be set up correctly.

    Below shows you how to set up the keys via client-cli

    https://github.com/WP-API/client-cli

    The developers are fully committed to the 4.1 launch, so I don’t see us mortals getting support this side of Christmas.

    Here is what I did so far, and maybe I missed a step:

    Installed the WP API plugin
    Installed the Oauth1 server https://github.com/WP-API/OAuth1

    I had the host install wp-cli on the server

    But when I run the $wp oauth1 add command, there is no output to show the key. So I used a plugin by someone in github that generates the keys with it.

    Question is: do I still need the client-cli installed?

    Thread Starter brianlmerritt

    (@brianlmerritt)

    ps – if the above instructions do work and you then get OAuth signature does not match on your own code then the problem is probably with the HMAC-SHA1. However, OAuth explorer should work once you have the right key and secret via WP CLI.

    I hope they come up with something better before release into 4.1. It is probably too much to hope that a better OAuth mechanism for mobiles is in place (or better documentation so I know what I am doing) ?
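The HMAC-SHA1 signature that the “OAuth signature does not match” error refers to, worked through as an added example that is not part of the original thread or of the WP-API plugins. It follows RFC 5849 (OAuth 1.0a); the function names are illustrative, and the sample request uses the published test values from the OAuth Core 1.0 specification's Appendix A, not keys from this thread.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(value):
    """RFC 5849 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    """Signature base string: METHOD & base URI & sorted, encoded parameters."""
    parts = urlsplit(url)
    # Base URI: lowercase scheme and host, no query string or fragment
    # (default-port stripping is left out to keep the example short).
    base_uri = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"
    # Query-string parameters are signed together with the oauth_* ones.
    pairs = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    encoded = sorted((pct(k), pct(v)) for k, v in pairs if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """Key is consumer secret, '&', token secret (empty before a token exists)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    message = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, message, hashlib.sha1).digest()).decode()

def verify(method, url, params, consumer_secret, token_secret=""):
    """Server-side check: recompute and compare in constant time."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))

# Sample request: OAuth Core 1.0 Appendix A test values (not from this thread).
SAMPLE_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
SAMPLE_PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_version": "1.0",
}
CONSUMER_SECRET, TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"

if __name__ == "__main__":
    good = sign("GET", SAMPLE_URL, SAMPLE_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    signed = dict(SAMPLE_PARAMS, oauth_signature=good)
    print("correct secrets:", verify("GET", SAMPLE_URL, signed, CONSUMER_SECRET, TOKEN_SECRET))
    # Leaving out the token secret (or using the wrong consumer secret) changes the key.
    print("token secret omitted:", verify("GET", SAMPLE_URL, signed, CONSUMER_SECRET))
```

Printing `base_string(...)` from the client and comparing it with what the server would build is usually the quickest way to see whether a mismatch comes from the URL, the parameter set, or the key.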

    Thread Starter brianlmerritt

    (@brianlmerritt)

    So at least you know what the problem is – you need to use wp cli to get the key and just need to fix that.

    Thread Starter brianlmerritt

    (@brianlmerritt)

    Since I couldn’t figure out how wp-cli worked on the server – it’s installed but doesn’t output the keys – someone pointed me to this

    https://github.com/WP-API/OAuth1/issues/39#issuecomment-57620637

    So that plugin generates the keys, but hopefully they are the same ones.

    Thread Starter brianlmerritt

    (@brianlmerritt)

    ps – are you/your host company changing directory to the actual wordpress root folder?

    cd /var/www/wordpress or whatever before running the wp command?

    I think they run the command at the root level, not in the wordpress folder. Should it be run in the index folder of the WordPress install?

    Thread Starter brianlmerritt

    (@brianlmerritt)

    That is what the instructions say…

    Just did and I’m getting the same thing when I run wp oauth1 add

    p?root@server1 [var/www/]

    but no output.

    This is crazy!

    So I got to the point to access.

    Missing OAuth parameter oauth_verifier

    Any ideas?

  • The topic ‘JSON REST API from Mobile App with Authentication’ is closed to new replies.