Authenticating to the WordPress API using Oauth 1.0a server

wordpress

#1

The new WordPress REST API allows a lot of interesting scenarios, like creating posts from Python scripts or other applications. Unfortunately, in many cases accessing these APIs requires installing an authentication plugin, because WordPress natively only supports cookie-based authentication. This tutorial covers the steps necessary to authenticate to the WordPress API using OAuth 1.0a.

As a high-level overview, first you must generate a key and secret that are associated with an application: in this context, an application can be anything that uses the WordPress REST API. Then use the key and secret to generate a temporary token and secret, which are used to obtain a long-lasting token and secret. This last pair can then be used in any application that supports OAuth 1.0a.

Installing the OAuth 1.0a server plugin

To start, install the WordPress OAuth 1.0a server plugin and enable it on your WordPress site, noting that it requires at least WordPress 4.4.

Registering an Application

After you have installed the plugin, the first step is to register your application so you have a key and secret you can use to generate a token. This can be done in two ways. The first is through the dashboard, by navigating to Users -> Applications -> Add new. The other is the wp-cli tool: log in to the server that hosts your WordPress site, change directory into your WordPress install and run the following:

[user@server]$ wp oauth1 add --name="application1" --description="Application description goes here"

After you run this you will see your key and secret. Copy them somewhere safe; you will need them in later steps.

Getting a token

Now that you have the client key and secret, you can use them to generate a token to authenticate to WordPress. OAuth1 libraries handle the hard parts of this for you; here we will do it all manually using Postman.

Generating the temporary token

To simplify things, install Postman first. Once you have Postman installed you can use it to generate the tokens you need to authenticate. First you generate a temporary token and secret, then use those to generate the permanent ones. Follow these steps in Postman:

  1. Change the request type to POST
  2. Set the url to https://wordpress.example.com/oauth1/request
  3. Set the auth type to OAuth 1.0
  4. Fill in the Consumer Key using the key you obtained earlier
  5. Fill in the Consumer Secret using the secret you obtained earlier

Then in the Body tab set the content type to x-www-form-urlencoded. Finally, in the Authorization tab hit Update Request and Send.

You should get a response that looks similar to:

oauth_token=<token>&oauth_token_secret=<token_secret>

Where <token> and <token_secret> are the actual contents of your token and secret.

Authorization

Once you have the tokens, you must associate them with a user in WordPress. This is done by visiting the following URL in a browser:

https://wordpress.example.com/oauth1/authorize?oauth_token=$token&oauth_token_secret=$token_secret

WordPress will ask you to log in as the user you wish to associate these tokens with, if you are not already logged in. Once you authorize the token you will be given a verification token (the oauth_verifier): save this somewhere safe for the next step.

Generating the permanent token

Use Postman again to generate the permanent token using the temporary token from the previous step:

  1. Change the request type to POST
  2. Set the url to https://wordpress.example.com/oauth1/access
  3. Set the auth type to OAuth 1.0
  4. Fill in the Consumer Key using the key you obtained earlier
  5. Fill in the Consumer Secret using the secret you obtained earlier
  6. Fill in the Token using the temporary token you obtained earlier
  7. Fill in the Token Secret using the temporary token secret you obtained earlier
  8. Click the Params button and add a param with the key oauth_verifier and the value set to the verification token you got in the previous step

Then in the Body tab set the content type to x-www-form-urlencoded. Finally, in the Authorization tab hit Update Request and Send. Again, you should get a response that looks similar to:

oauth_token=<token>&oauth_token_secret=<token_secret>

Where <token> and <token_secret> are the contents of your permanent token and secret. If everything worked, you now have a token and token secret that you can use to authenticate to WordPress from your OAuth 1.0a app.

Creating a post

Now that you have authenticated to the API, you can create a post, assuming the user you authenticated as has the proper permissions to do so. This can also be done using Postman:

  1. Change the request type to POST
  2. Set the url to https://wordpress.example.com/wp-json/wp/v2/posts
  3. Fill in the Consumer Key using the key you obtained earlier
  4. Fill in the Consumer Secret using the secret you obtained earlier
  5. Fill in the Token using the oauth_token you obtained earlier
  6. Fill in the Token Secret using the oauth_token_secret you obtained earlier
  7. Go to the Body tab, select x-www-form-urlencoded
  8. Create a title key, where the value is the title of your post
  9. Create a content key, where the value is the body of your post
  10. Create a status key, where the value is the status of your post; possible values are publish, future, draft, pending and private, and it defaults to draft.
  11. Click Update request in the Authorization tab
  12. Click Send

If everything worked out, you should get a response with some information about the post you just created, including the URL to visit it at.
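
The three Postman requests above (temporary token, permanent token, create post), as an added example in Python that is not code from the original post or from the OAuth1 plugin. It signs each request by hand with only the standard library, so you can see what Postman's "OAuth 1.0" auth type actually puts in the Authorization header. The site https://wordpress.example.com and the consumer key/secret under `__main__` are placeholders (the real ones come from the `wp oauth1 add` step); the `oauth_callback=oob` parameter is an assumption taken from the OAuth 1.0a spec rather than from the tutorial, and the signing helpers are checked against the worked example in Appendix A of the OAuth Core 1.0 specification.

```python
"""Hand-rolled OAuth 1.0a (HMAC-SHA1) signing for the WordPress REST API.

Added example, not code from the original post or the OAuth1 plugin. It does
what Postman does in the tutorial: signs the request-token, access-token and
create-post calls. Site URL and consumer credentials under __main__ are placeholders.
"""
import base64
import hashlib
import hmac
import secrets
import time
import urllib.parse
import urllib.request


def _enc(value):
    # OAuth percent-encoding: only RFC 3986 unreserved chars (A-Z a-z 0-9 - . _ ~) stay as-is.
    return urllib.parse.quote(str(value), safe="")

def base_url(url):
    # Scheme and host are case-insensitive; default ports, query and fragment are dropped.
    parts = urllib.parse.urlsplit(url)
    host, _, port = parts.netloc.lower().partition(":")
    if port and (parts.scheme.lower(), port) not in (("http", "80"), ("https", "443")):
        host = f"{host}:{port}"
    return f"{parts.scheme.lower()}://{host}{parts.path or '/'}"

def signature_base_string(method, url, params):
    # params = query params + form-body params + oauth_* params (minus oauth_signature),
    # each key and value encoded, then sorted by key and value.
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(base_url(url)), _enc(normalized)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # Signing key is enc(consumer_secret)&enc(token_secret); the token secret is
    # empty for the very first (request-token) call.
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def oauth_header(method, url, consumer_key, consumer_secret, token="", token_secret="",
                 extra=None, body=None, nonce=None, timestamp=None):
    """Build the Authorization: OAuth header value for one request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),   # fresh per request (replay defence)
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    oauth.update(extra or {})            # oauth_callback or oauth_verifier when needed
    query = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
    signed = {**query, **(body or {}), **oauth}   # form-encoded body fields are signed too
    oauth["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, signed), consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{k}="{_enc(v)}"' for k, v in sorted(oauth.items()))

def _post(url, header, body):
    data = urllib.parse.urlencode(body).encode()
    req = urllib.request.Request(url, data=data, method="POST", headers={
        "Authorization": header, "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()

def request_token(site, ckey, csecret):
    # Tutorial step 1: POST /oauth1/request. RFC 5849 requires oauth_callback (assumption,
    # not from the tutorial); "oob" means the verifier is shown in the browser, as in the
    # authorize step.
    url = f"{site}/oauth1/request"
    hdr = oauth_header("POST", url, ckey, csecret, extra={"oauth_callback": "oob"})
    return dict(urllib.parse.parse_qsl(_post(url, hdr, {})))

def access_token(site, ckey, csecret, tmp_token, tmp_secret, verifier):
    # Tutorial step 3: POST /oauth1/access, signed with the temporary credentials + verifier.
    url = f"{site}/oauth1/access"
    hdr = oauth_header("POST", url, ckey, csecret, tmp_token, tmp_secret,
                       extra={"oauth_verifier": verifier})
    return dict(urllib.parse.parse_qsl(_post(url, hdr, {})))

def create_post(site, ckey, csecret, token, tsecret, title, content, status="draft"):
    # Tutorial step 4: POST /wp-json/wp/v2/posts with the permanent token; status defaults to draft.
    url = f"{site}/wp-json/wp/v2/posts"
    body = {"title": title, "content": content, "status": status}
    return _post(url, oauth_header("POST", url, ckey, csecret, token, tsecret, body=body), body)

if __name__ == "__main__":
    SITE = "https://wordpress.example.com"                   # hypothetical site from the tutorial
    CKEY, CSECRET = "<consumer_key>", "<consumer_secret>"    # placeholders from `wp oauth1 add`
    tmp = request_token(SITE, CKEY, CSECRET)
    print(f"Authorize at {SITE}/oauth1/authorize?oauth_token={tmp['oauth_token']}")
    verifier = input("oauth_verifier shown by WordPress: ").strip()
    perm = access_token(SITE, CKEY, CSECRET, tmp["oauth_token"], tmp["oauth_token_secret"], verifier)
    print(create_post(SITE, CKEY, CSECRET, perm["oauth_token"], perm["oauth_token_secret"],
                      "Hello from OAuth 1.0a", "Posted with a hand-signed request"))
```

Two points the Postman walk-through hides: the form-encoded body fields (title, content, status) are part of the signature base string, so a request whose body is altered after signing fails verification, which is the property that protects it in transit (and the reason a JSON body would have to be left out of the signature); and the permanent token and secret let the holder do everything the authorizing user can do, so store them as you would that user's password.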


#2

Shouldn't we use OAuth2? Isn't this a security concern?


#3

Is there a WordPress plugin that provides OAuth2 or OpenID Connect? Last time I checked, there wasn’t.

I’m also not aware of any security issues with OAuth1.0a protocol itself. If you have more details, please share them.


#4

on

Users -> Applications -> Add new

could you post a sample screenshot of the process? I filled name with “applicacion1” as in your wp-cli tool and description with “application description”, but I have no idea what to put in callback.

Also, since I'm using Plesk, I can SSH through PuTTY and then "plesk ext wp-toolkit . . .", but this seems too complicated, so I'd rather know how to fill in the Add new (GUI) -> callback form.

cheers


#5

I don’t have a callback URL in my WordPress panel and the sample code works fine. Is your code not working? What error do you get?

Also Plesk is not part of the equation, you can just ignore it.


#7

Your application’s callback URL. The callback passed with the request token must match the scheme, host, port, and path of this URL.

err: Consumer callback is required and must be a valid URL.

Plesk doesn't have wp-cli as such.

It does have some integration of it, but all the commands are different etc., so it gets really different, really fast with the commands.

https://support.plesk.com/hc/en-us/articles/115001805173-How-to-integrate-wp-cli-in-Plesk

This has nothing to do with WordPress, it's a Twitter forum query, but they advise putting localhost in the callback. I am however not developing locally, but on a server subdomain, so I'm not sure what would exactly work. I doubt http:127.0.0.1 would, but perhaps just (https://)subdomain.domain(.com) would; I'm also uncertain about ports, but I don't think they are necessary, even though the link used (http://)localhost:3000/auth/twitter/callback, port 3000 here.


#8

Using the CLI (not Plesk, which I have never used), the callback URL is not mandatory. In any case, it is "An absolute URL to which the Service Provider will redirect the User back when the Obtaining User Authorization step is completed" (from the OAuth 1.0a spec). I have never used that part of the plugin. I wrote this tutorial when I was experimenting with WP's REST API but never used this plugin in production.

Have you tried putting something like https://your.domain/callback or something similar?