How to use OAuth authentication with REST API via CURL commands?

Let’s go step by step here. Looks like you’re trying to use OAuth just for authentication, but before you can do so you need to get the Access Token which will be used to authenticate when you make your API calls.

Because this is using OAuth version 1, in order to obtain the Access Token you must do the following:

  1. First, setup an application, make a call to the site to obtain the Request Token (temp credentials) using the Client ID and Secret for the application
  2. Second, make a call to the site to Authorize the application with the Request Token from first step (user-facing, see below).
  3. Third, after authorization has been completed, you then make a call to the site to obtain the Access Token (now that application has been authorized)

I recommend using Postman for the first few steps, because they only need to be completed once. Postman will also handle generating the timestamp, nonce and oauth signature, so if you’re not using an OAuth library, then you should absolutely use Postman. Once you have your Access Token you can make the calls via CURL without any libraries.

https://www.getpostman.com/

First Step (setup application)

Install WP OAuth 1 plugin, activate, then goto menu item under Users > Applications. Add new application, fill out name and description. For callback either the URL to redirect the user to (after authorizing), or oop for Out-of-Band flow which will redirect to an internal page which displays the verifier token (instead of redirecting).

https://github.com/WP-API/OAuth1/blob/master/docs/basics/Registering.md

To proceed to the second step a call needs to be made to your site, using the Client ID and Client Secret from the created application, to get temporary credentials (Request Token).

Open up Postman, create a new call to http://website.com/oauth1/request, click on the Authorization tab, select OAuth 1.0 from dropdown, enter in the Client Key, Client Secret, set signature method to HMAC-SHA1, enable add params to header, encode oauth signature, then click Update Request

Postman OAuth1 Request

Postman will auto generate the signature, nonce, and timestamp for you, and add them to the header (you can view under Headers tab).

Click Send and you should get a response that includes oauth_token and oauth_token_secret:
Postman OAuth1 Request Response

These values will be used in the next step to authorize the application under your WordPress user account.

Second Step (authorize application)

Authorization step only needs to be completed once, this step is user-facing, and the one that everyone is familiar with. This step is required because you’re using OAuth1, and the application needs to be associated with a WordPress user account. Think of when a site allows you to login with Facebook … they direct you to Facebook where you login and click “Authorize” … this needs to be done, just through your WordPress site.

I recommend using your Web Browser for this step, as you can easily just set the variables in URL, and this provides the “Authorize” page to authorize the application.

Open your web browser and type in the URL to your site, like this:
http://website.com/oauth1/authorize

Now add on to this URL, oauth_consumer_key (Client ID), oauth_token and oauth_token_secret (from previous step). In my example this is the full URL:

http://website.com/oauth1/authorize?oauth_consumer_key=TUPFNj1ZTd8u&oauth_token=J98cN81p01aqSdFd9rjkHZWI&oauth_token_secret=RkrMhw8YzXQljyh99BrNHmP7phryUvZgVObpmJtos3QExG1O

OAuth1 Authorize Application

Once you click on Authorize, you will get another screen with the verification token. In my example this is the verification token returned E0JnxjjYxc32fMr2AF0uWsZm

Third Step (get access token)

Now that we have authorized the application, we need to make one last call to get the Authorization Token which will be used to make all your API calls. Just like the first step i’m going to use Postman (because signature is required to be HMAC-SHA1), and it makes it 100x easier to complete these steps.

Open up Postman again, and change the URL to http://website.com/oauth1/access

Make sure to add the Token, and Token Secret (values from the first step), then click on Params to show the boxes below the URL. On the left type in oauth_verifier and on the right, enter the code from the second step, the Verification Token

Postman OAuth1 Access Step

Make sure to click Update Request, then click Send, and you should get a response back with oauth_token and oauth_token_secret … this is what you need to make your API calls with! Discard the original ones from step 1, save these ones in your code or somewhere else safe.

Postman OAuth1 Access Response

You can then make an API call to your site, setting the headers with the returned token, and token secret.

You can pass this multiple ways, via Authorization header, in GET parameters, or POST (if encoded as application/x-www-form-urlencoded). Keep in mind you MUST pass the signature, timestamp, and nonce. I didn’t realize how long this reply would take me, so i’ll update this tomorrow with example on doing that with your code.

I strongly recommend installing Rest API log so you can view log of API calls, and see what was sent, returned, etc. This will help with debugging tremendously.

https://github.com/petenelson/wp-rest-api-log

Related Posts:

  1. Blocking the direct access to images in the upload folder WordPress
  2. Change GitHub Account username
  3. Google OAuth 2 authorization – Error: redirect_uri_mismatch
  4. How to validate a user from ouside wordpress/php?
  5. Override user authentication with external credentials
  6. JWT authentication with WP – Approach
  7. why does WordPress need two cookies for auth/login
  8. Extend WordPress (4.x) session and nonce
  9. WordPress REST API – Permission Callbacks
  10. cURL 28 error after switch from to brew php 7.2 on localhost
  11. How to use WordPress authentication on non-WordPress page?
  12. how to authenticate for the REST API from a plugin and from command line
  13. How to check WordPress website username and password is correct
  14. WordPress Rest API: How do we validate with our custom API key?
  15. How does ifttt.com authenticate a supplied WordPress account
  16. Storing Dropbox Authentication?
  17. How to authenticate custom API endpoint in WooCommerce [closed]
  18. Creating a post with the REST API, curl and oauth returning 401 error
  19. How to Authenticate WP REST API with JWT Authentication using Fetch API
  20. How can I use CURLOPT_USERPWD in wp_remote_post?
  21. How to build a plugin that supports authenticated POST requests to the REST API from external servers?
  22. WordPress as a OAuth Provider
  23. Can I authenticate with both WooCommerce consumer key and JWT?
  24. How to leverage authentication outside of WordPress?
  25. WP REST API: check if user is logged in
  26. How do I execute a wp_remote_get call using NTLM authentication?
  27. Android authentication
  28. How to login to WordPress site using basic authentication HTTP headers?
  29. Can we access the REST request parameters from within the permission_callback to enforce a 401 by returning false?
  30. Rest API authentication issue when called from fetch request in bundle.js
  31. WordPress REST API “rest_authentication_errors” doesn’t work external queries?
  32. Can’t GET draft posts via REST API from headless frontend
  33. Outgoing proxy connection problem
  34. WordPress API returns empty page when page is less than X-WP-TotalPages
  35. WordPress user Authentication
  36. WordPress asking for FTP details when installing plugins
  37. WP REST API GET Requests require authentication
  38. current_user_can(‘administrator’) returns false when I’m logged in
  39. Authenticating with REST API
  40. Make authorization mandatory on custom routes
  41. WP REST API – Nonce passes wp_verify_nonce even after logout
  42. Rest API code to get ID of current user not working: get_current_user_id() gives 0
  43. How to save generated JWT token to cookies on login?
  44. How to create a post using REST API with sending data as a JSON body?
  45. How to force JWT auth for default GET endpoints of WordPress rest api?
  46. REST API: best place to set current user for JWT auth?
  47. Blocks Rest API rest_cannot_delete
  48. Curl requests sent two times
  49. for a role-protected page, programmatically login user and load page
  50. REST API authentication for a plugin
  51. guest authentication
  52. wordpress 3.9 remote token auth
  53. How to set up Shibboleth authentication for a MU site
  54. Login after “Read More” then return to article
  55. How to make WordPress use authentication from Parent Site
  56. Rest API basic auth not working
  57. auto logout user when user logout on one of the opened tab
  58. How can I have authenticated WordPress users automatically sign into Moodle?
  59. Getting 401 from ajax using an application password
  60. How to connect android app with WordPress website?
  61. Requiring Authentication for Parts of WordPress Site
  62. WordPress REST API calls that depend on the WordPress User
  63. Uploading a media item with the wp-json API to a specific path
  64. WordPress HTTP API NTLM Authentication
  65. WooCommerce OAuth 1.0 + JWT authentication with JS/React
  66. Authenticating users with usermeta fields
  67. REST API works in browser and via AJAX but fails via cURL
  68. Best Authetication between REST API and Mobile App
  69. Getting Authentication required popup
  70. How can LDAP/Active Directory be integrated in WordPress?
  71. Log in user using WordPress REST API
  72. Authenticate Subdomain
  73. How to create new users with JWT Auth Plugin?
  74. How to verify which WordPress user requested the API in ASP .NET Core?
  75. Mirgrating a user at signon
  76. Automate WordPress Login
  77. Secure WordPress API, how?
  78. Application to Website authentication
  79. register/login api
  80. Open authenticed WordPress page from mobile app
  81. The same session information for peer users on two different WordPress servers
  82. Access to customer profile with pin code
  83. Hide response returned from WordPress REST API call
  84. WP link for reset password is not received
  85. How to make an other web app can login with wordpress authentication?
  86. Authentication over CURL
  87. Check if user is logged in, inside php file in template directory
  88. WordPress Multisite and site speed and scaleability
  89. REST API Integration without user account?
  90. WP REST API with Basic Auth at target website
  91. rest_cannot_create_user – Sorry, you are not allowed to create new users. CURL WORDPRESS REST API
  92. Authenticate + Authorize WP REST API request before built-in WP JSON Schema Payload Validation?
  93. Rest Api WordPress
  94. Can you pass user/pass for HTTP Basic Authentication in URL parameters?
  95. What is the difference between authentication and authorization?
  96. Login and register by API
  97. wp_signon by user’s login by their particular role
  98. custom REST endpoints and application passwords
  99. wordpress rest api authentication failed
  100. How can I enforce user to use Application password to generate JWT token? [closed]

Leave a Comment