
OAuth Signature Does Not Match

Open justindmyers opened this issue 9 years ago • 8 comments

request url: http://www.example.com/oauth1/request?oauth_version=1.0&oauth_nonce=afba072131130e96b52d1063937ab472&oauth_timestamp=1464839688&oauth_consumer_key=d2JDLzmy07oI&oauth_signature_method=HMAC-SHA1&oauth_signature=8EkPuDVcTsh8cmZfoD3U2K3VHaI%3D
OAuthRequest Object
(
    [parameters:OAuthRequest:private] => Array
        (
            [oauth_version] => 1.0
            [oauth_nonce] => afba072131130e96b52d1063937ab472
            [oauth_timestamp] => 1464839688
            [oauth_consumer_key] => d2JDLzmy07oI
            [oauth_signature_method] => HMAC-SHA1
            [oauth_signature] => 8EkPuDVcTsh8cmZfoD3U2K3VHaI=
        )

    [http_method:OAuthRequest:private] => GET
    [http_url:OAuthRequest:private] => http://www.example.com/oauth1/request
    [base_string] => GET&http%3A%2F%2Fwww.example.com%2Foauth1%2Frequest&oauth_consumer_key%3Dd2JDLzmy07oI%26oauth_nonce%3Dafba072131130e96b52d1063937ab472%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1464839688%26oauth_version%3D1.0
)

I cannot figure out why I'm getting the error "OAuth Signature Does Not Match". I'm on a brand new WordPress install and I followed all of the instructions exactly for setting up the auth call.

Would anyone know why the above settings wouldn't be working? I've used both Postman and http://term.ie/oauth/example/client.php to try and check that OAuth is working properly, but both return the OAuth signature error no matter what I do.

justindmyers, Jun 02 '16 04:06

I have a test PHP script I put together a while ago, which (still) works.

Run it on another domain and you should be able to connect to the host (WP) domain using your credentials. There are also some other tests in there (commented out), after logging in which can create a post and upload a file.

https://gist.github.com/kosso/71c957e30a40116e5f98

HTH

ps: You may want to comment out the line at the top regarding the opcache_reset.

kosso, Jun 02 '16 14:06

Kosso,

Whoa! That works perfectly. I was wondering if you could help me understand if it's appropriate for my use case. I'm really at the edge of my skill set on this topic.

Let's say I have a script running on WordPress site A that needs to make authenticated HTTP requests to WordPress site B, where site B is running the WP API and the OAuth1 plugin, and I have added site A to the roster of sites in wp-admin/users.php?page=rest-oauth1-apps. I was able to use your class here to complete the auth process in my web browser. Once that was complete, I grabbed the access_token_secret and access_token from $_COOKIES and hardcoded those values into my script. I then logged that user out of site B via the logout link that your class renders, and for good measure I started over in an incognito window. As I hoped, I was still able to use those creds, now hard-coded into my script, to make authenticated requests from site A to site B. I'm delighted; this seems perfect.

  1. Is this kosher? Can I continue using those hardcoded access_token_secret and access_token values forever? Any pitfalls I should be aware of?

  2. I'm not clear on why this is more secure than basic auth at this point. Couldn't someone wire-sniff those hard-coded creds on their way from site A to site B?

  3. What if at some point I want to revoke those values?

scofennell, Jun 21 '16 22:06

Glad you're getting somewhere. ;)

Definitely DO NOT hard-code any access_token_secret or access_token anywhere. That kind of defeats the purpose of OAuth, to be able to revoke those tokens and get new ones via authentication.

Revoking the tokens is done on the /wp-admin/profile.php page.

The creds never get sent over the air/wire. They're used to create the oauth_signature to 'sign' the request to the server. The server then attempts to recreate that signature, knowing the credentials required for the user and the request being made, and compares it.

It took me forever to get my head around OAuth1 ;)

kosso, Jun 21 '16 23:06

Fantastic explanation. Sorry for the thread drift. Going to DM you a follow-up question if you don't mind (@scottfennell123).

scofennell, Jun 22 '16 01:06

@kosso Hello! I use your OAuth test client which you posted below, but it doesn't work at the last step. When I authorized my application and was redirected to the callback URL, I got the following:

ERROR: Failed to get access tokens OAuth signature does not match

Could you please explain to me what's wrong? I use WP REST API v2.0-beta13.1, WP REST API - OAuth 1.0a Server v0.2.1

fliegerfaust, Aug 16 '16 13:08

Same issue here, got the latest WP and OAuth server plugin. @kosso's script doesn't work for me unfortunately.

Tested with Postman, using this guide.

I keep getting an "OAuth signature does not match" response and a 401 status.

My POST:

http://www.site.com/oauth1/request?oauth_consumer_key=lPdqr6UQx5bd&oauth_token=&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1486519078&oauth_nonce=TlzIwKwRFUx&oauth_version=1.0&oauth_signature=A4xaFoRQwBKpb2B7%2BAn220djDQc%3D

My headers:

Access-Control-Allow-Headers: Authorization
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Date: Wed, 08 Feb 2017 01:56:48 GMT
MS-Author-Via: DAV
Server: nginx
Transfer-Encoding: chunked
X-Powered-By: PHP/7.0.15
X-Powered-By: PleskLin

Help? :(

Jany-M, Feb 08 '17 02:02

Howdy Jany-M,

I wrote a tutorial on this subject, along with some heavily commented sample plugins. It's a pretty complex situation, but maybe it can be of some help:

https://css-tricks.com/oauth-fun-oauth1/

scofennell, Feb 08 '17 19:02

I got the "OAuth signature does not match" as well... until I realized the copy-pasted client secret from the WordPress admin has an additional space before the key... sigh! Remove the space, all good!

ablunsum, Mar 28 '17 13:03
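The two points the thread keeps circling, kosso's explanation that the secrets never travel and only the HMAC over a canonical base string does, and ablunsum's finding that a single stray space in the copied consumer secret is enough to produce "OAuth signature does not match", can both be shown with a short OAuth 1.0a (RFC 5849) signing and verification routine. The block below is an added example; it is not code from the thread, from kosso's gist, or from the WP OAuth1 plugin. Only the request URL and base string quoted in the first post are taken from the page; the consumer secret is constructed because the real one is not disclosed, and the function names are this example's own.

```python
"""OAuth 1.0a (RFC 5849) HMAC-SHA1 signing and server-side verification.

Added example; not the WP OAuth1 plugin's code. The request URL is the one
quoted in the issue; CONSUMER_SECRET is constructed (the real one is unknown).
"""
import base64
import hashlib
import hmac
import urllib.parse as up


def oauth_encode(value: str) -> str:
    """RFC 5849 section 3.6 encoding: only unreserved characters stay literal."""
    return up.quote(value, safe="-._~")


def normalize_url(url: str) -> str:
    """Lower-case scheme and host, drop default ports, strip query and fragment."""
    p = up.urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    default = (scheme == "http" and p.port == 80) or (scheme == "https" and p.port == 443)
    if p.port and not default:
        host = f"{host}:{p.port}"
    return f"{scheme}://{host}{p.path}"


def signature_base_string(method: str, url: str, extra_params=None) -> str:
    """METHOD & enc(normalized URL) & enc(sorted, encoded parameters) (section 3.4.1).

    Parameters come from the query string plus extra_params (values that would
    otherwise arrive in an Authorization header or a form body). oauth_signature
    is never part of its own base string; blank values such as oauth_token= are kept.
    """
    p = up.urlsplit(url)
    pairs = up.parse_qsl(p.query, keep_blank_values=True) + list((extra_params or {}).items())
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in pairs if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_encode(normalize_url(url)), oauth_encode(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Key is enc(consumer_secret) + '&' + enc(token_secret); the '&' stays with no token."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}"
    digest = hmac.new(key.encode("utf-8"), base_string.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def client_sign_url(method: str, url: str, consumer_secret: str, token_secret: str = "") -> str:
    """Client side: sign the URL's own parameters and append oauth_signature to it."""
    p = up.urlsplit(url)
    pairs = [(k, v) for k, v in up.parse_qsl(p.query, keep_blank_values=True) if k != "oauth_signature"]
    bare = up.urlunsplit((p.scheme, p.netloc, p.path, up.urlencode(pairs, quote_via=up.quote), ""))
    sig = hmac_sha1_signature(signature_base_string(method, bare), consumer_secret, token_secret)
    return f"{bare}&oauth_signature={oauth_encode(sig)}"


def server_verifies(method: str, url: str, consumer_secret: str, token_secret: str = "") -> bool:
    """Server side: rebuild the base string from the request as received, recompute the
    HMAC with the secrets it holds, and compare in constant time with the presented
    oauth_signature. The secrets themselves are never on the wire."""
    params = dict(up.parse_qsl(up.urlsplit(url).query, keep_blank_values=True))
    presented = params.get("oauth_signature", "")
    expected = hmac_sha1_signature(signature_base_string(method, url), consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))


# Request URL quoted in the first post (the oauth_* values live in the query string).
ISSUE_REQUEST_URL = ("http://www.example.com/oauth1/request?oauth_version=1.0"
                     "&oauth_nonce=afba072131130e96b52d1063937ab472&oauth_timestamp=1464839688"
                     "&oauth_consumer_key=d2JDLzmy07oI&oauth_signature_method=HMAC-SHA1"
                     "&oauth_signature=8EkPuDVcTsh8cmZfoD3U2K3VHaI%3D")

CONSUMER_SECRET = "xK9wq2LmZ0pT"  # constructed; the issue does not disclose the real secret


def demo() -> dict:
    """Reproduce the posted base string, then show when the server accepts or rejects."""
    signed = client_sign_url("GET", ISSUE_REQUEST_URL, CONSUMER_SECRET)
    # ablunsum's pitfall: the client pasted the secret with a leading space; the server's copy is clean.
    signed_with_space = client_sign_url("GET", ISSUE_REQUEST_URL, " " + CONSUMER_SECRET)
    return {
        "base_string": signature_base_string("GET", ISSUE_REQUEST_URL),
        "accepted": server_verifies("GET", signed, CONSUMER_SECRET),
        "accepted_with_space_in_secret": server_verifies("GET", signed_with_space, CONSUMER_SECRET),
        # The signature is bound to the request: replaying it against another path fails too.
        "accepted_for_other_path": server_verifies(
            "GET", signed.replace("/oauth1/request", "/oauth1/access"), CONSUMER_SECRET),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it reproduces, byte for byte, the base_string that the first post's OAuthRequest dump shows, which is the first thing worth checking when debugging a mismatch: if the client's base string differs from the server's, the HMAC can never agree, and the usual causes are a differently normalized URL, a dropped or duplicated parameter (an empty oauth_token= still counts), or non-RFC percent-encoding. If the base strings match and the signatures still differ, the key is wrong, which is exactly the leading-space case here: the space is percent-encoded into the HMAC key, so every signature the client produces is off while everything it sends looks fine.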