Unable to get the key and secret #39

Closed
crisanders opened this issue Oct 2, 2014 · 46 comments

@crisanders

Installed the WP API plugin and then the OAuth1 as well, but every time I go to my dedicated server and try to run this

$ wp oauth1 add

It gives an error and nothing is returned. 

root@server1 [/home/site/www]# wp
-bash: wp: command not found

Any idea what I'm doing wrong? I can't figure it out.

Thank you
@romuloctba

That is because you don't have the wp-cli plugin installed on your server
http://wp-cli.org/

@crisanders
Author

The only way to install it is with root access, right? There is no package to download and install it thru Wordpress, correct?

@romuloctba

You can upload the contents of this .rar in your wp-content/plugins then
activate through wp-admin. It is still a little raw, only creates a new key
when you click on the 'Criar nova chave Oauth' menu, but it does the job. I
made this for myself, so not very beautiful, but works

@romuloctba

oops, sorry.. you can download it here: http://rcdev.com.br/palestraexemplos/create-key.rar

@crisanders
Author

I'll give it a try.

In the meantime, we installed wp-cli thru root but when we run the wp oauth1 add command, nothing is returned.

Should I just try your script?

@romuloctba

Yeah just give it a try
I made it just because my point is to use wp-api in simple php + mysql
shared hosts (like ipage or hostgator), without SSH nor cli. So since I was
unable to install wp-cli, I unwrapped the original oAuth create Key code
into this plugin

Nothing special... If you want it in English I can translate it for you,
but I guess you can do it on your own, since there isn't much to translate
actually.

You could even generate the key and secret, and then deactivate and exclude
the plugin if you want (keys are managed by OAuth plugin, not mine. Mine
just executes the function to generate'em without wp-cli)

@crisanders
Author

That worked! Thank you!

Question: what is the callback URL format? Something like http://example.com/auth_token?

@crisanders
Author

I'm still a bit confused about what the next steps are. Basically everything is activated now, but need to perform OAuth handshaking and sign the user into the server. Not sure what the GET request to the request token URL is.

@romuloctba

oauth.googlecode.com/svn/code/javascript/example/signature.html

the request will use the above inputs except for token and token secret.
All your next requests should be generated with the token and token secret
provided after your request is accepted

@crisanders
Author

The iOS developer says that we would also need to construct a URL to log in to the site for the first time. But not sure if it's something like http://username:password@example.com or http://username:password@example.com/wp-json/

Does that ring a bell?

Again, thank you for your help, this is great advice

@romuloctba

I'm not sure you'll need that. We are talking about OAuth, where you
generate a token and send it to the server, which generates the same token and
compares it to yours. The generated token is the result of encryption using your
secret key as the encryption key

@crisanders
Author

What's the easiest way to test if Oauth works?

@crisanders
Author

I'm getting OAuth signature does not match

@crisanders
Author

So I've been playing around with this a lot. I used the code you posted in a different thread and it seems that the base url is fine and it outputs the expected signature. Of course, when I use that with the CURL command, the signature matches.

Is there something else I can do to figure it out? What parameters go into the generation of the signature? Maybe that's the issue.

@romuloctba

Check if you are in the / or some folder. If in some folder, you'll need to
check this pull request #32 and patch
it up...

Additionally, if you are trying to oAuth authenticate using Postman, forget
it. Signature never matches. Why? Not sure. But use this to generate your
signature instead
oauth.googlecode.com/svn/code/javascript/example/signature.html

@crisanders
Author

I used different methods to authenticate, even a CURL command that works for Twitter

And recently, this one http://sevengoslings.net/~fangel/oauth-explorer/

the blog is under public_html/ so not under a folder. It's basically public_html/ and then rest of the Wordpress folders and files.

Should I still use that patch?

@romuloctba

I don't think you'll need to patch
BUT
if you work your way in lib/class-wp-json-authentication-oauth1.php you
can find the error message and print the expected signature with it (just
add . $signature with the error) and also the parameter it uses, like
$base_request_uri

just put the vars you want to show with the error message in line 563

@crisanders
Author

I did, and it shows the expected signature which is different and shows the right URL.

OAuth signature does not match. Shoud be: lIyaKX0eL3BetfAPRmH0WN8SsI8=

Would love to show you the result maybe in a private email.

@crisanders
Author

Is it possible that the keys I generated with that little plugin you wrote are different than the keys generated by the wp oauth1 add command?

@romuloctba

No, because it uses the plugin's own function to work
did you try generating your key with
oauth.googlecode.com/svn/code/javascript/example/signature.html
remember no token key no token secret to /request

@crisanders
Author

So the keys are the same then. Ok. I removed the site name.

Here is what I have there

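[image: screen shot 2014-10-03 at 8 34 49 am]
https://cloud.githubusercontent.com/assets/8990934/4506393/245bc582-4b02-11e4-9d1e-623d5eec2dd2.png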

@romuloctba

That is it, just don't forget that you should make your POST to the url
including the oAuth parameters like
url.com/oauth/request?oauth_consumer_key=jhgsdasdjgasd&oauth_timestamp=12323123
.............. and so on

@crisanders
Author

Do I need anything in the parameters field? Now there is a default value

I changed it to POST also.

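[image: screen shot 2014-10-03 at 8 43 47 am]
https://cloud.githubusercontent.com/assets/8990934/4506518/68073dec-4b03-11e4-8252-ef98fa2ab2c7.png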

@romuloctba

Try putting this in 563

// Temporary debug aid only: this returns the signing key (the consumer secret) to the caller.
return new WP_Error(
	'json_oauth1_signature_mismatch',
	__( 'OAuth signature does not match. Used: KEY ' . $key . ' base url to encode: ' . $string_to_sign . ' and base_uri: ' . $base_request_uri ),
	array( 'status' => 401 )
);

@crisanders
Author

Ok, I did that. See output. The used key seems to be the secret not the key.

OAuth signature does not match. Used: KEY RPPUVhPqJolNJD40XCCPTbgjBP5fdIPRZr50sMZ3Ej8LL0DX& base url to encode: GET&http%3A%2F%2Fwww.site.com%2Foauth1%2Frequest&oauth_callback%3Doob%26oauth_consumer_key%3DlZIaHHktlADv%26oauth_nonce%3DorT8x9%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1412344816%26oauth_token%3D%26oauth_version%3D1.0 and base_uri: http%3A%2F%2Fwww.site.com%2Foauth1%2Frequest
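
Added example, not part of the thread or of the plugin's code: an RFC 5849 HMAC-SHA1 signer and verifier that rebuilds the base string shown in the debug output above and shows why the HMAC key is the consumer secret followed by `&` (the token secret is empty on the /request step). The request parameters are copied from that debug output; the consumer secret and all function names are constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """RFC 5849 section 3.6 encoding: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """Lowercase scheme and host, drop a default port, the query and the fragment."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if parts.port and parts.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method, url, params):
    """METHOD & encoded URI & encoded list of sorted, encoded key=value pairs."""
    pairs = list(params.items()) + parse_qsl(urlsplit(url).query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in pairs if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def signing_key(consumer_secret, token_secret=""):
    """Consumer secret, '&', token secret; the token secret is empty for /request."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def sign(method, url, params, consumer_secret, token_secret=""):
    key = signing_key(consumer_secret, token_secret).encode()
    message = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, message, hashlib.sha1).digest()).decode()


def verify(method, url, params, consumer_secret, token_secret=""):
    """Server side: recompute the signature and compare in constant time."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))


# Parameters copied from the thread's debug output; the secret is a constructed placeholder.
URL, CONSUMER_SECRET = "http://www.site.com/oauth1/request", "constructed-consumer-secret"
PARAMS = dict(oauth_callback="oob", oauth_consumer_key="lZIaHHktlADv", oauth_nonce="orT8x9",
              oauth_signature_method="HMAC-SHA1", oauth_timestamp="1412344816",
              oauth_token="", oauth_version="1.0")

if __name__ == "__main__":
    signed = dict(PARAMS, oauth_signature=sign("GET", URL, PARAMS, CONSUMER_SECRET))
    print(signature_base_string("GET", URL, signed))  # same string as the debug output
    print(verify("GET", URL, signed, CONSUMER_SECRET), verify("POST", URL, signed, CONSUMER_SECRET))
```

Every parameter sent, including an empty `oauth_token` and the HTTP method, is part of the signed string, so a client that signs a GET and sends a POST fails verification. The patched error message in the thread returns the signing key to the caller, so it should be reverted once the mismatch is found.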

@romuloctba

take that oauth callback off and try again without it.... Also, be sure you
are sending all those params and that they are exactly like the ones
returned by the error

the key is right, it is the encryption key - the secret one, that is used
to encrypt

@crisanders
Author

Someone also asked in a different topic:

are you/your host company changing directory to the actual wordpress root folder?

cd /var/www/wordpress or whatever before running the wp command?

@crisanders
Author

So I got to the point to access and using this call which I'm not sure if it's correct

http://username:password@site.com/oauth1/authorize?oauth_token=ooz77Fe76MXWyUcOPdhfaqmG

Missing OAuth parameter oauth_verifier

@romuloctba

This verifier should be returned with your token in the request process

@crisanders
Author

So where is the mistake? Do we even need that call with the username and password? Is there a call sample I can see?

@romuloctba

No you won't send your username to authenticate with oauth...

  1. You make a request to /request
  2. server gives you token and secret
  3. You make authorization
  4. now you are authenticated and you can make signed requests

here is a good resource: https://developer.chrome.com/extensions/tut_oauth
Or here: http://tools.ietf.org/html/rfc5849#section-2

@crisanders
Author

So on Step 3, what would that call look like? We already got the token and secret.

@BenjaminBarnett

@romuloctba, any chance you can re-post the plugin .rar? The link you posted previously is offline atm. Thanks in advance, :Benjamin Barnett

@romuloctba

Here you go, pal... But I believe someone released a better plugin, I'm not
sure where to find it, though....
Anyway, maybe it can at least inspire you

https://gist.github.com/romuloctba/b973ff6bf87452e72f83

The .rar had this file inside a folder create-key/ and also a png located
in create-key/images/b_status.png which was a menu icon... so
-create-key
-----/create_key.php
-----/images
-------------/b_status.png

@BenjaminBarnett

Thanks, dude, you're an absolute life-saver. I just could NOT get wp-cli.phar to build on my server, it was driving me NUTS. A thousand thanks. :Benjamin Barnett

@wesleyxiao

Here is what I have tried so far

I used romuloctba's plugin to create the key and secret (thanks romuloctba)

and then I added the patch on authorization_oauth1.php

// Strip the WordPress home path from the request path so a subfolder install is not counted twice.
$home_url_path    = parse_url( get_home_url( null, '' ), PHP_URL_PATH );
$request_uri_path = parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH );
if ( substr( $request_uri_path, 0, strlen( $home_url_path ) ) == $home_url_path ) {
	$request_uri_path = substr( $request_uri_path, strlen( $home_url_path ) );
}
$base_request_uri = rawurlencode( get_home_url( null, $request_uri_path ) );

and then I used http://oauth.googlecode.com/svn/code/javascript/example/signature.html

but in the end it still shows signature not match, any idea why?

@romuloctba

I believe I got as far as you.. Will try again soon, since it was long ago... I guess we are supposed to PR the way out of this

@romuloctba

@wesleyxiao hope you discovered something nice

@LudovicFauchet

Hello,

@romuloctba "oops, sorry.. you can download it here: http://rcdev.com.br/palestraexemplos/create-key.rar"

Your link is broken? Can I have a good one?

Cheers

@romuloctba

@younes0

younes0 commented Nov 23, 2015

storing key/secret as a post meta... seriously

@rmccue
Member

rmccue commented Nov 24, 2015

@younes0 Thanks for your input, but this is not constructive. If you have thoughts on things we should do differently, please file an issue with constructive comments.

@younes0

younes0 commented Nov 24, 2015

@rmccue my apologies, but there's a lot of odd habits in the wordpress developers community, including how handling data storage is made, in a way that makes difficult database versioning and querying. And I'm not even talking about the fact they ignore the PHP Community (Composer packages, PSR).

Why would you store tokens in the post/post_meta table? Currently it's difficult to manage tokens.
Why not create a new table for these? It should be much more flexible, for instance if you need to store the API usage per token (to rate limit)

@rmccue
Member

rmccue commented Nov 24, 2015

@younes0 Consumers are stored as post data in the backend, so it's natural to store this data as post meta. While we could create a custom table, there's a couple of good reasons we don't:

  • The data fits pretty easily. Consumers have a name (post_title), a description (post_content), potentially an image (featured images), and potentially other custom data too.
  • Posts automatically work with existing APIs, including post meta. This means it's pretty easy to add more data on as needed for extending it.
  • This plugin is intended for WordPress core, and custom tables are very rarely added.

A better way to think about the structure is to think of posts as objects, and post meta as a key-value store for those objects. This generic object storage just happens to be unfortunately named "posts".

In your example with rate limiting, it's actually easier to achieve this with a key-value store, as you can simply add an extra property (post meta row) to the object. A custom table would require database migrations, along with the ability to reverse that migration (if you disable the plugin). This can also potentially lead to conflicts with multiple plugins that add columns, etc.

The only real issue here is that we're using a custom meta value to store the key, which is our primary key for finding the object. This makes lookups potentially expensive. That said, there is an index on meta_key, and the number of consumers is likely not too high on most sites as to be an issue.

@younes0

younes0 commented Nov 24, 2015

@rmccue Thanks for the explanations! I should play more with the Wordpress API and not hit the database directly.

@rmccue
Member

rmccue commented Dec 7, 2015

Admin UI is now available, and it displays the key and secret for you, as of #55 and #98. Sorry for the delay here folks!

@rmccue rmccue closed this as completed Dec 7, 2015