WP-API / OAuth1

OAuth server implementation for WP API
http://oauth1.wp-api.org/
334 stars 112 forks source link

json_oauth1_signature_mismatch / OAuth signature does not match #200

Open brandonkramer opened 7 years ago

brandonkramer commented 7 years ago

I've authenticated with my WP API and successfully able to post a comment with Postman but posting a comment from my client gives me the following error "{code: "json_oauth1_signature_mismatch", message: "OAuth signature does not match",…}"

Can someone help me out? I've used "bettiolo/oauth-signature-js" as signature generator


  var thisTimestamp = Math.floor(Date.now() / 1000);
        var thisNonce = randomString(32);
        var thisConsumerKey = '*****';
        var thisToken = '*****';
        var thisSignatureMethod = 'HMAC-SHA1';
        var thisOauthVersion = '1.0';
        var thisParameters = {
            oauth_consumer_key : thisConsumerKey,
            oauth_token : thisToken,
            oauth_nonce : thisNonce,
            oauth_timestamp : thisTimestamp,
            oauth_signature_method : thisSignatureMethod,
            oauth_version : thisOauthVersion
        };
        var thisUrl = 'http://myclient.dev/wp-json/wp/v2/comments?author=1&author_email=your-email-address@website-address-here.com&author_name=your-name&content=your-comment&post=1265';
        var consumerSecret = '*****';
        var tokenSecret = '*****';
        var encodedSignature = oauthSignature.generate('POST', thisUrl, thisParameters, consumerSecret, tokenSecret);
        var thisSignature = oauthSignature.generate('POST', thisUrl, thisParameters, consumerSecret, tokenSecret,
            { encodeSignature: false});

        $http({
          method: 'POST',
          url: thisUrl,
          headers:{
                        'Content-Type' : 'application/x-www-form-urlencoded',
                       'Authorization' : 'OAuth oauth_consumer_key="'+thisConsumerKey+'",oauth_token="'+thisToken+'",oauth_signature_method="'+thisSignatureMethod+'",oauth_timestamp="'+thisTimestamp+'",oauth_nonce="'+thisNonce+'",oauth_version="'+thisOauthVersion+'",oauth_signature="'+thisSignature+'"'
                   }

        }).then(function (res) {
          console.info('[REST] POST request sent to "' + route + '"');
        }, function (err) {
          console.error('[REST] POST request failed. Error message: ', err);
        });
brandonkramer commented 7 years ago

Nevermind, I got it working!

rish9511 commented 7 years ago

@brandonkramer Could you please share the solution. I am facing the same problem

anuragbhai commented 7 years ago

I am also facing the same issue @brandonkramer please update with the solution.

anuragbhai commented 7 years ago

@brandonkramer are you there???

pritty12 commented 7 years ago

I am also facing the same issue ..please update with the solution.

joehoyle commented 7 years ago

For some more info here: A json_oauth1_signature_mismatch does not really have a one-fix solution. It just means the generated signature for oauth is incorrect, but that could be for a number of reasons.

Typically if you are sending "complex" data over the wire, like nested objects, arrays etc it's very possible your implementation of oauth is generating a different signature than the OAuth 1 plugin. It's unfortunately the case that the spec isn't super clear on how to generate signatures for arrays - but the point is your client-side signature generation MUST match the algorithm from the PHP side. See https://github.com/WP-API/OAuth1/blob/master/lib/class-wp-rest-oauth1.php#L629 for details (specifically https://github.com/WP-API/OAuth1/blob/master/lib/class-wp-rest-oauth1.php#L717 https://github.com/WP-API/OAuth1/blob/master/lib/class-wp-rest-oauth1.php#L730 https://github.com/WP-API/OAuth1/blob/master/lib/class-wp-rest-oauth1.php#L754). Yes, generating a signature is a pain!

I've had to walk through the generation process several times when building out https://github.com/WP-API/wordpress-rest-api-oauth-1. Check https://github.com/WP-API/wordpress-rest-api-oauth-1/blob/master/src/index.js#L160 for some nasty hacks to get the oauth-1.0a module to generate the signature how I wanted. This was because numeric arrays in the PHP side are interpreted as key[0] = value but most JavaScript clients will encode as key[] = value.

This is a tricky thing to debug, the only "good" way I've done this is to add log statements in both the client side and PHP side and compare for each step, find where the difference appears in the signature generation and work out why that is.

@rmccue might be able to chime in with why this is not specced well in the standard - however a good start might be to have some oauth library implementations that we know to be compatible and release some that don't exist.

alikhangholi commented 3 years ago

I selected x-www-form-urlencoded from Body section (for request) in Postman, and it worked for me