OAuth Signature Does Not Match

[justindmyers]

request url: http://www.example.com/oauth1/request?oauth_version=1.0&oauth_nonce=afba072131130e96b52d1063937ab472&oauth_timestamp=1464839688&oauth_consumer_key=d2JDLzmy07oI&oauth_signature_method=HMAC-SHA1&oauth_signature=8EkPuDVcTsh8cmZfoD3U2K3VHaI%3D
OAuthRequest Object
(
    [parameters:OAuthRequest:private] => Array
        (
            [oauth_version] => 1.0
            [oauth_nonce] => afba072131130e96b52d1063937ab472
            [oauth_timestamp] => 1464839688
            [oauth_consumer_key] => d2JDLzmy07oI
            [oauth_signature_method] => HMAC-SHA1
            [oauth_signature] => 8EkPuDVcTsh8cmZfoD3U2K3VHaI=
        )

    [http_method:OAuthRequest:private] => GET
    [http_url:OAuthRequest:private] => http://www.example.com/oauth1/request
    [base_string] => GET&http%3A%2F%2Fwww.example.com%2Foauth1%2Frequest&oauth_consumer_key%3Dd2JDLzmy07oI%26oauth_nonce%3Dafba072131130e96b52d1063937ab472%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1464839688%26oauth_version%3D1.0
)

I cannot figure out why I'm getting the error "OAuth Signature Does Not Match". I'm on a brand new WordPress install and I followed all of the instructions exactly for setting up the auth call.

Would anyone know why the above settings wouldn't be working? I've used both Postman and http://term.ie/oauth/example/client.php to try and check that oauth is working properly, but both return the Oauth signature error no matter what I do.

[kosso]

I have a test PHP script I put together a while ago, which (still) works.

Run it on another domain and you should be able to connect to the host (WP) domain using your credentials. There are also some other tests in there (commented out), after logging in which can create a post and upload a file.

https://gist.github.com/kosso/71c957e30a40116e5f98

HTH

ps: You may want to comment out the line at the top regarding the opcache_reset.

[scofennell]

Kosso,

Whoa! That works perfectly. I was wondering if you could help me understand if it's appropriate for my use case. I'm really at the edge of my skill set on this topic.

Let's say I have a script running on WordPress site A that needs to make authenticated http requests to WordPress site B, where site B is running the WP API and the Oauth1 plugin, and I have added site A to the roster of sites in wp-admin/users.php?page=rest-oauth1-apps. I was able to use your class here to complete the auth process in my web browser. Once that was complete, grabbed the access_token_secret and access_token from $_COOKIES and hardcoded those values into my script. I then logged that user out of the site B via the logout link that you're class renders, and for good measure I started over in an incognito window. As I hoped, I was still able to use those creds, now hard-coded into my script, to make authenticated requests from site A to site B. I'm delighted, this seems perfect.

1. Is this kosher? Can I continue using those hardcoded access_token_secret and access_token values forever? Any pitfalls I should be aware of?

2. I'm not clear on why this is more secure than basic auth at this point. Couldn't someone wire-sniff those hard-coded creds on their way from site A to site B?

3. What if at some point I want to revoke those values?

[kosso]

Glad you're getting somewhere. ;)

Definitely DO NOT hard-code any access_token_secret or access_token anywhere. That kind of defeats the purpose of OAuth, to be able to revoke those tokens and get new ones via authentication.

Revoking the tokens is done on the /wp-admin/profile.php page.

The creds never get sent over the air/wire. They're used to create the oauth_signature to 'sign' the request to the server. The server then attempts to recreate that signature, knowing the credentials required for the user and the request being made, and compares it.

I took me forever to get my head around OAuth1 ;)

[scofennell]

Fantastic explanation. Sorry for the thread drift. Going to DM you a follow-up question if you don't mind ( @scottfennell123 ) .

[fliegerfaust]

@kosso Hello! I use your OAuth test client which you posted below, but it doesn't work at the last step. When I authorized my application and redirecting to callback URL I got the following:

ERROR: Failed to get access tokens
OAuth signature does not match

Could you explain me please, what's wrong? I use WP REST API v2.0-beta13.1, WP REST API - OAuth 1.0a Server v0.2.1

[Jany-M]

Same issue here, got latest WP and OAuth server plugin.
@kosso's script doesn't work for me unfortunately.

Tested with Postman, using this guide.

I keep getting
OAuth signature does not match response and a 401 status.

My POST
http://www.site.com/oauth1/request?oauth_consumer_key=lPdqr6UQx5bd&oauth_token=&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1486519078&oauth_nonce=TlzIwKwRFUx&oauth_version=1.0&oauth_signature=A4xaFoRQwBKpb2B7%2BAn220djDQc%3D

My headers
Access-Control-Allow-Headers →Authorization Connection →keep-alive Content-Type →text/html; charset=UTF-8 Date →Wed, 08 Feb 2017 01:56:48 GMT MS-Author-Via →DAV Server →nginx Transfer-Encoding →chunked X-Powered-By →PHP/7.0.15 X-Powered-By →PleskLin

Help? :(

[scofennell]

Howdy Jany-M,

I wrote a tutorial on this subject, along with some heavily commented sample plugins. It's a pretty complex situation, but maybe it can be of some help:

https://css-tricks.com/oauth-fun-oauth1/

[ablunsum]

I got the OAuth signature does not match as well... until i realized the copy-pasted client secret from Wordpress admin has an additional space before the key... sigh! Remove the space, all good!