Unable to use oAuth Authentication on WooCommerce API over SSL

I am trying to access a V3 version of the WooCommerce REST API using oAuth for authentication over SSL.

The WordPress instance where WooCommerce is running which I am calling against is hosted using AWS Elastic Beanstalk.

When trying to use oAuth I am getting a 401 response.
The URL that the request is made against is
https://www.example.com/wc-api/v3/products?oauth_consumer_key=[my_key]&oauth_nonce=[nonce]&oauth_signature=[signature]%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1453572852&oauth_token=&oauth_version=1.0&filter%5Blimit%5D=500

As part of the response I get

[WWW-Authenticate] => Array
    (
        [0] => Basic realm="WooCommerce API. Use a consumer key in the username field and a consumer secret in the password field"
    )

I know the consumer key and secret I am using are fine, as I have been able to use them within a basic authentication request to the same site successfully.

I have tested the same oAuth code against a non-ssl address in my development environment (this is not on AWS) which worked fine.

I know WooCommerce say you must use oAuth for requests on http addresses – but is the opposite the case where you cannot use oAuth for requests on https? Or is there something I need to configure server side which is likely different between my dev environment and the production environment on AWS?

1 comment

  1. If you look at woocommerce/includes/api/class-wc-api-authentication.php the authenticate function says:

    if ( is_ssl() ) {
        $keys = $this->perform_ssl_authentication();
    } else {
        $keys = $this->perform_oauth_authentication();
    }
    

    which means you cannot use oAuth for https. (According to WooCommerce you need not.)

    SSL-encrypted requests are not subject to sniffing or
    man-in-the-middle attacks, so the request can be authenticated by
    simply looking up the user associated with the given consumer key and
    confirming the consumer secret provided is valid
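
The branch quoted in the answer, seen from the client side, as an added example (not part of the original post and not WooCommerce's code): over https the consumer key and secret go in an HTTP Basic `Authorization` header with no `oauth_*` parameters, and only over http is the request signed. The signing is generic one-legged OAuth 1.0a per RFC 5849; that the server normalises parameters the same way is an assumption, and `build_request`, `oauth1_signature`, `pct` and the `ck_`/`cs_` values are constructed for illustration.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

def pct(value):
    # RFC 3986 percent-encoding as OAuth 1.0a requires (RFC 5849, section 3.6)
    return quote(str(value), safe="-._~")

def oauth1_signature(method, base_url, params, consumer_secret):
    # Base string: METHOD & encoded URL & encoded, sorted parameter string
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(base_url), pct(normalized)])
    key = pct(consumer_secret) + "&"  # one-legged flow: empty token secret
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def build_request(method, url, consumer_key, consumer_secret,
                  nonce=None, timestamp=None):
    """Return (url, headers) matching the branch the server will take."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    params = dict(parse_qsl(parts.query))
    headers = {}
    if parts.scheme == "https":
        # Server takes the SSL branch: key is the username, secret the password.
        # The secret stays out of the URL, so it is not written to access logs.
        cred = f"{consumer_key}:{consumer_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(cred).decode()
    else:
        # Server takes the OAuth branch: the secret is never sent, only an HMAC.
        params.update({
            "oauth_consumer_key": consumer_key,
            "oauth_nonce": nonce or secrets.token_hex(16),
            "oauth_signature_method": "HMAC-SHA1",
            "oauth_timestamp": str(timestamp or int(time.time())),
        })
        params["oauth_signature"] = oauth1_signature(
            method, base_url, params, consumer_secret)
    query = urlencode(params, quote_via=quote, safe="-._~")
    return (f"{base_url}?{query}" if query else base_url), headers

if __name__ == "__main__":
    # Constructed credentials and hosts, for illustration only
    for target in ("https://www.example.com/wc-api/v3/products?filter%5Blimit%5D=500",
                   "http://dev.example.test/wc-api/v3/products?filter%5Blimit%5D=500"):
        print(build_request("GET", target, "ck_constructed", "cs_constructed"))
```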
