I have a website running on the Play Framework with Scala. As part of the site, I pull in content from a separately hosted WordPress instance, using the WP REST API.
I’ve been trying to use their OAuth plugin to access authorised JSON on my WordPress instance. As part of the process, I need to be able to call back to my original website after receiving the verifier. To handle OAuth1 requests in Play, I’m using the excellent Scribe library.
I can get to the stage in the OAuth1 workflow where I need to exchange my verifier and request token for an access token, however I can only get beyond this by intercepting my outgoing request and attaching a WordPress login cookie that I have previously set.
My workflow is this:
- Consumer successfully created using WP CLI
- Can hit http://mywordpress.com/oauth1/request and receive a request token
- Can hit http://mywordpress.com/oauth1/authorize?oauth_token=mytoken&oauth_callback=http://mysite/callback
- When I hit the above URL, I am redirected to http://mywordpress.com/wp-login.php?action=oauth1_authorize&oauth_token=mytoken&oauth_callback=http://mysite/callback
- From there, I authorize the token, and am redirected back to http://mysite/callback?oauth_token=mytoken&oauth_verifier=myverifier&wp_scope=%2A
- BUT when I try to post my request to get the access token, I get a 401 from http://mywordpress.com.
- However, if I intercept the same request using a debugger, and instead send the same request with my WordPress login cookie appended in the headers, I successfully receive the new access oauth_token and oauth_token_secret.
So I need to manually attach the cookie from the http://mywordpress.com domain, with key starting wordpress_logged_in_… to be able to get my access token.
When I manually append the wordpress_logged_in_…, I’m sending it as a POST with the Advanced REST Client app for Google Chrome, with the OAuth parameters as the Authorization header. As mentioned, this successfully gets me back an access token.
Has anyone else had this issue, and worked around it? Have I made some basic error in my setup or in my requests?
That’s the problem: the WP cookie, the browser won’t allow you to send it via HTTP headers. Have you tried this instead: https://github.com/WP-API/OAuth1/issues/39#issuecomment-57620637 ?
I have successfully accessed the WP API through a JSON Web Token approach, which might be okay in this case if you set a timer on the token and then refresh it as needed.
I used this plugin: JWT Authentication for the WP REST API and it worked like a charm.
I know this isn’t OAuth1, but it definitely saved me a lot of time in securely authenticating to WordPress.