JSON REST API from Mobile App with Authentication

Hmmm – or should I just be using cookie authentication for the mobile app? ??

Have you tried OAuth Explorer

http://sevengoslings.net/~fangel/oauth-explorer/

It has a few weird quirks with JSON REST API, but works OK in stages:

1. Enter base url (http(s)://your.domain.com/oauth1
2. Access token = request
3. Authorize = authorize
4. Access_Token = access
5. Enter your consumer key and secret (leave method as HMAC-SHA1)

Now the fun begins!

Click Get Request Token and you get Call content = “No Oauth parameters supplied” – no idea why, but…

Copy the contents of “combined call (as GET)” into “CUSTOM API CALL” (delete any existing content) and press the “Call” button

Call content now = oauth_token=xxxxxxxxxxxxxxx&oauth_token_secret=xxxxxxxxxxxxxxxxxxxxx&oauth_call_back_confirmed=true

So – paste those manually into Request Token (oauth_token value goes into Request Key and oauth_token_secret value goes into Request Secret)

Now click authorize

Your browser gets redirected to the website “wp-login.php?action=…”

You then have to authorize the token manually, and you get your verification token

Go back to OAuth Explorer and click “Get Access Token” and enter the verifier code and click get access token.

Of course that produces another “No Oauth parameters supplied, so you then paste Combined call as get back into custom api call.

You then get your oauth_token and oauth_token_secret back.

The OAuth doesn’t “appear” to be set up for mobile users, but there are other authentication methods:

Cookie (but we can’t use as we are not in the domain, as far as I know)

Basic Auth (keep sending the username and password with the request)

Token (send the token – have not yet explored this in detail)

Basic Auth and Token and OAuth all require plugins – have a look at them and you might find enough code to create your own plugin with a more sensible authorisation method.

If your mobile app allows the user to create a new user ID then you need some way to give the app the ability to create the user via the API (or send the user to the website and tell them just create their own ID there)

If the above helps at all great – at least you can test out your install.

I am going to work on an auth plugin that requires basic auth the first time, and then passes a token which the token auth can use to identify the user (hopefully!!!)

Looks like the key/secret may not be set up correctly.

Below shows you how to set up the keys via client-cli

https://github.com/WP-API/client-cli

The developers are fulling committed to 4.1 launch, so I don’t see us mortals getting support this side of Christmas 🙁

ps – if the above instructions do work and you then get OAuth signature does not match on your own code then the problem is probably with the HMAC-SHA1. However, OAuth explorer should work once you have the right key and secret via WP CLI.

I hope they come up with something better before release into 4.1. It is probably too much to hope that a better OAuth mechanism for mobiles is in place (or better documentation so I know what I am doing) ?

http://wp-cli.org/ may help

ps – are you/your host company changing directory to the actual wordpress root folder?

cd /var/www/wordpress or whatever before running the wp command?

That is what the instructions say…