Install and use OAuth authentication using the WP REST API


Install and use OAuth authentication using the WP REST API - When it comes to the WordPress REST API, OAuth is the most famous authentication processing provider.

When OAuth authentication is performed, users first log in through the WordPress login form being used at the website. However, this login information also authorizes the customer to process the request on their behalf, and all subsequent requests are authenticated through the OAuth token. Those tokens are also used to manage all API access requests. This access is likely revoked at any point.

Perhaps the most important use in the OAuth authentication process is the process of handling secure REST API requests without revealing user credentials. This is especially important for production servers where login credentials are often exchanged. In such cases, OAuth authentication is used to provide a secure process to handle the request for regular login information.

Table of contents

  • Traditional OAuth authentication

  • OAuth authentication process

  • OAuth authentication settings

  • Assess the availability of the OAuth API

  • Create and manage applications

  • CLI client to create OAuth credentials

  • HTTP client for generating OAuth credentials

  • Get temporary information

  • Authorize the user

  • Exchange tokens

  • Submit request for test validation

Traditional OAuth authentication

To understand the importance of OAuth authentication, it is important to understand the traditional authentication model, what is Oauth ?.

In the traditional authentication model, two main entities; Customer with supplier of resources / services. Client is a web application, service, or user, when the Resource / Service Provider has the desired resource or service in an environment with restricted access.

When the customer requests the specified resource, it authenticates itself to the resource provider by providing the appropriate credentials. Although this is a simple process, there is also a great risk of security breaches.

In contrast, the OAuth authentication model is a bit more complicated with three entities; The client works on behalf of the user, the user requests access to the resource, the server maintains the resource.

Because of these three entities, this process is called three-factor authentication. However, in case the same client is the same entity, the authentication process becomes two-factor authentication.

OAuth authentication process


  • Client requires an authorized account to access the server.

  • If the user grants a request, the customer will have the right to continue.

  • In case of successful authentication of identity, authorization, the Authorization Server (API) grants the access code to the client. At this point, authentication is complete.

  • Next, the client approaches the server to request specific resources. At this time, the customer also sends the access token

  • If the access token is authenticated, the Server grants access to the requested resource.

Customer initiates a signed request to the Request Token. This request is also known as temporary information. The request is sent to the relevant endpoint URI. This requirement includes important parameters:

  • oauth_consumer_key: This key identifies the application initializing the request.

  • oauth_timestamp: The server uses this timestamp to optimize nonces storage.

  • oauth_nonce: This is a token that makes the application unique to every single request.

  • oauth_signature_method: The OAuth plugin provides a unique signature method: HMAC-SHA1.

  • oath_callback: The URL where the user is redirected after authorization. Request is verified, Request token with the following parameter is released.

  • oauth_token: This is the application token stripped from the proxy server response. This token is then sent to the API server.

  • oauth_token_secret: This is similar to the user password. The request is then authorized by the customer. For this, a request URI is created, oauth_token is added to the server authorization URI. The user agrees to submit this request by providing appropriate credentials.

With the oauth_callback URI available in the first step, the server redirects to the URI with the parameter added in the query string:

  • oauth_token: a token is available.

  • oauth_verifier: verify client resource owner identity.

If the oauth_callback URI is not provided in the first step, the server will send the oauth_verifier value to the resource owner to notify the customer manually.

Upon receiving oauth_verfier, the client requests the server to provide token authentication information. This takes the form of a request to the token endpoint URI. This request contains the following parameters:

  • oauth_token

  • oauth_verfier

  • oauth_consumer_key

  • oauth_signature

  • oauth_signature_method

  • oauth_nonce

  • oauth_version

OAuth authentication settings

At WordPress, OAuth authentication is implemented by installing the WordPress OAuth authentication API. This is based on OAuth 1.0a specification and actually extends this specification with additional wp_scope parameters.

The plugin is available at Github from the WP REST API team. Currently, versions 4.4 and above are supported.

Start the plugin duplication process by going to / wp-content / plugins /:


Once the download has finished, activate the plugin through the WordPress CLI:

If you do not want to use the WordPress CLI, go to the WordPress Admin >> Plugin and activate the plugin from the menu. Besides, you also enable it by navigating the browser to the WordPress admin add-on if you do not want to use WP CLI.

Assess the availability of the OAuth API

Before starting, first check if the API is enabled at the server. This is done by sending a simple GET request to / wp-json / endpoint and then analyzing the response sent from the server.

This will return the JSON response as follows:


The focus here is on the oauth1 value in the authentication attribute value. It has the following property:

  • request: the endpoint requires temporary information

  • Authorization: Authorized endpoint from the resource owner

  • access: endpoint requires token

  • version: OAuth version being used

If the OAuth API is not enabled for the website, the server response will contain a blank authorization attribute value.


Create and manage applications

The first step is to ensure that the OAuth1.0 plugin is installed and activated correctly.

Next, set up, manage applications by visiting WordPress Administrators >> Users >> Apps.


At this registered application page, I will register a new application by clicking the new add button and then filling in the following three fields:

  • Customer Name: The Customer Name appears in the Authorized Application section or during the authorization process.

  • Description: Describe the Customers option.

  • Callback URL: The callback URL is used when creating temporary login information.

Once created by clicking the save client button, the guest key parameter and client secret will appear at the bottom of the page with this particular client.


Now I copy the repository at the client by running the following command:


Now navigate to the duplicate directory and then install the package dependencies with the editor:

If all goes well, the command line will display something similar to the following:


CLI client to create OAuth credentials

In order to proceed with the OAuth authorization process, the first parameter will be received from the server:



This will be created via the terminal and then run the following WordPress CLI command:

The same secret key is oauth_consumer_key with the corresponding oauth_consumer_secret.

Now, I need to link customers to the WordPress website. At the client, navigate to the client-cli directory (previously copied) and run the following command:

wp –require = client.php api oauth1 connect to http: // Server-Dev / –key = –Secret =

Replace URL, key, secret in above command. The output should be as follows:

wp –require = client.php api oauth1 connect http: // your-server / wordpress-api / –key = –Secret =

Open in your browser: http: // your-server / wordpress-api / oauth1 / authorization? Oauth_token =

Enter the verification code:

Navigate to the URL provided by the server and then validate by clicking the Authorization button:


You are presented with a verification token (or oauth_verifier) ​​on the next screen:


Token automatically

Copy the verifier and then paste it into the terminal. You will be given the Key with the secret, basically oauth_token and oauth_token_secret:

HTTP client for generating OAuth credentials

Because the OAuth 1.0a server plugin follows a standard three-factor stream, creating OAuth credentials includes the following steps:

  • Acquire temporary credentials

  • Authorize the user

  • Exchange tokens

See more: Who has viewed my facebook

Get temporary information

We send POST request to / oauth1 / endpoint request to get temporary information. Note that this endpoint must be automatically detected because the server is likely to replace itself.

POST request should include oauth_consumer_secret. The request also includes the oauth_callback parameter, this callback URL must match the diagram, server, port, and the callback URL provided when registering the application.

In addition to oauth_consumer_key and oauth_consumer_secret parameters, the request should also include oauth_signature and oauth_signature_method parameters.

When using Postman, oauth_signature creates automatically. We just need to mention the oauth_signature_method parameter. Currently, only the HMAC-SHA1 signature method is supported by the OAuth server plugin.

I will now configure the Postman to send POST requests to the token token temporary endpoint. Next, at the authorization tab, select the OAuth 1.0 option from the drop-down list. Fill in the Consumer Key and Consumer Secret fields values ​​provided by consumers. Finally, check the vehicle option signature method set to HMAC-SHA1.

Authorize the user

For the authorization step, the end of authorizing the resource owner in the browser is opened, and then passed oauth_token with oauth_token_secret as received in the previous step as query parameters:

http: // server-dev / oauth1 / authorization? oauth_token = & oauth_token_secret =


Accept the application by clicking the authorize button. The next screen will display the verification token. This token will now serve as the oauth_verifier token in the next step.

When the user has authorized the customer, the application will appear in the authorized application in the Users> Profile page.

Exchange tokens

By reusing the OAuth 1.0 option at the authorization tab, fill in the field with Consumer Key, Consumer Secret with the value provided by the consumer. In the field with code or Secret code, insert value oauth_token, parameter oauth_token_secret (temporary certificate).

Because we can also pass parameters in the URL as query parameters, append the oauth_verifier parameter in the URL as follows:

http: // server-dev / oauth1 / access? oauth_verifier =

For all parameters in place, submit the request by clicking the Submit button. If all goes well, the server will return a status code of 200 - OK with the response containing the oauth_token and o auth_token_secret parameters.

oauth_token = & oauth_token_secret =

At this time, the temporarily obtained token that has been removed is no longer usable.

The new oauth_token and oauth_token_secret parameters are the OAuth certificates that you can use on the client to create authentication requests.

Submit a test validation request

Now that I have the token authentication information, I will send a test request to the server using a Postman. The request will require the following parameter:

  • oauth_consumer_key

  • oauth_consumer_secret

  • oauth_token

  • oauth_token_secret

Select OAuth 1.0 from the drop down menu under the authorization tab.


Once you have filled all the fields, click the button to request an update. Check the parameter in the header option to send the parameter at the request header instead of appending the query string.

If the request is successful, the server sends status code 200 - OK.


Here, we talked about how to set up the OAuth authentication API for WordPress at the server and how to use the HTTP client to get the token authentication information. If you have comments on this article, please leave a comment below.

About My name is Nguyen Manh Cuong. I was born in a poor village in Ba Vi district, HA NOI province - windy and sunny land. Currently. Mr Cuong.
Newer Posts Newer Posts Older Posts Older Posts


Post a Comment