Search code examples
c#wordpressresthmacsha1oauth-1.0a

Why does my OAuth signature not match when connecting to WordPress via OAuth 1.0 in C#?

I am trying to complete the first step in the OAuth 1.0 authentication process and retrieve an unauthorized request token.

I keep getting a 401 OAuth signature does not match error from WordPress. I know the problem is with the way I am hashing my signature because when I use Postman, the signature I calculate is different than the signature that Postman calculates. Also I can successfully retrieve and unauthorized request token via Postman.

Where I am going wrong in computing my hash? I'm using HMAC-SHA1.

    private void AuthorizeWP()
    {
        string requestURL = @"http://mywordpressurl.com/oauth1/request";
        UriBuilder tokenRequestBuilder = new UriBuilder(requestURL);
        var query = HttpUtility.ParseQueryString(tokenRequestBuilder.Query);
        query["oauth_consumer_key"] = "myWordPressKey";
        query["oauth_nonce"] = Guid.NewGuid().ToString("N");
        query["oauth_signature_method"] = "HMAC-SHA1";
        query["oauth_timestamp"] = (Math.Truncate((DateTime.UtcNow.Subtract(new DateTime(1970, 1, 1))).TotalSeconds)).ToString();
        string signature = string.Format("{0}&{1}&{2}", "GET", Uri.EscapeDataString(requestURL), Uri.EscapeDataString(query.ToString()));
        string oauth_Signature = "";
        using (HMACSHA1 hmac = new HMACSHA1(Encoding.ASCII.GetBytes("myWordPressSecret")))
        {
            byte[] hashPayLoad = hmac.ComputeHash(Encoding.ASCII.GetBytes(signature));
            oauth_Signature = Convert.ToBase64String(hashPayLoad);
        }
        query["oauth_signature"] = oauth_Signature;
        tokenRequestBuilder.Query = query.ToString();
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(tokenRequestBuilder.ToString());
        request.Method = "GET";
        HttpWebResponse response = (HttpWebResponse)request.GetResponse();
    }
Solution

  • I realize now what I was doing wrong.

    With OAuth 1.0 when you generate the bytes for your hash key, you have to concatenate your consumer/client secret and the token with an '&' in the middle even if you don't have a token.

    Source: https://oauth1.wp-api.org/docs/basics/Signing.html

    So in my code above: 

    using (HMACSHA1 hmac = new HMACSHA1(Encoding.ASCII.GetBytes("myWordPressSecret")))

    needs to be:

    using (HMACSHA1 hmac = new HMACSHA1(Encoding.ASCII.GetBytes("myWordPressSecret&"))