Authentication steps
The client simulates the OAuth authentication by acting as a user: it gets and posts the forms and retrieves values from the responses. There are a couple of steps in the authentication process, which are explained here in detail. If you're having trouble authenticating with the client to Magento, use Fiddler to inspect the traffic and check whether it matches the steps below.
For all requests you need to use the 'adminhtml' cookie received from the first request. When step 3 succeeds, the cookie is updated with a new value that you must use for the following steps; if you don't, you won't get the correct page in step 4.
We need to ask Magento for a temporary OAuth token to initiate the authentication process.
POST /oauth/initiate
The request needs to contain an authorization header like
Authorization: OAuth oauth_callback="http%3A%2F%2Flocalhost%3A8888",oauth_consumer_key="YOUR-CONSUMER-KEY",oauth_nonce="t02auly6elcuthly",oauth_signature="7FMe1UducbDUgCJWQY4Avv3g3f4%3D",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1371098086",oauth_version="1.0"
The OAuth callback won't be used, but we specify a value anyway (http://localhost:8888). Note that "oob" (out-of-band) may also be used.
The content of the response will contain a temporary OAuth token and secret:
oauth_token=js49aqtpm41dna4ocrsz1n6xfg2yfj1g&oauth_token_secret=ugl1ywwbbk9btn1nnaamp2g4wesgyvpa&oauth_callback_confirmed=true
With the temporary token we start the authentication process. Because we are authenticating as an administrator we need to go to the admin login page. If you have set a custom URL for the admin section, this needs to be set on the client. In my example I've set the admin URL part to 'myadmin'.
GET /myadmin/oauth_authorize?oauth_token=js49aqtpm41dna4ocrsz1n6xfg2yfj1g
This returns an HTML page with a form to log in the admin user.
<div class="login-form">
<form method="post" action="http://YOUR-MAGENTO-URL/index.php/myadmin/oauth_authorize/index/" id="loginForm">
<fieldset>
<input name="form_key" type="hidden" value="Ed0CbLvNemoNO2yu" />
<h2>Log in to Admin Panel</h2>
<p class="description">Log in to use <strong>Admin</strong></p>
<div class="input-box input-left"><label for="username">User Name:</label><br/>
<input type="text" id="username" name="login[username]" value="" class="required-entry input-text" /></div>
<div class="input-box input-right"><label for="login">Password:</label><br />
<input type="password" id="login" name="login[password]" class="required-entry input-text" value="" /></div>
<div class="clear"></div>
<div class="form-buttons">
<button type="submit" class="form-button" title="Login" >Login</button>
<button onclick="document.location.href='http://YOUR-MAGENTO-URL/index.php/myadmin/oauth_authorize/reject/?oauth_token=wwv3zcmgzpywv6dq8gblzfrymy2stb3m'; return false;" title="Reject">Reject</button>
</div>
<input type="hidden" name="oauth_token" value="wwv3zcmgzpywv6dq8gblzfrymy2stb3m"/>
</fieldset>
</form>
</div>
Retrieve the URL from the action attribute of the form in the HTML response content.
We need to post the admin user's credentials to the URL from the previous step.
POST /index.php/myadmin/oauth_authorize/index/
In the content of the request are the form fields (spaces and line breaks added for clarity):
form_key=Xz0zMbgeL2hZaGep &
login%5busername%5d=Admin &
login%5bpassword%5d=ZujIDGRTinyO05uEJ1Pg &
oauth_token=js49aqtpm41dna4ocrsz1n6xfg2yfj1g
The response has no content, but its headers contain a Location header with the URL from which to fetch the result of the post.
Get the result of the credentials post.
GET /index.php/myadmin/oauth_authorize/?oauth_token=js49aqtpm41dna4ocrsz1n6xfg2yfj1g
If the login succeeded, the HTML will contain this section:
<div class="login-form auth-confirm">
<div class="page-title">
<h1>Authorize application</h1>
</div>
<h2><strong>RestApiAdmin</strong> requests access to your account</h2>
<p>After authorization application will have access to you account.</p>
<form id="oauth_authorize_confirm" action="http://YOUR-MAGENTO-URL/index.php/myadmin/oauth_authorize/confirm/" method="get">
<input type="hidden" name="oauth_token" value="js49aqtpm41dna4ocrsz1n6xfg2yfj1g">
<button type="submit" class="button" title="Authorize"><span><span>Authorize</span></span></button>
</form>
<form id="oauth_authorize_reject" action="http://YOUR-MAGENTO-URL/index.php/myadmin/oauth_authorize/reject/" method="get">
<input type="hidden" name="oauth_token" value="js49aqtpm41dna4ocrsz1n6xfg2yfj1g">
<button type="submit" class="button" title="Reject"><span><span>Reject</span></span></button>
</form>
</div>
If the login did not succeed, it will contain:
<div class="login-form">
<ul class="messages"><li class="error-msg"><ul><li><span>Invalid User Name or Password.</span></li></ul></li></ul>
<form method="post" action="http://YOUR-MAGENTO-URL/index.php/myadmin/oauth_authorize/index/" id="loginForm">
<fieldset>
<input name="form_key" type="hidden" value="Ed0CbLvNemoNO2yu" />
<h2>Log in to Admin Panel</h2>
<p class="description">Log in to use <strong>Admin</strong></p>
<div class="input-box input-left"><label for="username">User Name:</label><br/>
<input type="text" id="username" name="login[username]" value="" class="required-entry input-text" /></div>
<div class="input-box input-right"><label for="login">Password:</label><br />
<input type="password" id="login" name="login[password]" class="required-entry input-text" value="" /></div>
<div class="clear"></div>
<div class="form-buttons">
<button type="submit" class="form-button" title="Login" >Login</button>
<button onclick="document.location.href='http://YOUR-MAGENTO-URL/index.php/myadmin/oauth_authorize/reject/?oauth_token=wwv3zcmgzpywv6dq8gblzfrymy2stb3m'; return false;" title="Reject">Reject</button>
</div>
<input type="hidden" name="oauth_token" value="wwv3zcmgzpywv6dq8gblzfrymy2stb3m"/>
</fieldset>
</form>
<script type="text/javascript">
//<![CDATA[
var loginForm = new varienForm('loginForm');
//]]>
</script>
</div>
In the code there's a check whether the 'oauth_authorize_confirm' form is missing or the text 'Invalid User Name or Password' is found; either one means the login failed.
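The form handling for steps 2 to 4, as an added example that is not the client's own code: it pulls the action and hidden fields out of the login form, builds the credentials post, and applies the check above to the result page. The sample HTML is constructed from the responses shown on this page; 'Admin' and the password value are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode

class AuthorizePageParser(HTMLParser):
    """Collects every <form> (id, action, method, hidden inputs) plus the visible text."""
    def __init__(self):
        super().__init__()
        self.forms, self.text, self._form = {}, [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = a.get("id")
            self.forms[self._form] = {"action": a.get("action"),
                                      "method": (a.get("method") or "get").lower(), "fields": {}}
        elif tag == "input" and self._form and a.get("type") == "hidden" and a.get("name"):
            self.forms[self._form]["fields"][a["name"]] = a.get("value") or ""
    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
    def handle_data(self, data):
        self.text.append(data)

def parse_page(html):
    p = AuthorizePageParser()
    p.feed(html)
    return p.forms, "".join(p.text)

def build_login_post(html, username, password):
    """Steps 2-3: take the action URL and hidden fields (form_key, oauth_token) from loginForm
    and add the credentials; urlencode turns login[username] into login%5Busername%5D."""
    forms, _ = parse_page(html)
    form = forms["loginForm"]
    data = dict(form["fields"], **{"login[username]": username, "login[password]": password})
    return form["action"], urlencode(data)

def login_result(html):
    """Step 4: the page's check. Returns the confirm URL on success, None if the login failed."""
    forms, text = parse_page(html)
    if "Invalid User Name or Password" in text or "oauth_authorize_confirm" not in forms:
        return None
    confirm = forms["oauth_authorize_confirm"]   # a GET form, so its fields go in the query
    return confirm["action"] + "?" + urlencode(confirm["fields"])

# Constructed samples, trimmed from the responses shown above (token values are the page's examples)
LOGIN_HTML = ('<form method="post" action="http://YOUR-MAGENTO-URL/index.php/myadmin/oauth_authorize/index/" id="loginForm">'
              '<input name="form_key" type="hidden" value="Ed0CbLvNemoNO2yu" />'
              '<input type="text" name="login[username]" value="" /><input type="password" name="login[password]" />'
              '<input type="hidden" name="oauth_token" value="wwv3zcmgzpywv6dq8gblzfrymy2stb3m"/></form>')
FAILED_HTML = '<ul class="messages"><li class="error-msg"><span>Invalid User Name or Password.</span></li></ul>' + LOGIN_HTML
CONFIRM_HTML = ('<form id="oauth_authorize_confirm" action="http://YOUR-MAGENTO-URL/index.php/myadmin/oauth_authorize/confirm/" method="get">'
                '<input type="hidden" name="oauth_token" value="js49aqtpm41dna4ocrsz1n6xfg2yfj1g"><button type="submit">Authorize</button></form>')
```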
The next step is to confirm the authorization of the application.
GET /index.php/myadmin/oauth_authorize/confirm/?oauth_token=js49aqtpm41dna4ocrsz1n6xfg2yfj1g
This returns a response without content. The response headers contain a Location header with the postback URL; the oauth_verifier parameter of that URL is what we need.
Location: http://localhost:8888?oauth_token=js49aqtpm41dna4ocrsz1n6xfg2yfj1g&oauth_verifier=bdsoe8u0eq14bk37vunzl7x7aw87udk8
With the OAuth verifier we can now request an access token.
POST /oauth/token
Authorization header of the request:
Authorization: OAuth oauth_consumer_key="YOUR-CONSUMER-KEY",oauth_nonce="icmouqpvyi9m5gzt",oauth_signature="QQlNjqd26UiMR1voqkfxdwpuK14%3D",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1371098102",oauth_token="js49aqtpm41dna4ocrsz1n6xfg2yfj1g",oauth_verifier="bdsoe8u0eq14bk37vunzl7x7aw87udk8",oauth_version="1.0"
This returns an access token and the corresponding secret.
oauth_token=9jtjlsajmgzchhdtsqqnawo058611t7j&oauth_token_secret=hxy8yjyueo6uzs99zsvjjm32q9zcj57w
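How the two signed requests (step 1 with oauth_callback, the final step with oauth_token and oauth_verifier) get their HMAC-SHA1 signature and Authorization header, as an added example that is not the client's code; it also parses the token response and the Location header from the confirm step. The base URL http://magento.example and the consumer secret are assumed placeholders.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qs, quote, urlparse

def pct(value):
    """RFC 5849 percent-encoding: only unreserved characters (A-Z a-z 0-9 - . _ ~) stay bare."""
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    """METHOD & encoded URL & encoded(normalised params); params must not include oauth_signature."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalised = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalised)])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """Signing key is consumer_secret&token_secret; token_secret is empty for /oauth/initiate."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def authorization_header(method, url, consumer_key, consumer_secret, *, callback=None,
                         token=None, token_secret="", verifier=None, nonce=None, timestamp=None):
    """Build 'Authorization: OAuth ...' for step 1 (callback) or the token step (token + verifier)."""
    params = {"oauth_consumer_key": consumer_key,
              "oauth_nonce": nonce or secrets.token_hex(8),
              "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": str(timestamp or int(time.time())),
              "oauth_version": "1.0"}
    if callback: params["oauth_callback"] = callback      # /oauth/initiate only
    if token: params["oauth_token"] = token               # /oauth/token: the temporary token
    if verifier: params["oauth_verifier"] = verifier      # /oauth/token: from the Location header
    params["oauth_signature"] = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    # Parameters are listed alphabetically, matching the headers shown on this page
    return "OAuth " + ",".join(f'{k}="{pct(v)}"' for k, v in sorted(params.items()))

def parse_token_response(body):
    """Body like oauth_token=...&oauth_token_secret=...&oauth_callback_confirmed=true -> dict."""
    return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}

def verifier_from_location(location):
    """Location header of the confirm step -> oauth_verifier value."""
    return parse_qs(urlparse(location).query)["oauth_verifier"][0]

if __name__ == "__main__":
    print(authorization_header("POST", "http://magento.example/oauth/initiate",
                               "YOUR-CONSUMER-KEY", "YOUR-CONSUMER-SECRET", callback="http://localhost:8888"))
```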