Authentication steps

Nick Van Eeckhout edited this page Jun 13, 2013 · 9 revisions

The client simulates the OAuth authentication by acting as a user: it gets and posts the forms and retrieves values from the responses. The authentication process consists of a couple of steps, which are explained here in detail. If you're having trouble authenticating with the client to Magento, use Fiddler to inspect the traffic and check whether it matches the steps below.

Step 1

We need to ask Magento for a temporary OAuth token to initiate the authentication process.

POST /oauth/initiate

The request needs to contain an Authorization header like:

Authorization: OAuth oauth_callback="http%3A%2F%2Flocalhost%3A8888",oauth_consumer_key="YOUR-CONSUMER-KEY",oauth_nonce="t02auly6elcuthly",oauth_signature="7FMe1UducbDUgCJWQY4Avv3g3f4%3D",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1371098086",oauth_version="1.0"

The oauth_callback won't be used, but we specify a value anyway (http://localhost:8888).

The content from the response will contain a temporary oauth token and secret:

oauth_token=js49aqtpm41dna4ocrsz1n6xfg2yfj1g&oauth_token_secret=ugl1ywwbbk9btn1nnaamp2g4wesgyvpa&oauth_callback_confirmed=true

Step 2

With the temporary token we start the authentication process. Because we are authenticating as an administrator we need to go to the admin login page. If you have set a custom URL for the admin section, this needs to be set on the client. In my example I've set the admin URL part to 'myadmin'.

GET /myadmin/oauth_authorize?oauth_token=js49aqtpm41dna4ocrsz1n6xfg2yfj1g

This will return an HTML page with a form to log in the admin user.

<div class="login-form">                 
	<form method="post" action="http://YOUR-MAGENTO-URL/index.php/myadmin/oauth_authorize/index/" id="loginForm">
		<fieldset>
			<input name="form_key" type="hidden" value="Ed0CbLvNemoNO2yu" />
			<h2>Log in to Admin Panel</h2>
			<p class="description">Log in to use <strong>Admin</strong></p>
			<div class="input-box input-left"><label for="username">User Name:</label><br/>
				<input type="text" id="username" name="login[username]" value="" class="required-entry input-text" /></div>
			<div class="input-box input-right"><label for="login">Password:</label><br />
				<input type="password" id="login" name="login[password]" class="required-entry input-text" value="" /></div>
			<div class="clear"></div>
			<div class="form-buttons">
				<button type="submit" class="form-button" title="Login" >Login</button>
				<button onclick="document.location.href='YOUR-MAGENTO-URL/index.php/myadmin/oauth_authorize/reject/?oauth_token=wwv3zcmgzpywv6dq8gblzfrymy2stb3m'; return false;" title="Reject">Reject</button>
			</div>
			<input type="hidden" name="oauth_token" value="wwv3zcmgzpywv6dq8gblzfrymy2stb3m"/>
		</fieldset>
	</form>
</div>

From that HTML page the URL in the action attribute of the form is retrieved.

Step 3

We need to post the credentials of the admin user to the URL from the previous step.

POST /index.php/myadmin/oauth_authorize/index/

The content of the request contains the form fields:

form_key=Xz0zMbgeL2hZaGep&login%5busername%5d=Admin&login%5bpassword%5d=ZujIDGRTinyO05uEJ1Pg&oauth_token=js49aqtpm41dna4ocrsz1n6xfg2yfj1g

The response will not contain any content, but its headers will contain a Location header with the URL from which the result of the credentials post is retrieved.

Step 4

Get the result of the credentials post.

GET /index.php/myadmin/oauth_authorize/?oauth_token=js49aqtpm41dna4ocrsz1n6xfg2yfj1g

If the login has succeeded, this section should be present in the HTML:

<div class="login-form auth-confirm">
	<div class="page-title">
		<h1>Authorize application</h1>
	</div>	
	<h2><strong>RestApiAdmin</strong> requests access to your account</h2>
	<p>After authorization application will have access to you account.</p>
	<form id="oauth_authorize_confirm" action="http://YOUR-MAGENTO-URL/index.php/myadmin/oauth_authorize/confirm/" method="get">
		<input type="hidden" name="oauth_token" value="js49aqtpm41dna4ocrsz1n6xfg2yfj1g">
		<button type="submit" class="button" title="Authorize"><span><span>Authorize</span></span></button>
	</form>
	<form id="oauth_authorize_reject" action="http://YOUR-MAGENTO-URL/index.php/myadmin/oauth_authorize/reject/" method="get">
		<input type="hidden" name="oauth_token" value="js49aqtpm41dna4ocrsz1n6xfg2yfj1g">
		<button type="submit" class="button" title="Reject"><span><span>Reject</span></span></button>
	</form>
</div>

If the login did not succeed, it will contain:

<div class="login-form">
	<ul class="messages"><li class="error-msg"><ul><li><span>Invalid User Name or Password.</span></li></ul></li></ul>                            
	<form method="post" action="http://YOUR-MAGENTO-URL/index.php/myadmin/oauth_authorize/index/" id="loginForm">
		<fieldset>
			<input name="form_key" type="hidden" value="Ed0CbLvNemoNO2yu" />
			<h2>Log in to Admin Panel</h2>
			<p class="description">Log in to use <strong>Admin</strong></p>
			<div class="input-box input-left"><label for="username">User Name:</label><br/>
				<input type="text" id="username" name="login[username]" value="" class="required-entry input-text" /></div>
			<div class="input-box input-right"><label for="login">Password:</label><br />
				<input type="password" id="login" name="login[password]" class="required-entry input-text" value="" /></div>
			<div class="clear"></div>
			<div class="form-buttons">
				<button type="submit" class="form-button" title="Login" >Login</button>
				<button onclick="document.location.href='http://YOUR-MAGENTO-URL/index.php/myadmin/oauth_authorize/reject/?oauth_token=wwv3zcmgzpywv6dq8gblzfrymy2stb3m'; return false;" title="Reject">Reject</button>
			</div>
			<input type="hidden" name="oauth_token" value="wwv3zcmgzpywv6dq8gblzfrymy2stb3m"/>
		</fieldset>
	</form>
	<script type="text/javascript">
	//<![CDATA[
		 var loginForm = new varienForm('loginForm');
	//]]>
	</script>
</div>

In the code there's a check whether the 'oauth_authorize_confirm' form does not exist or the text 'Invalid User Name or Password' is found.
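The form handling from Step 2 (pulling the action URL and hidden fields out of the login form), Step 3 (building the credentials post body) and Step 4 (deciding whether the login succeeded), as an added Python example using only the standard library. This is not the client's own code; the sample pages are trimmed copies of the HTML shown on this page, and the username and password used in the demo are constructed values.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode


class _FormScanner(HTMLParser):
    """Records each <form> (id, action, hidden inputs) and all text of a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.text = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"id": a.get("id"), "action": a.get("action"), "fields": {}}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("type") == "hidden":
            self._form["fields"][a.get("name", "")] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

    def handle_data(self, data):
        self.text.append(data)


def scan(html):
    """Return ({form id: form}, page text) for an HTML document."""
    parser = _FormScanner()
    parser.feed(html)
    parser.close()
    return {f["id"]: f for f in parser.forms}, "".join(parser.text)


def login_form(html):
    """Step 2: the login form's action URL plus its hidden form_key and oauth_token."""
    return scan(html)[0].get("loginForm")


def credentials_body(form, username, password):
    """Step 3: the urlencoded body to post to the login form's action URL."""
    fields = {**form["fields"], "login[username]": username, "login[password]": password}
    return urlencode(fields)


def login_outcome(html):
    """Step 4: 'authorized' with the confirm form, otherwise why this is not the confirm page.

    The order mirrors the check described on the page: an error message or a missing
    'oauth_authorize_confirm' form both mean the login failed."""
    forms, text = scan(html)
    if "Invalid User Name or Password" in text:
        return "invalid_credentials", None
    if "oauth_authorize_confirm" not in forms:
        return "no_confirm_form", None
    return "authorized", forms["oauth_authorize_confirm"]


# Trimmed copies of the HTML shown on this page (constructed test input).
LOGIN_PAGE = """<div class="login-form">
<form method="post" action="http://YOUR-MAGENTO-URL/index.php/myadmin/oauth_authorize/index/" id="loginForm">
<input name="form_key" type="hidden" value="Ed0CbLvNemoNO2yu" />
<input type="text" name="login[username]" value="" />
<input type="password" name="login[password]" value="" />
<input type="hidden" name="oauth_token" value="wwv3zcmgzpywv6dq8gblzfrymy2stb3m"/>
</form></div>"""

CONFIRM_PAGE = """<div class="login-form auth-confirm">
<h2><strong>RestApiAdmin</strong> requests access to your account</h2>
<form id="oauth_authorize_confirm" action="http://YOUR-MAGENTO-URL/index.php/myadmin/oauth_authorize/confirm/" method="get">
<input type="hidden" name="oauth_token" value="js49aqtpm41dna4ocrsz1n6xfg2yfj1g">
<button type="submit">Authorize</button></form>
<form id="oauth_authorize_reject" action="http://YOUR-MAGENTO-URL/index.php/myadmin/oauth_authorize/reject/" method="get">
<input type="hidden" name="oauth_token" value="js49aqtpm41dna4ocrsz1n6xfg2yfj1g">
<button type="submit">Reject</button></form></div>"""

ERROR_PAGE = ('<div class="login-form"><ul class="messages"><li class="error-msg"><ul><li>'
              '<span>Invalid User Name or Password.</span></li></ul></li></ul>' + LOGIN_PAGE + '</div>')


if __name__ == "__main__":
    form = login_form(LOGIN_PAGE)
    print("post to:", form["action"])
    print("body:", credentials_body(form, "Admin", "constructed-password"))
    for name, page in ("confirm", CONFIRM_PAGE), ("error", ERROR_PAGE), ("login", LOGIN_PAGE):
        print(name, "->", login_outcome(page)[0])
```

Checking the error text before the confirm form, rather than only testing for the form, distinguishes bad credentials from an unexpected page (a changed admin URL, a redirect to a different login), which makes a failed run much easier to diagnose than a single "not authorized" result.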

Step 5

The next step is to confirm the authorization of the application.

GET /index.php/myadmin/oauth_authorize/confirm/?oauth_token=js49aqtpm41dna4ocrsz1n6xfg2yfj1g

This will return a response without content. In the response headers there's a Location header that contains the postback URL. The oauth_verifier parameter is taken from that URL.

Location: http://localhost:8888?oauth_token=js49aqtpm41dna4ocrsz1n6xfg2yfj1g&oauth_verifier=q14bk37vunbdsoe8u0ezl7x7aw87udk8

Step 6

POST /oauth/token

Authorization header of the request:

Authorization: OAuth oauth_consumer_key="lqdq7pruqm4r6kl9se10c998babeyyjn",oauth_nonce="icmouqpvyi9m5gzt",oauth_signature="QQlNjqd26UiMR1voqkfxdwpuK14%3D",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1371098102",oauth_token="js49aqtpm41dna4ocrsz1n6xfg2yfj1g",oauth_verifier="w87udk8q14bk37vunbdsoe8u0ezl7x7a",oauth_version="1.0"

This will return a validated token and the corresponding secret.

oauth_token=9jtjlsajmgzchhdtsqqnawo058611t7j&oauth_token_secret=hxy8yjyueo6uzs99zsvjjm32q9zcj57w
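How the Authorization headers of Step 1 and Step 6 are built (OAuth 1.0a signature base string, HMAC-SHA1 signature, header formatting), together with the response parsing of Steps 1, 5 and 6, as an added Python example. It is not the client's own code. The store address magento.example.com and the consumer secret in the demo are constructed, since the page shows neither; the nonce and timestamp from the page's Step 1 header are accepted as parameters only so that a captured request can be reproduced, and fresh values are generated otherwise.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, quote, urlparse

# Constructed store address; the page shows only the request paths.
STORE = "http://magento.example.com"


def enc(value):
    """RFC 3986 percent-encoding as OAuth 1.0a requires: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """Signature base string: METHOD & enc(base URL) & enc(sorted, encoded parameters)."""
    u = urlparse(url)
    host = u.hostname or ""
    default_port = {"http": 80, "https": 443}.get(u.scheme.lower())
    if u.port and u.port != default_port:
        host += f":{u.port}"
    base_url = f"{u.scheme.lower()}://{host}{u.path}"
    pairs = sorted((enc(k), enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(base_url), enc(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with enc(consumer_secret)&enc(token_secret).

    In Step 1 there is no token yet, so the key ends in '&'; in Step 6 the temporary
    token secret from Step 1 is appended."""
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def oauth_params(consumer_key, nonce=None, timestamp=None, **extra):
    """The oauth_* protocol parameters shared by Step 1 and Step 6."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    params.update(extra)
    return params


def authorization_header(method, url, params, consumer_secret, token_secret=""):
    """Value of the Authorization header, parameters sorted as in the page's captures."""
    signed = dict(params, oauth_signature=sign(method, url, params, consumer_secret, token_secret))
    return "OAuth " + ",".join(f'{k}="{enc(v)}"' for k, v in sorted(signed.items()))


def step1_header(consumer_key, consumer_secret, nonce=None, timestamp=None):
    """POST /oauth/initiate: callback is required by the protocol even though Magento ignores it."""
    params = oauth_params(consumer_key, nonce, timestamp, oauth_callback="http://localhost:8888")
    return authorization_header("POST", STORE + "/oauth/initiate", params, consumer_secret)


def step6_header(consumer_key, consumer_secret, request_token, request_secret, verifier):
    """POST /oauth/token: temporary token plus the verifier from Step 5, signed with the token secret."""
    params = oauth_params(consumer_key, oauth_token=request_token, oauth_verifier=verifier)
    return authorization_header("POST", STORE + "/oauth/token", params, consumer_secret, request_secret)


def parse_token_response(body):
    """oauth_token=...&oauth_token_secret=... bodies returned by /oauth/initiate and /oauth/token."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def verifier_from_location(location):
    """Step 5: oauth_verifier from the query string of the Location header."""
    return parse_qs(urlparse(location).query)["oauth_verifier"][0]


if __name__ == "__main__":
    consumer_key, consumer_secret = "YOUR-CONSUMER-KEY", "constructed-consumer-secret"
    print(step1_header(consumer_key, consumer_secret))
    temp = parse_token_response(
        "oauth_token=js49aqtpm41dna4ocrsz1n6xfg2yfj1g&oauth_token_secret=ugl1ywwbbk9btn1nnaamp2g4wesgyvpa&oauth_callback_confirmed=true")
    verifier = verifier_from_location(
        "http://localhost:8888?oauth_token=js49aqtpm41dna4ocrsz1n6xfg2yfj1g&oauth_verifier=q14bk37vunbdsoe8u0ezl7x7aw87udk8")
    print(step6_header(consumer_key, consumer_secret, temp["oauth_token"], temp["oauth_token_secret"], verifier))
```

Most failed signatures come from the base string rather than the HMAC: a host in the wrong case, a default port left in the URL, a parameter encoded with `+` instead of `%20`, or the token secret missing from the key in Step 6. Comparing the base string your client builds with the one computed here for the same nonce and timestamp pinpoints which of those it is.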