json_oauth1_signature_mismatch / OAuth signature does not match

[brandonkramer]

I've authenticated with my WP API and successfully able to post a comment with Postman but posting a comment from my client gives me the following error "{code: "json_oauth1_signature_mismatch", message: "OAuth signature does not match",…}"

Can someone help me out? I've used "bettiolo/oauth-signature-js" as signature generator

  var thisTimestamp = Math.floor(Date.now() / 1000);
        var thisNonce = randomString(32);
        var thisConsumerKey = '*****';
        var thisToken = '*****';
        var thisSignatureMethod = 'HMAC-SHA1';
        var thisOauthVersion = '1.0';
        var thisParameters = {
            oauth_consumer_key : thisConsumerKey,
            oauth_token : thisToken,
            oauth_nonce : thisNonce,
            oauth_timestamp : thisTimestamp,
            oauth_signature_method : thisSignatureMethod,
            oauth_version : thisOauthVersion
        };
        var thisUrl = 'http://myclient.dev/wp-json/wp/v2/comments?author=1&author_email=your-email-address@website-address-here.com&author_name=your-name&content=your-comment&post=1265';
        var consumerSecret = '*****';
        var tokenSecret = '*****';
        var encodedSignature = oauthSignature.generate('POST', thisUrl, thisParameters, consumerSecret, tokenSecret);
        var thisSignature = oauthSignature.generate('POST', thisUrl, thisParameters, consumerSecret, tokenSecret,
            { encodeSignature: false});

        $http({
          method: 'POST',
          url: thisUrl,
          headers:{
                        'Content-Type' : 'application/x-www-form-urlencoded',
                       'Authorization' : 'OAuth oauth_consumer_key="'+thisConsumerKey+'",oauth_token="'+thisToken+'",oauth_signature_method="'+thisSignatureMethod+'",oauth_timestamp="'+thisTimestamp+'",oauth_nonce="'+thisNonce+'",oauth_version="'+thisOauthVersion+'",oauth_signature="'+thisSignature+'"'
                   }

        }).then(function (res) {
          console.info('[REST] POST request sent to "' + route + '"');
        }, function (err) {
          console.error('[REST] POST request failed. Error message: ', err);
        });

[brandonkramer]

Nevermind, I got it working!

[rish9511]

@brandonkramer
Could you please share the solution. I am facing the same problem

[anuragbhai]

I am also facing the same issue @brandonkramer please update with the solution.

[anuragbhai]

@brandonkramer are you there???

[pritty12]

I am also facing the same issue ..please update with the solution.

[joehoyle]

For some more info here: A json_oauth1_signature_mismatch does not really have a one-fix solution. It just means the generated signature for oauth is incorrect, but that could be for a number of reasons.

Typically if you are sending "complex" data over the wire, like nested objects, arrays etc it's very possible your implementation of oauth is generating a different signature than the OAuth 1 plugin. It's unfortunately the case that the spec isn't super clear on how to generate signatures for arrays - but the point is your client-side signature generation MUST match the algorithm from the PHP side. See https://github.com/WP-API/OAuth1/blob/master/lib/class-wp-rest-oauth1.php#L629 for details (specifically https://github.com/WP-API/OAuth1/blob/master/lib/class-wp-rest-oauth1.php#L717 https://github.com/WP-API/OAuth1/blob/master/lib/class-wp-rest-oauth1.php#L730 https://github.com/WP-API/OAuth1/blob/master/lib/class-wp-rest-oauth1.php#L754). Yes, generating a signature is a pain!

I've had to walk through the generation process several times when building out https://github.com/WP-API/wordpress-rest-api-oauth-1. Check https://github.com/WP-API/wordpress-rest-api-oauth-1/blob/master/src/index.js#L160 for some nasty hacks to get the oauth-1.0a module to generate the signature how I wanted. This was because numeric arrays in the PHP side are interpreted as key[0] = value but most JavaScript clients will encode as key[] = value.

This is a tricky thing to debug, the only "good" way I've done this is to add log statements in both the client side and PHP side and compare for each step, find where the difference appears in the signature generation and work out why that is.

@rmccue might be able to chime in with why this is not specced well in the standard - however a good start might be to have some oauth library implementations that we know to be compatible and release some that don't exist.

[alikhangholi]

I selected x-www-form-urlencoded from Body section (for request) in Postman, and it worked for me