Magento REST API and OAuth: A Step-by-Step Guide to Secure Access

Posted on: 28 Oct 2019 by Admin

Want to know how to configure the Magento 1.x REST and oAuth settings and access the REST API? Read the article below.

Magento authentication is based on OAuth, an open standard for secure API authentication. It uses a token-passing mechanism that lets users control which applications have access to their data without revealing their passwords or other credentials. This article shows how to obtain the consumer key, consumer secret, oAuth token and oAuth token secret that are sent in the Authorization header when calling the Magento REST APIs.

1. How to get the consumer key and consumer secret and configure the Magento REST and oAuth settings for REST API access:

Terms and Definitions:

User

A customer who has an account with Magento and can use the services via the Magento API.

Consumer

A third-party application that uses oAuth to access the Magento API. This application must be registered in the Magento system to receive the Consumer Key and Consumer Secret.

Consumer Key

A value used by the Consumer to identify itself to Magento.

Consumer Secret

A secret used by the Consumer to prove ownership of the Consumer Key. This value is never passed in requests.

Request Token

A value used by the Consumer to obtain authorization from the User (when needed). The Request Token is exchanged for an Access Token when permission is granted.

Access Token

A value used by the Consumer to call Magento APIs on behalf of the User.

Magento backend (Admin panel) configuration

Step 1: Creating an oAuth Consumer

System -> Web Services -> REST oAuth Consumers -> Add New -> Enter the requested consumer information and your admin password if prompted, then Save. Note down the consumer key and consumer secret.

Sample Response:

  • Consumer_key: 1cc517b6cb934b5***************7a596
  • Consumer_secret: 2dfbb639a15c235***************47cf4

Step 2: Creating and configuring Admin roles

  • System -> Web Services -> REST Roles -> Add Admin -> Enter a Role Name -> Select Role API Resources from the left tab -> Set Resource Access to All. Save

Step 3: Assigning the configured Admin REST Role to an admin user

  • System -> Web Services -> REST Attributes -> Select Admin -> Set Resource Access to All. Save

Step 4: Configuring resource attributes and access permissions

  • System -> Permissions -> Users -> Select any ADMIN user -> Click on REST Role in the left tab -> Check the radio button for the app and save.

2. How to get the oAuth token and final oAuth token secret using a REST client

The authentication flow uses the following endpoints, in this order:

  • /oauth/initiate – used to retrieve the Request Token.
  • /admin/oauth_authorize – used for user authorization (Admin).
  • /oauth/token – used to retrieve the Access Token.

All steps listed below were tested with REST clients such as the Mozilla REST Client extension (recommended), Postman and Advanced REST Client.

1. oauth/initiate

Method: POST

  • URL: http://your-url.com/oauth/initiate?oauth_callback=http://example.com
  • OAuth 1.0 headers: the consumer key and secret obtained in Step 1.

Sample Response:

oauth_token=ff1469e90aa*****868c8ed4865aa8ecb&oauth_token_secret=d11447b004681*****c86accae032cc4c&oauth_callback_confirmed=true

The image below shows the temporary oAuth token and oAuth token secret being generated.

2. admin/oauth_authorize

URL: http://your-url.com/admin/oauth_authorize?oauth_token=<oauth_token received in the previous step>

Opening the URL in your browser takes you to the Magento admin panel. Log in and then authorize the request.
Once authorized, note down the URL in the address bar:
https://yoururl.com/?oauth_token=1419892709e9941*******8d84d7f5bb5&oauth_verifier=613de3bf584d2***8c2dd2af4fb26c0

The oauth_verifier value is the one required for the next step.

3. oauth/token

Method: POST

URL: http://your-url.com/oauth/token?oauth_verifier=<oauth_verifier from the previous step>

OAuth 1.0 headers: the consumer key and secret from the backend, plus the request token and token secret from step 1.

Sample Response:

(Final permanent token and token secret to be used to access the Magento REST API resources)

Final Tokens:

  • consumer_key: 1cc517b6cb*********7594c7fc5d57a596
  • consumer_secret: 2dfbb639*********db9d15bee86e47cf4
  • oauth_token: 5aac4eac990c*********c680375f4a724
  • oauth_token_secret: 0256cb*********206666e8bd7684d6da4

The above tokens are sent in an OAuth 1.0 Authorization header together with oauth_version=1.0, a randomly generated nonce, the request timestamp and the oauth_signature, which is an HMAC-SHA1 computed over the request using the consumer secret and token secret as the key.
For example:
Method: GET
URL: http://your-url.com/api/rest/products

Headers:

'content-type': 'application/json'
'Authorization': 'OAuth oauth_signature_method="HMAC-SHA1",
oauth_nonce="rltCs",
oauth_timestamp="1533556177",
oauth_consumer_key="1cc517b6cb****597594c7fc5d57a596",
oauth_token="24471d629f7ce06ba****527fc5f520b4",
oauth_version="1.0",
oauth_signature="G0NsWh0BEeZh****wCY6xESrdfQ%3D"'
Note: the nonce is a randomly generated unique value and the timestamp is the request time in seconds since the Unix epoch; a fresh pair is needed for every request.
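As an added example, not code from the original post or from Magento, the Python below builds the OAuth 1.0 Authorization header described above for each of the three endpoint calls (no token at /oauth/initiate, the request token at /oauth/token, the access token for /api/rest/products) and models the check a server makes when it receives one. The keys, secrets, token values and URLs are constructed placeholders; the nonce and timestamp from the sample header above are reused so the result is reproducible.

```python
# OAuth 1.0 HMAC-SHA1 signing and verification for Magento 1.x REST (added example, not Magento's code)
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

def enc(s):
    # RFC 5849 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay literal
    return quote(str(s), safe="-._~")

def base_string(method, url, oauth_params):
    # Query-string params (oauth_callback, oauth_verifier, ...) are signed alongside the oauth_* ones
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    params.update(oauth_params)
    norm = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))
    return f"{method.upper()}&{enc(url.split('?', 1)[0])}&{enc(norm)}"

def sign(method, url, oauth_params, consumer_secret, token_secret=""):
    # Key = consumer_secret&token_secret; token_secret is empty for the /oauth/initiate call
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, oauth_params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def auth_header(method, url, consumer_key, consumer_secret, token="", token_secret="",
                nonce=None, timestamp=None):
    # Only the key, the token and the HMAC travel in the header; the secrets never do
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:  # absent at /oauth/initiate, request token at /oauth/token, access token afterwards
        oauth["oauth_token"] = token
    oauth["oauth_signature"] = sign(method, url, oauth, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{k}="{enc(v)}"' for k, v in oauth.items())

def verify(header, method, url, consumer_secret, token_secret, seen_nonces, now, max_skew=300):
    # Server-side model: reject stale timestamps and replayed nonces, then recompute the HMAC
    fields = {k: unquote(v.strip('"')) for k, v in
              (kv.split("=", 1) for kv in header[len("OAuth "):].split(", "))}
    sent = fields.pop("oauth_signature")
    if abs(now - int(fields["oauth_timestamp"])) > max_skew or fields["oauth_nonce"] in seen_nonces:
        return False
    seen_nonces.add(fields["oauth_nonce"])
    return hmac.compare_digest(sent, sign(method, url, fields, consumer_secret, token_secret))
```

Pass the full URL including its query string so that oauth_callback or oauth_verifier is covered by the signature; a signature computed over a different URL, method or secret, a reused nonce, or a timestamp outside the skew window is rejected by verify.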

 

Response: