Last updated November 5, 2015. Created on October 13, 2013.
Edited by juampynr, fgm, FMB, colan.

Below are the steps to configure OAuth so it can authenticate requests in Drupal 8.


Requirements

Read the installation instructions for PECL's OAuth extension.

The easiest way to install this extension is through PEAR using the following command:

pecl install oauth

Running pear install HTTP_OAuth instead installs a PEAR implementation that is not compatible with the D8 version.


Download and install the OAuth module from the project page.

If you see an error during installation regarding PECL's OAuth extension, please read the installation instructions in the Requirements section.

Set up

Follow these steps to configure OAuth Authentication for requests:

1. Set OAuth authentication for a REST resource.
2. Adjust permissions.
3. Obtain a pair of OAuth consumer and secret keys.
4. Test the resource.

Set OAuth authentication for a REST resource

The following REST configuration allows access to the node resource for OAuth requests on GET method in JSON format:

# Sample rest.settings.yml
resources:
  'entity:node':
    GET:
      supported_formats:
        - json
      supported_auth:
        - oauth

For instructions on how to apply configuration changes in Drupal 8, read Managing configuration in Drupal 8. Alternatively, you can install REST UI module and use its interface to enable and configure the resource through the administration interface.

Adjust permissions

Since we want only authenticated requests to access nodes through REST, we need to adjust permissions so that only authenticated users have access. Therefore, we will check the Authenticated checkbox for the permission Access GET on Content resource.


If we want authenticated users to manage their own keys in order to access OAuth protected resources, we need to allow Access own OAuth consumers on the Authenticated role.


Finally, go to the bottom of the page and click on Save permissions.

Obtain a pair of OAuth consumer and secret keys

Now we are going to generate a pair of OAuth consumer and secret keys to be used to sign requests.

Open the account page of a user with permission to Access own OAuth consumers and click on the OAuth consumers tab. There will be no consumers, so we will click on Add consumer and confirm the action.


Finally, we have a pair of OAuth consumer and secret keys. We will test them in the next section.


Test the resource

Create a node of type page. Assuming that its nid is 1, here is a script that uses Guzzle 6 with our pair of keys to request the node:

<?php

/**
 * @file oauthRequest.php
 * Performs an OAuth request to retrieve a node.
 */

require 'vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Subscriber\Oauth\Oauth1;

$stack = HandlerStack::create();

// Sign requests with the consumer key and secret generated in the previous step.
$middleware = new Oauth1([
  'consumer_key'    => '3JSiwDZVEw7yHipVnAVZeuu6GdWkMzTb',
  'consumer_secret' => 'EPFRN3WQNWXA9UdRbUSUFdTdetvCVGv3',
]);
// Register the OAuth middleware; without this the request is sent unsigned.
$stack->push($middleware);

$client = new Client([
  'base_uri' => 'http://d8.local',
  'handler' => $stack,
]);

// Set the "auth" request option to "oauth" to sign using oauth
$response = $client->get('node/1?_format=json', ['auth' => 'oauth', 'debug' => true]);
$body = $response->getBody();
print_r(json_decode((string) $body));

And this is the response from the server:

juampy@juampy-box:~/projects/default/oauth_request $ php oauth_request.php
* Hostname was NOT found in DNS cache
*   Trying
* Connected to d8.local ( port 80 (#0)
> GET /node/1?_format=json HTTP/1.1
User-Agent: GuzzleHttp/6.1.0 curl/7.35.0 PHP/5.5.9-1ubuntu4.14
Host: d8.local
Authorization: OAuth oauth_consumer_key="3JSiwDZVEw7yHipVnAVZeuu6GdWkMzTb", oauth_nonce="b7b023e9a6fb90fc03361568bdef68b0ebb4036d", oauth_signature="3riP2rJKRHfdJo6steaudUvUJ3E%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1446730340", oauth_version="1.0"

< HTTP/1.1 200 OK
< Date: Thu, 05 Nov 2015 13:32:20 GMT
* Server Apache/2.4.7 (Ubuntu) is not blacklisted
< Server: Apache/2.4.7 (Ubuntu)
< X-Content-Type-Options: nosniff
< X-Powered-By: PHP/5.5.9-1ubuntu4.14
< Cache-Control: must-revalidate, no-cache, post-check=0, pre-check=0, private
< X-Drupal-Dynamic-Cache: MISS
< X-UA-Compatible: IE=edge
< Content-language: en
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Expires: Sun, 19 Nov 1978 05:00:00 GMT
< X-Generator: Drupal 8 (
< X-Drupal-Cache: MISS
< Content-Length: 842
< Content-Type: application/json
* Connection #0 to host d8.local left intact

stdClass Object
    [nid] => Array
            [0] => stdClass Object
                    [value] => 1


    [uuid] => Array
            [0] => stdClass Object
                    [value] => 6fcae0f0-bba6-45a9-932a-42d4a524525d


    [vid] => Array
            [0] => stdClass Object
                    [value] => 1


    [type] => Array
            [0] => stdClass Object
                    [target_id] => article


    [langcode] => Array
            [0] => stdClass Object
                    [value] => en


    [title] => Array
            [0] => stdClass Object
                    [value] => Title

    // Rest of the node's fields.


The OAuth module logs errors for requests that are signed with the OAuth protocol. Have a look at admin/reports/dblog for hints about what may be wrong. Also, verify that the Status Report (at admin/reports/status) does not show any warnings in the OAuth section.
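To help interpret signature errors reported in the log, the following added example (not part of the original page and not the OAuth module's own code) shows how an OAuth 1.0 HMAC-SHA1 signature like the one in the Authorization header above is built, and what a server checks before accepting it. The function names, the 300-second timestamp window and the sample credentials are assumptions made for illustration.

```php
<?php
// Added example, not the OAuth module's code. Simplifications: default port,
// no duplicate or array-valued parameters, no access token (two-legged).

/** Signature base string (RFC 5849 section 3.4.1): METHOD & URL & parameters. */
function oauth_base_string(string $method, string $url, array $oauth): string {
  $parts = parse_url($url);
  parse_str($parts['query'] ?? '', $query);
  unset($oauth['oauth_signature']);  // The signature never signs itself.
  $encoded = [];
  foreach ($query + $oauth as $name => $value) {
    $encoded[rawurlencode((string) $name)] = rawurlencode((string) $value);
  }
  ksort($encoded, SORT_STRING);  // Sort by encoded parameter name.
  $pairs = array_map(fn($n, $v) => "$n=$v", array_keys($encoded), $encoded);
  $base_url = strtolower($parts['scheme'] . '://' . $parts['host']) . ($parts['path'] ?? '/');
  return strtoupper($method) . '&' . rawurlencode($base_url) . '&' . rawurlencode(implode('&', $pairs));
}

/** HMAC-SHA1 signature; the key is "consumer_secret&token_secret" (token empty here). */
function oauth_sign(string $base, string $consumer_secret, string $token_secret = ''): string {
  $key = rawurlencode($consumer_secret) . '&' . rawurlencode($token_secret);
  return base64_encode(hash_hmac('sha1', $base, $key, TRUE));
}

/** Server-side check: timestamp inside the window, then constant-time compare. */
function oauth_verify(string $method, string $url, array $oauth, string $secret, int $now, int $window = 300): bool {
  if (abs($now - (int) ($oauth['oauth_timestamp'] ?? 0)) > $window) {
    return FALSE;  // Stale request. A real server also rejects reused nonces.
  }
  $expected = oauth_sign(oauth_base_string($method, $url, $oauth), $secret);
  return hash_equals($expected, (string) ($oauth['oauth_signature'] ?? ''));
}

// Constructed sample credentials; URL and timestamp as in the request above.
$secret = 'constructed-consumer-secret';
$url = 'http://d8.local/node/1?_format=json';
$oauth = [
  'oauth_consumer_key' => 'constructed-consumer-key',
  'oauth_nonce' => 'constructed-nonce-0001',
  'oauth_signature_method' => 'HMAC-SHA1',
  'oauth_timestamp' => '1446730340',
  'oauth_version' => '1.0',
];
$oauth['oauth_signature'] = oauth_sign(oauth_base_string('GET', $url, $oauth), $secret);

var_dump(oauth_verify('GET', $url, $oauth, $secret, 1446730350));  // Request as signed.
var_dump(oauth_verify('GET', 'http://d8.local/node/2?_format=json', $oauth, $secret, 1446730350));  // URL changed after signing.
var_dump(oauth_verify('GET', $url, $oauth, $secret, 1446730340 + 3600));  // Same request an hour later.
```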



webbymatt’s picture

I could not install HTTP_OAUTH through CLI with PEAR - I had to specify the version number:

pear install HTTP_OAuth
- did not work

pear install HTTP_OAuth-0.3.1
- did work

x7ian’s picture

Hello, great article, however I still don't understand how the client is supposed to know the consumer key to make authenticated requests. Sorry if I'm asking dumb questions, but I'm totally new to REST, OAuth and Drupal 8.
I need to create a login form page on my client side (say an Angular app) where the user enters a username and a password. Now my question is: where (to what URL) should I send this POST request to get the consumer key and be able to use it on the next requests for the current session? Or am I misunderstanding how this works?
If the consumer key is created on the server side, and obviously the user doesn't have to know that consumer key by memory, he only knows his username and password, so I need to understand how the session gets created and how the authentication process actually takes place.
Can you please point me to a link where this is better explained?
Thank you for your help!

juampynr’s picture

By setting the right permissions, you allow authenticated users in Drupal to generate a pair of keys at their profile settings. Then they can use them in their own applications.

Does this answer your question @x7ian?

sbasi’s picture

Hi, I have a restful api for drupal 8 with basic_auth and SSL. Can I add Oauth to it to make it more secure?