Below are the steps to configure OAuth so it can authenticate requests in Drupal 8.
Read installation instructions on PECL's OAuth extension.
The easiest way to install this extension is through PEAR using the following command:
pecl install oauth
pear install HTTP_OAuth installs a PEAR implementation not compatible with the D8 version.
Download and install OAuth module from the project page.
If you see an error during installation regarding PECL's OAuth extension, please read the installation instructions in the Requirements section.
Follow these steps to configure OAuth Authentication for requests:
Set OAuth authentication for a REST resource
The following REST configuration allows access to the node resource for OAuth requests on GET method in JSON format:
# Sample rest.settings.yml resources: 'entity:node': GET: supported_formats: - json supported_auth: - oauth
For instructions on how to apply configuration changes in Drupal 8, read Managing configuration in Drupal 8. Alternatively, you can install REST UI module and use its interface to enable and configure the resource through the administration interface.
Since we just want authenticated requests to access nodes through REST, we need to adjust permissions so only authenticated users
can access. Therefore, we will check the Authenticated checkbox for the permission Access GET on Content resource:
If we want authenticated users to manage their own keys in order to access OAuth protected resources, we need to allow Access own OAuth consumers on the Authenticated role:
Finally, go to the bottom of the page and click on Save permissions.
Obtain a pair of OAuth consumer and secret keys
Now we are going to generate a pair of OAuth consumer and secret keys to be used to sign requests.
Open the account page of a user with permission to Access own OAuth consumers and click at at the OAuth consumers tab. There will be no consumers, so we will click on Add consumer and confirm the action:
Finally, we have a pair of OAuth consumer and secret keys. We will test them in the next section.
Test the resource
Create a node of type page. Assuming that its nid is 1, here is a script that uses Guzzle 6 with our pair of keys to request the node:
/** * @file oauthRequest.php * Performs an OAuth request to retrieve a node. */ require 'vendor/autoload.php'; use GuzzleHttp\Client; use GuzzleHttp\HandlerStack; use GuzzleHttp\Subscriber\Oauth\Oauth1; $stack = HandlerStack::create(); $middleware = new Oauth1([ 'consumer_key' => '3JSiwDZVEw7yHipVnAVZeuu6GdWkMzTb', 'consumer_secret' => 'EPFRN3WQNWXA9UdRbUSUFdTdetvCVGv3', ]); $stack->push($middleware); $client = new Client([ 'base_uri' => 'http://d8.local', 'handler' => $stack, ]); // Set the "auth" request option to "oauth" to sign using oauth $response = $client->get('node/1?_format=json', ['auth' => 'oauth', 'debug' => true]); $body = $response->getBody(); print_r(json_decode((string) $body));
And this is the response from the server:
juampy@juampy-box:~/projects/default/oauth_request $ php oauth_request.php Command: * Hostname was NOT found in DNS cache * Trying 127.0.0.1... * Connected to d8.local (127.0.0.1) port 80 (#0) > GET /node/1?_format=json HTTP/1.1 User-Agent: GuzzleHttp/6.1.0 curl/7.35.0 PHP/5.5.9-1ubuntu4.14 Host: d8.local Authorization: OAuth oauth_consumer_key="3JSiwDZVEw7yHipVnAVZeuu6GdWkMzTb", oauth_nonce="b7b023e9a6fb90fc03361568bdef68b0ebb4036d", oauth_signature="3riP2rJKRHfdJo6steaudUvUJ3E%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1446730340", oauth_version="1.0" < HTTP/1.1 200 OK < Date: Thu, 05 Nov 2015 13:32:20 GMT * Server Apache/2.4.7 (Ubuntu) is not blacklisted < Server: Apache/2.4.7 (Ubuntu) < X-Content-Type-Options: nosniff < X-Powered-By: PHP/5.5.9-1ubuntu4.14 < Cache-Control: must-revalidate, no-cache, post-check=0, pre-check=0, private < X-Drupal-Dynamic-Cache: MISS < X-UA-Compatible: IE=edge < Content-language: en < X-Content-Type-Options: nosniff < X-Frame-Options: SAMEORIGIN < Expires: Sun, 19 Nov 1978 05:00:00 GMT < X-Generator: Drupal 8 (https://www.drupal.org) < X-Drupal-Cache: MISS < Content-Length: 842 < Content-Type: application/json < * Connection #0 to host d8.local left intact stdClass Object ( [nid] => Array (  => stdClass Object ( [value] => 1 ) ) [uuid] => Array (  => stdClass Object ( [value] => 6fcae0f0-bba6-45a9-932a-42d4a524525d ) ) [vid] => Array (  => stdClass Object ( [value] => 1 ) ) [type] => Array (  => stdClass Object ( [target_id] => article ) ) [langcode] => Array (  => stdClass Object ( [value] => en ) ) [title] => Array (  => stdClass Object ( [value] => Title ) ) // Rest of the node's fields. )
OAuth module registers errors in requests that are signed with the OAuth protocol. Have a look at admin/reports/dblog to see if you find any hints on what can be wrong. Also, verify that the Status Report (at admin/reports/status) does not show any warnings at the OAuth section.