OAuth1 problems WordPress


I’ve been trying to get OAuth1 working to let users log in with their MemberPress logins in WordPress. There are a few outdated solutions out there, but I did actually manage to get pretty far. It took some hacking in the core oauth1 package though. For some reason, all the urls and query params are built by manually concatenating strings, and this leads to massive loads of incompatibilities, and strange hacks (there are a lot of issues surrounding problems with this approach). Using a query string library which would properly encode everything would fix this, and would make the coding actually easier.

Anyway, I’m stuck at the authenticate part. The WP API OAuth1 plugin only offers 3 end points, but the Meteor Oauth packages seem to require 4 - the missing one is /oauth/authenticate. Does anyone know what the proper URL is for authenticate? Right now it forwards me to a JSON blob (/?json_route=%2F&oauth_token=dIJqnto2H36rVemete4Fr1Sv), which isn’t helpful for end users.

Here’s what I did inside the oauth1 package in oauth1_binding.js:

OAuth1Binding.prototype._getSignature = function(method, url, rawHeaders, accessTokenSecret, params) {
  var self = this;
  var headers = self._encodeHeader(_.extend({}, rawHeaders, params));

  var parameters = _.map(headers, function(val, key) {
    // :NOTE: all query params should always be encoded
    return self._encodeString(key) + '=' + self._encodeString(val);

  var signatureBase = [

  // :HACK: This is a very specific hack to get this working with WordPress OAuth1
  signatureBase = signatureBase.replace('%2525253D%26oauth_consumer_key', '%25253D%26oauth_consumer_key')

  var secret = OAuth.openSecret(self._config.secret);

  var signingKey = self._encodeString(secret) + '&';
  if (accessTokenSecret)
    signingKey += self._encodeString(accessTokenSecret);

  return crypto.createHmac('SHA1', signingKey).update(signatureBase).digest('base64');

I have no idea what that would do to other oauth1 services (if any still exist - WordPress is so old, and oauth1 is officially deprecated).