Início
API Reference
API Magento 1 Openmage
REST
Authentication (OAuth 1.0a)

Authentication (OAuth 1.0a)

magento-1

Fluxo 3-legged OAuth 1.0a, códigos de erro e configuração de consumers.

POST


                                    /oauth/initiate

OAuth 1.0a — Authentication flow

Nota (PT-BR): a REST API usa OAuth 1.0a (3-legged). Os três passos abaixo são obrigatórios.

OAuth Authentication

Magento uses OAuth 1.0a — a token-passing mechanism that allows users to control which applications have access to their data without revealing their passwords.

Key Definitions

User — the Magento user (admin or customer) granting access
Consumer — the third-party application
Consumer Key / Consumer Secret — identify the consumer
Request Token — temporary credential used to request access
Access Token — long-lived credential granted after authorization

OAuth Process — three steps

POST /oauth/initiate — get an unauthorized Request Token.
GET /oauth/authorize (customer) or /admin/oauth_authorize (admin) — user authorization.
POST /oauth/token — exchange Request Token for Access Token.

Authorization Header

Every REST request must include:

oauth_consumer_key
oauth_nonce
oauth_signature_method (HMAC-SHA1, RSA-SHA1 or PLAINTEXT)
oauth_signature
oauth_timestamp
oauth_token
oauth_version

OAuth Error Codes

1 / 400 — version_rejected
2 / 400 — parameter_absent
3 / 400 — parameter_rejected
4 / 401 — timestamp_refused
5 / 401 — nonce_used
6 / 400 — signature_method_rejected
7 / 401 — signature_invalid
8 / 401 — consumer_key_rejected
9 / 401 — consumer_key_unknown
10 / 401 — token_used
11 / 401 — token_expired
12 / 401 — token_revoked
13 / 401 — token_rejected

Exemplos de Código

session_start();

$callbackUrl = 'http://yourhost/oauth_admin.php';
$consumerKey    = 'yourconsumerkey';
$consumerSecret = 'yourconsumersecret';

$temporaryCredentialsRequestUrl = 'http://magentohost/oauth/initiate?oauth_callback=' . urlencode($callbackUrl);
$adminAuthorizationUrl          = 'http://magentohost/admin/oauth_authorize';
$accessTokenRequestUrl          = 'http://magentohost/oauth/token';
$apiUrl                         = 'http://magentohost/api/rest';

try {
    $oauth = new OAuth($consumerKey, $consumerSecret, OAUTH_SIG_METHOD_HMACSHA1, OAUTH_AUTH_TYPE_URI);
    $oauth->enableDebug();

    if (!isset($_GET['oauth_token']) && !$_SESSION['state']) {
        $requestToken = $oauth->getRequestToken($temporaryCredentialsRequestUrl);
        $_SESSION['secret'] = $requestToken['oauth_token_secret'];
        $_SESSION['state']  = 1;
        header('Location: ' . $adminAuthorizationUrl . '?oauth_token=' . $requestToken['oauth_token']);
        exit;
    } elseif ($_SESSION['state'] === 1) {
        $oauth->setToken($_GET['oauth_token'], $_SESSION['secret']);
        $accessToken = $oauth->getAccessToken($accessTokenRequestUrl);
        $_SESSION['state']  = 2;
        $_SESSION['token']  = $accessToken['oauth_token'];
        $_SESSION['secret'] = $accessToken['oauth_token_secret'];
        header('Location: ' . $callbackUrl);
        exit;
    } else {
        $oauth->setToken($_SESSION['token'], $_SESSION['secret']);
        $oauth->fetch($apiUrl . '/products', null, OAUTH_HTTP_METHOD_GET, ['Accept' => 'application/json']);
        echo $oauth->getLastResponse();
    }
} catch (OAuthException $e) {
    echo $e->getMessage();
}

Documentação oficial

GET


                                    /admin/oauth/configure

OAuth Configuration (Admin Panel)

OAuth Configuration

Working with Consumers

System > Web Services > REST - OAuth Consumers.
Click Add New and fill in Name, Callback URL and Rejected Callback URL.
Key and Secret are auto-generated and cannot be edited.

Token Management (Admin)

View authorized tokens at System > Web Services > REST - OAuth Authorized Tokens.
Mass actions: enable, revoke, delete.

Token Management (Frontend)

Customers manage their apps at My Account > My Applications.

Cleanup Configuration

Set the probability threshold and expiration period (minutes) for temporary token cleanup at System > Configuration > Services > OAuth.

Documentação oficial