Lee

Reputation: 564

Unable to use oAuth Authentication on WooCommerce API over SSL

I am trying to access a V3 version of the WooCommerce REST API using oAuth for authentication over SSL.

The WordPress instance where WooCommerce is running which I am calling against is hosted using AWS Elastic Beanstalk.

When trying to use oAuth I am getting a 401 response. The URL that the request is made against is https://www.example.com/wc-api/v3/products?oauth_consumer_key=[my_key]&oauth_nonce=[nonce]&oauth_signature=[signature]%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1453572852&oauth_token=&oauth_version=1.0&filter%5Blimit%5D=500

As part of the response I get

[WWW-Authenticate] => Array
    (
        [0] => Basic realm="WooCommerce API. Use a consumer key in the username field and a consumer secret in the password field"
    )

I know the consumer key and secret I am using are fine, as I have been able to use them within a basic authentication request to the same site successfully.

I have tested the same oAuth code against a non-ssl address in my development environment (this is not on AWS) which worked fine.

I know WooCommerce say you must use oAuth for requests on http addresses - but is the opposite the case where you cannot use oAuth for requests on https? Or is there something I need to configure server side which is likely different between my dev environment and the production environment on AWS?

Upvotes: 1

Views: 996

Answers (1)

Karthik

Reputation: 1751

If you look at woocommerce/includes/api/class-wc-api-authentication.php the authenticate function says:

if ( is_ssl() ) {
    $keys = $this->perform_ssl_authentication();
} else {
    $keys = $this->perform_oauth_authentication();
}

which means you cannot use oAuth for https. (According to WooCommerce you need not.)

SSL-encrypted requests are not subject to sniffing or man-in-the-middle attacks, so the request can be authenticated by simply looking up the user associated with the given consumer key and confirming the consumer secret provided is valid

Upvotes: 4
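
A client can mirror the server-side branch quoted in the answer by choosing the scheme from the URL: HTTP Basic with the consumer key and secret over https, an OAuth 1.0a HMAC-SHA1 signed query over http. This is an added example, not code from the original post or from WooCommerce; the function names, hosts and credentials are constructed, the signing follows RFC 5849 with an empty token secret, and it is an assumption that the server normalizes parameters the same way.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, urlencode, urlsplit

def pct(value):
    """Percent-encode per RFC 3986, as OAuth 1.0a (RFC 5849, section 3.6) requires."""
    return quote(str(value), safe="-._~")

def oauth1_signature(method, url, params, consumer_secret):
    """HMAC-SHA1 over the RFC 5849 signature base string, with no token secret."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    key = pct(consumer_secret) + "&"  # empty token secret after the "&"
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def build_request(method, url, query, consumer_key, consumer_secret,
                  nonce=None, timestamp=None):
    """Return (full_url, headers); url is assumed to carry no query string yet."""
    scheme = urlsplit(url).scheme.lower()
    params = dict(query)
    headers = {}
    if scheme == "https":
        # is_ssl() branch: key and secret as HTTP Basic credentials, no oauth_* params.
        creds = f"{consumer_key}:{consumer_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    elif scheme == "http":
        # OAuth branch: the secret is never sent, only the signature derived from it.
        params.update({
            "oauth_consumer_key": consumer_key,
            "oauth_nonce": nonce or secrets.token_hex(16),
            "oauth_signature_method": "HMAC-SHA1",
            "oauth_timestamp": str(timestamp or int(time.time())),
        })
        params["oauth_signature"] = oauth1_signature(method, url, params, consumer_secret)
    else:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    full_url = url + ("?" + urlencode(params, quote_via=quote) if params else "")
    return full_url, headers

if __name__ == "__main__":
    # Constructed hosts and credentials, for illustration only.
    for target in ("https://shop.example.test/wc-api/v3/products",
                   "http://dev.example.test/wc-api/v3/products"):
        print(build_request("GET", target, {"filter[limit]": 500},
                            "ck_constructed", "cs_constructed"))
```
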
