WooCommerce OAuth 1 one-legged Authentication in .NET

WooCommerce is newbie in the world of eCommerce. The platform has gained good popularity due to its ability to adapt customers need. There are huge options available in it for customizable extensions according to your business’s need. Also, you will find multiple free resources like themes, Plugins, fonts etc. Woocommerce also provides other APIs package for third party application, for better communication.

In order to make this tutorial work, you need to have WooCommerce 2.1 or current version installed within word press.

Before we start with the process of OAuth authentication in .NET let’s get pre-requirements of this:

Enable REST API under WooCommerce > Settings

  • Pretty permalinks must be enabled
  • Should already have consumer key and consumer secret for the admin user

The current API version is v2 which returns response as JSON. The v1 endpoint is also available in WooCommerce 2.1 / 2.2 / 2.3, but it will be eliminated in the future version. V1 return’s result is in xml format.

Further differentiations can be found at

http://woocommerce.github.io/ woocommerce-rest-api-docs/ #schema

APIs available can be checked using the following URL


EITHER HMAC-SHA1 or HMAC-SHA256 can be used for encryption. I have used HMAC-SHA1. Signature generation mechanism will remain the same whether you are using GET or POST. Assuming one is fetching all product data from WooCommerce.

Base URL becomes http://www.your-store.com/wc-api/v2/products

Above URL should be RFC3986 encoded which can be achieved by EscapeDataString function of URI class.

Request authentication follows three steps:

Creating the string that will be used to generate the signature:
  • If using extra parameters like filter, page etc., collect oauth parameters (oauth_consumer_key, oauth_signature_method, oauth_nonce, oauth_timestamp, oauth_signature) and extra parameters like (filter) in a single string array and sort them.

For example: If filter and page is used as extra filter then the sorted order should be like: filter, oauth_consumer_key, oauth_nonce, oauth_signature, oauth_signature_method, oauth_timestamp, and page.

NOTE: RFC Reserved characters like ‘[’,’]’ should be replaced with their special representation “%5B”,”%5D” respectively.

  • Next comes creating a string that will be used for signature generation

Note:Values of each parameter should also be RFC3986 encoded using EscapeDataString.

i) From the already sorted array, excepting oauth_signature, assign all the oauth parameters with their corresponding values using ’=’ and concatenate all parameters using ‘&’.

For example:

filter%5Bcreated_at_min%5D=2015-08-10%2011%3A44%3A09& oauth_consumer_key= ck_73b6ea56821441297 cc3e7c40a8420b0& oauth_nonce=523F69FD663D98A52B8B& oauth_signature_method=HMAC-SHA1& oauth_timestamp=1439190852& page=1

ii) Encode the above generated string again using EscapeDataString function.

iii) Concatenate request method name with
a) ‘&’
b) RFC3986 encoded base URL
c) ’&’
d) The above generated string. Your resultant string to sign will look like this

GET&http%3A%2F%2Fyour-domain.com%2Fwc-api%2Fv2%2Fproducts& filter%255Bcreated _at_min%255D%3D2015-08 -10%252011%253A44%253A09%26oauth _consumer_key%3Dck_ 73b6ea56821441297c c3e7c40a8420b0%26oauth _nonce%3D523F69FD663D9 8A52B8B%26oauth_signature _method%3DHMAC-SHA1%26oauth _timestamp%3D1439190852%26page%3D1

Signing the string with HMAC-SHA1 algorithm using consumer secret:

  • Use the below code to generate the signature with the above generated string
HMACSHA1 hmac = new HMACSHA1 (Encoding.ASCII.GetBytes (consumerSecret));
string signature =Convert.ToBase64String (hmac.ComputeHash (Encoding.ASCII.GetBytes (sigBaseString)));
return signature;
Generating header for request:
  • Assign the generated signature string to oauth_signature parameter using ‘=’ in the sorted list of (encrypted) parameters and then generate a new string with the parameters separated by ‘&’. Result will look like this:
filter%5Bcreated_at_min%5D=2015-08-10%2011%3A46%3A16&oauth_consumer_ key=ck_73b6ea56821441297 cc3e7c40a8420b0& oauth_nonce= 22D5566F51C432C353BB& oauth_signature= eExcwKdn6vEulbKJQ A6yaJ9Tscs%3D& oauth_signature_method=HMAC-SHA1 & oauth_timestamp=1439190978& page=1
  • Finally concatenate un-encoded base URL with “?” and the authorization header just generated.

All done you can make the request with the last string generated as the base URL and you will get your response!!

For more details please refer below link:

http://woocommerce.github.io/ woocommerce-rest-api-docs/ #schema

Integrate NAV with eCommerce, Marketplace and CRM