How do I get an OAuth access token for Magento?

Posted 2019-08-29 03:39

Question:

I'm trying to access my Magento store's REST API, but I can't seem to acquire the access token. I keep getting a 400 Bad Request (OAuth::Unauthorized) error.

Here's the code I'm using:

require 'oauth'
require 'mechanize'

@m = Mechanize.new

@title = @m.get('http://178.62.173.99/').title

@callback_url = 'http://178.62.173.99/'
@consumer = OAuth::Consumer.new(
  'b3ba0db944d1ad0d416329844734db54',
  '38fedbc5cdeed7803547b24a0980c834',
  :request_token_path => '/oauth/initiate',
  :authorize_path=>'/admin/oauth_authorize',
  :access_token_path=>'/oauth/token',
  :site => 'http://178.62.173.99'
)

@session = {}

@request_token = @consumer.get_request_token(:oauth_callback => @callback_url)
@session[:request_token] = @request_token
@session[:authorize_url] = @request_token.authorize_url(:oauth_callback => @callback_url)

@m.get(@session[:authorize_url]) do |login_page|
  auth_page = login_page.form_with(:action => 'http://178.62.173.99/index.php/admin/oauth_authorize/index/') do |form|
    form.elements[1].value = 'admin'
    form.elements[2].value  = 'goodfood88'
  end.submit

  authorize_form = auth_page.forms[0]

  callback_page = authorize_form.submit

  puts 'Successfully authorized application' unless callback_page.title != @title
end

@access_token = @request_token.get_access_token

It returns the following:

    Successfully authorized application
/Users/narzero/.rbenv/versions/2.1.2/lib/ruby/gems/2.1.0/gems/oauth-0.4.7/lib/oauth/consumer.rb:216:in `token_request': 400 Bad Request (OAuth::Unauthorized)
        from /Users/narzero/.rbenv/versions/2.1.2/lib/ruby/gems/2.1.0/gems/oauth-0.4.7/lib/oauth/tokens/request_token.rb:18:in `get_access_token'
        from six.rb:37:in `<main>'

I've stored the important data into a Hash, here's what it returns:

@session
# => {:request_token=>
  #<OAuth::RequestToken:0x007fe923161c00
   @consumer=
    #<OAuth::Consumer:0x007fe924083350
     @http=#<Net::HTTP 178.62.173.99:80 open=false>,
     @http_method=:post,
     @key="b3ba0db944d1ad0d416329844734db54",
     @options=
      {:signature_method=>"HMAC-SHA1",
       :request_token_path=>"/oauth/initiate",
       :authorize_path=>"/admin/oauth_authorize",
       :access_token_path=>"/oauth/token",
       :proxy=>nil,
       :scheme=>:header,
       :http_method=>:post,
       :oauth_version=>"1.0",
       :site=>"http://178.62.173.99"},
     @secret="38fedbc5cdeed7803547b24a0980c834">,
   @params=
    {:oauth_token=>"1bae7ce87f68d2090f131e7f3b98b26c",
     "oauth_token"=>"1bae7ce87f68d2090f131e7f3b98b26c",
     :oauth_token_secret=>"78921fcd23f6fa41356d56afadd8b1af",
     "oauth_token_secret"=>"78921fcd23f6fa41356d56afadd8b1af",
     :oauth_callback_confirmed=>"true",
     "oauth_callback_confirmed"=>"true"},
   @secret="78921fcd23f6fa41356d56afadd8b1af",
   @token="1bae7ce87f68d2090f131e7f3b98b26c">,
 :authorize_url=>
  "http://178.62.173.99/admin/oauth_authorize?oauth_callback=http%3A%2F%2F178.62.173.99%2F&oauth_token=1bae7ce87f68d2090f131e7f3b98b26c"}

What could I try to get an access token?

Answer 1:

Regenerate your API tokens/secret immediately and never post them publicly again. The problem is you are making an OAuth request against your own site, not Magento's servers. Look at your code. There isn't a single reference to an external URL. The site parameter in the OAuth::Consumer constructor call is set to your own site. This should be set to the host for the Magento API OAuth provider.



Answer 2:

Here's a Ruby module I've written to create an access token for the Magento REST API:

require 'oauth'
require 'mechanize'
require 'cgi'
require 'json'

module Token
  def create_consumer
    OAuth::Consumer.new(
      CONSUMER_KEY,
      CONSUMER_SECRET,
      :request_token_path => '/oauth/initiate',
      :authorize_path=>'/admin/oauth_authorize',
      :access_token_path=>'/oauth/token',
      :site => URL
    )
  end

  def request_token(args = {})
    args[:consumer].get_request_token(:oauth_callback => URL)
  end

  def get_authorize_url(args = {})
    args[:request_token].authorize_url(:oauth_callback => URL)
  end

  def authorize_application(args = {})
    m = Mechanize.new

    m.get(args[:authorize_url]) do |login_page|
      auth_page = login_page.form_with(:action => "#{URL}/index.php/admin/oauth_authorize/index/") do |form|
        form.elements[1].value = ADMIN_USERNAME
        form.elements[2].value = ADMIN_PASSWORD
      end.submit

      authorize_form = auth_page.forms[0]

      @callback_page = authorize_form.submit
    end

    @callback_page.uri.to_s
  end

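  def extract_oauth_verifier(args = {})
    # Parse the query string of the callback URL. The earlier gsub! call
    # returned nil whenever the URL prefix did not match exactly.
    callback_query = URI.parse(args[:callback_page].to_s).query.to_s

    callback_page_query_string = CGI::parse(callback_query)

    callback_page_query_string['oauth_verifier'][0]
  end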

  def get_access_token(args = {})
    args[:request_token].get_access_token(:oauth_verifier => args[:oauth_verifier])
  end

  def save_tokens_to_json(args = {})
    auth = {}

    auth[:time] = Time.now
    auth[:token] = args[:access_token].token
    auth[:secret] = args[:access_token].secret

    File.open("#{args[:path]}#{args[:filename]}.json", 'w') {|f| f.write(auth.to_json)}

    auth
  end

  def get_new_access_tokens
    new_consumer = self.create_consumer
    new_request_token = self.request_token(consumer: new_consumer)
    new_authorize_url = self.get_authorize_url(request_token: new_request_token)
    authorize_new_application = self.authorize_application(authorize_url: new_authorize_url)
    extract_new_oauth_verifier = self.extract_oauth_verifier(callback_page: authorize_new_application)
    new_access_token = self.get_access_token(request_token: new_request_token, oauth_verifier: extract_new_oauth_verifier)
    save_tokens_to_json(filename: 'magento_oauth_access_tokens', path: '/', access_token: new_access_token)

    return 'Successfully obtained new access tokens.'
  end
end

Run #get_new_access_tokens to get an access token.

Don't forget to define the following variables:

  • CONSUMER_KEY
  • CONSUMER_SECRET
  • URL
  • ADMIN_USERNAME
  • ADMIN_PASSWORD
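
The step that separates the failing call in the question from the module in Answer 2 is the `oauth_verifier`. The following is an added example, not code from either answer or from Magento, showing how an OAuth 1.0a client reads the verifier from the callback and signs it into the access-token request with HMAC-SHA1. The host `shop.example`, all keys and tokens, and the helper names are constructed for illustration.

```ruby
require 'openssl'
require 'uri'

# RFC 5849 percent-encoding: only unreserved characters stay literal.
def oauth_escape(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end

# Read oauth_verifier from the callback URL and check that the callback
# belongs to the request token this client started the flow with.
def verifier_from_callback(callback_url, request_token)
  params = URI.decode_www_form(URI.parse(callback_url).query.to_s).to_h
  raise ArgumentError, 'callback is for a different request token' unless params['oauth_token'] == request_token
  params['oauth_verifier'] or raise ArgumentError, 'callback carries no oauth_verifier'
end

# Signature base string: METHOD & escaped URL & escaped, sorted parameter list.
def signature_base_string(http_method, url, params)
  pairs = params.map { |k, v| [oauth_escape(k), oauth_escape(v)] }.sort
  normalized = pairs.map { |k, v| "#{k}=#{v}" }.join('&')
  [http_method.upcase, oauth_escape(url), oauth_escape(normalized)].join('&')
end

# Authorization header for the access-token request. oauth_verifier is one of
# the signed parameters; the key is consumer secret & request-token secret.
def access_token_header(url, consumer, request, verifier, nonce, timestamp)
  params = {
    'oauth_consumer_key' => consumer[:key], 'oauth_nonce' => nonce,
    'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => timestamp.to_s,
    'oauth_token' => request[:token], 'oauth_verifier' => verifier,
    'oauth_version' => '1.0'
  }
  key = "#{oauth_escape(consumer[:secret])}&#{oauth_escape(request[:secret])}"
  base = signature_base_string('POST', url, params)
  digest = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA1'), key, base)
  params['oauth_signature'] = [digest].pack('m0') # strict Base64, no newline
  'OAuth ' + params.sort.map { |k, v| %(#{k}="#{oauth_escape(v)}") }.join(', ')
end

# Constructed sample values (not the credentials from the question).
CONSUMER = { key: 'ck-example', secret: 'cs-example' }.freeze
REQUEST  = { token: 'rt-example', secret: 'rs-example' }.freeze
CALLBACK = 'http://shop.example/?oauth_token=rt-example&oauth_verifier=v-example'

verifier = verifier_from_callback(CALLBACK, REQUEST[:token])
puts access_token_header('http://shop.example/oauth/token', CONSUMER, REQUEST,
                         verifier, 'nonce-example', 1_400_000_000)
```

In real use the nonce must be random and the timestamp current; they are fixed here only so the output is reproducible.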