What I need to achieve is the following, but I am quite stuck on the correct way to go about this:
From WordPress, specifically in the admin console, I need to authenticate with an external website in a secure manner
Store a token of some sort (OAuth2?)
Make authenticated calls from my plugin to the 3rd-party REST API
What would be the best way, and a couple of methods, to:
Authenticate, then retrieve and store a token from the WordPress admin (preferably OAuth2)
Send this token to the external site with every API call?
Apologies for the vague nature, but any direction will really help!
So... I've read countless articles, but still can't wrap my mind around which to use, or whether a simple JSON Web Token is enough.
I have a WordPress website and a mobile application of said website.
I can log in to my website using email and password, and I can also log in on my mobile application using email and password.
The mobile application communicates with the website through the WordPress REST API. It (the mobile app) sends the user's email and password to the API, and the API returns a JWT if both are valid.
Then, I simply store the JWT in the user's device.
My main doubts are:
For a mobile app with not much sensitive user data, is that acceptable/safe enough?
For a mobile app with sensitive user data, is that acceptable/safe enough?
Or should I use OAuth2 in both cases (which is harder to implement and will take time, but it's safer (I think..))?
Thank you and apologies if duplicated.
This is more of a security compliance decision you might have to take.
As a first step, you should think like a product owner, or ask a product owner which one to use by explaining to them the advantages of OAuth 2.0 over a simple JWT.
You might have to consider the following things:
What is the size of the user base?
How sensitive is the data you are going to store?
What user experience do you want to give your users?
Also, using a JWT doesn't mean it is not safe enough.
One more extra thing you could do to make it more secure is adding an expiry time to your JWT with a refresh token mechanism; that way, even if the JWT is exposed, it will expire at some later time.
JWT is a secure solution and is often used for mobile applications.
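As an added illustration of the expiry-plus-refresh-token mechanism this answer recommends (and of the JWT-for-mobile setup in the question above), not code from either post: a stdlib-only Python sketch of issuing and verifying a short-lived HS256 JWT, with opaque refresh tokens that are stored hashed server-side and rotated on every use. The signing key, the TTL values, the user ids and the header names are constructed for the demo; a WordPress plugin would implement the same logic in PHP with hash_hmac and hash_equals.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key. A real deployment loads this from configuration
# (e.g. a constant in wp-config.php), never from source control.
SIGNING_KEY = b"constructed-demo-signing-key"
ACCESS_TTL = 15 * 60          # access tokens die after 15 minutes
REFRESH_TTL = 30 * 24 * 3600  # refresh tokens live 30 days unless rotated/revoked


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _now(now):
    return int(time.time()) if now is None else now


def issue_access_token(user_id: str, now=None) -> str:
    """Build a compact HS256 JWT carrying sub/iat/exp."""
    ts = _now(now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": ts, "exp": ts + ACCESS_TTL}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token: str, now=None):
    """Return the claims if the token is well formed, HS256-signed with our
    key and unexpired; otherwise None. The algorithm is pinned, so a token
    that claims alg=none or any other alg is rejected before any other check."""
    ts = _now(now)
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(SIGNING_KEY, f"{h_b64}.{p_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            return None
        claims = json.loads(_b64url_decode(p_b64))
        if not isinstance(claims, dict):
            return None
        exp = claims.get("exp")
        if not isinstance(exp, int) or exp <= ts:
            return None
        return claims
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None


class RefreshTokenStore:
    """Opaque refresh tokens kept server side (only their SHA-256 is stored),
    rotated on every use: redeeming a token revokes it and issues a fresh one,
    so a leaked refresh token works at most once, and a second attempt is a
    detectable sign that a token was stolen."""

    def __init__(self):
        self._by_hash = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, now=None) -> str:
        token = secrets.token_urlsafe(32)
        self._by_hash[self._key(token)] = (user_id, _now(now) + REFRESH_TTL)
        return token

    def redeem(self, token: str, now=None):
        """Exchange a refresh token for a new (access_token, refresh_token)
        pair, or None if it is unknown, already used or expired."""
        ts = _now(now)
        entry = self._by_hash.pop(self._key(token), None)  # one-time use
        if entry is None:
            return None
        user_id, expires_at = entry
        if expires_at <= ts:
            return None
        return issue_access_token(user_id, ts), self.issue(user_id, ts)

    def revoke_user(self, user_id: str) -> int:
        """Log a user out everywhere by dropping all of their refresh tokens."""
        doomed = [k for k, (uid, _) in self._by_hash.items() if uid == user_id]
        for k in doomed:
            del self._by_hash[k]
        return len(doomed)
```

The split of roles is the point: the access JWT is stateless and short-lived, so a leaked one is only useful for minutes and no blacklist is needed, while the refresh token is the stateful, revocable credential the app keeps in the platform keystore and presents only to the token endpoint.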
If you choose OAuth, you have several options for authentication, because there are several grant types:
Authorization Code grant type, which is the most popular; the advantage of this is that it uses the WordPress login interface
User Credentials grant type, which has a direct trust relationship with the application that provides the user credentials; this is often used with mobile applications
You also have the option of JWT access tokens at the OAuth server, which provides even more security for you.
We have created an OAuth 2.0 plugin for WordPress: https://lana.codes/product/lana-passport/
You can try it with the demo, and there is also detailed documentation for it.
I personally use the OAuth plugin to be able to log in to my WordPress websites using the Single Sign On button, which uses my primary WordPress website for authentication. OAuth is more commonly used for Single Sign On solutions.
I am not sure about the technical term for what I am looking for. However, I have done this in Laravel using middleware. I am trying to achieve the same in the WordPress REST API.
I am planning to make a site as a service using the WordPress REST API, which I will use cross-platform. Since anyone can access the WordPress API, it is too dangerous.
I want to block it for the public and allow only those who pass the access token (not JWT or OAuth) to access the API. This is how I can limit the access.
So if I make an Android app and pass the access token, it will have access, but anyone who wants to make an app from my API won't be able to.
I hope I have explained it properly. You can see my middleware code, which might help to explain more.
Use the WordPress JWT plugin, which adds authentication for the WordPress API: https://wordpress.org/plugins/jwt-authentication-for-wp-rest-api/
I'm trying to implement "single sign-on" so that users of my ASP.NET site can jump to a WordPress site and automatically have their account created. There is a plug-in for WordPress called JWT Authenticator that will send unknown users to a URL you provide, and then you can POST back a JWT with enough information for the plug-in to do its thing and automatically log in the user over there.
I can see how one might accomplish this just by generating a JWT using something like JOSE and then in javascript posting the token over, but I was hoping to capitalize on any existing code in the ASP.NET Identity/OAuth/JWT packages to manage the heavy lifting (especially the posting of the JWT).
Is that a standard "flow" for OAuth? I suppose in that case the ASP.NET site is sort of an Identity Server but the documentation for that sort of thing seems to suggest a structure way out of proportion for "make a JWT & post it back there".
Any ideas what subset of functions exist in the Identity & OAuth libraries for doing this?
Thanks!
James
I'm so confused about how to get authentication between an external, consumer website and a Laravel API right. What I'd like is to have a web app for which users are able to present information from the app to other people, using an external website that consumes the app's API. Here's an example of the basic setup in a bit more detail:
A Laravel 5.3 app that has a protected API endpoint api/status. Only authenticated users should be able to hit api/status, and the status returned is a particular status for the authenticated user.
An external website that consumes the Laravel API on behalf of a user, let's call her Alice. The necessary information is stored in the backend of Alice's website so that it can authenticate with the API on behalf of Alice. (The actual implementation I'm working on will be a WordPress site, and the API consumption will be done by a WordPress plugin that I am implementing; so any info stored will likely be stored in the WordPress database.)
The website has a /status page that displays Alice's status to anyone who browses to the page. (Ie, when the /status page is browsed to, an API call to the app is made on behalf of Alice. The returned status is specific to Alice, and is displayed to the person browsing the page.) People browsing to /status on Alice's website do NOT need to do any sort of authenticating to view the status on the page.
That is very simplified compared to my actual goal, but I hope it serves to keep the extraneous details to a minimum so we can focus on my actual question, which is what method of authentication should I use to achieve this?
One thing I DON'T want:
The person browsing Alice's website should NOT be able to use their browser's inspector to watch the API call and from that create further API calls on Alice's behalf on their own.
I have Passport installed on my Laravel app, but if I'm understanding things correctly I don't want to use the basic Access Token issuing workflow, as that would require the people browsing to Alice's website to authenticate using Alice's credentials. For the same reason, I don't think I want an Implicit Grant Token.
Using a Password Grant Token would require storing Alice's password for the Laravel app on her website. Is it ok to store passwords like this in a WordPress database? It makes me nervous...
The other option available through Passport is to have Alice create a Personal Access Token and store that in her website backend as the token to use to authenticate. But the Laravel documentation seems to imply that Personal Access Tokens are meant for testing and development purposes, which makes me wary of going this route for a production plugin. Plus, doesn't using a PAT make it possible to do the thing I DON'T want above, since the PAT is simply passed in the request header? Or is that problem mitigated by the fact that the API interaction would be done over SSL?
Do I even need to go through Passport to achieve what I want here? Is there a better way?
I've been reading myself in circles trying to understand what the best practice for this kind of setup is. I'm sorry if this question isn't focused enough, but if anyone has any good advice, or can clarify things for me I would much appreciate it!
I have read a few articles on the subject, but I am just looking for some more advice really.
I have a WordPress site with a login functionality and user database on that site.
What I need to do is allow a 3rd party application to authenticate details which it receives against my WordPress database.
I was thinking the best way to do this would be by sending the data to a REST API, but security wise I cannot think how I can return a successful login without this being easily duplicated by a user.
I have read about OAuth and HMAC, but am not sure which route I should be going down.
Any help greatly appreciated, thanks.
Ian
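Both this question (a third-party app checking logins against WordPress without the exchange being "easily duplicated") and the earlier one about letting only callers who hold an access token reach the REST API come down to the same requirement: a secret that identifies the caller, never travels in a request, and cannot be captured and replayed. An HMAC-signed request does exactly that. The following is an added example, not code from any of the posts: a stdlib-only Python sketch of both sides, with a timestamp window and a one-time nonce so a recorded request is rejected on the second attempt. The shared secret, header names and endpoint path are constructed for the demo; on the WordPress side the same check would run in a `rest_authentication_errors` filter using PHP's hash_hmac and hash_equals.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo secret, shared out of band by the 3rd-party app and the
# WordPress site. It is never placed in a request; only a MAC computed with
# it is, so observing traffic in a browser inspector or proxy yields nothing reusable.
SHARED_SECRET = b"constructed-demo-shared-secret"
MAX_SKEW = 300  # seconds of clock drift / delivery delay tolerated


def canonical_string(method: str, path: str, body: bytes, timestamp: int, nonce: str) -> str:
    """What gets signed: method, path, body hash, timestamp and nonce. Any change
    to any of them (including re-stamping a captured request) breaks the MAC."""
    return "\n".join([method.upper(), path, hashlib.sha256(body).hexdigest(),
                      str(timestamp), nonce])


def sign_request(method, path, body, secret=SHARED_SECRET, now=None, nonce=None) -> dict:
    """Client side: produce the headers to attach to an outgoing request."""
    ts = int(time.time()) if now is None else now
    nonce = nonce if nonce is not None else secrets.token_hex(16)
    mac = hmac.new(secret, canonical_string(method, path, body, ts, nonce).encode(),
                   hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": mac}


class RequestVerifier:
    """Server side: accept a request only if it is fresh, unseen and its MAC
    matches. Nonces are remembered until their timestamp window has closed,
    after which the timestamp check alone rejects a replay."""

    def __init__(self, secret=SHARED_SECRET):
        self.secret = secret
        self._seen = {}  # nonce -> time after which it can be forgotten

    def verify(self, method, path, body, headers, now=None) -> bool:
        current = int(time.time()) if now is None else now
        try:
            ts = int(headers["X-Timestamp"])
            nonce = str(headers["X-Nonce"])
            sig = str(headers["X-Signature"]).encode()
        except (KeyError, ValueError, TypeError):
            return False
        if abs(current - ts) > MAX_SKEW:      # stale, or suspiciously far in the future
            return False
        self._seen = {n: e for n, e in self._seen.items() if e >= current}
        if nonce in self._seen:                # exact replay of a captured request
            return False
        expected = hmac.new(self.secret,
                            canonical_string(method, path, body, ts, nonce).encode(),
                            hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, sig):   # forged, tampered or wrong secret
            return False
        self._seen[nonce] = ts + MAX_SKEW       # remember for as long as ts is acceptable
        return True
```

Compared with a static bearer token, nothing in the headers is reusable: the signature binds the body and path, the timestamp bounds how long a capture stays valid, and the nonce closes the remaining window. The nonce store must be shared across all PHP workers in production (a transient or the database, not an in-process dict), otherwise a replay to a different worker succeeds.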
WordPress provides the XML-RPC API for this stuff. That's what the iPad/iPhone apps use.
Check out the Codex.
http://codex.wordpress.org/XML-RPC_Extending
http://codex.wordpress.org/XML-RPC_WordPress_API
For more general info, there's the Wikipedia entry, http://en.wikipedia.org/wiki/XML-RPC.