I have read a few articles on the subject, but I am just looking for some more advice really.
I have a WordPress site with a login functionality and user database on that site.
What I need to do is allow a 3rd party application to authenticate details which it receives against my WordPress database.
I was thinking the best way to do this would be by sending the data to a REST API, but security-wise I cannot think how I can return a successful login without this being easily duplicated by a user.
I have read about OAuth and HMAC, but am not sure which route I should be going down.
Any help greatly appreciated, thanks.
Ian
WordPress provides the XML-RPC API for this stuff. That's what the iPad/iPhone apps use.
Check out the Codex.
http://codex.wordpress.org/XML-RPC_Extending
http://codex.wordpress.org/XML-RPC_WordPress_API
For more general info, there's the Wikipedia entry, http://en.wikipedia.org/wiki/XML-RPC.
Related
I've had a request to provide some internal assistance with our company WordPress website. It's a public site and our marketing team would like to host a single page on there that only existing customers can gain access to. We have an internal in-house developed CRM for which the devs have exposed an API to check if an email address provided is that of a customer or not and return a true/false result. The internal CRM uses identity for its auth.
I've done quite a bit of research into the possible options, but none really give a definitive path to achieve this, or offer an alternative solution.
I have a small amount of WP experience, and unfortunately am the only person internally who comes close to being able to "help", however I need some assistance please! What would be the best way to go about securing a single page on a WP site, authenticated by a user providing their email address and it checking the CRM endpoint for true/false validity?
After searching the WordPress documentation and Google, I haven't found any proper way to achieve my goal: being able to log in to WordPress from a custom third-party application built with Node.js.
The step is to check if a username/password pair is an administrator and then process tasks on my external app.
Has anyone already used the REST API of WordPress to authenticate a user? WITHOUT INSTALLING ANY PLUGIN, I just want to get a response from the server telling me whether my username/password pair is valid and is an administrator; I know I can query the database to check, but I want to go through the built-in WP REST API.
Thank you.
The simple answer is no, and here is why:
While cookie authentication is the only authentication mechanism available natively within WordPress, plugins may be added to support alternative modes of authentication that will work from remote applications. Some example plugins are OAuth 1.0a Server, Application Passwords, and JSON Web Tokens.
Source: WordPress Official Handbook
However there is a painful and insecure way of doing it with plain HTTP authentication which is not recommended.
The recommended way of doing this securely is to get the WordPress JWT or OAuth Server extension and use the standard authentication process, which is more convenient and secure; WordPress already lists them, as referenced in the quote. Hope this helps!
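As an added example (not part of the answer above or of WordPress itself), here is the Node.js check the question asks for, done with Application Passwords, which the answer lists as a plugin and which have shipped in WordPress core since 5.6 (they are only enabled over HTTPS by default). The site URL and credentials are placeholders, and the HTTP client is injected so the response handling can be exercised offline against a constructed response.

```javascript
// Added example (not from the thread): verify a username + Application
// Password against the built-in REST API and report whether the account
// holds the administrator role. Site URL and credentials are placeholders.

function basicAuthHeader(username, appPassword) {
  // WordPress accepts the application password with or without its spaces.
  const token = Buffer.from(`${username}:${appPassword}`, "utf8").toString("base64");
  return `Basic ${token}`;
}

// "roles" is only present in the edit context and only for the
// authenticated user's own record, which is why /users/me?context=edit is used.
function isAdministrator(userJson) {
  return Array.isArray(userJson.roles) && userJson.roles.includes("administrator");
}

// Map the REST response to a decision. Bad credentials yield 401/403 from the
// application-password handler; anything else unexpected is surfaced as an error.
function interpretUsersMe(status, body) {
  if (status === 401 || status === 403) return { authenticated: false, administrator: false };
  if (status !== 200) throw new Error(`unexpected HTTP ${status} from WordPress`);
  return { authenticated: true, administrator: isAdministrator(body) };
}

// fetchImpl is global fetch in production (Node 18+); injected here for testing.
async function checkWpAdmin(fetchImpl, siteUrl, username, appPassword) {
  const res = await fetchImpl(`${siteUrl}/wp-json/wp/v2/users/me?context=edit`, {
    headers: { Authorization: basicAuthHeader(username, appPassword), Accept: "application/json" },
  });
  const body = await res.json().catch(() => ({}));
  return interpretUsersMe(res.status, body);
}

// Usage (placeholder values): checkWpAdmin(fetch, "https://example.test", "admin", "xxxx xxxx xxxx xxxx xxxx xxxx")
```

The application password should be issued to the Node.js app specifically (Users > Profile > Application Passwords) and revoked there when the app is retired, rather than reusing the account's login password.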
I'm trying to implement "single sign-on" so that users of my ASP.NET site can jump to a WordPress site and automatically have their account created. There is a plug-in for WordPress called JWT Authenticator that will send unknown users to a URL you provide and then you can POST back a JWT with enough information for the plug-in to do its thing and automatically log in the user over there.
I can see how one might accomplish this just by generating a JWT using something like JOSE and then in JavaScript posting the token over, but I was hoping to capitalize on any existing code in the ASP.NET Identity/OAuth/JWT packages to manage the heavy lifting (especially the posting of the JWT).
Is that a standard "flow" for OAuth? I suppose in that case the ASP.NET site is sort of an Identity Server but the documentation for that sort of thing seems to suggest a structure way out of proportion for "make a JWT & post it back there".
Any ideas what subset of functions exist in the Identity & OAuth libraries for doing this?
Thanks!
James
I'm so confused about how to get authentication between an external, consumer website and a Laravel API right. What I'd like is to have a web app for which users are able to present information from the app to other people, using an external website that consumes the app's API. Here's an example of the basic setup in a bit more detail:
A Laravel 5.3 app that has a protected API endpoint api/status. Only authenticated users should be able to hit api/status, and the status returned is a particular status for the authenticated user.
An external website that consumes the Laravel API on behalf of a user, let's call her Alice. The necessary information is stored in the backend of Alice's website so that it can authenticate with the API on behalf of Alice. (The actual implementation I'm working on will be a WordPress site, and the API consumption will be done by a WordPress plugin that I am implementing; so any info stored will likely be stored in the WordPress database.)
The website has a /status page that displays Alice's status to anyone who browses to the page. (I.e., when the /status page is browsed to, an API call to the app is made on behalf of Alice. The returned status is specific to Alice, and is displayed to the person browsing the page.) People browsing to /status on Alice's website do NOT need to do any sort of authenticating to view the status on the page.
That is very simplified compared to my actual goal, but I hope it serves to keep the extraneous details to a minimum so we can focus on my actual question, which is what method of authentication should I use to achieve this?
One thing I DON'T want:
The person browsing Alice's website should NOT be able to use their browser's inspector to watch the API call and from that create further API calls on Alice's behalf on their own.
I have Passport installed on my Laravel App, but if I'm understanding things correctly I don't want to use the basic Access Token issuing workflow, as that would require the people browsing to Alice's website to authenticate using Alice's credentials. For the same reason, I don't think I want an Implicit Grant Token.
Using a Password Grant Token would require storing Alice's password for the Laravel app on her website. Is it OK to store passwords like this in a WordPress database? It makes me nervous...
The other option available through Passport is to have Alice create a Personal Access Token and store that in her website backend as the token to use to authenticate. But the Laravel documentation seems to imply that Personal Access Tokens are meant for testing and development purposes, which makes me wary of going this route for a production plugin. Plus, doesn't using a PAT make it possible to do the thing I DON'T want above, since the PAT is simply passed in the request header? Or is that problem mitigated by the fact that the API interaction would be done over SSL?
Do I even need to go through Passport to achieve what I want here? Is there a better way?
I've been reading myself in circles trying to understand what the best practice for this kind of setup is. I'm sorry if this question isn't focused enough, but if anyone has any good advice, or can clarify things for me I would much appreciate it!
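The setup described in this question (Alice's website calling api/status on her behalf, visitors never authenticating) is the server-side consumer pattern: the credential stays in the website backend and the browser only ever receives the sanitised status. Below is an added example of that pattern in Node.js, not code from the question, from Laravel Passport or from WordPress; it also caches the upstream result so anonymous visitors cannot drive unlimited API calls on Alice's behalf. The API base URL, the token source, CACHE_TTL_MS and the field names are assumptions.

```javascript
// Added example (not from the thread): serve /status to anonymous visitors
// while the API token never leaves the server. A WordPress plugin would hold
// the token in an option or wp-config.php constant; here it comes from an
// environment variable (placeholder).
const CACHE_TTL_MS = 30_000; // assumed: reuse one upstream answer for 30 s
const cache = new Map();      // apiBase -> { expires, body }

function loadServerConfig() {
  return {
    apiBase: "https://api.example.test", // placeholder for the Laravel app
    token: process.env.ALICE_API_TOKEN || "placeholder-token",
  };
}

// Keep only what the public page needs; the raw API body is never echoed,
// so nothing in the visitor's network inspector helps build further calls.
function sanitiseStatus(apiBody) {
  return { status: String(apiBody.status ?? "unknown") };
}

// Handle GET /status. fetchImpl is global fetch in production and is
// injected so the flow can be exercised offline; `now` likewise.
async function handleStatusRequest(fetchImpl, config = loadServerConfig(), now = Date.now()) {
  const hit = cache.get(config.apiBase);
  if (hit && hit.expires > now) return { status: 200, body: hit.body, upstreamCalled: false };

  const res = await fetchImpl(`${config.apiBase}/api/status`, {
    headers: { Authorization: `Bearer ${config.token}`, Accept: "application/json" },
  });
  if (!res.ok) return { status: 502, body: { error: "status unavailable" }, upstreamCalled: true };

  const body = sanitiseStatus(await res.json());
  cache.set(config.apiBase, { expires: now + CACHE_TTL_MS, body });
  return { status: 200, body, upstreamCalled: true };
}
```

Because the token is only ever sent server-to-server, the visitor sees nothing they could replay; the remaining risk is the token at rest on the website, so use a dedicated least-privilege token that can be revoked rather than Alice's password.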
What I need to achieve is the following, but I am quite stuck on the correct way to go about this:
From WordPress, specifically in the admin console I need to authenticate with an external website in a secure manner
Store a token of some sort (oauth2?)
Make an authenticated call from my plugin to the 3rd-party REST API
What would be the best way and a couple of methods to:
Authenticate, retrieve and store a token from the WordPress admin (preferably OAuth2)
Send this token to the external site with every API call?
Apologies on the vague nature but any direction will really help!!!