WP-API / authentication

The home for design & development of a core WordPress REST API authentication solution
GNU General Public License v2.0

Add support for "verified" clients. #25

Open TimothyBJacobs opened 4 years ago

TimothyBJacobs commented 4 years ago

First pass at a basic form of verified software statements.

This checks the JWT for an "iss" header. If one is present, we fetch a public key at that host ".well-known/wp-api/oauth2.pem", and use that public key to verify the JWT.

If a client is verified we display a "verified" message on the connect screen.

This also adds a new "--sign" flag to the CLI command to generate a signed software statement.

Fixes #18.


Test Instructions

1. Generate an OpenSSL key pair. Enter a passphrase.

   openssl genrsa -des3 -out private.pem 2048

2. Then export the public key to a file.

   openssl rsa -in private.pem -outform PEM -pubout -out public.pem

3. And upload it to https://yourwebsite.com/.well-known/wp-api/oauth2.pem.

4. Then, in your WordPress install, run the WP CLI command to generate a software statement.

   wp oauth2 create-software-statement https://yourwebsite.com --client_name="My App" --redirect_uri="https://yourwebsite.com/oauth" --sign=/path/to/private.pem

5. WP CLI will prompt you for the passphrase you entered in step 1.

6. Use your generated software statement as the client_id.

$ wp oauth2 create-software-statement https://timothybjacobs.com --client_name="My App" --redirect_uri="https://timothybjacobs.com/oauth" --sign=/path/to/private.pem
Generated software id: a0ade6fa-6b69-43ee-9bf6-7b84b26b3786
Passphrase:
Success: Generated Statement: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJjbGllbnRfdXJpIjoiaHR0cHM6XC9cL3RpbW90aHliamFjb2JzLmNvbSIsInNvZnR3YXJlX2lkIjoiYTBhZGU2ZmEtNmI2OS00M2VlLTliZjYtN2I4NGIyNmIzNzg2IiwicmVkaXJlY3RfdXJpcyI6WyJodHRwczpcL1wvdGltb3RoeWJqYWNvYnMuY29tXC9vYXV0aCJdLCJjbGllbnRfbmFtZSI6Ik15IEFwcCIsImlzcyI6Imh0dHBzOlwvXC90aW1vdGh5YmphY29icy5jb20ifQ.mLofeFU21bcWrEjfyb4WFbLZ_2VgVLY_1_LUs9FWawMlvkBr9Taf4gstRzrN5WqHBxwpyJF7x9FI13M5BYxNlxlp1JmTkRILdo5AQGapcSrj_BMCfvrJ4wCldqEkrOarzbPxqZJVSStxEs9HYSPQc-voIgzBt4oZJ6K0mZdBC-qxK_pdshHIc9BRtfQZMdmSKpNWQ1vXH1PbLJpTGav6J-BcRv9Br30g3tLc7WZC8XLhZpDnXNndKuXBtHO_QHQpWw5gQfBBw8Sm9xrLuRhYfJvTojdrWBtC4ZmTIbZ4oGfaE7bgWirKm-FaSq4iVzqk0-LXQSgc1Fy4z2RYXxH2-A"
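The verification flow this PR describes, and the key-pair and signing steps in the test instructions above, as an added example in Go. This is not code from the WP-API/authentication plugin (which is PHP); it is a stand-alone re-implementation of the same exchange: produce a PKIX public key the way `openssl rsa -pubout` does, sign the software statement's claims as an RS256 JWT the way `--sign` does, and on the server side take `iss` from the claims, resolve it to `https://<iss host>/.well-known/wp-api/oauth2.pem`, and verify the signature with the key found there. The HTTPS fetch is replaced by an in-memory map standing in for the uploaded PEM, `example.com` and the claim values are constructed, and two checks go beyond what the PR text states: `iss` must be a bare https origin (so the token cannot steer the fetch to an arbitrary URL), and `client_uri` must sit on the issuer's host.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

type SoftwareStatement struct {
	Iss          string   `json:"iss,omitempty"`
	ClientURI    string   `json:"client_uri"`
	SoftwareID   string   `json:"software_id"`
	RedirectURIs []string `json:"redirect_uris"`
	ClientName   string   `json:"client_name"`
}

const wellKnownPath = "/.well-known/wp-api/oauth2.pem"

// PublicKeyPEM matches what `openssl rsa -pubout` writes: a PKIX "PUBLIC KEY" block.
func PublicKeyPEM(priv *rsa.PrivateKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
}

// SignStatement produces the RS256 JWT that --sign emits: base64url(header).base64url(claims).base64url(sig).
func SignStatement(st SoftwareStatement, priv *rsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"typ": "JWT", "alg": "RS256"})
	body, _ := json.Marshal(st)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), err
}

// VerifyStatement accepts a statement only if it names an issuer, the key published at
// https://<issuer host>/.well-known/wp-api/oauth2.pem validates its RS256 signature, and
// client_uri is on that same host (the last check is added hardening, not described in the PR).
func VerifyStatement(token string, fetch func(keyURL string) ([]byte, error)) (*SoftwareStatement, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	hdrJSON, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	bodyJSON, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("JWT segments are not base64url")
	}
	var hdr struct{ Alg string `json:"alg"` }
	var st SoftwareStatement
	if json.Unmarshal(hdrJSON, &hdr) != nil || json.Unmarshal(bodyJSON, &st) != nil {
		return nil, errors.New("JWT header or claims are not JSON")
	}
	if hdr.Alg != "RS256" || st.Iss == "" { // pin the alg: the token never gets to pick "none" or an HMAC alg
		return nil, errors.New("statement must be RS256-signed and carry an iss claim")
	}
	// Only a bare https origin is accepted as iss, so a crafted iss cannot steer the key fetch elsewhere.
	u, err := url.Parse(st.Iss)
	if err != nil || u.Scheme != "https" || u.Host == "" || u.User != nil ||
		(u.Path != "" && u.Path != "/") || u.RawQuery != "" || u.Fragment != "" {
		return nil, errors.New("iss must be a bare https origin")
	}
	pemBytes, err := fetch("https://" + u.Host + wellKnownPath)
	block, _ := pem.Decode(pemBytes)
	if err != nil || block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("issuer did not publish a PEM public key at the well-known URL")
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	pub, ok := parsed.(*rsa.PublicKey)
	if err != nil || !ok || pub.N.BitLen() < 2048 {
		return nil, errors.New("issuer key is not RSA of at least 2048 bits")
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return nil, errors.New("signature does not verify against the issuer's key")
	}
	if cu, err := url.Parse(st.ClientURI); err != nil || cu.Host != u.Host {
		return nil, errors.New("client_uri host differs from iss host")
	}
	return &st, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Constructed stand-in for the PEM uploaded to the issuer's well-known URL in the test instructions;
	// a host with no entry yields a nil PEM, which fails the decode check just as a 404 would.
	hosted := map[string][]byte{"https://example.com" + wellKnownPath: PublicKeyPEM(priv)}
	fetch := func(u string) ([]byte, error) { return hosted[u], nil }
	tok, _ := SignStatement(SoftwareStatement{Iss: "https://example.com", ClientURI: "https://example.com", ClientName: "My App"}, priv)
	_, err := VerifyStatement(tok, fetch)
	fmt.Println("verified:", err == nil)
}
```

Run it with `go run`. Swapping the signing key for one the issuer does not publish, changing `iss` to `http://`, appending a path or query to `iss`, or rewriting the header to `"alg":"none"` all make `VerifyStatement` return an error, which is the behaviour a "verified" badge has to rest on: the only thing that earns it is a signature that checks out against the key served from the issuer's own https origin.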
TimothyBJacobs commented 4 years ago

Right now we're assuming that the site has OpenSSL available. We should check that and not attempt signing if it isn't available.