WP-API / authentication

The home for design & development of a core WordPress REST API authentication solution
GNU General Public License v2.0

Authorization Headers #7

Open dshanske opened 4 years ago

dshanske commented 4 years ago

I have learned through my writing of the IndieAuth Authentication plugin that the largest number of filed issues around the plugin involved hosting providers not supporting the passing of authorization headers. Regardless of how we do tokens, passing them in the header is the preferred method for OAuth2.

This means we need to ensure this works on installations by testing for it (thank you, site health features), etc.

georgestephanis commented 4 years ago

For what it's worth, here's a functional UI I'd written some years ago to test whether or not the current site supports Authorization headers, and displays a message to the user if not:

https://github.com/WordPress/application-passwords/commit/16af809dcaeb347baef8f3a116170eef1bca6633

It just generates a dummy username and password, passes them as an Authorization: Basic base64-encoded header to a REST API endpoint, and checks to make sure the endpoint got the username and password and returned them in turn.

It doesn't do anything with actual passwords, just dummy strings.
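The round-trip check described above, as an added example written for this thread rather than code from the linked application-passwords commit or the WP-API/authentication project. It assumes a WordPress install that loads this file as a plugin; the route namespace `auth-check/v1`, the function names, the `REDIRECT_HTTP_AUTHORIZATION` fallback, the site-health registration and the choice to reflect a SHA-256 of the dummy password rather than the password itself are this example's own.

```php
<?php
/**
 * Added example (not the project's or the linked commit's code). Registers a REST
 * route that decodes a Basic Authorization header and reflects the username plus a
 * hash of the password, then a site-health style test that sends a freshly
 * generated dummy pair through a loopback request and checks the reflection.
 */

add_action( 'rest_api_init', function () {
    register_rest_route( 'auth-check/v1', '/echo', array(
        'methods'             => 'GET',
        'callback'            => 'auth_check_echo_header',
        // Deliberately unauthenticated: the check runs before any real credential exists.
        'permission_callback' => '__return_true',
    ) );
} );

/**
 * Reads the raw Authorization header. Some Apache/CGI setups only expose it as
 * REDIRECT_HTTP_AUTHORIZATION, so that key is tried as a fallback (assumption).
 */
function auth_check_raw_header() {
    foreach ( array( 'HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION' ) as $key ) {
        if ( ! empty( $_SERVER[ $key ] ) ) {
            return wp_unslash( $_SERVER[ $key ] );
        }
    }
    return '';
}

function auth_check_echo_header( WP_REST_Request $request ) {
    $raw = auth_check_raw_header();
    if ( '' === $raw || 0 !== stripos( $raw, 'Basic ' ) ) {
        return rest_ensure_response( array( 'received' => false ) );
    }
    // Strict base64 decoding rejects garbage instead of silently returning partial data.
    $decoded = base64_decode( substr( $raw, 6 ), true );
    if ( false === $decoded || false === strpos( $decoded, ':' ) ) {
        return rest_ensure_response( array( 'received' => false ) );
    }
    list( $user, $pass ) = explode( ':', $decoded, 2 );
    // Reflect only the username and a hash: the raw secret never goes back over the wire.
    return rest_ensure_response( array(
        'received'      => true,
        'username'      => $user,
        'password_hash' => hash( 'sha256', $pass ),
    ) );
}

/**
 * Returns true only if the dummy credentials survived the round trip intact.
 */
function auth_check_headers_supported() {
    $user = 'check_' . wp_generate_password( 8, false );
    $pass = wp_generate_password( 24, false );

    $response = wp_remote_get( rest_url( 'auth-check/v1/echo' ), array(
        'timeout' => 10,
        'headers' => array(
            'Authorization' => 'Basic ' . base64_encode( $user . ':' . $pass ),
        ),
    ) );

    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return false;
    }
    $body = json_decode( wp_remote_retrieve_body( $response ), true );

    return is_array( $body )
        && ! empty( $body['received'] )
        && isset( $body['username'], $body['password_hash'] )
        && hash_equals( $user, $body['username'] )
        && hash_equals( hash( 'sha256', $pass ), $body['password_hash'] );
}

// Surface the result in Site Health so hosting problems show up before a user hits them.
add_filter( 'site_status_tests', function ( $tests ) {
    $tests['direct']['auth_check_headers'] = array(
        'label' => 'Authorization headers',
        'test'  => function () {
            $ok = auth_check_headers_supported();
            return array(
                'label'       => $ok ? 'Authorization headers reach WordPress' : 'Authorization headers are being stripped',
                'status'      => $ok ? 'good' : 'critical',
                'badge'       => array( 'label' => 'Security', 'color' => $ok ? 'blue' : 'red' ),
                'description' => '<p>' . ( $ok
                    ? 'A loopback request carrying a dummy Basic Authorization header was received intact.'
                    : 'A loopback request carrying a dummy Basic Authorization header did not reach the REST API; token-based clients will fail until the host passes the header through.' ) . '</p>',
                'test'        => 'auth_check_headers',
            );
        },
    );
    return $tests;
} );
```

The echo route is intentionally public because the check has to work before any credential exists, so it reflects nothing the caller did not send and hashes the password before returning it; an equal-length comparison with hash_equals on the client side keeps the check from leaking timing information about the generated strings.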

dshanske commented 4 years ago

@georgestephanis I have similar code in my IndieAuth plugin (https://github.com/indieweb/wordpress-indieauth). It creates a login form page and sends in a dummy payload and returns success or failure. This can then be queried by site health.