OAuth2 Authentication #46

Closed
tomjn opened this issue Dec 11, 2017 · 18 comments

@tomjn
Contributor

tomjn commented Dec 11, 2017

For the plugin to work on WP.com it'll need to use the OAuth2 authentication .com uses; the Basic Auth mechanism won't work/pass review.

@tlovett1
Member

Thanks @tomjn. We'll look into this internally.

@adamsilverstein

@tomjn Follow up question re: OAuth - will .com OAuth2 authentication also work on VIP Go sites? And does it also work on .org sites with Jetpack enabled?

Thanks!

@tomjn
Contributor Author

tomjn commented Jan 3, 2018

> Follow up question re: Oauth - will .com Oauth2 authentication also work on VIP GO sites?

I wouldn't expect it to unless special measures are taken, since VIP Go sites don't share the same DB/User tables.

For Go I would approach it from a general WP standpoint rather than a .com VIP standpoint (of course making sure it still passes review), so the official WP API OAuth2 plugin would be the best starting point: https://github.com/WP-API/OAuth2, or if you'd prefer your own authentication scheme, as long as it's secure. Basic HTTP user/pass auth won't suffice though.

@tomjn
Contributor Author

tomjn commented Jan 3, 2018

As for Jetpack sites, .com OAuth should allow you to authenticate with .com servers, which should let you use the .com endpoints for a Jetpack site when speaking to .com servers, similar to how Calypso can talk to .com REST APIs to manage a Jetpack site without talking directly to that site. But I wouldn't expect you to be able to use that authentication when speaking to the Jetpack site's own REST endpoints.

@adamsilverstein

Perfect, thanks for clarifying @tomjn

@tlovett1
Member

tlovett1 commented Jan 5, 2018

@tomjn for VIP GO do we need to use OAuth or can we just use basic auth + application passwords? https://wordpress.org/plugins/application-passwords/

@tomjn
Contributor Author

tomjn commented Jan 6, 2018

Possibly, I'd need to check with my colleagues, but OAuth would be preferable. Anybody snooping can reverse engineer the user/pass used with basic auth, making it somewhat pointless.

@jasonbahl
Contributor

We’re using JWT Auth on VIP Go as well. Might be worth checking out. There’s a REST JWT auth plugin and we have a GraphQL JWT Auth plugin as well.

@tomjn
Contributor Author

tomjn commented Jan 6, 2018

That should be fine, though keep in mind there are issues with the JWT standard.

@tlovett1
Member

tlovett1 commented Jan 7, 2018

@jasonbahl thanks for the info!

I'm not quite sure JWT addresses the problem here. JWT doesn't solve how to authenticate but rather how to verify a payload came from a trusted source (after authentication).

Application Passwords is great in that it allows you to assign special passwords to accounts that are traceable and revokable. @tomjn are you saying application passwords should be fine?

Thanks!
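An added example (not code from this thread or from the REST/GraphQL JWT plugins mentioned) that makes the distinction above concrete: `verify_jwt` decides only whether a presented token was signed by the holder of `SECRET` and is still inside its `exp` window, while `issue_jwt` mints a token for a user the caller has already authenticated by some other step (password check, OAuth flow, etc.). `SECRET`, the claim values and the helper names are constructed for illustration; the two `*_copy` helpers build negative test vectors the verifier must reject.

```python
"""Minimal HS256 JWT issue/verify, showing what JWT does and does not decide.

Added example, not code from this thread or any JWT plugin mentioned in it.
SECRET and all claim values are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret-do-not-reuse"  # hypothetical shared key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj) -> str:
    """Compact JSON -> base64url, as used for the header and claims segments."""
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_jwt(user: str, ttl: int, now: int, secret: bytes = SECRET) -> str:
    """Mint a token for an already-authenticated user.

    Nothing here checks a password or runs an OAuth flow: the caller must have
    authenticated `user` by some other mechanism before calling this.
    """
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(
        {"sub": user, "iat": now, "exp": now + ttl})
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_jwt(token: str, now: int, secret: bytes = SECRET):
    """Return the claims if the token was signed with `secret` and is unexpired, else None.

    The algorithm is pinned to HS256 and the signature is checked before any
    claim is trusted, so a token whose header announces a different (or no)
    algorithm is rejected outright.
    """
    try:
        head, body, sig = token.split(".")
        header = json.loads(_b64url_decode(head))
        claims = json.loads(_b64url_decode(body))
        presented = _b64url_decode(sig)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    return claims


def tampered_copy(token: str, new_sub: str) -> str:
    """Constructed negative test vector: original signature, edited subject claim."""
    head, body, sig = token.split(".")
    claims = json.loads(_b64url_decode(body))
    claims["sub"] = new_sub
    return f"{head}.{_segment(claims)}.{sig}"


def alg_none_copy(token: str) -> str:
    """Constructed negative test vector: header rewritten to alg=none, empty signature."""
    _, body, _ = token.split(".")
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{body}."


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_jwt("editor", ttl=3600, now=now)
    print("valid   :", verify_jwt(token, now + 10))
    print("expired :", verify_jwt(token, now + 3600))
    print("tampered:", verify_jwt(tampered_copy(token, "admin"), now + 10))
    print("alg=none:", verify_jwt(alg_none_copy(token), now + 10))
```

The verifier never consults a user table: if the signature and expiry check out, the claims are accepted as-is. That is exactly why a JWT plugin still needs an authentication step in front of `issue_jwt`, which is the point being made in the comment above.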

@tomjn
Contributor Author

tomjn commented Jan 8, 2018

> @tomjn are you saying application passwords should be fine?

No, I still haven't ascertained if this is or is not good, it remains an open question. To be honest it does not sit well with me. Since OAuth is an unavoidable requirement of .com VIP, I'm very keen to strongly push towards using OAuth on VIP Go as it will save time.

If the connection is intercepted, user/pass can be reverse engineered trivially via basic auth. I don't see how using an application password improves this outside of the post-hack cleanup step when it's revoked; either way, compromising is just as easy.

@tlovett1
Member

tlovett1 commented Jan 8, 2018

I'm not sure OAuth on VIP Go will save time as the .org implementation is completely different.

Tom, how is that different than if an OAuth connection were intercepted? OAuth is passing an access token via an Authorization header.

@tomjn
Contributor Author

tomjn commented Jan 8, 2018

Hmm, I don't follow; both use the same standard, all that's required is a .org implementation of the OAuth server? The current responses I'm getting are that basic auth is allowed in non-production environments on VIP Go, but for production we strongly recommend OAuth2.
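An added illustration (not code from this thread or from the Distributor plugin) of the two interception cases argued over above: a toy REST request gate that honours Basic auth only outside production and bearer tokens everywhere, plus `replay_outcomes`, which replays each captured `Authorization` header a month later. The Basic header is the password itself and keeps working until the password is changed; the bearer token fails once it has expired, is presented for a scope it lacks, or has been revoked. `USERS`, `TokenStore`, the environment names and the credentials are all constructed assumptions.

```python
"""Toy REST authentication gate contrasting Basic auth with bearer tokens.

Added example, not code from this thread or the Distributor plugin. USERS,
TokenStore, the environment names and the credentials are constructed.
"""
import base64
import hashlib
import hmac
import secrets

# Constructed user table: username -> password (a real system stores hashes).
USERS = {"editor": "correct horse battery"}


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a Basic-auth client sends on every request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class TokenStore:
    """Opaque bearer tokens that are scoped, short-lived and individually revocable.

    Only a SHA-256 of each token is kept, so a copy of the store yields no
    usable tokens.
    """

    def __init__(self):
        self._records = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, scopes, ttl: int, now: int) -> str:
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = {
            "user": user, "scopes": set(scopes), "exp": now + ttl, "revoked": False,
        }
        return token

    def revoke(self, token: str) -> None:
        record = self._records.get(self._key(token))
        if record is not None:
            record["revoked"] = True

    def lookup(self, token: str, now: int):
        record = self._records.get(self._key(token))
        if record is None or record["revoked"] or now >= record["exp"]:
            return None
        return record


def authenticate(header: str, store: TokenStore, environment: str,
                 required_scope: str, now: int):
    """Return the authenticated user name, or None if the request is rejected.

    Policy as stated in the thread: Basic auth is honoured only outside
    production; production accepts bearer tokens only, and a token must carry
    the scope the endpoint needs.
    """
    scheme, _, value = header.partition(" ")
    if scheme == "Basic":
        if environment == "production":
            return None
        try:
            user, _, password = base64.b64decode(value).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        expected = USERS.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        return user
    if scheme == "Bearer":
        record = store.lookup(value, now)
        if record is None or required_scope not in record["scopes"]:
            return None
        return record["user"]
    return None  # unknown or missing scheme


def replay_outcomes(now: int = 1_700_000_000) -> dict:
    """Replay each kind of captured header well after capture and report who it logs in as."""
    store = TokenStore()
    token = store.issue("editor", ["read"], ttl=3600, now=now)
    basic = basic_header("editor", "correct horse battery")
    much_later = now + 30 * 24 * 3600
    outcomes = {
        "basic_in_production": authenticate(basic, store, "production", "read", now),
        "basic_replayed_in_staging": authenticate(basic, store, "staging", "read", much_later),
        "bearer_fresh": authenticate("Bearer " + token, store, "production", "read", now + 10),
        "bearer_wrong_scope": authenticate("Bearer " + token, store, "production", "write", now + 10),
        "bearer_replayed_after_expiry": authenticate("Bearer " + token, store, "production", "read", much_later),
    }
    store.revoke(token)
    outcomes["bearer_after_revoke"] = authenticate("Bearer " + token, store, "production", "read", now + 20)
    return outcomes


if __name__ == "__main__":
    for name, user in replay_outcomes().items():
        print(f"{name:30s} -> {user}")
```

Both headers are equally easy to capture on an intercepted connection; what differs is the blast radius of the capture. Expiry, scoping and per-token revocation bound what a captured bearer token is good for, whereas a captured Basic header is the account password, which is why the policy above refuses it in production rather than trying to make it safe.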

@tlovett1
Member

Thanks, @tomjn! We'll do some research on .org OAuth2 in Distributor. CC @adamsilverstein

@adamsilverstein

> Since OAuth is an unavoidable requirement of .com VIP, I'm very keen to strongly push towards using OAuth on VIP Go as it will save time.

@tomjn Do you have any more information about using OAuth2 for VIP Go sites? I don't think .org/core has a canonical/non-beta OAuth2 implementation.

@tomjn
Contributor Author

tomjn commented Jan 15, 2018

At the moment no, we don't have a recommended OAuth 2 implementation. I'm evaluating options; OAuth1 is also an option if you would prefer to use the WP API OAuth1 plugin, which I reviewed myself and is in operation on a VIP Go site already.

@adamsilverstein

OK, perfect - thanks for clarifying. I'm familiar with the OAuth1 plugin and that makes the most sense at this point for non-basic-auth on .org sites as well.

@adamsilverstein

Fixed in #58
