-
Notifications
You must be signed in to change notification settings - Fork 282
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Can't get auth working, 403 Forbidden Error #21
Comments
Finally made some progress. It seems like the cookie authentication is running after the basic authentication and then reseting the wp_current_user back to 0 if there is no nonce sent with the request. Or perhaps the basic auth plugin is not even getting hooked on during the authentication process, which seems unlikely to me. |
Did some more digging and narrowed it down to the HTTP_AUTHORIZATION variable. So try that if you use FastCGI and have trouble to get it to work. |
@ViktorPontinen Hi, i have problems with this aswell. Get 403 on POST request using Basic Auth. Do you know how to set this up in Nginx? I've added |
@urre Hi, the basic rule did not work for me, had to use You could try |
@ViktorPontinen thanks. How did you make the POST request? i'm not sure i¨'m doing it correctly. i've tried:
|
Using Postman extension for Chrome.
What kind of error do you get? |
@ViktorPontinen I made a misstake. Working now. Thanks. |
Hi Guys, I still have issues getting this working. Think it might have something to do with my .htaccess file; here is an extract from my website. There are two lines with are commented out, when they are activated the api calls responded with a 404 error. Any ideas?
|
http://stackoverflow.com/questions/17018586/apache-2-4-php-fpm-and-authorization-headers
Worked for us. |
Hi there, also run into this issue and found myself having to perform a small tweak to the plugin, I wonder if it is not something that is worth merge in, I will let you guys decide. Basically I found myself having to parse $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] to feed $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] I added the lines below just before line that reads "// Check that we're trying to authenticate"
One more, in my case both
worked for the basic auth but my site started to throw lots of 404, on the other hand
did the trick. |
does this plugin works with the V2? |
Havin a similar problem. Adding the aforementioned rules to .htaccess apparently helps in passing through the Basic Auth info. The API now returns stuff that makes me think it recognizes my login (meaning that e.g. the /wp/v2/users/me endpoint returns something sensible), but even though the user I'm logging in as has admin rights, I am getting 403 errors whenever I'm trying to access hidden posts. The code change proposed by @gmartinez doesn't help. Would be great if @ViktorPontinen could share what the problem in the WP-API exactly was (and whether the fix was vor the v1 or v2 API). Does anybody take care of this plugin? I'm working on connecting our software products with the website and Basic Auth is so much less painful in this regard (at least until a two legged OAuth 2.0 becomes available). Also since I'm controlling both sides, I can totally ensure that https is used. Wouldn't it even make sense to have a switch in the WP-API plugin that allows to only accept API calls via https and not http? OK, I'm getting off topic.... |
@tdapper I had success with WP-API1 only. V2 is still in beta anyway. |
@tdapper Im 90% sure it was on v2, which exact version I don't recall. Try to do to a var_dump on the $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] to check if the values you send get passed correctly. Sadly I don't remember much more, was long time ago I last worked with this. |
We want to discourage using this plugin heavily; even with HTTPS, it encourages the antipattern of giving your password to a different site. 99% of the the problems here are server configuration issues; the htaccess rules aren't needed with most sites, only sites that don't correctly pass the authorization header/variables to PHP. This is something we can't really handle in a generic way, so try the solutions suggested here. :) |
Hi @rmccue, thanks for taking the time to chime in. I understand the the use of Basic Auth is generally discouraged and I am totally with you, also in regard to discouraging the antipattern. However, since WP-API (gloriously) opens up a whole new world of applications, there are scenarios in which the other thing that talks to WP isn't a different site. We are planning to have a bunch of pure command line scripts and direct access to the site via our standalone C++ applications (e.g. for license activation) that don't work well, don't work at all or provide a horrible user experience (or any combination thereof) when being used with OAuth 1.1a. Again, I am totally with you when you are talking about other sites, but in standalone applications or command line scripts where browser interaction for the validation step is cumbersome or impossible will be future scenarios that people will like to tackle, even if it's just for internal purposes or testing. I also see that 99% of the problems here are server configuration problems, I'm not sure whether my problem is one of those, though. The server configuration problem I did have was that the authorization doesn't get passed through to PHP when it's running as a CGI, which is the case for our hoster. This problem could be solved, however, with the workaround info found in this (and other) issue threads. The real problem is that WP-API is apparently recognizing me as a user (since the /wp/v2/users/me endpoint produces sensible output), but still doesn't grant me the privileges to see e.g. invisible posts doesn't appear to be a configuration problem. Particularly since the problem has come up in a few places (here and there was another thread that I shall try to recover from my history) where code changes had to be applied to either the Basic Auth plugin or WP-API. I'd dig into it myself, but unfortunately web development is not my strong side so it's going to take me a while. Best |
There's a couple of ways around this; the primary one is out-of-band handling. It's not ideal, but it's not a terrible flow for command line applications in particular. That said, the team working on Two Factor Auth in WP core has looked at user access tokens (similar to how GitHub does it) previously, and I wouldn't be adverse to supporting those.
I'm not sure exactly what you mean by "invisible", but I suspect you mean draft posts? Note that authenticating with the site doesn't change responses by itself, you also need to use the |
Hi @rmccue, thanks again for the quick reply. Out-of-band handling is exactly the type of user experience I was referring to "horrible user experience" earlier. While this might be ok for our internal command line scripts, it is out of the question for the standalone applications we sell to end users. While I really value your commitment to ensuring maximum safety, my feeling is that not to support Basic Auth (or something similar or even just a two legged OAuth 2) will impose a serious practical limit on what can be done with the API beyond different web services talking to each other. Again, I totally agree with you when connecting different web services, but in this case both endpoints are under our full control (since we do the website and the standalone application) and as soon as WP-API gains more traction, these cases will keep popping up. Regarding "invisible": I was using wrong terminology. I didn't mean a Draft, but I meant a posting that was published as "private". Since it is, while being private, still published, I'd assume that the edit context isn't needed. And again, I am making the assumption that the WP-API does recognize me as a user, since the /wp/v2/users/me endpoint does show my user info, which I assume it wouldn't. And since I'm testing with my user that has admin rights, I should be able to see that private post (I can see it when using the regular WordPress web frontend. Best |
Out-of-band is definitely not the greatest, but for your other standalone applications, could you use a custom protocol as per the guide? I totally get the need for this, but Basic auth is not something that will ever be encouraged or fully supported outside of development. A simpler key-based authentication system (or OAuth 2, which is essentially a standardised spec of this) is much more likely. As you may have noticed from the OAuth 1 plugin though, we don't have a huge amount of spare time, so we need to prioritise and focus on OAuth 1 right now. Keep in mind however that the entire authentication system in WP is flexible, which is how the Basic and OAuth plugins work. If you need something different, you can always make another plugin to do what you need. Although we're stretched for time, we're always happy to review code too, :) For private posts, I think you need to specify that you actually want those back with |
I'm not locked down to any particular authentication scheme and won't shed a tear about dropping Basic Auth when there's a better alternative. However, we have a similar problem like you regarding development resources, so rolling our own appears impractical (at least currently), especially since we're not exactly security specialists so there's a good chance a custom implementation we do will have more security holes than a really large chunk of swiss cheese. I'd probably try waiting for two legged OAuth 2 to become available (or us suddenly having the time and capabilities to implement it) and try to get along with Basic Auth until then. As for the actual problem: I tried the post status filter, but it didn't change anything. Also I'm wondering whether this would also apply when I'm trying to get a post directly through an endpoint like wp-json/wp/v2/posts/88556 (which is what I did). If feels to me as if the filter would only make sense when using it on something like wp-json/wp/v2/posts. |
Hmm, strange. Can you file an issue over on the main API repo please? Tends to get more traffic than here, so someone may be able to help sooner :) |
Hi,
Basic Auth just doesn't work for me, been stuck for days and feels like I have turned over every stone there is to find a solution.
Some info about my hosting(phpinfo();):
I have added the below to .htaccess:
And doing a var_dump on below shows correct values.
Now to the issue. I get 403 Forbidden error using both postman and postman package sending the following information to the server:
The response I get:
Anyone who has any idea or can point me in the right direction?
The text was updated successfully, but these errors were encountered: