Sorry if some parts of this question seem obvious; I'm a newbie at WordPress and this is the first time I've tapped into the OAuth workflow manually (without using a social login plugin).
There is an OAuth2 server that provides central authorization for all sites/apps of the organization (let's call it X-Org). What I want to do is allow my WooCommerce customers to log in/register via the X-Org server and come back to Woo for checkout. The procedure I have in mind is:
- User clicks on the "Login/Register With X-Org" button and comes back with an "Authorization Code"
- My WordPress site gets the code and exchanges it for Access/Refresh Tokens
- My WordPress site uses the "Access Token" to get the profile info (email, first/last name)
- Check if a user with this email address exists in the `wp_users` table. If not, create the user, then log the user in (wp_signon)
- Also, I should save the returned "Refresh Token" into the db (as username?)
The rest will be handled by the WordPress auth system after calling wp_signon (cookie based, right?).
What I want to know is:
A- First of all, is the path I listed above right and logical?
B- For 1 and 2 I'm thinking about using the PHP cURL lib. Is there any other option via the WordPress core APIs?
C- I'm not sure whether I should save the refresh/access tokens in the db?
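The callback side of the procedure above, written as an added example (not code from the question or from any plugin) using the WordPress HTTP API (`wp_remote_post`/`wp_remote_get`) instead of raw cURL. The X-Org endpoint URLs, the `XORG_CLIENT_ID`/`XORG_CLIENT_SECRET` constants (assumed to be defined in wp-config.php), the callback path and the `xorg_` names are assumptions; it also assumes the login button stored a random `state` in a transient before redirecting the user to X-Org.

```php
// Added example; X_ORG_* URLs, XORG_CLIENT_ID/SECRET (assumed in wp-config.php) and the callback path are assumptions.
const X_ORG_TOKEN_URL    = 'https://auth.x-org.example/oauth/token';
const X_ORG_USERINFO_URL = 'https://auth.x-org.example/oauth/userinfo';
function xorg_handle_callback() {
    if ( ! isset( $_GET['code'], $_GET['state'] ) ) {
        return;
    }
    // The login button stored a random "state" in a short-lived transient; an unknown state means a forged or replayed callback.
    $state = sanitize_text_field( wp_unslash( $_GET['state'] ) );
    if ( false === get_transient( 'xorg_state_' . $state ) ) {
        wp_die( 'Invalid OAuth state.' );
    }
    delete_transient( 'xorg_state_' . $state );
    // Exchange the code for tokens with the WordPress HTTP API instead of raw cURL.
    $resp = wp_remote_post( X_ORG_TOKEN_URL, array( 'timeout' => 15, 'body' => array(
        'grant_type'    => 'authorization_code',
        'code'          => sanitize_text_field( wp_unslash( $_GET['code'] ) ),
        'redirect_uri'  => home_url( '/xorg-callback/' ),
        'client_id'     => XORG_CLIENT_ID,
        'client_secret' => XORG_CLIENT_SECRET,
    ) ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        wp_die( 'Token exchange failed.' );
    }
    $tokens = json_decode( wp_remote_retrieve_body( $resp ), true );
    // Fetch the profile; the access token travels only in the Authorization header.
    $prof = wp_remote_get( X_ORG_USERINFO_URL, array( 'headers' => array(
        'Authorization' => 'Bearer ' . ( $tokens['access_token'] ?? '' ) ) ) );
    $info = json_decode( wp_remote_retrieve_body( $prof ), true ); // '' on WP_Error -> null
    if ( empty( $info['email'] ) || ! is_email( $info['email'] ) ) {
        wp_die( 'Profile did not contain a valid email.' );
    }
    // Find or create the local user; the random local password is never disclosed, so X-Org stays the only way in.
    $user = get_user_by( 'email', $info['email'] );
    if ( ! $user ) {
        $id   = wp_create_user( $info['email'], wp_generate_password( 32, true ), $info['email'] );
        $user = is_wp_error( $id ) ? false : get_user_by( 'id', $id );
    }
    if ( ! $user ) {
        wp_die( 'Could not create user.' );
    }
    // Keep the refresh token in user meta (ideally encrypted at rest), not in a public field.
    update_user_meta( $user->ID, 'xorg_refresh_token', $tokens['refresh_token'] ?? '' );
    // Password-less login: set the current user and the auth cookie, then go to checkout.
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, true );
    wp_safe_redirect( wc_get_checkout_url() );
    exit;
}
add_action( 'template_redirect', 'xorg_handle_callback' );
```

`wp_set_auth_cookie` is the cookie-setting step that `wp_signon` performs internally after a password check, which is why no WordPress password is needed here.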
Using JWT you can extend the WP REST API using JSON Web Tokens Authentication as an authentication method.
WordPress REST API Authentication:
Default cookie authentication: cookie authentication is the only authentication mechanism available natively within WordPress.
Remote applications: to support remote applications, we need to add a new REST API authentication method using a plugin.
Currently supported options are Basic Auth, OAuth, and JWT:
- Basic Auth with a username and password is considered insecure and should only be used in development scenarios
- OAuth is great but it can be a pain to authenticate
- JWT is awesome and works great with front-end frameworks
User Sign In ([username/password]) => Authentication Server => User Authenticated, JWT Created and return to USER
USER (User passes [JWT] When making API Calls) => Application server => Application verifies and processes API Call => send data / message to USER
![enter image description here](https://i.stack.imgur.com/3f43n.jpg)
The user first signs into the authentication server using the authentication server's login system (e.g. username and password, Facebook login, Google login, Twitter, etc.). The authentication server then creates the JWT and sends it to the user. When the user makes API calls to the application, the user passes the JWT along with the API call. In this setup, the application server would be configured to verify that the incoming JWTs are created by the authentication server.
When the user makes API calls with the attached JWT, the application can use the JWT to verify that the API call is coming from an authenticated user.
Authentication plugins:
Authentication that will work from remote applications.
Some plugins for authentication:
- OAuth 1.0a Server: connect applications to your WordPress site without ever giving away your password. This plugin only supports WordPress >= 4.4.
- Application Passwords: authenticate a user without providing that user's password directly; instead you use a base64-encoded string of their username and a new application password.
- JSON Web Tokens: extends the WP REST API using JSON Web Tokens Authentication as an authentication method.
- WP User: extends the WP REST API using JSON Web Tokens (JWT) Authentication as an authentication method.
The WP User plugin helps you create front-end login and registration forms on your website, as well as create JWT tokens for the WP REST API, with additional security features such as Limit Login Attempts, password regular expressions, blacklisting/whitelisting IP addresses, etc.
For user logins or registrations where you would like to avoid the normal WordPress login pages, this plugin adds the capability of placing login, registration and forgot-password forms with smooth AJAX effects, and it also supports the REST API.