I don’t know if I just have some kind of blind spot or what, but I’ve read the OAuth 2 spec many times over and perused the mailing list archives, and I have yet to find a good explanation of why the Implicit Grant flow for obtaining access tokens has been developed. Compared to the … Read more
I am attempting an OAuth call to a 3rd party service but having issues with my callback script. I have a file oauth.php that is within my plugin directory. First question, do I need to go to the url of this script? For example do I need my login button to link to http://example.com/wp-content/my-plugin/oauth.php? Or … Read more
Could anyone explain what’s good about OAuth2 and why we should implement it? I ask because I’m a bit confused about it — here’s my current thoughts: OAuth1 (more precisely HMAC) requests seem logical, easy to understand, easy to develop and really, really secure. OAuth2, instead, brings authorization requests, access tokens and refresh tokens, and … Read more
When I attempt an OAuth handshake, the first step is a GET call to obtain an access code like so. # Redirect to request authorization code $url = $this->get_authorization_url(); header(“Location: $url”); exit; Just before I send this I store the current URL in a $_SESSION[‘last_url’] variable so that after authentication is complete I can redirect … Read more
Let me first start with saying I’ve searched for an answer to this question for quite some time… I’m trying to setup Facebook OAuth to work with my application that is being developed locally on my machine. Everything was working perfect with Facebook authorization UNTIL I moved from using localhost to another domain name (still … Read more
One of the main purposes of an API is to allow the integration of different services/systems. Let’s consider that the WordPress REST API can have both public and protected endpoints, where public endpoints do not require any form of authentication, and protected endpoints do. Example of a public endpoint: GET https://main.loc/wp-json/wp/v2/posts Example of a protected … Read more
I set up an OAuth client for WP-API following the instructions for WP-API/OAuth1 on github. I was disappointed to realise afterwards that all of the site’s content remains available over the API, including all sorts of not-really-public metadata like user registration dates. I don’t want this. How do I restrict the JSON API to allow … Read more
With the “Implicit” flow the client (likely a browser) will get a access token, after the Resource Owner (i.e. the user) gave access. With the “Authorization Code” flow however, the client (usually a web server) does only get an authorization code after the Resource Owner (i.e. the user) gave access. With that authorization code the … Read more
Sorry if some parts of this question seem obvious, I’m a newbie at WordPress and this is the first time I tap into oAuth workflow manually (without using a social login plugin). There is this oAuth2 server that provides central authorization for all sites/apps of organization (let’s call it X-Org). What I want to do … Read more
Are there any example projects that do the same? I want to be able to login and register for accounts on my site via the API. 2 Answers 2 I know it’s a bit far fetched, but might help. For anyone looking for WP REST API implementation with JWT, here’s our solution. Add it to … Read more
