Using JWT to authenticate a user with an external system?

We have a WordPress application which is going to be linked with a parent system. We want to use JWT for authenticating with the parent. The idea is, if the user is not logged in on the parent, he should not be allowed to access the WordPress site (only the front end, always; the dashboard is strictly for the admin). If the user tries to access the WordPress application via a bookmark or history, we will need to send him to the parent site for logging in. There will be no API calls made to the parent site, except for authentication, since the WP app has its own data. This brings me to the questions.

  1. Is JWT suitable for our situation?
  2. How would I integrate it with WordPress?
  3. Will I need to modify WP’s native authentication system to make it work with JWT?

My current approach is this: A user logs in to the parent system, and follows the link to the WordPress site. The JWT token will be sent as a POST request to the WP site. I will parse the request, using probably the init action, and get the WP-specific username and password from it. I will then set the token with an expiry time (is it really required?) and I will log the user in. If the user tries to access the application via a bookmark or history, I will redirect him to the parent site.

Is this the correct way? Is there a better way? I am happy to provide more information if required.

1 Answer

A recent comment brought my attention to this question, which I had posted. I had also posted another question regarding this topic, and had later solved it and posted an answer, here: JWT authentication with WP – Approach

Copying that answer here, so that it helps someone who stumbles across this implementation:

  1. The endpoint coded in the app that I am supposed to authenticate with prepares the token.
  2. The token has to be in the specified format.
  3. It then should be base64 encoded and hash encrypted.
  4. The wp_init handler should be used to handle the POST request sent by the endpoint, to extract the token.
  5. The key will be shared via some other way, used for decryption.
  6. Once the token is extracted, compare it against a locally generated token with the same information.
  7. Store it in a cookie, and check it on every page access. You can expire it after a while or keep on increasing the time slice on every page access.

The endpoint could be in any language. Also this is the general flow of it, you can use it anywhere you want.
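A WordPress-side handler for the flow described in this answer, written as an added example (not the asker's or answerer's code): the parent POSTs a base64url JSON payload with an HMAC-SHA256 signature, the init hook recomputes the signature with the shared key (the "locally generated token with the same information"), and only a valid, unexpired token hands the session to WordPress's own auth cookie. The field name sso_token, the constants WP_SSO_SHARED_KEY and WP_SSO_PARENT_LOGIN_URL, and the user/exp payload fields are assumptions.

```php
<?php
// Added example, not the asker's or answerer's code. Assumed token format from the parent:
// base64url(JSON payload) . "." . base64url(HMAC-SHA256 over that first part), POSTed as "sso_token".
// WP_SSO_SHARED_KEY and WP_SSO_PARENT_LOGIN_URL are assumed constants defined in wp-config.php.

function sso_b64url_decode( $s ) {
    return (string) base64_decode( strtr( $s, '-_', '+/' ) );
}

// Recompute the signature with the shared key and compare in constant time;
// returns the payload array, or null when the token is malformed, forged or expired.
function sso_verify_token( $token, $key, $now ) {
    $parts = explode( '.', $token );
    if ( count( $parts ) !== 2 ) {
        return null;
    }
    $expected = hash_hmac( 'sha256', $parts[0], $key, true );
    if ( ! hash_equals( $expected, sso_b64url_decode( $parts[1] ) ) ) {
        return null; // signature does not match: reject before trusting any field
    }
    $payload = json_decode( sso_b64url_decode( $parts[0] ), true );
    if ( ! is_array( $payload ) || empty( $payload['user'] ) || empty( $payload['exp'] ) ) {
        return null;
    }
    if ( (int) $payload['exp'] < $now ) {
        return null; // expiry is what stops an old captured POST from being replayed later
    }
    return $payload;
}

add_action( 'init', function () {
    if ( is_user_logged_in() || is_admin() || 'wp-login.php' === $GLOBALS['pagenow'] ) {
        return; // admins keep WordPress's native login; the SSO gate is for the front end only
    }
    if ( empty( $_POST['sso_token'] ) ) {
        wp_redirect( WP_SSO_PARENT_LOGIN_URL ); // bookmark or history access: log in on the parent first
        exit;
    }
    $payload = sso_verify_token( wp_unslash( $_POST['sso_token'] ), WP_SSO_SHARED_KEY, time() );
    $user    = $payload ? get_user_by( 'login', $payload['user'] ) : false;
    if ( ! $user ) {
        wp_redirect( WP_SSO_PARENT_LOGIN_URL );
        exit;
    }
    // Hand the session to WordPress's own auth cookie; no WP password travels in the token.
    wp_set_auth_cookie( $user->ID, false );
    wp_safe_redirect( home_url( '/' ) );
    exit;
} );
```

Because the token only names the WordPress login and an expiry, the parent never needs to know the WP password, and WordPress's native cookie handles the "check on every page access" step.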
