With the introduction of the REST API for WordPress, the possibilities are endless. I view this with some skepticism, since there are some choke points in the REST API. Everything always has its flaws, and given that the REST API in core is fairly new, I hold my personal opinions close and contribute when and where I can on the project. One of those choke points is authentication.
Hanging out in the Slack channels with the contributors of WordPress, I have seen a lot of good ideas float around about how authentication beyond cookie authentication could be added to core. The talk is to add all the authentication pieces to WordPress core while still making sure users are not overwhelmed and the process is intuitive.
Here is the issue: authentication is only intuitive for the front-end user. As developers, the process can be one heck of a pain to set up. Here is a list of ideas that I have seen floating around, with nothing yet suggested or planned for core.
OAuth is a solid and proven authorization flow but can be a pain to set up. Could it be made easy enough for a user with no knowledge of OAuth? OAuth does not need a secure connection because every request carries a signature that the server verifies.
OAuth2 is a solid and proven authorization flow but can be a pain to set up. Could it be made easy enough for a user with no knowledge of OAuth2? OAuth2 does require SSL/TLS connections but does not require request signing.
Application Passwords are a great idea but are fairly new as anything resembling a standard. It is more of a custom auth flow that Facebook only recently started to use. App passwords DO NOT allow users to generate tokens from another device and require users to know how to use the flow.
There is always this option.
All of the above have their pros and cons, but the big thing to remember is that anything introduced into Core will need to follow some standard and allow for seamless integration with 3rd-party software.
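To make the OAuth-versus-OAuth2 distinction above concrete, here is an added example (not code from this post, from WordPress core, or from any WordPress plugin): a minimal OAuth 1.0a HMAC-SHA1 signer and verifier run against a constructed request to a wp-json endpoint. The consumer key, secrets, token and URL are all constructed for the demo; an OAuth2 bearer token, by contrast, is just a header with no per-request integrity, which is why it leans on TLS instead.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def _pct(value: str) -> str:
    # RFC 3986 percent-encoding as mandated by RFC 5849 (only -._~ stay unencoded)
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Build the OAuth 1.0a base string: METHOD & base-URL & normalized params."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    pairs = list(parse_qsl(parts.query, keep_blank_values=True))
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    encoded = sorted((_pct(k), _pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), _pct(base_url), _pct(normalized)])


def sign(method, url, oauth_params, consumer_secret, token_secret=""):
    """Client side: HMAC-SHA1 over the base string, keyed by both secrets."""
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    base = signature_base_string(method, url, oauth_params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify(method, url, oauth_params, consumer_secret, token_secret=""):
    """Server side: recompute the signature and compare in constant time."""
    expected = sign(method, url, oauth_params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))


def demo():
    # Constructed credentials and endpoint; a real server also rejects replayed nonces.
    consumer_secret, token_secret = "constructed-consumer-secret", "constructed-token-secret"
    url = "https://example.com/wp-json/wp/v2/posts?status=draft"
    oauth = {
        "oauth_consumer_key": "constructed-key",
        "oauth_token": "constructed-token",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_nonce": secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign("GET", url, oauth, consumer_secret, token_secret)
    genuine = verify("GET", url, oauth, consumer_secret, token_secret)
    # Altering any signed parameter in transit breaks verification, even over plain HTTP
    tampered = verify("GET", url.replace("draft", "publish"), oauth, consumer_secret, token_secret)
    return genuine, tampered  # -> (True, False)
```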
I wanted to get some other ideas on how people think a good authentication flow could be added to the WP REST API. If you have any ideas or comments, please post them below.
Of course I am going to say I like OAuth2, but that would be close-minded :)….