Today, I wanted to go over how you could be connecting mobile applications to WP REST API using OAuth2. Starting with WordPress 4.7 we are able to connect any application that is able to handle HTTP requests to use the REST API. There is however an issue when it comes to making authenticated calls. The REST does not support any other type of authentication than Basic Auth.
So what is wrong with Basic Auth?
Lets say that you need to make authenticated requests to the REST API from a mobile application. For every request, you will need to pass a username and password in the header in order to authenticate. By sending a username and password in every request to the server, there is a greater chance of credentials leaking and being hijacked.
Why you should be using OAuth2
OAuth2 is specific designed to be easier to use than other authorization methods. OAuth1.0a for example can be use over an unencrypted connection due to HMAC signatures. OAuth2 utilizes the SSL/TLS connection to ensure that all connections are secure.
During an OAuth1.0a call, the process of creating, encrypting, decrypting and reading the HMAC can be a daunting task. With OAuth2 there is no need to fight with this complicated process since the authorization flow assures the connection using the SSL/TLS connection.
Another reason you should be using OAuth2 is because, OAuth2 is the foundation of may other modified authorization flows. These include, OpenID Connect and LTI authorization flows. These authorization methods are used by the biggest companies due to the flexibility and security. LTI connections are one of the only authorized connections allowed by many higher education systems.
Connecting a mobile application to WordPress
Te first step is to design your authentication/authorization process for each and every user of your WordPress site. There is a few plugins out there to accomplish this which are listed below.
- Application Password
- OAuth1.0a Server
- WP OAuth Server (OAuth2)
Application Passwords is a pretty cool idea. The user will generate a one time key and then enter it into their application. The application will then be able to interact with the REST API as that user without having to pass the username and password ever. There is a HUGE downfall to this concept though. The token is valid for a lifetime and most importantly, if the key is compromised the user has to manually create and enter a new key. The fact that the key never changes makes the concept already out-dated in my eyes. Higher usage of a single key, the higher the possibility someone could be compromised.
OAuth 1.0a is another valid option. The user will never have to deal with a token themselves. The user will simply connect once using their username and password. They will be issued an access token that can be used to interact with the REST API as the user. The process of setting up the server and the mobile application is OAuth1.0a’s big pitfall.
OAuth2 is again a valid option. The user will never have to deal with a token themselves. The user will simply connect once using their username and password. They will be issued an access token that can be used to interact with the REST API as the user. This process has been simplified and makes it a lot easier to get running.
Connecting a mobile application to WordPress awesome and OAuth2 is highly suggested as your authorization/authentication process.
Download WP OAuth Server