This method of WordPress REST API endpoints authentication involves the WordPress REST APIs access on validation against the API token generated based on the user’s username, password or on the basis of client credentials. Each time a request to access the WordPress REST API endpoint will be made, the authentication will be done against that token, and on the basis of the verification of the API token, the resources for that API request will be allowed to access. The token will be encrypted hence the security is not compromised.
1. By User credentials:
Suppose you have one Android/IOS Blog Application and you have given capabilities to your users to post their personal feeds or blogs using mobile applications. In this case, your mobile application requests should be authenticated. WordPress Basic Authentication REST API with username and password method is appropriate for this situation where your user credentials will be in the Authorization Header. The user session will be created and on the basis of that user WordPress capabilities, he/she will be allowed to access the REST API content or perform the desired operations. WordPress Basic Authentication with username and password is the most common authentication method and this method will be helpful in case you want to perform WordPress operations via REST APIs which involve user permissions or capabilities.
2. By Client credentials:
Suppose you have one Android/IOS Blog Application and you want to access the WordPress content using its REST API endpoints but do not want to involve the WP user credentials as it may have a chance for exposing and allowing the intruder to access the WP site using those credentials. In that case, you should use WordPress Basic Authentication with a client ID and client secret where your WP user credentials are also safe, and at each request, you just need to pass the Client ID and Client Secret provided by the plugin. Hence security is not a concern. The Client ID and Secret are in fact passed in encrypted format in the Basic Authorization header of each API request, these are validated and on successful validation WP API Basic Auth will allow these APIs to access.
REST API Basic Auth using UserName & Password :
Request: GET https://<domain-name>/wp-json/wp/v2/posts
Header: Authorization: Basic base64encoded <username:password>
Sample Request Format-
Example => username : testuser and password : password@123
Sample curl Request Format-
curl -H "Authorization:Basic base64encoded <username:password>"
-X POST http://<wp_base_url>/wp-json/wp/v2/posts -d "title=sample post&status=publish"
base64_encode(‘testuser:password@123’) will results into ‘eGw2UllOdFN6WmxKOlNMRWcwS1ZYdFVrbm5XbVV2cG9RV FNLZw==’ as output.
Sample request: GET https://<domain-name>/wp-json/wp/v2/posts
Header: Authorization : Basic eGw2UllOdFN6WmxKOlNMRWcwS1ZYdFVrbm5XbVV2cG9RVFNLZw==
Code samples in programming languages
var client = new RestClient("http://<wp_base_url>/wp-json/wp/v2/posts ");
client.Timeout = -1;
var request = new RestRequest(Method.POST);
request.AlwaysMultipartFormData = true;
request.AddParameter("title", "Sample Post");
request.AddParameter("status", "publish");
IRestResponse response = client.Execute(request);
Console.WriteLine(response.Content);
OkHttpClient client = new OkHttpClient().newBuilder().build();
MediaType mediaType = MediaType.parse("text/plain");
RequestBody body = new MultipartBody.Builder().setType(MultipartBody.FORM)
.addFormDataPart("title","Sample Post")
.addFormDataPart("status", "publish")
.build();
Request request = new Request.Builder()
.url("http://<wp_base_url>/wp-json/wp/v2/posts ")
.method("POST", body)
.build();
Response responseclient.newCall(request).execute();
var form = new FormData();
form.append("title","Sample Post");
form.append("status", "publish");
var settings = {
"url": "http://<wp_base_url>/wp-json/wp/v2/posts ",
"method": "POST",
"timeout": 0,
"processData": false,
"mimeType": "multipart/form-data",
"contentType": false,
"data": form
};
$.ajax(settings).done(function (response) {
console.log(response);
});
<?php
$curl = curl_init();
curl_setopt_array($curl, array
(
CURLOPT_URL => 'http://%3Cwp_base_url%3E/wp-json/wp/v2/posts%20',
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => '',
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 0,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => 'POST',
CURLOPT_POSTFIELDS => array('title' => 'Sample Post','status' => 'publish'),
));
$response = curl_exec($curl);
curl_close($curl);
echo $response;
import http.client
import mimetypes
from codecs import encode
conn = http.client.HTTPSConnection("<wp_base_url>")
dataList= []
boundary = 'wL36Yn8afVp8Ag7AmP8qZ0SA4n1v9T'
dataList.append(encode('--' + boundary))
dataList.append(encode('Content-Disposition: form-data; name=title;'))
dataList.append(encode('Content-Type: {}'.format('text/plain')))
dataList.append(encode(''))
dataList.append(encode("Sample Post"))
dataList.append(encode('--' + boundary))
dataList.append(encode('Content-Disposition: form-data; name=status;'))
dataList.append('Content-Type: {}'.format('text/plain')))
dataList.append(encode(''))
dataList.append(encode("publish"))
dataList.append(encode('--'+boundary+'--'))
dataList.append(encode(''))
body = b'\r\n'.join(dataList)
payload= body
headers = {
'Content-type': 'multipart/form-data; boundary={}'.format(boundary)
}
conn.request("POST", "/wp-json/wp/v2/posts ", payload, headers)
res= conn.getresponse()
data = res.read()
print (data.decode("utf-8"))
Follow the steps below to make REST API request using Postman:
a) For Username-Password
Example:
For Username: testuser and password: password@123 the base64 encoded value will be ‘dGVzdHVzZXI6cGFzc3dvcmRAMTIz’
b) For Client ID and Client Secret
Feature DescriptionThis feature allows restricting the REST API access based on the user roles. You can whitelist the roles for which you want to allow access to the requested resource for the REST APIs. So whenever a REST API request is made by a user, his role will be fetched and only allowed to access the resource if his role is whitelisted.
How to configure it?
Note: The Role based restriction feature is valid for Basic authentication(Username: password), JWT method, and OAuth 2.0 (Password grant).
This feature provides an option to choose a custom header rather than the default ‘Authorization’ header.
It will increase the security as you have the header named with your ‘custom name’, so if someone makes the REST API request with a header as ‘Authorization’ then he won’t be able to access the APIs.
How to configure it?
This feature allows you to whitelist your REST APIs so these can be accessed directly without any authentication. Hence all these whitelisted REST APIs are publicly available.
How to configure it?
This feature is available with the Basic Authentication method in which by default the token is encrypted using Base64 encoding technique but with the advanced feature, the token can be encrypted with highly secure HMAC encryption which is
very secure.
Mail us on oauthsupport@xecurify.com for quick guidance(via email/meeting) on your requirement and our team will help you to select the best suitable solution/plan as per your requirement.
Need Help? We are right here!
