OAuth 2.0 is the most widely adopted method for authenticating access to APIs. It allows an external application to be authorized without the user handing their email address or password to that application. The WordPress REST API OAuth 2.0 Authentication method uses an OAuth 2.0 protocol flow to obtain an access token or ID token (a JWT), and that token is then used to authenticate requests to the WordPress REST API endpoints. Each time a request is made to a WordPress REST API endpoint, it is authenticated against that access token/ID token (JWT) presented as the API Bearer token, and access to the requested resource is granted only if the token verifies.
The token issued by the OAuth 2.0 Authentication method is highly encrypted and secure, so security is not compromised. It is the most secure method to authenticate and protect WordPress REST API endpoints. It is similar to the JWT authentication method but considerably more secure because of the benefits of the OAuth 2.0 protocol.
Use Case: Register WordPress users, or authenticate/log in users in external platforms based on their WordPress credentials, via the WordPress REST API
Suppose you have a login form in your application and want to authenticate the user against their WordPress login credentials; the OAuth 2.0 Authentication in REST API method helps you achieve that. The plugin provides a WordPress login API: you pass the user's WordPress credentials to this API and, based on the validation, receive the authentication result in the response.
Implementing the OAuth 2.0 Authentication in REST API method can also be used to register users in WordPress using the credentials of a WordPress administrator. Using the plugin's OAuth 2.0 token endpoint, you pass the credentials of a WordPress user with administrator capabilities, so that the generated token carries admin capabilities and can be used for operations that require administrative privileges, such as user registration. Once you have the token, you can use it with the WordPress '/users' API to register users via a REST API request.
Use Case: Authenticate/protect WordPress REST API endpoints securely, or register users in WordPress without using admin user credentials.
If you want to access the WordPress REST API without passing WordPress user credentials, or want to register users in WordPress securely without passing the credentials of a WordPress admin user and instead pass the client credentials provided by the plugin, then this method is the ideal solution, since no user credentials can be compromised.
The plugin acts both as an OAuth 2.0 Identity Provider (server), which issues the token, and as the REST API authenticator, which authenticates requests to these WordPress REST API endpoints on the basis of that token. It therefore secures both obtaining the token and using it to authenticate REST API requests.
1. A REST API request is made with the appropriate parameters to our plugin's token endpoint. The plugin acts as an OAuth 2.0 Identity Provider and issues the access token.
2. The actual REST API request for the resource is made with the access token from the previous step passed in the Authorization header with token type Bearer. The plugin now acts as the authenticator and validates the token; if validation succeeds the requester is allowed to access the resource, otherwise an error response is returned.
Related Use Cases:
1. Refresh Token - Enable this option if you want to receive a refresh token along with the access token or JWT in the token endpoint response. With the refresh token you can regenerate the access token/JWT, which is meant to expire shortly for better security.
A sample of regenerating the access token/JWT from a refresh token using the refresh token grant is shown further below.
2. Revoke Token - Enable this option if you want to be able to revoke an existing access token/JWT, making it invalid so it can no longer authenticate WP REST API requests.
With the plugin setup complete, the following section shows how the access token/JWT is actually obtained and then used to access the WordPress REST APIs.
a) OAuth 2.0 Password Grant method:

Request: POST https://<domain-name>/wp-json/api/v1/token
Body:
grant_type=password
&username=<wordpress username>
&password=<wordpress password>
&client_id=<client id>

Sample curl Request Format:
curl -d "grant_type=password&username=<wordpress_username>&password=<wordpress_password>&client_id=<client_id>" \
     -X POST https://<wp_base_url>/wp-json/api/v1/token

Regenerating the access token/JWT with the refresh token grant:

Request: POST https://<domain-name>/wp-json/api/v1/token
Body:
grant_type=refresh_token
&refresh_token=<refresh token>
&client_id=<client id>
&client_secret=<client secret>

Sample curl Request Format:
curl -d "grant_type=refresh_token&refresh_token=<refresh_token>&client_id=<client_id>&client_secret=<client_secret>" \
     -X POST https://<wp_base_url>/wp-json/api/v1/token

b) OAuth 2.0 Client Credentials Grant method:

Request: POST https://<domain-name>/wp-json/api/v1/token
Body:
grant_type=client_credentials
&client_id=<client id>
&client_secret=<client secret>

Sample curl Request Format:
curl -d "grant_type=client_credentials&client_id=<client_id>&client_secret=<client_secret>" \
     -X POST https://<wp_base_url>/wp-json/api/v1/token

The refresh token grant request for this method is the same as the one shown under a).

c) REST API request to obtain the actual resource:

Request: GET https://<domain-name>/wp-json/wp/v2/posts
Header: Authorization: Bearer <access_token/id_token>
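As an added example (not the plugin's own code), a small Python client that drives the flow above: it posts the password grant body to /wp-json/api/v1/token, sends the returned token as a Bearer header to /wp-json/wp/v2/posts, and regenerates it with the refresh token grant once expires_in has passed. The WPOAuthClient and fake_wordpress names, the token values and the JSON response shape (access_token, refresh_token, expires_in) are assumptions; check them against the plugin's real response.

```python
import json
import time
import urllib.parse

TOKEN_PATH = "/wp-json/api/v1/token"  # the plugin's token endpoint shown above


def fake_wordpress(method, url, body, headers):
    # Constructed stand-in for the plugin so this runs offline; a live transport would use urllib.request.
    if url.endswith(TOKEN_PATH):
        f = urllib.parse.parse_qs(body.decode())
        if f.get("grant_type") == ["password"] and f.get("password") == ["s3cret"]:
            return 200, '{"access_token":"AT1","refresh_token":"RT1","expires_in":3600}'
        if f.get("grant_type") == ["refresh_token"] and f.get("refresh_token") == ["RT1"]:
            return 200, '{"access_token":"AT2","refresh_token":"RT2","expires_in":3600}'
        return 400, '{"error":"invalid_grant"}'
    if headers.get("Authorization") in ("Bearer AT1", "Bearer AT2"):
        return 200, '[{"id":1,"title":{"rendered":"Hello world!"}}]'
    return 401, '{"code":"rest_forbidden"}'


class WPOAuthClient:
    def __init__(self, base_url, client_id, client_secret, transport, clock=time.time):
        self.base, self.client_id, self.client_secret = base_url.rstrip("/"), client_id, client_secret
        self.transport, self.clock, self.tok, self.expires_at = transport, clock, {}, 0.0

    def grant(self, **fields):
        # POST the form body from the curl examples (password, client_credentials or refresh_token)
        body = urllib.parse.urlencode({"client_id": self.client_id, **fields}).encode()
        status, text = self.transport("POST", self.base + TOKEN_PATH, body,
                                      {"Content-Type": "application/x-www-form-urlencoded"})
        if status != 200:
            raise RuntimeError(f"token endpoint returned {status}: {text}")
        self.tok = {**self.tok, **json.loads(text)}  # keeps the old refresh_token if none is returned
        self.expires_at = self.clock() + int(self.tok.get("expires_in", 0)) - 30  # renew 30 s early
        return self.tok["access_token"]

    def get(self, path):
        if self.clock() >= self.expires_at and "refresh_token" in self.tok:  # expired: refresh grant
            self.grant(grant_type="refresh_token", refresh_token=self.tok["refresh_token"],
                       client_secret=self.client_secret)
        return self.transport("GET", self.base + path, None,
                              {"Authorization": "Bearer " + self.tok["access_token"]})


def demo():
    now = [1000.0]  # injected clock so the expiry path can be exercised offline
    c = WPOAuthClient("https://example.test", "cid", "csecret", fake_wordpress, lambda: now[0])
    first = c.grant(grant_type="password", username="alice", password="s3cret")
    status1, _ = c.get("/wp-json/wp/v2/posts")
    now[0] += 4000  # past expires_in, so the next call must refresh before it hits /posts
    status2, _ = c.get("/wp-json/wp/v2/posts")
    return first, status1, c.tok["access_token"], status2
```

demo() returns the first access token, the status of the first /posts call, the token in use after the refresh, and the status of the second call.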
This feature restricts REST API access based on user roles. You can whitelist the roles that are allowed to access the requested resource through the REST APIs. Whenever a REST API request is made by a user, the user's role is looked up and access to the resource is granted only if that role is whitelisted.
How to configure it?
Note: The role-based restriction feature applies to Basic authentication (username:password), the JWT method, and OAuth 2.0 (password grant).
This feature lets you choose a custom header name instead of the default 'Authorization' header.
It increases security because the token must be sent in a header with your custom name, so a REST API request that carries the token in an 'Authorization' header will not be able to access the APIs.
How to configure it?
This feature lets you whitelist REST APIs so they can be accessed directly without any authentication. All whitelisted REST APIs are therefore publicly available.
How to configure it?
This feature applies to the JWT and OAuth 2.0 methods, which use time-based tokens to authenticate the WordPress REST API endpoints. It lets you set a custom expiry for the tokens; once a token expires it is no longer valid.
How to configure it?
Mail us at apisupport@xecurify.com for quick guidance (via email or a meeting) on your requirement, and our team will help you select the most suitable solution/plan.