WordPress REST API OAuth 2.0 Authentication Method

The WordPress REST API OAuth 2.0 authentication method uses the OAuth 2.0 protocol to obtain an access token or ID token, which is then used to authenticate REST API requests. Every request to the API is authenticated against that access/ID token, and access to the requested resource is granted only if the token verifies successfully.

Download And Installation

  • Log into your WordPress instance as an admin.
  • Go to the WordPress Dashboard -> Plugins and click on Add New.
  • Search for the WordPress REST API Authentication plugin and click on Install Now.
  • Once installed click on Activate.

Use Case: How to protect/secure WordPress REST API endpoints using the OAuth 2.0 method.

    1. Password Grant:

    Use Case: Authenticate/protect WordPress REST API endpoints securely using the user credentials obtained on user registration or login into WordPress.

    Suppose you have a login form in your application and want to authenticate the WordPress REST API endpoints on the basis of the user's credentials and capabilities. This method lets you do that securely. It follows the standard OAuth 2.0 flow/protocol, and our plugin acts both as the OAuth 2.0 Identity Provider (server) that issues the access/ID token in response to the token request and as the REST API authenticator that validates REST API requests on the basis of that token.

    2. Client Credentials:

    Use Case: Authenticate/protect WordPress REST API endpoints securely without using user credentials.

    If you do not want to send user credentials in the request that obtains the token, you can opt for this method. It follows the OAuth 2.0 client credentials flow/protocol, and our plugin acts both as the OAuth 2.0 Identity Provider (server) that issues the token and as the REST API authenticator that validates WordPress REST API requests on the basis of that token. Hence it provides a secure way to obtain a token, and that token can then be used to authenticate REST API requests.

  • The flow for WordPress REST API authentication using the OAuth 2.0 method is explained below:
    1. A REST API request is made to our plugin's token endpoint with the appropriate parameters to obtain the token. Our plugin acts as an OAuth 2.0 Identity Provider and issues the access token.

    2. The actual REST API request to access the resource is made with the access token received in the previous step, passed in the Authorization header with token type Bearer. The plugin now acts as the authenticator and validates the API request on the basis of the token's validity. If the token validates successfully, the requester is allowed to access the resource; otherwise an error response is returned.

WordPress REST API OAuth 2.0 using Password Grant:

  • Select your Authentication method → OAuth 2.0, OAuth 2.0 Grant Type → Password Grant and Token Type → Access Token/JWT Token based on your choice, and click on Save Configuration.
  • [Image: WordPress REST API OAuth 2.0 Authentication method]
  • Once you click on Save Configuration, you will get the Client ID, Client Secret and Token Endpoint.
  • Here you would need to make two calls:
  • I : Get the Token

    • To get the access token/JWT token, make an API call to the token endpoint as below:
    • Request: POST https://<domain-name>/wp-json/api/v1/token
      Body:
      grant_type = password
      username = <wordpress username>
      password = <wordpress password>
      client_id = <client id>

    • Using Refresh Token
    • Request: POST https://<domain-name>/wp-json/api/v1/token
      Body:
      grant_type = refresh_token
      refresh_token = <refresh token>

    II : Send API Request

    • Once you have the access_token / id_token, use it to request access to the WordPress REST APIs as shown below:
    • Request: GET https://<domain-name>/wp-json/wp/v2/posts

      Header:
      Authorization: Bearer <access_token / id_token>

    • NOTE: The token above is valid for 1 hour by default. Users have to obtain a token each time they want to request API access.

WordPress REST API OAuth 2.0 using Client Credentials Grant:

  • Select your Authentication method → OAuth 2.0, OAuth 2.0 Grant Type → Client Credentials Grant and Token Type → Access Token/JWT Token based on your choice, and click on Save Configuration.
  • [Image: WordPress REST API OAuth 2.0 Authentication method using JWT]
  • Once you click on Save Configuration, you will get the Client ID, Client Secret and Token Endpoint.
  • Here you would need to make two calls:
  • I : Get the Token

    • To get the access token/JWT token, make an API call to the token endpoint as below:
    • Request: POST https://<domain-name>/wp-json/api/v1/token
      Body:
      grant_type = client_credentials
      client_id = <client id>
      client_secret = <client secret>

    • Using Refresh Token
    • Request: POST https://<domain-name>/wp-json/api/v1/token
      Body:
      grant_type = refresh_token
      refresh_token = <refresh token>

    II : Send API Request

    • Once you have the access_token / id_token, use it to request access to the WordPress REST APIs as shown below:
    • Request: GET https://<domain-name>/wp-json/wp/v2/posts

      Header:
      Authorization: Bearer <access_token / id_token>

    • NOTE: The token above is valid for 1 hour by default. Users have to obtain a token each time they want to request API access.
  • Check out the developer documentation for more details.
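The two-call flow described in both sections above (password grant and client credentials grant, plus refresh and the Bearer request), written as a small client. This is an added example, not code from the plugin or its documentation; the URLs keep the page's `<domain-name>` placeholder, the token-endpoint response fields (`access_token`, `refresh_token`, `expires_in`) are assumed to follow the standard OAuth 2.0 token response, and the `transport` hook is an assumption that lets the client be exercised offline against a fake endpoint.

```python
import json, time, urllib.error, urllib.parse, urllib.request

TOKEN_URL = "https://<domain-name>/wp-json/api/v1/token"  # placeholders from the page: replace
POSTS_URL = "https://<domain-name>/wp-json/wp/v2/posts"   # <domain-name> with your WordPress host

def http_transport(method, url, headers, body):
    # Real transport returning (status, body bytes) even for 4xx/5xx; tests inject a fake one.
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=body, headers=headers, method=method)) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()

class WpOAuthClient:
    # Call I: obtain a token from the plugin's token endpoint; call II: send it as a Bearer header.
    def __init__(self, client_id, client_secret=None, transport=http_transport):
        self.client_id, self.client_secret, self.transport = client_id, client_secret, transport
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def _token_request(self, fields):
        body = urllib.parse.urlencode(fields).encode()
        status, raw = self.transport("POST", TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, body)
        if status != 200:
            raise PermissionError(f"token endpoint returned HTTP {status}")
        tok = json.loads(raw)
        self.access_token = tok["access_token"]
        self.refresh_token = tok.get("refresh_token", self.refresh_token)
        # Tokens last 1 hour by default; renew 60 s early so a request never carries a stale one.
        self.expires_at = time.time() + int(tok.get("expires_in", 3600)) - 60
        return tok

    def password_grant(self, username, password):
        return self._token_request({"grant_type": "password", "username": username,
                                    "password": password, "client_id": self.client_id})

    def client_credentials_grant(self):
        return self._token_request({"grant_type": "client_credentials",
                                    "client_id": self.client_id, "client_secret": self.client_secret})

    def refresh(self):
        return self._token_request({"grant_type": "refresh_token", "refresh_token": self.refresh_token})

    def get(self, url=POSTS_URL):
        if time.time() >= self.expires_at and self.refresh_token:
            self.refresh()  # renew with the refresh token instead of re-sending credentials
        status, raw = self.transport("GET", url, {"Authorization": f"Bearer {self.access_token}"}, None)
        if status in (401, 403):
            raise PermissionError(f"REST API rejected the token (HTTP {status})")
        return json.loads(raw)
```

With the real transport, `WpOAuthClient("<client id>").password_grant(user, pw)` followed by `.get()` performs calls I and II exactly as the page lists them; a 401/403 from the authenticator surfaces as `PermissionError` rather than as silently empty data.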

Postman Samples:

  • OAuth 2.0 Password Grant method:
    • Sample request to obtain the token:
      • You can download the Postman request sample from here.
      • Extract the zip file and import the extracted JSON file into the Postman application.
      • [Image: WordPress REST API OAuth 2.0 Authentication method postman implementation]
      • Example: [Image: WordPress REST API OAuth 2.0 Authentication method postman replace url actual resource]
    • Sample request format to request resources using the token obtained in the last step:
      • You can download the Postman request sample from here.
      • Extract the zip file and import the extracted JSON file into the Postman application.
      • [Image: WordPress REST API OAuth 2.0 Authentication method postman implementation]
      • Example: [Image: WordPress REST API OAuth 2.0 Authentication method postman replace url actual resource]
  • OAuth 2.0 Client Credentials Grant method:
    • Sample request to obtain the token:
      • You can download the Postman request sample from here.
      • Extract the zip file and import the extracted JSON file into the Postman application.
      • [Image: WordPress REST API OAuth 2.0 Authentication method postman implementation]
      • Example: [Image: WordPress REST API OAuth 2.0 Authentication method postman replace url actual resource]
    • REST API request to obtain the actual resource:
      • You can download the Postman request sample from here.
      • Extract the zip file and import the extracted JSON file into the Postman application.
      • [Image: WordPress REST API OAuth 2.0 Authentication method postman implementation]
      • Example: [Image: WordPress REST API OAuth 2.0 Authentication method postman url actual resource]

Need Help?

Mail us on oauthsupport@xecurify.com for quick guidance (via email/meeting) on your requirement, and our team will help you select the most suitable solution/plan for it.
