OAuth support #102
Comments
|
@CaptainN OAuth isn't currently supported by this library -- the basic process, if I understand it (and I'll be honest, I've never used OAuth successfully without confusion) is that you'd use the plugin to generate a key, then we'd need to add a facility to this API to make a request with that key to get the token used to authenticate. It's definitely something I'd like to add, but I haven't had the time to get to it yet and adding media support (and more robustly supporting/testing against the WP-API 2.0 betas) are the priorities right now. If you've got OAuth experience, or interest, I'd love to get some help putting this in though |
|
I doubt anyone has used OAuth without confusion :) I've managed to get OAuth working though, so I should be able to help out |
|
@mzalewski if you're interested, that would be excellent in the extreme! |
|
Getting there slowly, I've got OAuth 1.0a working now. The only issue is that it requires user/browser authorization, so haven't quite figured out the best way to handle that. At the moment, I'm assuming that part will be done by the time the API is called so we already have an access token - but I have example code that does the actual authentication. I'm planning to push it up tomorrow anyway so I'll let you know when it's up |
|
👍 |
|
I've added OAuth 1.0A support to my fork here: I'm not 100% happy with it yet, but should hopefully give everyone a basic understanding of the direction I'm going. I've added some example code to the readme, so (hopefully) should be easy to understand if anyone wants to try it out |
|
Thanks, @mzalewski , I will check it out next week. I appreciate your sharing your efforts! |
|
I discussed the currently-supported OAuth flows with @rmccue today in slack; transcript below
|
|
That server-side plugin sounds interesting, would you consider that? oAuth 2.0 appears offer a few more options though - combined with the oAuth 2 plugin on WP.org (https://wp-oauth.com/knowledge-base/grant-types/), it might be possible to connect via oAuth without requiring a redirect. |
|
What about simply exposing a way to hook into the Auth function and passing off authentication to third-party code/modules? It could be the easiest option given the number of possible uses of this plugin (eg: web-based, desktop, library) |
|
Oauth support's the most common question we've gotten, so ideally I'd like to have something set up within the package itself. Lots of ways to move toward that, though! I finally reviewed the implementation you linked to, it's interesting -- could you walk me through the process of using it within your application's code? |
|
@mzalewski forgot to respond to the other part of your comment: I would 100% be interested in an add-on to provide https://wp-oauth.com/ compatibility for this client library, but I'm hesitant to implement support for a non-WP-native, paid plugin into the core wordpress-rest-api package. I feel it would be better to hold out for the core-passwords team's app passwords, or to investigate writing a companion WP plugin to extend the 1.0a server to give access to the node client in the way discussed in the chat above. |
|
Fair enough - it definitely makes sense to support the official WP authentication methods out of the box. I'm happy to walk through my fork, but it's been a pretty busy week - I'll free up some time to go through it properly within the next 1-2 days I'll give a basic overview (from memory): Both Client ID and Client Secret are required parameters and are configured in WP. These, along with the oAuth URLs provided by the API, are used to construct an OAuth object ( new WP.OAuth ) oauth.getAuthorizeUrlSends a request WP API and receives a "request" token which is used to sign the Authorize URL (URL provided to promise callback). User RedirectThe User is then required to log in on the site at the provided URL oauth.getAccessTokenThe getAccessToken function can then be used by passing the OAuth Token and verification code. This function is responsible for sending the access/verify tokens to the server, and finally receiving an authenticated token. Once we have that authenticated token, it is stored for future use and will be used to authenticate outgoing requests. It uses the OAuth Node (node-oauth) library behind the scenes, so the documentation there may help - the code I've written simply wraps node-oauth and attempts to integrate it into your functions. Hopefully that helps understand what I've done. I also came across this while working on it: http://passportjs.org/ - It doesn't solve any of the issues around redirecting users, but from what I can tell it is a popular library for working with oAuth and could possibly save a lot of time? |
|
Sorry if it's confusing, even I am having trouble reading what I've just written. |
|
@mzalewski no problem whatsoever, I appreciate it. I'm going to have some concerted time to work on this in conjunction with the WP-API team at the feelingrestful.com event next week, so if you get a chance to go through it in more detail by Wednesday or so that'd be very helpful; but as time permits this weekend or on the flight I'll take what you've given me already and see what I can make of it! Thanks a ton. |
|
Ok great - looks like it'll be a great event :) I'll definitely put some On Thu, Jan 21, 2016 at 4:51 PM, K.Adam White [email protected]
|
|
Sorry - hope I'm not too late.. Here is a basic overview of the process (found on another site). The dashed lines represent server-to-server communication, and the solid lines are user/browser redirects. I'll go through the steps in the image and try to match it up with the code I added. Step B: The user must navigate to the signed URL generated in Step A - either by redirect, or manual browser navigation. Step C: The server (WP) will verify the Request token and generate a verification Token Step D: Now we have a verification Token, it needs to be passed back to the Node App - either by redirect, or by asking the user to copy+paste it. Step E: oauth1.getAccessToken will use the verification token to ask the server for an Access Token. Step F+: Access Token is granted by the server and is used to sign all future requests. |
|
I've also updated my repository with 2 examples (examples folder) - one is an express app which will redirect the user to WP to obtain authorization, the other asks the user to copy and paste URLs/tokens via the console |
|
I wanted to stop by and put in 2 cents! I am going to be putting a full strip down native WP version of WP OAuth Server which will be a bare bones server with no license or paid version. DB Structure will be merged to handle consumers just as the OAuth1.0a plugin does. I am open for helping out where I can. |
|
Tagging https://github.com/joehoyle/wordpress-rest-api-oauth-1 as a potential source of inspiration or code for this situation |
|
Picked this back up today and wrote this script, which (if combined with the fix in WP-API/OAuth1#155) will follow the out-of-band three-legged OAuth1.0a flow to get the verification code needed to authorize requests. It is the starting point for further work to actually sign the requests within WPRequest. A challenge for OAuth handling is going to be how we can design the transport/library seam to make the code library-independent; that may be out of scope for 1.0 however. 'use strict';
var opn = require( 'opn' );
var prompt = require('prompt');
var OAuth = require( 'oauth' );
var oauth = new OAuth.OAuth(
// reqURL
'http://wpapi.loc/oauth1/request',
// accessURL
'http://wpapi.loc/oauth1/access',
// Key
'OL5EIwSTQyPr',
// Secret
'YDBGBezQPDd51DwDIDhBfrYeSOUJqCQwcHwRnVYebGAmFtU1',
// Version
'1.0A',
// authorize_callback (null in example)
'oob',
// Signature method
'HMAC-SHA1'
// nonceSize
// customHeaders
);
// console.log( auth );
function getRequestToken() {
return new Promise( ( resolve, reject ) => {
oauth.getOAuthRequestToken(function( err, token, secret, results ) {
if ( err ) {
return reject( err );
}
console.log( results );
resolve({
token: token,
secret: secret
});
});
});
}
function getAccessToken(config) {
return new Promise( ( resolve, reject ) => {
oauth.getOAuthAccessToken( config.token, config.secret, config.verifier, function( err, token, secret, results ) {
if ( err ) {
return reject( err );
}
resolve({
token: token,
secret: secret
});
});
});
}
getRequestToken()
.then(function(config) {
opn(`http://wpapi.loc/oauth1/authorize?oauth_token=${config.token}&oauth_callback=oob`);
prompt.start();
return new Promise( ( resolve, reject ) => {
prompt.get([
'verifier'
], ( err, result ) => {
if ( err ) {
return reject( err );
}
resolve({
token: config.token,
secret: config.secret,
verifier: result.verifier
});
});
});
})
.then(function( config ) {
console.log( config );
return getAccessToken( config );
})
.then(function( result ) {
console.log( result );
})
.catch( err => console.error( err ) ); |
|
Related reading:
|
|
Great - If we can handle leg 1/3 without user interaction, is making leg 2 pluggable an option, defaulting to OOB/prompt? eg: https://gist.github.com/mzalewski/2b2ff2de0d88a5c3194c407b796695df What are the main issues you're having?
Unless I misunderstood what you meant, wouldn't it be easier to just focus on superagent since it's used by the rest of the library anyway (assuming the library will be handling leg1/3 behind the scenes). It isn't required in the second leg (where the user will need to perform the authorization) so shouldn't make any difference to users? |
|
@kadamwhite @mzalewski This is exactly what I needed. We have moved from basic to oauth on our Wordpress domain. Please help me out in implementing the above. |
|
@shiva-avula-nuk Basically, what you need is an Access Token. Once you have that, you can sign requests via the Auth HTTP header. The main issue is: to get that OAuth Access token, there 3 legs/processes we have to go through and the second one requires user interaction (from a user that has authorized access to WP). As this is a UI/platform agnostic JS library, it's (almost?) impossible to handle that 2nd leg in a way that makes sense in all scenarios. Start with the code that @kadamwhite posted: #102 (comment) - that'll get you the access token. Then you can start signing requests - I've been meaning to get back into WP API stuff again, so I'll post a blog post over the weekend that should hopefully give some ideas. |
|
@mzalewski Looked at the code, but did not execute yet. However I already have all the credentials required for Wordpress API, all I need is to make WP to use those OAuth credentials in making API call to Wordpress API. What is the easiest way to implement this ? |
|
Apologies for the delay on this, been pretty heads-down on working on the underlying API itself—as we come up for air this is the next priority. One open question is what interface is most useful for navigating through the initial three-legged handshake, from supplying the initial token and secret, to getting the URL (to open or to redirect to), to then provide a path to capture the returned values from the callback or the OOB flow. If you have methods or flows you are using that are working for you, please share them! |
|
Hey, I've been following this thread for the suggestions people have been making. I've actually been working on my own Python OAuth1a 3leg flow client, and it works! (sort of) I've managed to succesfully bypass getting the user to type their password in by using a scraper to fill in the form automatically, and I can succesfully grab access tokens from the site and authenticate requests! Unfortunately there's something up with Wordpress' implementation of the server and how it expects you to sign query parameters which is different from the spec I'm using (RFC 5849) so query parameters like ?page=2 don't work with authenticated requests yet but i'm working on a fix. Check out the OAuth_3Leg class in oauth.py to see how I did the automated user authentication and let me know what you think! https://github.com/derwentx/wp-api-python |
|
@derwentx Let me know if you solve the query parameter thing. Does adding "?context=edit" work? @Script-Shiva - I've got an implementation that seems to work ok here (though I've only done very basic testing). It completely overrides the http transport. Unfortunately I couldn't find another way to do it (without modifying node-wpapi source). So, basically a hacky workaround until OAuth support is added to the node-wpapi library. It also only does the signing of requests - it assumes that the access token has already been generated. |
|
@kadamwhite Here are a few examples of some possible interfaces/workflows. The first requires OAuth-specific methods to be built into node-wpapi (which I think was your preferred option?) The other 2 simply allow an authentication handler to be injected, but ends up being slightly cleaner since node-wpapi doesn't need to worry about the verification. I think the best option might be a combination of 1 and 3 (ie: built-in, but allow overriding via oauthHandler) - I'm happy to get some basic implementation going in a fork, but figured I should get an idea of the direction you want to go first. https://gist.github.com/mzalewski/eaccd40e048102712af76dacac742415 |
|
Decided to try getting an implementation going anyway, basically combines the three-legged OAuth1.0a flow gist with the architecture/pattern used by the httpTransport functions https://github.com/mzalewski/node-wpapi/tree/oauth-option-1 Comparison: |
|
Thanks Matthew, I managed to get a totally working implementation of oauth 3 leg which automatically generates the access token if you don't have it. I just had some bug in the sorting algorithm somewhere :P It's all up and ready to try out if you want to give it a go!
|
|
Couldn't be possible to simply inject access token, if we used Passport as Express Middlware ? |
|
@ludoo0d0a Currently, your best (probably only) option is to write a new http transport (eg: https://github.com/mzalewski/wpapi-oauth-example-transport) Bear in mind that the example above doesn't cover redirects (ie: auth is lost when redirected from users/me to users/1) Hopefully we'll see some support built in soon, but I imagine things are pretty hectic with the 4.7 release coming up Any code you manage to come up with would be helpful too :) |
|
@derwentx Interesting approach, so it basically handles the auth step/submits the form for the user? How does the user specify their username/password? (Sorry, not that familiar with python :)) |
|
@mzalewski yep, that's right, it's the same way that you specify the consumer_token and consumer_secret. They are passed as arguments to the oauth constructor. If people actually end up using my client I'll probably find some way of storing the oauth token locally on disk so that it persists through multiple sessions and so that the password is only needed once, to generate the token, then while the token is valid it just re-uses the old one |
|
I tried to introduce oauth2 in @mzalewski http transport. |
|
If you're using the official OAuth plugin, note that it is OAuth 1.0a, not OAuth 2.0. |
|
Sure, but I use a real oauth2 : https://fr.wordpress.org/plugins/oauth2-provider/ |
|
Could anyone give some input in #312? @mzalewski You mentioned that getting the token is the hard part (which I've managed). How would I then go about signing the requests with the jwt? |
|
I'd like to use this library in a client application for making REST API calls to a WP instance (add, update, delete). To do this I need to use Basic authorization or OAuth in the client application to authorize REST API calls, correct? Seeing this issue is open what is the recommended path forward? |
Hi!
What's involved with making oauth work (either oauth1, for which there is a WP API plugin plugin, or OAuth 2 for which there is a standalone plugin) with this plugin instead of standard HTTP authentication?
Kevin N.
The text was updated successfully, but these errors were encountered: