As an astute follower of the REST API project may have noticed, authentication with the API has been difficult and incomplete. While cookie authentication solves the issue for JavaScript code running on the site, external sites have a much harder time. In particular, connecting a client to multiple sites is near-impossible, as the distributed nature of WordPress would require registering on every site.

To solve the decentralised registration problem, we’re introducing the Authentication Broker system. Our initial default broker is at https://apps.wp-api.org/ and we’ve published the specification for the system.

Authentication Challenges

There are primarily two challenges when it comes to authentication: the protocol and application discovery.

The protocol we have broadly settled on is OAuth 1, as the simpler OAuth 2 requires HTTPS. OAuth 1 builds in a cryptographic signing process to avoid replay attacks, while OAuth 2 relies on the security provided by SSL/TLS instead. As there are client libraries available for OAuth 1 in virtually every language, the additional cryptography is simple enough to not worry about too much.

The second challenge is application discovery. OAuth
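To make the signing process concrete, here is an added example (not code from the REST API project or the broker) of the OAuth 1 HMAC-SHA1 signature computed by a client and checked by a server, including the nonce and timestamp check that stops a captured request from being replayed. The endpoint URL, keys and secrets are constructed sample values; the base string rules follow RFC 5849.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlsplit

def pct(s):
    # RFC 5849 percent-encoding: only unreserved characters stay bare
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # Normalise the URL (lowercase scheme/host, no query or fragment), merge query
    # and body/oauth parameters, drop oauth_signature, sort by encoded key then value.
    u = urlsplit(url)
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    pairs = list(params.items()) + parse_qsl(u.query, keep_blank_values=True)
    pairs = sorted((pct(k), pct(v)) for k, v in pairs if k != "oauth_signature")
    norm = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(norm)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # Signing key is consumer_secret&token_secret; the MAC covers the whole base string
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def sign_request(method, url, params, consumer_key, consumer_secret,
                 token="", token_secret="", nonce=None, ts=None):
    # Client side: attach the oauth_* parameters and the signature over all of them
    signed = dict(params, oauth_consumer_key=consumer_key, oauth_version="1.0",
                  oauth_signature_method="HMAC-SHA1",
                  oauth_timestamp=str(int(time.time()) if ts is None else ts),
                  oauth_nonce=nonce or secrets.token_hex(8))
    if token:
        signed["oauth_token"] = token
    signed["oauth_signature"] = sign(method, url, signed, consumer_secret, token_secret)
    return signed

class SignatureVerifier:
    """Server side: recompute the signature and reject stale or reused nonces."""
    def __init__(self, consumer_secret, token_secret="", window=300):
        self.consumer_secret, self.token_secret, self.window = consumer_secret, token_secret, window
        self.seen = set()  # (timestamp, nonce) pairs already accepted; bound this to `window` in production

    def verify(self, method, url, params, now=None):
        now = time.time() if now is None else now
        try:
            ts, nonce, provided = int(params["oauth_timestamp"]), params["oauth_nonce"], params["oauth_signature"]
        except (KeyError, ValueError):
            return False
        if abs(now - ts) > self.window or (ts, nonce) in self.seen:
            return False  # outside the freshness window, or a replay of an accepted request
        expected = sign(method, url, params, self.consumer_secret, self.token_secret)
        if not hmac.compare_digest(expected, provided):
            return False  # any change to method, URL or parameters breaks the MAC
        self.seen.add((ts, nonce))
        return True
```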