Trouble authenticating Android http request to WordPress

I have a WordPress site that uses auth0 for authentication. There is
also an accompanying Android app that uses auth0. The two of them share
a single auth0 client whose type is Native. The WP site and Android app are each
able to log users on correctly. But when the Android app sends an HTTP REST
request to the WordPress site, it fails to authenticate. The Android app
is generating a JWT id token that looks correct. The WordPress site is using
wp-json via the extensible WP REST API now in WordPress. The JWT plug-in is
installed. I have confirmed that the authentication header is passed through.

But the WP site requires authentication using the rest_authentication_errors
hook, and is_user_logged_in() is returning false.

add_filter( 'rest_authentication_errors', function( $result ) {
    // Another authentication method already produced a result: keep it.
    if ( ! empty( $result ) ) {
        return $result;
    }
    // No user resolved for this request: reject it with a 401.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'You are not currently logged in.',
            array( 'status' => 401 ) );
    }
    return $result;
} );

These same errors happen if I generate a request with the Authorization: Bearer
filled out and send it via either curl or Postman.

Do you have any idea what I’ve done wrong? Thanks for your help.

There are a couple of things to consider here, in particular:

  • the Android (native) application should not be sharing a client identifier with the WordPress (web) application. They have different characteristics and capabilities when it comes to performing OIDC/OAuth2 grants, so they should use separate clients. The Android application should use one whose client type is Native and WordPress should use one whose client type is Regular Web Application.
  • it seems that you’re using the ID token received by the Android client application as a means to try to authorize a REST call to the WordPress API. If true, then this is incorrect; see https://auth0.com/docs/api-auth/why-use-access-tokens-to-secure-apis for more information.

With the above in mind, and assuming you enabled the WordPress REST API and then proceeded to install a plugin that validates calls to the REST API by validating a JWT, there are a few more things to consider:

  • the WordPress instance is now acting as a client application (the web application you can access through the browser) and also as a resource server (the REST API). In terms of OAuth 2.0 these have very different implications, which means the WordPress instance should be represented in Auth0 both as a client application in the Clients section and as a resource server in the APIs section.
  • the plugin you install to process the JWT needs to be able to process JWT access tokens issued by Auth0. Keep in mind that the WordPress Auth0 plugin is meant for end-user authentication and not for API authorization, so to my knowledge you would need a separate plugin.

From a quick look at the documentation for the WordPress REST API we could be inclined to try this JWT plugin, but looking at the description of that plugin it seems it would only be able to consume JWT access tokens that were issued by the same plugin. That is, the plugin is acting as what could be compared to an OAuth 2.0 authorization server that issues the tokens based on the end-user credentials, and that specific token can then be used to call the REST API.

The plugin landing page also has an example JWT issued by the plugin which exhibits the following payload:

{
  "iss": "http://jwt.dev",
  "iat": 1438571050,
  "nbf": 1438571050,
  "exp": 1439175850,
  "data": {
    "user": {
      "id": "1"
    }
  }
}

The data claim is a proprietary claim and not a standard one, so you would not be able to have a JWT access token issued by Auth0, in association with a resource server you registered in the APIs section, contain a similar structure. In conclusion, although I don’t have much knowledge of the WordPress REST API, it seems there’s a missing piece that would be required to meet your requirements: a JWT authorization plugin that would translate an Auth0-issued access token into what the WordPress REST API is expecting (I did a quick search, but could not find a suitable plugin for this task).
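As an added illustration of the "missing piece" described above (example code written for this page, not code from the question, the answer, Auth0 or any WordPress plugin), the following sketch of a small must-use plugin verifies an Auth0-issued RS256 access token on REST requests and maps its standard `sub` claim to a WordPress user, so that the `is_user_logged_in()` check in the question's `rest_authentication_errors` hook would pass. It assumes three hypothetical constants in wp-config.php (AUTH0_ISSUER, AUTH0_API_AUDIENCE, AUTH0_PUBLIC_KEY_PEM, the last being the tenant signing key as PEM) and a hypothetical user meta key `auth0_sub` holding each user's Auth0 subject; the audience check is what distinguishes an API access token from the ID token the Android app was sending.

```php
<?php
// Added example: verify an Auth0 access token and resolve it to a WP user.
// Assumed (hypothetical) constants: AUTH0_ISSUER, AUTH0_API_AUDIENCE, AUTH0_PUBLIC_KEY_PEM.

function auth0_b64url_decode( $s ) {
    $pad = str_repeat( '=', ( 4 - strlen( $s ) % 4 ) % 4 );
    return base64_decode( strtr( $s, '-_', '+/' ) . $pad );
}

// Returns the verified payload array, or null if any check fails.
function auth0_verify_access_token( $jwt ) {
    $parts = explode( '.', $jwt );
    if ( count( $parts ) !== 3 ) {
        return null;
    }
    list( $h, $p, $s ) = $parts;
    $header  = json_decode( auth0_b64url_decode( $h ), true );
    $payload = json_decode( auth0_b64url_decode( $p ), true );
    // Accept only RS256; never let the token's own "alg" pick a weaker scheme.
    if ( ! is_array( $header ) || ! is_array( $payload ) || ( $header['alg'] ?? '' ) !== 'RS256' ) {
        return null;
    }
    $ok = openssl_verify( "$h.$p", auth0_b64url_decode( $s ), AUTH0_PUBLIC_KEY_PEM, OPENSSL_ALGO_SHA256 );
    if ( 1 !== $ok ) {
        return null;
    }
    if ( ( $payload['iss'] ?? '' ) !== AUTH0_ISSUER ) {
        return null;
    }
    // An ID token carries the client id as "aud"; an access token for this
    // resource server carries the API identifier registered in the APIs section.
    $aud = (array) ( $payload['aud'] ?? array() );
    if ( ! in_array( AUTH0_API_AUDIENCE, $aud, true ) ) {
        return null;
    }
    if ( ( $payload['exp'] ?? 0 ) <= time() ) {
        return null;
    }
    return $payload;
}

// WordPress consults this filter whenever the current user is resolved,
// including inside the REST API's authentication step.
add_filter( 'determine_current_user', function ( $user_id ) {
    if ( $user_id ) {
        return $user_id; // cookie/other auth already identified the user
    }
    $auth = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
    if ( 0 !== stripos( $auth, 'Bearer ' ) ) {
        return $user_id;
    }
    $payload = auth0_verify_access_token( trim( substr( $auth, 7 ) ) );
    if ( ! $payload || empty( $payload['sub'] ) ) {
        return $user_id; // leave unauthenticated; the 401 hook above rejects it
    }
    $ids = get_users( array( 'meta_key' => 'auth0_sub', 'meta_value' => $payload['sub'],
        'number' => 1, 'fields' => 'ID' ) );
    return $ids ? (int) $ids[0] : $user_id;
}, 20 );
```

Some Apache/PHP configurations do not expose the Authorization header in `$_SERVER['HTTP_AUTHORIZATION']` at all, which would make every request look anonymous regardless of the token; confirm the header actually reaches PHP before debugging the token itself.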