This is a follow up to a post from earlier today about authenticating a REST call in WordPress that comes from an Android app.
Short question first: I added some logging, and I think the Android app is sending
an RS256 token, but the WP side requires an HS256 token. I switched the auth0
client on the dashboard, but the Android app is still getting tokens in the RS256 encoding.
Is there something more I need to do?
Longer treatise follows: I decided to write up everything I've learned over the
past 5 days into a form that might help the next person. Since I've been stumbling
through in the dark, though, some of this might be wrong. However, if it seems helpful
to you, please feel free to improve your documentation.
Thanks!
Troubleshooting REST API authorization HTTP calls in WordPress
This is specifically for HTTP requests coming from an external source
(e.g., a mobile app) and being received in WordPress. If it's not working for you,
check through these possible failure points. This is the process I've gone
through, and while it hasn't worked for me yet, maybe it will save a little time
for the next person.
- Do you have the WordPress auth0 plug-in installed?
- Do you have the auth0 JWT plug-in installed? Install it and let it set itself up automatically
using the auth0 plug-in installed in the previous step.
- Does your API use wp-json or the old wp-admin/admin-ajax? If it is not using wp-json,
you will need to switch it over. See REST API Handbook | WordPress Developer Resources.
- Is the caller of your API getting a JWT and adding it to the HTTP request using
the Authorization header (i.e. what in curl would be
-H "Authorization: Bearer <token>")?
- On the WordPress side, are the headers of the HTTP request getting stripped out? You can
see whether they are stripped by adding this code (for instance, to functions.php):
add_filter( 'rest_pre_dispatch', 'prefix_show_request_headers', 10, 3 );
function prefix_show_request_headers( $result, $server, $request ) {
    // Log the headers WordPress actually received. error_log() is a PHP built-in,
    // so this works even when no write_log() helper is defined.
    error_log( print_r( $request->get_headers(), true ) );
    // Return $result unchanged: returning anything else from rest_pre_dispatch
    // short-circuits dispatch and replaces the real REST response.
    return $result;
}
If they are being stripped out, you will need to figure out why and fix it, possibly
by updating your .htaccess file in the wp directory and adding this line:
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
I really know nothing about this, so take this point in particular with some
consideration.
- Is the auth0 client you are using configured to sign tokens with HS256 or RS256?
The WordPress JWT plug-in only supports HS256, so you may need to switch the setting
in the Client on the auth0 website.
- When all else fails, add some logging to the JWT plug-in to see why it is failing. See the
file in the plugins directory wp-jwt-auth/lib/php-jwt/Authentication/JWT.php. Find the
function decode, which for me is on line 44. Instrument it with calls to error_log.
Does it get a token? Does the token get discarded somewhere along the way because of
some problem? If so, add logging to each of the throw instructions to figure out which
one it was.
- Are you requiring REST authentication in WordPress? You can require it for your
entire API with this hook:
/* Require authentication for REST calls.
   See: Authentication | REST API Handbook | WordPress Developer Resources
*/
add_filter( 'rest_authentication_errors', function( $result ) {
    // Another handler already produced an error (or a true result): leave it alone.
    if ( ! empty( $result ) ) {
        return $result;
    }
    // No authenticated user on this request: reject with 401.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'You are not currently logged in.', array( 'status' => 401 ) );
    }
    return $result;
} );
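To check the HS256-versus-RS256 point above without instrumenting the plug-in, here is a small added Python script (not from the original post or the auth0 plug-ins) that decodes a JWT's header and claims without verifying it and reports why an HS256-only verifier would reject it. The sample tokens, the dummy secret and the issuer URL are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def inspect_jwt(token: str) -> dict:
    """Decode header and claims WITHOUT verifying the signature.
    Use only to see what the caller sent (alg, iss, exp), never to trust it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return {"alg": header.get("alg"), "typ": header.get("typ"), "claims": claims}

def diagnose(token: str, expected_alg: str = "HS256", now=None) -> list:
    """Reasons an HS256-only verifier (like the WordPress JWT plug-in) would reject this token."""
    now = int(time.time()) if now is None else now
    info = inspect_jwt(token)
    problems = []
    if info["alg"] != expected_alg:
        problems.append(f"alg is {info['alg']}, verifier expects {expected_alg}: "
                        "switch the auth0 client's signing algorithm")
    exp = info["claims"].get("exp")
    if exp is not None and exp < now:
        problems.append(f"token expired at {exp} (now {now})")
    return problems

def make_sample_token(alg: str, claims: dict) -> str:
    # Constructed sample: HS256 is signed with a dummy secret; RS256 gets a
    # placeholder signature because inspection never checks it.
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    if alg == "HS256":
        sig = hmac.new(b"dummy-client-secret", signing_input, hashlib.sha256).digest()
    else:
        sig = b"placeholder-signature"
    return f"{header}.{payload}.{_b64url_encode(sig)}"

if __name__ == "__main__":
    sample = {"iss": "https://example.auth0.com/", "sub": "user|123", "exp": 2000000000}
    for alg in ("RS256", "HS256"):
        print(alg, diagnose(make_sample_token(alg, sample), now=1700000000) or "acceptable alg and not expired")
```

Paste a real token captured from the Android app into diagnose() to see immediately whether the alg in its header is the one the WordPress side expects.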