Fix: Basic Authentication -> jwt_auth_bad_auth_header error

  • Hey,

    Just wanted to share my experience with using this plugin recently, and some challenges that arose in doing so.

    First off, I discovered that I was having issues prior to using this plugin with Basic Authentication failing due to using PHP-FPM / FastCGI (with PHP 7.2) (using https), and that I had to add the following to my Apache config (or .htaccess file):

    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

    Without this, the Authorization headers weren’t being passed to the PHP pages because having PHP-FPM enabled prevents this.

    Secondly, I discovered that when I had the JWT Authentication for WP REST API plugin enabled (along with PHP-FPM), I was getting this jwt_auth_bad_auth_header (Authorization header malformed.) error when simply using Basic Authentication.

    If I disabled PHP-FPM, this error was gone, but I would rather have this enabled, so I did a little debugging… I found that if I also passed the Bearer token with the Basic Authentication, then this error was gone.

    So, I opted to edit the /jwt-authentication-for-wp-rest-api/public/class-jwt-auth-public.php file to automatically set the Bearer token if Basic Authentication was being performed and the token was missing, simply by adding the following if statement after the list($token) = sscanf($auth, 'Bearer %s'); at line 250:

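    if (!$token && stripos($auth, 'Basic ') === 0) {
                // Get token using basic auth (only when the header really is a Basic header)
                // The limit of 2 keeps passwords that contain ':' intact
                list($username, $password) = explode( ':', base64_decode( substr( $auth, 6 ) ), 2 );
                $request = new WP_REST_Request( 'POST', '/wp-json/jwt-auth/v1/token' );
                $request->set_param( 'username', $username );
                $request->set_param( 'password', $password );
                $JWT = new Jwt_Auth_Public('jwt-auth', '1.1.0');
                $result = $JWT->generate_token( $request );
                // Accept only a result that carries a token; otherwise leave $token empty
                // so the original if (!$token) check that follows still rejects the request
                $token = (is_array($result) && isset($result['token'])) ? $result['token'] : null;
    }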

    Note that I did NOT replace the original if (!$token) statement at this line, but added this additional statement before it, which will set the token for you IF/WHEN Basic Authentication is being performed, so that you don’t have to pass a token as well when doing so.

    This fixed the jwt_auth_bad_auth_header error that I was getting when using Basic Auth without passing a token, which again does work when I have FastCGI / PHP-FPM (libapache2-mod-fcgid) disabled, so I don’t think this is a security risk, but let me know your thoughts if you feel otherwise? 🙂

    I’m just happy to have found a solution to re-enable Basic Authentication while also supporting JWT / Bearer Tokens as well.

    Hope this helps anyone else looking to achieve the same thing!

    Which may be a solution to: and

    • This topic was modified 4 months, 4 weeks ago by ouija.
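The error described in the post comes from reading every Authorization header as `Bearer %s`, so a Basic header yields no token. As an added example (not part of the original post or of the plugin's code), the following stand-alone PHP parser separates the two schemes before any credentials are used and rejects malformed input; the function name `parse_authorization_header` and the sample headers are assumptions made for illustration.

```php
<?php
// Added example: parse_authorization_header() is a hypothetical helper,
// not part of the plugin. The sample headers at the bottom are constructed.

/**
 * Split an Authorization header into its scheme and credentials.
 * Returns null for malformed or unsupported headers.
 */
function parse_authorization_header(string $auth): ?array
{
    // The scheme name is case-insensitive and followed by whitespace.
    if (!preg_match('/^\s*(Basic|Bearer)\s+(\S+)\s*$/i', $auth, $m)) {
        return null;
    }
    if (strtolower($m[1]) === 'bearer') {
        return ['scheme' => 'bearer', 'token' => $m[2]];
    }

    // Basic: strict decoding rejects characters outside the base64 alphabet.
    $decoded = base64_decode($m[2], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Limit of 2: only the first ':' separates user from password,
    // so a password that itself contains ':' is kept whole.
    list($username, $password) = explode(':', $decoded, 2);
    if ($username === '') {
        return null;
    }
    return ['scheme' => 'basic', 'username' => $username, 'password' => $password];
}

// Constructed sample headers covering both schemes and two rejected cases.
$samples = [
    'Basic ' . base64_encode('alice:s3cret:with:colons'),
    'Bearer aaa.bbb.ccc',
    'Basic not*base64',
    'Digest username="alice"',
];
foreach ($samples as $header) {
    $parsed = parse_authorization_header($header);
    echo $header, ' => ',
        $parsed === null ? 'malformed or unsupported' : json_encode($parsed), PHP_EOL;
}
```

A caller can branch on the returned `scheme` and treat a `null` result as a bad header, instead of passing a Basic header to the Bearer token check.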
Viewing 1 replies (of 1 total)
  • Thanks Ouija! That solved the same issue for me. I would love the opinion of the plugin author or others with better security chops than I to chime in on this.
