Support » Plugin: Login by Auth0 » How to access WP REST API?

  • Resolved Benbodhi

    (@benbodhi)


    Hi there,

    Curious how we’re supposed to connect to and pull data from our WordPress site using the WP REST API with Auth0 handling the authentication.

    We’ve asked support (in a paid account) and received some very vague and unhelpful information on how to achieve this. It isn’t clear in the documentation either.

    To put it simply, we installed and set up Auth0 to handle logins for WordPress, a web app and a desktop app, using the same users from the WP database. All is well with the logins, then when trying to connect to WP REST API to pull data from WordPress into the web app and desktop app, no luck.

    Any info would be greatly appreciated.

    Thanks
    Ben

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Contributor Josh C

    (@auth0josh)

    Hi @benbodhi! There is nothing in the plugin, currently, to handle authorization to the WP REST API. The core way to authenticate is using cookies, as explained here:

    https://developer.wordpress.org/rest-api/using-the-rest-api/authentication/

    So, if you’re logging in using this plugin, you will get the core WP cookie necessary to make authenticated calls directly from the site. All of that should work out of the box.

    What you’re talking about here, if I understand, is getting authorization on that API from an external app. Auth0 as a platform can definitely help there, here is the general documentation page on that:

    https://auth0.com/docs/authorization

    So, in this case, generally, you would need to:

    1. Add an API in Auth0 that modeled what you wanted to do with the WP API. 1:1 permission mapping is probably not necessary, just the permissions that your external applications will ask for.
    2. Add the API identifier as an audience parameter and the scope(s) needed to the authorize URL when logging in. Use the auth0_authorize_url_params (example) and auth0_auth_scope (example) filters, respectively, if you are requesting this access token from WP.
    3. Extend the WP REST API to authenticate incoming requests using the Auth0 JWT. I don’t have a great example to point to here but this plugin (last commit 2 years ago) is a good place to start. It looks like the determine_current_user method is hooked into the right place and calls validate_token, which does the token checking. You would need to pull in the PHP SDK to do that validation (this class).

    Hopefully this is enough to get you started. If you need additional guidance, let me know where you’re getting stuck. We don’t have any plans to support this in the plugin but it might be a good topic for a blog tutorial, assuming enough folks are interested.
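Step 3 of the reply above, sketched as an added example (not code from the Login by Auth0 plugin, the linked JWT plugin, or the original post). It swaps the Auth0 PHP SDK for the firebase/php-jwt library (v6) to do the token check; the issuer, audience and user meta key are placeholder assumptions, and the `ex_` function names are hypothetical.

```php
<?php
// Added example. Requires: composer require firebase/php-jwt (v6) and its autoloader.
use Firebase\JWT\JWT;
use Firebase\JWT\JWK;

// Placeholders (assumptions): your Auth0 tenant, the API identifier from step 1,
// and a hypothetical user meta key that stores each user's Auth0 "sub" value.
const EX_AUTH0_ISSUER   = 'https://YOUR_TENANT.auth0.com/';
const EX_AUTH0_AUDIENCE = 'https://example.test/wp-api';
const EX_AUTH0_SUB_META = 'example_auth0_sub';

// Fetch the tenant's signing keys and cache them for an hour.
function ex_auth0_jwks() {
    $jwks = get_transient( 'ex_auth0_jwks' );
    if ( false === $jwks ) {
        $res = wp_remote_get( EX_AUTH0_ISSUER . '.well-known/jwks.json', array( 'timeout' => 5 ) );
        if ( is_wp_error( $res ) ) {
            return null;
        }
        $jwks = json_decode( wp_remote_retrieve_body( $res ), true );
        if ( empty( $jwks['keys'] ) ) {
            return null;
        }
        set_transient( 'ex_auth0_jwks', $jwks, HOUR_IN_SECONDS );
    }
    return $jwks;
}

function ex_auth0_determine_current_user( $user_id ) {
    $header = isset( $_SERVER['HTTP_AUTHORIZATION'] ) ? $_SERVER['HTTP_AUTHORIZATION'] : '';
    if ( $user_id || ! preg_match( '/^Bearer\s+(\S+)$/i', $header, $m ) ) {
        return $user_id; // cookie auth already resolved a user, or no bearer token was sent
    }
    $jwks = ex_auth0_jwks();
    try {
        // Checks signature, exp and nbf. Each key carries its own algorithm
        // (RS256 if the JWKS entry omits it), so the token header cannot pick one.
        $claims = JWT::decode( $m[1], JWK::parseKeySet( (array) $jwks, 'RS256' ) );
    } catch ( \Exception $e ) {
        return $user_id; // invalid, expired or unverifiable token: stay unauthenticated
    }
    // decode() does not check issuer or audience, so do it explicitly.
    $aud = (array) ( $claims->aud ?? array() );
    $sub = (string) ( $claims->sub ?? '' );
    if ( '' === $sub || ( $claims->iss ?? '' ) !== EX_AUTH0_ISSUER || ! in_array( EX_AUTH0_AUDIENCE, $aud, true ) ) {
        return $user_id;
    }
    // Map the token subject to exactly one WordPress user; ambiguity means no login.
    $ids = get_users( array( 'meta_key' => EX_AUTH0_SUB_META, 'meta_value' => $sub, 'number' => 2, 'fields' => 'ID' ) );
    return 1 === count( $ids ) ? (int) $ids[0] : $user_id;
}
add_filter( 'determine_current_user', 'ex_auth0_determine_current_user', 20 );
```

This only authenticates the request as a WordPress user; the scopes granted in the token are not mapped to WordPress capabilities here and would need their own check per route.
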

    Thread Starter Benbodhi

    (@benbodhi)

    Thanks for this detailed response Josh!
    By far the best answer we’ve got on all fronts.

    It’s looking like a lot of work that might not be necessary for our situation. We’re likely to just remove Auth0 and make our external apps log in using the WordPress authentication, and then sync users across WordPress databases for single sign-on of multiple WordPress sites.

    I really appreciate this answer though, and it will surely be helpful to be here for anyone else facing this issue.

    Thank you!

    Plugin Contributor Josh C

    (@auth0josh)

    Happy to help! I was curious how it would come together myself and glad I looked!
