Unless you’re using the GitHub Updater plugin and installed Authorizer through that, you should be on version 2.10.0, released in September 2020. (Version 3.0.4 isn’t publicly released yet, pending feedback from some folks testing out its new OAuth2 integration.)
Regardless, we’ll take a look at REST API access. I remember reading that WordPress core added some additional authentication methods for REST, so that may be the culprit.
REST API Changes in WordPress 5.6
Application Passwords: Integration Guide
Yes, 2.10.0 on WordPress 5.6.
Aloha, I verified that Authorizer blocks authenticated requests (e.g., using the new app passwords feature) if set to “only logged in users can see the site.”
We’ll work on fixing this and get a release out shortly. Do note that your external site will need to authenticate to get access to the REST API, but you should be able to easily use app passwords for that:
Application Passwords: Integration Guide
(I’m adding some historical context below for reference, you can safely ignore it!)
In version 2.4.0 (Feb 2016), we locked down REST API calls if Authorizer was set to “only logged in users can see the site.” See:
https://github.com/uhm-coe/authorizer/issues/4
In version 2.6.0 (Sep 2016), we tweaked Authorizer to only prevent unauthenticated GET calls if it was set to “only logged in users can see the site” (non-GET requests, such as POST
, DELETE
, etc., are already protected by WordPress’s own authentication). See:
https://github.com/uhm-coe/authorizer/issues/11
Aloha, we have refactored the way Authorizer handles REST API requests, so it should honor existing authentication routines now (when Authorizer is set to “only logged in users can see the site”).
https://github.com/uhm-coe/authorizer/commit/798c48dfd1d03a232ae4fa8a8d3e7053b62f3c5f
Version 3.0.5 is out now with the fix. Let us know if you run into problems!