Make WordPress Core

Opened 23 months ago

Last modified 9 months ago

#42790 new feature request

Permit basic authentication to the REST API over SSL

Reported by: kadamwhite Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: REST API Keywords:
Focuses: Cc:
PR Number:


The only REST API authentication scheme currently supported in core is cookie/nonce authentication. This is sufficient for front-end usage within wp-admin, themes, and plugins, but prohibits full consumption of the REST API from external applications, particularly the WordPress mobile apps.

After discussion with the WordPress mobile app team, we propose adding core support for REST API authentication via basic auth for SSL-enabled environments.

These mobile apps currently use basic authentication to connect via the XML-RPC API. The XML-RPC API is disabled in some hosting environments, but discussion with the hosting team suggests this is usually to avoid amplification attacks via pingbacks rather than anything related to basic authentication itself. Using this scheme only over secured connections mitigates the primary security criticism of basic authentication. As an example, the Github API (among many others) supports basic authentication: https://developer.github.com/v3/auth/ without any clear drawbacks. These APIs also preference basic auth because it is substantially simpler to use than OAuth schemes, even with a central broker.

From the perspective of a mobile app developer, preventing REST API access via that same authentication scheme on the grounds that we are simultaneously pursuing alternatives unfairly disenfranchises the mobile app team and blocks significant potential code improvements.

Attachments (2)

42790.diff (1.0 KB) - added by georgestephanis 23 months ago.
42790.1.diff (1.5 KB) - added by georgestephanis 11 months ago.

Download all attachments as: .zip

Change History (12)

#2 @kadamwhite
23 months ago

Fast to the punch @georgestephanis ! As you note another implementation would be the json_basic_auth_handler method from https://github.com/WP-API/Basic-Auth -- the technical approach is similar, just with additional filters and error handling. (While that plugin has never made it into the plugin directory it has been used in production in a number of sites over the past few years, in some cases by having that method in-lined into the application code.)

I'm interested in the loop-back to determine whether auth headers are forwarded; how prevalent is that issue across hosts?

Further discussion with @nacin and others at the WCUS contributor day has pointed out that Github's solution permits the use of authentication tokens, which would be preferable to the direct use of user passwords as they can be individually registered and revoked. We'd want to do some design work to find a token generation & registration flow that works for mobile app users if we go that route.

#3 @georgestephanis
23 months ago

It's prevalent enough, my personal site on DreamHost needs the workaround.

#4 @georgestephanis
23 months ago

And re: token generation flow, this isn't merged yet to application passwords, but should handle what you intend, I expect:


Vizrec on the pull.

#5 @dd32
23 months ago

  • Type changed from defect (bug) to feature request

This ticket was mentioned in Slack in #core-restapi by kadamwhite. View the logs.

23 months ago

#7 @rmccue
23 months ago

We discussed this a bunch in today's Slack meeting.

#8 @georgestephanis
11 months ago

New patch gets around the fastcgi mode by accepting the Basic authorization via a WP-Authorization header instead of the Authorization header that is occasionally not passed along.

#9 @pento
9 months ago

  • Version trunk deleted

This ticket was mentioned in Slack in #core-restapi by kadamwhite. View the logs.

9 months ago

Note: See TracTickets for help on using tickets.