
Comments (18)

tlovett1 avatar tlovett1 commented on May 14, 2024

Thanks @tomjn. We'll look into this internally.

from distributor.

adamsilverstein avatar adamsilverstein commented on May 14, 2024

@tomjn Follow up question re: OAuth - will .com OAuth2 authentication also work on VIP GO sites? And does it also work on .org sites with Jetpack enabled?

Thanks!


tomjn avatar tomjn commented on May 14, 2024

Follow up question re: OAuth - will .com OAuth2 authentication also work on VIP GO sites?

I wouldn't expect it to unless special measures are taken, since VIP Go sites don't share the same DB/User tables.

For Go I would approach it from a general WP standpoint rather than a .com VIP standpoint (of course making sure it still passes review), so the official WP API OAuth2 plugin would be the best starting point, https://github.com/WP-API/OAuth2, or if you'd prefer your own authentication scheme, as long as it's secure. Basic HTTP user/pass auth won't suffice though.


tomjn avatar tomjn commented on May 14, 2024

As for Jetpack sites, .com OAuth should allow you to authenticate with .com servers, which should let you use the .com endpoints for a Jetpack site when speaking to .com servers, similar to how Calypso can talk to .com REST APIs to manage a Jetpack site without talking directly to that site. But I wouldn't expect you to be able to use that authentication when speaking to the Jetpack site's own REST endpoints.


adamsilverstein avatar adamsilverstein commented on May 14, 2024

Perfect, thanks for clarifying @tomjn


tlovett1 avatar tlovett1 commented on May 14, 2024

@tomjn for VIP GO do we need to use OAuth or can we just use basic auth + application passwords - https://wordpress.org/plugins/application-passwords/


tomjn avatar tomjn commented on May 14, 2024

Possibly, I'd need to check with my colleagues, but OAuth would be preferable. Anybody snooping can reverse engineer the user/pass used with basic auth, making it somewhat pointless.


jasonbahl avatar jasonbahl commented on May 14, 2024

We’re using JWT Auth on VIP Go as well. Might be worth checking out. There’s a REST JWT auth plugin and we have a GraphQL JWT Auth plugin as well.


tomjn avatar tomjn commented on May 14, 2024

That should be fine, though keep in mind there are issues with the JWT standard.


tlovett1 avatar tlovett1 commented on May 14, 2024

@jasonbahl thanks for the info!

I'm not quite sure JWT addresses the problem here. JWT doesn't solve how to authenticate but rather how to verify a payload came from a trusted source (after authentication).

Application Passwords is great in that it allows you to assign special passwords to accounts that are traceable and revokable. @tomjn are you saying application passwords should be fine?

Thanks!

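The distinction tlovett1 draws above (a JWT proves a payload came from a trusted issuer, it does not authenticate the user) and tomjn's earlier caution about JWT standard pitfalls, shown in working code. This is an added stdlib-only example, not code from Distributor or from either JWT Auth plugin mentioned; the signing key, claims and timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT. This step only happens AFTER the user has already
    authenticated by some other means; the token just carries that decision."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if the payload provably came from a holder of
    `key` and has not expired; otherwise None. Note what this never does:
    it checks no username or password, only trust in the issuer's signature."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    # Pin the algorithm server-side. Honouring whatever "alg" the header claims
    # (e.g. "none") is one of the well-known JWT standard pitfalls.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)):
        return None
    return claims if claims["exp"] > current else None
```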

tomjn avatar tomjn commented on May 14, 2024

@tomjn are you saying application passwords should be fine?

No, I still haven't ascertained if this is or is not good, it remains an open question. To be honest it does not sit well with me. Since OAuth is an unavoidable requirement of .com VIP, I'm very keen to strongly push towards using OAuth on VIP Go as it will save time.

If the connection is intercepted, user/pass can be reverse engineered trivially via basic auth. I don't see how using an application password improves this outside of the post-hack cleanup step when it's revoked; either way compromising is just as easy.


tlovett1 avatar tlovett1 commented on May 14, 2024

I'm not sure OAuth on VIP Go will save time as the .org implementation is completely different.

Tom, how is that different than if an OAuth connection were intercepted? OAuth is passing an access token via an Authorization header.


tomjn avatar tomjn commented on May 14, 2024

Hmm, I don't follow, both use the same standard, all that's required is a .org implementation of the OAuth server? The current responses I'm getting are that basic auth is allowed in non-production environments on VIP Go, but for production we strongly recommend OAuth2.


tlovett1 avatar tlovett1 commented on May 14, 2024

Thanks, @tomjn! We'll do some research on .org OAuth2 in Distributor. CC @adamsilverstein


adamsilverstein avatar adamsilverstein commented on May 14, 2024

Since OAuth is an unavoidable requirement of .com VIP, I'm very keen to strongly push towards using OAuth on VIP Go as it will save time.

@tomjn Do you have any more information about using OAuth2 for VIP Go sites? I don't think .org/core has a canonical/non-beta OAuth2 implementation.


tomjn avatar tomjn commented on May 14, 2024

At the moment no, we don't have a recommended OAuth 2 implementation. I'm evaluating options. OAuth1 is also an option if you would prefer to use the WP API OAuth1 plugin, which I reviewed myself and is in operation on a VIP Go site already.


adamsilverstein avatar adamsilverstein commented on May 14, 2024

Ok, perfect - thanks for clarifying. I'm familiar with the OAuth1 plugin and that makes the most sense at this point for non-basic auth on .org sites as well.


adamsilverstein avatar adamsilverstein commented on May 14, 2024

Fixed in #58
