Comments (18)
Thanks @tomjn. We'll look into this internally.
@tomjn Follow-up question re: OAuth - will .com OAuth2 authentication also work on VIP GO sites? And does it also work on .org sites with Jetpack enabled?
Thanks!
Follow-up question re: OAuth - will .com OAuth2 authentication also work on VIP GO sites?
I wouldn't expect it to unless special measures are taken, since VIP Go sites don't share the same DB/User tables.
For Go I would approach it from a general WP standpoint rather than a .com VIP standpoint (of course making sure it still passes review), so the official WP API OAuth2 plugin would be the best starting point: https://github.com/WP-API/OAuth2 , or your own authentication scheme if you'd prefer, as long as it's secure. Basic HTTP user/pass auth won't suffice though.
As for Jetpack sites, .com OAuth should allow you to authenticate with .com servers, which should let you use the .com endpoints for a Jetpack site when speaking to .com servers, similar to how Calypso can talk to .com REST APIs to manage a Jetpack site without talking directly to that site. But I wouldn't expect you to be able to use that authentication when speaking to the Jetpack site's own REST endpoints.
Perfect, thanks for clarifying @tomjn
@tomjn for VIP GO, do we need to use OAuth or can we just use basic auth + application passwords? https://wordpress.org/plugins/application-passwords/
Possibly, I'd need to check with my colleagues, but OAuth would be preferable. Anybody snooping can reverse engineer the user/pass used with basic auth, making it somewhat pointless.
We’re using JWT Auth on VIP Go as well. Might be worth checking out. There’s a REST JWT auth plugin and we have a GraphQL JWT Auth plugin as well.
That should be fine, though keep in mind there are issues with the JWT standard.
@jasonbahl thanks for the info!
I'm not quite sure JWT addresses the problem here. JWT doesn't solve how to authenticate but rather how to verify a payload came from a trusted source (after authentication).
Application Passwords is great in that it allows you to assign special passwords to accounts that are traceable and revocable. @tomjn are you saying application passwords should be fine?
Thanks!
@tomjn are you saying application passwords should be fine?
No, I still haven't ascertained if this is or is not good; it remains an open question. To be honest it does not sit well with me. Since OAuth is an unavoidable requirement of .com VIP, I'm very keen to strongly push towards using OAuth on VIP Go as it will save time.
If the connection is intercepted, user/pass can be reverse engineered trivially via basic auth. I don't see how using an application password improves this outside of the post-hack cleanup step when it's revoked; either way, compromising is just as easy.
I'm not sure OAuth on VIP Go will save time as the .org implementation is completely different.
Tom, how is that different than if an OAuth connection were intercepted? OAuth is passing an access token via an Authorization header.
Hmm, I don't follow. Both use the same standard; all that's required is a .org implementation of the OAuth server? The current responses I'm getting are that basic auth is allowed in non-production environments on VIP Go, but for production we strongly recommend OAuth2.
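To make the basic-auth-versus-token exchange above concrete, here is an added example (not code from the thread participants, the Distributor plugin, or WordPress) that shows what an on-path observer gets from each Authorization header style. A captured Basic header decodes straight to the account password, reusable until someone changes it. A captured Bearer token here is an HS256 JWT that the receiving side verifies against a pinned algorithm, a shared secret and an expiry claim, so a replayed token stops working once it expires or the secret is rotated. The secret, the sample header values, the fixed clock and the helper names are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret between token issuer and verifier (not a real key).
JWT_SECRET = b"example-hmac-secret-do-not-reuse"
# Fixed "current time" so the example is deterministic.
NOW = 1_700_000_000


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url as used in JWT segments."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Issue a compact HS256 JWT (helper so the example runs offline)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def forge_alg_none(token: str) -> str:
    """Rewrite a token's header to alg 'none' with an empty signature: the shape
    of a forgery attempt against verifiers that trust the token's own alg field."""
    _, payload, _ = token.split(".")
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{payload}."


def inspect_basic(value: str) -> dict:
    """What a passive observer learns from a Basic header: the password itself."""
    user, _, password = base64.b64decode(value).decode().partition(":")
    return {"scheme": "Basic", "user": user, "password": password}


def verify_bearer_jwt(token: str, secret: bytes, now: float) -> dict:
    """Verify an HS256 JWT. The accepted algorithm is pinned by the verifier,
    not read from the token, so a tampered header cannot downgrade the check."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return {"scheme": "Bearer", "valid": False, "reason": "malformed"}
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        return {"scheme": "Bearer", "valid": False, "reason": "unexpected alg"}
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return {"scheme": "Bearer", "valid": False, "reason": "bad signature"}
    claims = json.loads(b64url_decode(p))
    if claims.get("exp", 0) <= now:
        return {"scheme": "Bearer", "valid": False, "reason": "expired"}
    return {"scheme": "Bearer", "valid": True, "claims": claims}


def inspect_authorization(header: str, secret: bytes, now: float) -> dict:
    """Dispatch on the Authorization scheme the way a REST endpoint would."""
    scheme, _, value = header.strip().partition(" ")
    if scheme.lower() == "basic":
        return inspect_basic(value)
    if scheme.lower() == "bearer":
        return verify_bearer_jwt(value, secret, now)
    return {"scheme": scheme, "valid": False, "reason": "unsupported scheme"}


# Constructed sample headers as an interceptor might capture them.
SAMPLE_BASIC_HEADER = "Basic " + base64.b64encode(b"editor:hunter2").decode()
SAMPLE_TOKEN = make_hs256_jwt({"sub": "editor", "exp": NOW + 3600}, JWT_SECRET)
SAMPLE_BEARER_HEADER = "Bearer " + SAMPLE_TOKEN

if __name__ == "__main__":
    print(inspect_authorization(SAMPLE_BASIC_HEADER, JWT_SECRET, NOW))
    print(inspect_authorization(SAMPLE_BEARER_HEADER, JWT_SECRET, NOW))
    print(inspect_authorization(SAMPLE_BEARER_HEADER, JWT_SECRET, NOW + 7200))
    print(verify_bearer_jwt(forge_alg_none(SAMPLE_TOKEN), JWT_SECRET, NOW))
```

Run as-is to see the four outcomes: the Basic header yields `hunter2` directly, the bearer token verifies at `NOW`, is rejected as expired two hours later, and is rejected with "unexpected alg" after the header is rewritten to `none`. Note that this does not resolve the disagreement above on its own; over plain HTTP both header styles are readable to an interceptor, and the difference lies in what the captured value is good for and for how long.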
Thanks, @tomjn! We'll do some research on .org OAuth2 in Distributor. CC @adamsilverstein
Since OAuth is an unavoidable requirement of .com VIP, I'm very keen to strongly push towards using OAuth on VIP Go as it will save time.
@tomjn Do you have any more information about using OAuth2 for VIP Go sites? I don't think .org/core has a canonical/non-beta OAuth2 implementation.
At the moment no, we don't have a recommended OAuth 2 implementation. I'm evaluating options. OAuth1 is also an option if you would prefer to use the WP API OAuth1 plugin, which I reviewed myself and is in operation on a VIP Go site already.
Ok, perfect - thanks for clarifying. I'm familiar with the OAuth1 plugin and that makes the most sense at this point for non-basic auth on .org sites as well.
Fixed in #58