Since the beginning of the REST API project, authentication has been one of its biggest challenges. Although cookie-based authentication solves the problem for JavaScript code running on the site itself, external sites have a much harder time, which leaves authentication in the REST API project inadequate.
Joe Hoyle, co-founder of Human Made, on Sunday announced the Authentication Broker System, a solution that aims to solve the decentralized registration problem. The broker can be found at https://apps.wp-api.org/, where you can sign up as a developer and create your app directly. The specifications for the system can be found at https://apps.wp-api.org/spec/.
The two biggest roadblocks to authentication are protocol and application discovery.
“The protocol we have broadly settled on is OAuth 1, as the simpler OAuth 2 requires HTTPS,” Hoyle said. “OAuth 1 builds in a cryptographic signing process to avoid replay attacks, while OAuth 2 relies on the security provided by SSL/TLS instead.”
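To make the signing process Hoyle describes concrete, here is an added example (not code from the broker, the OAuth plugin or the spec at apps.wp-api.org) of OAuth 1.0a HMAC-SHA1 request signing, paired with a verifier that rejects stale timestamps and reused nonces, which is what stops a captured request from being replayed without TLS. The consumer key, secret and registry are constructed for the example; the registry lookup stands in for a site resolving an application's key/secret (as it would via a broker), and the broker exchange itself is not shown.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(s):
    # RFC 5849 percent-encoding: only unreserved characters are left as-is
    return quote(str(s), safe="-._~")

def signature_base_string(method, url, params):
    # method & encoded URL & encoded, sorted "k=v" parameter string
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 over the base string, keyed by the shared secret(s); base64 output
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def build_oauth_params(consumer_key, consumer_secret, method, url, extra=None, nonce=None, ts=None):
    # Client side: a fresh nonce and timestamp make every signed request unique
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(ts if ts is not None else int(time.time())),
        **(extra or {}),
    }
    params["oauth_signature"] = sign(method, url, params, consumer_secret)
    return params

class Verifier:
    # Server side: registry (constructed) stands in for the site's key/secret lookup; seen nonces + a time window defeat replays
    def __init__(self, registry, window=300, now=None):
        self.registry, self.window, self.seen = registry, window, set()
        self.now = now or (lambda: int(time.time()))

    def verify(self, method, url, params):
        secret = self.registry.get(params.get("oauth_consumer_key"))
        if secret is None:
            return False, "unknown consumer key"
        ts = int(params.get("oauth_timestamp", 0))
        if abs(self.now() - ts) > self.window:
            return False, "timestamp outside window"
        replay_id = (params["oauth_consumer_key"], params.get("oauth_nonce"), ts)
        if replay_id in self.seen:
            return False, "nonce reused (replay)"
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        if not hmac.compare_digest(sign(method, url, unsigned, secret), params.get("oauth_signature", "")):
            return False, "bad signature"
        self.seen.add(replay_id)
        return True, "ok"
```

Note that the verifier re-derives the signature from the received parameters, so any change to the request body, method or URL after signing shows up as a signature mismatch.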
Extensive client libraries are available for OAuth 1, so developers don’t need to worry about that side of the problem. The second problem is application discovery, which is similar in concept to registering an application with Twitter or Facebook.
“OAuth requires pre-registration of the application on the site, which then issues you a key and secret,” Hoyle said. “The basic principle here is that you register your application with Facebook, which means the two parties (your app and Facebook) both have the “shared” secret. This is then used for the cryptographic signing.”
This isn’t a problem for developers creating something specifically for their own site, but anyone wanting to connect to any WordPress site is going to have a more difficult time.
The Authentication Broker System addresses this issue head on.
“The broker is a separate registry of applications that WordPress installs can use as the authority on what applications can connect to it,” Hoyle said. “This means a developer can create their application with the broker (similar to how they would on Facebook) and then they can use their key and secret to connect to all WordPress installs that delegate to the broker.”
The broker can also remove bad applications from the registry, which revokes them from every site that delegates to it.
“The WordPress ecosystem is very decentralized, allowing site owners to control who and what has access to their data,” Hoyle said. “The broker adopts this philosophy by allowing anyone to run a broker service which WordPresses can delegate to. Brokers need only to be mutually recognised by the application and site to be used; our initial primary broker is simply a default broker built into the connection plugin.”
Of course, the broker isn’t accessing data directly but instead using the normal OAuth process to solve the decentralized registration problem.
The broker is currently available at https://apps.wp-api.org/. Try it out and give feedback on GitHub.
“The goal is to merge the broker plugin into the OAuth plugin, and eventually into core,” Hoyle said. “This is the path we see to being able to authenticate with any WordPress site on the web!”