• Our organization currently has a robust webapp that leverages the WP REST API v2. Most of our site front-end already communicates with the WordPress core and our custom functions using this interface, and authentication of such requests is easy using the built-in cookie authentication. Now we want to build a mobile app that replicates some of the webapp functions and adds a few more features, and it seems the most logical development route is to use the REST interface we already have running.

    My question is this: what’s the best way to authenticate the RESTful requests? Even though our site is on HTTPS, it seems like bad practice to send the username and password with every request. I thought about creating my own authentication method by sending the user’s username/password to the server, the server returns a key, and that key is used in each REST request, but that seems as bad as sending the username and password – because it would still give anyone who intercepted the key full access to a user’s account over REST.

    So what’s the safest way to handle authentication of REST API requests from an untrusted third-party?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Hi, plaidpowered. Have you learned anything more? We’re also facing this issue. I’ve done a fair amount of research and found 2 plugins, WP REST API – OAuth 1.0a Server and JSON API User which provide authentication. Not sure if there are any vulnerabilities or problems not noted since there’s not a huge amount of documentation. Any update on what you learned would be appreciated.

    Thread Starter plaidpowered (@plaidpowered)

    No, I never did find any best practices or guides. OAuth was too complicated for our implementation, so we ended up with a custom implementation that works on top of the “Application passwords” plugin.

    Essentially, a login request is sent to the WP REST server with a username/password in plaintext; the RESTful endpoint then returns an application password that is stored on the device. The application password is then used to authenticate all other API calls. All requests are encrypted over HTTPS, so in theory this should be secure. But HTTPS is not infallible, and I’d love to entertain other ideas or improvements.
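    The login-for-application-password exchange described in the reply above, written out as an added example against the WordPress core Application Passwords API (the plugin was merged into core in WordPress 5.6, where `WP_Application_Passwords::create_new_application_password()` takes an `$args` array); this is not plaidpowered's code, and the `mobile/v1/login` route, the `device` parameter and the `mobile_app_issue_app_password` function name are assumptions.

```php
<?php
// Added example: a custom REST endpoint that exchanges the user's real
// credentials once for a per-device application password. Afterwards the
// device sends only that password, which can be revoked on its own from the
// user's profile without changing the account password.
add_action( 'rest_api_init', function () {
    register_rest_route( 'mobile/v1', '/login', array(
        'methods'             => 'POST',
        'callback'            => 'mobile_app_issue_app_password',
        'permission_callback' => '__return_true', // login itself is unauthenticated
        'args'                => array(
            'username' => array( 'required' => true, 'sanitize_callback' => 'sanitize_user' ),
            'password' => array( 'required' => true ),
            // Hypothetical parameter: a human-readable device label so each
            // issued password can be identified and revoked individually.
            'device'   => array( 'required' => true, 'sanitize_callback' => 'sanitize_text_field' ),
        ),
    ) );
} );

function mobile_app_issue_app_password( WP_REST_Request $request ) {
    // Refuse to accept a plaintext password over an unencrypted connection.
    if ( ! is_ssl() ) {
        return new WP_Error( 'rest_https_required', 'HTTPS is required.', array( 'status' => 403 ) );
    }
    // wp_authenticate() returns a WP_User on success or a WP_Error on failure.
    $user = wp_authenticate( $request['username'], $request['password'] );
    if ( is_wp_error( $user ) ) {
        return new WP_Error( 'rest_invalid_login', 'Invalid credentials.', array( 'status' => 401 ) );
    }
    $result = WP_Application_Passwords::create_new_application_password(
        $user->ID,
        array( 'name' => 'Mobile app: ' . $request['device'] )
    );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    // $plaintext is shown exactly once; WordPress stores only a hash of it.
    list( $plaintext, $item ) = $result;
    return rest_ensure_response( array(
        'user_login'   => $user->user_login,
        'app_password' => $plaintext,
        'uuid'         => $item['uuid'], // lets the app reference this password for later revocation
    ) );
}
// Subsequent API calls from the device then carry HTTP Basic auth, e.g.
// Authorization: Basic base64("<user_login>:<app_password>"), and WordPress
// core maps that to the user via its application-password authentication.
```

    The same per-device revocation that makes this safer than a shared token also means an exposed application password still grants the user's full REST access until it is revoked, which is the residual risk the reply above points at.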

  • The topic ‘Best way to authenticate WP REST API requests from a mobile app’ is closed to new replies.