[wp-trac] [WordPress Trac] #42790: Permit basic authentication to the REST API over SSL
WordPress Trac
noreply at wordpress.org
Sun Dec 3 21:53:39 UTC 2017
#42790: Permit basic authentication to the REST API over SSL
--------------------------+-----------------------------
Reporter: kadamwhite | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version: trunk
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
The only REST API authentication scheme currently supported in core is
cookie/nonce authentication. This is sufficient for front-end usage within
wp-admin, themes, and plugins, but prohibits full consumption of the REST
API from external applications, particularly the WordPress mobile apps.
After discussion with the WordPress mobile app team, we propose adding
core support for REST API authentication via basic auth for SSL-enabled
environments.
These mobile apps currently use basic authentication to connect via the
XML-RPC API. The XML-RPC API is disabled in some hosting environments, but
discussion with the hosting team suggests this is usually to avoid
amplification attacks via pingbacks rather than anything related to basic
authentication itself. Using this scheme only over secured connections
mitigates the primary security criticism of basic authentication. As an
example, the GitHub API (among many others) supports basic authentication:
https://developer.github.com/v3/auth/ without any clear drawbacks. These
APIs also preference basic auth because it is substantially simpler to use
than OAuth schemes, even with a central broker.
From the perspective of a mobile app developer, preventing REST API access
via that same authentication scheme on the grounds that we are
simultaneously pursuing alternatives unfairly disenfranchises the mobile
app team and blocks significant potential code improvements.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/42790>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
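An added illustration of the scheme the ticket proposes, not WordPress core code and not the reporter's: Basic credentials are honoured for REST requests only when the connection is TLS-protected, and a failed or plaintext attempt is reported as a REST error rather than silently treated as anonymous. The hooks (determine_current_user, rest_authentication_errors), is_ssl() and wp_authenticate() are real WordPress APIs; the global variable and function names are this example's own.

```php
<?php
// Added illustration for ticket #42790, not WordPress core code: accept HTTP
// Basic credentials for REST requests, but only on a TLS-protected connection.
// Hook names are real plugin-API hooks; the global name is this example's own.

function basic_auth_ssl_handler( $user_id ) {
    global $basic_auth_ssl_error;
    $basic_auth_ssl_error = null;

    // Another scheme (e.g. cookie/nonce) already identified a user: keep it.
    if ( ! empty( $user_id ) ) {
        return $user_id;
    }
    // Only honour Basic credentials over HTTPS, as the ticket proposes.
    // (PHP_AUTH_* is populated by mod_php; FastCGI setups may need the
    // Authorization header re-exported, which is deployment-specific.)
    if ( ! is_ssl() || ! isset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) ) {
        return $user_id;
    }
    // wp_authenticate() can re-enter determine_current_user via login filters
    // (e.g. the multisite spam check), so unhook ourselves around the call.
    remove_filter( 'determine_current_user', 'basic_auth_ssl_handler', 20 );
    $user = wp_authenticate( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] );
    add_filter( 'determine_current_user', 'basic_auth_ssl_handler', 20 );

    if ( is_wp_error( $user ) ) {
        $basic_auth_ssl_error = $user; // reported below instead of silently becoming anonymous
        return null;
    }
    return $user->ID;
}
add_filter( 'determine_current_user', 'basic_auth_ssl_handler', 20 );

function basic_auth_ssl_rest_errors( $result ) {
    if ( ! empty( $result ) ) {
        return $result; // an earlier check already produced an error
    }
    global $basic_auth_ssl_error;
    if ( ! empty( $basic_auth_ssl_error ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid Basic credentials.', array( 'status' => 401 ) );
    }
    // Credentials offered over plain HTTP are refused rather than ignored, so a
    // misconfigured client learns why it is not authenticated.
    if ( ! is_ssl() && isset( $_SERVER['PHP_AUTH_USER'] ) ) {
        return new WP_Error( 'rest_ssl_required', 'Basic authentication requires HTTPS.', array( 'status' => 403 ) );
    }
    return $result;
}
add_filter( 'rest_authentication_errors', 'basic_auth_ssl_rest_errors' );
```

Because determine_current_user runs for every request, not only REST ones, the handler applies to any HTTPS request carrying Basic credentials; the password check itself goes through wp_authenticate(), so lockout or two-factor plugins hooked there still apply.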