[wp-trac] [WordPress Trac] #52066: Application Passwords are unusable in combination with password protected /wp-admin
WordPress Trac
noreply at wordpress.org
Mon Dec 14 10:54:25 UTC 2020
#52066: Application Passwords are unusable in combination with password protected
/wp-admin
-----------------------------------+-----------------------------
 Reporter:  SeBsZ                  |      Owner:  (none)
     Type:  defect (bug)           |     Status:  new
 Priority:  normal                 |  Milestone:  Awaiting Review
Component:  Application Passwords  |    Version:  5.6
 Severity:  major                  |   Keywords:
  Focuses:                         |
-----------------------------------+-----------------------------
We've been using the Application Passwords for years to allow our REST-API
to make use of authentication using basic auth. This worked perfectly
fine.

Now, in WordPress 5.6.0 Application Passwords seems to have been merged
into the main code, and suddenly we can't create new passwords because
basic Auth has been detected in use on the site. The discussion and
changeset that caused this are here: #51939

I totally understand that site-wide basic auth using .htaccess clashes
with Application Passwords - but we only use .htaccess basic auth
protection on the /wp-admin folder. There's absolutely no reason we
should be blocked from creating new Application Passwords.

I don't know how you could solve this - either allow us to dismiss the
warning and use AP anyway - or you might need another method to only
detect conflicting basic auth on the REST API side - which may be
impossible to do.

I've set the severity to major because we have upgraded to 5.6 and can now
no longer create new authentication tokens for our REST API users.

Many thanks for your help.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/52066>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform