[wp-trac] [WordPress Trac] #51939: Basic Auth staging protections conflicts with App Passwords

WordPress Trac noreply at wordpress.org
Sun May 29 02:04:26 UTC 2022

#51939: Basic Auth staging protections conflicts with App Passwords
 Reporter:  TimothyBlynJacobs                     |       Owner:  TimothyBlynJacobs
     Type:  defect (bug)                          |      Status:  closed
 Priority:  highest omg bbq                       |   Milestone:  5.6
Component:  Application Passwords                 |     Version:  5.6
 Severity:  blocker                               |  Resolution:  fixed
 Keywords:  has-patch has-unit-tests dev-reviewed |     Focuses:  rest-api

Comment (by mrahmadawais):

 Hi folks,

 I have yet another use case that has become problematic because of this.

 While trying to use OAuth 2 — https://www.npmjs.com/package/openid-client
 — which requires `clientId` and `clientSecret` to be sent in an
 `Authorization: Basic urlSafeBase64('clientId:clientSecret')` header — I
 keep hitting a 401: Not Authorized error from WordPress since WP thinks I'm
 trying to use App Passwords.

 Now, I do want to use App Passwords for another use case and don't want to
 disable them, but I'm stuck on how to handle `Authorization: Basic XYZ`
 Header-based requests as this global feature doesn't even let me run my

 Any thoughts?

 On another note, WP also doesn't use a URL-safe decoder for base64'd
 user:pass params — which is how openid-client specs and sends data. This
 means, even if I use user:pass in place of clientId:clientSecret — it
 doesn't work due to clientId:clientSecret using URL-safe base64'd strings.

Ticket URL: <https://core.trac.wordpress.org/ticket/51939#comment:25>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
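
The alphabet mismatch described in the comment above, as an added example that is not part of the original ticket and is not WordPress or openid-client code. It shows one credential pair encoded with the standard and the URL-safe base64 alphabets, and how a Basic parser can tell them apart. The function names, the lenient-decoder model and the sample credentials are assumptions constructed for illustration.

```javascript
// Added illustration; the credentials below are constructed sample values.
const STD = /^[A-Za-z0-9+/]+={0,2}$/;     // RFC 4648 section 4 alphabet
const URLSAFE = /^[A-Za-z0-9_-]+={0,2}$/; // RFC 4648 section 5 alphabet

// Build the header value; alphabet is 'base64' or 'base64url' (Node Buffer encodings).
function encodeBasic(id, secret, alphabet = 'base64') {
  return 'Basic ' + Buffer.from(`${id}:${secret}`, 'utf8').toString(alphabet);
}

// Hypothetical server-side parser: reports which alphabet the token uses and
// refuses URL-safe tokens unless the caller opts in.
function parseBasic(header, { allowUrlSafe = false } = {}) {
  const m = /^Basic +(\S+)$/i.exec(header || '');
  if (!m) return { ok: false, reason: 'not-basic' };
  const token = m[1];
  const alphabet = STD.test(token) ? 'base64' : URLSAFE.test(token) ? 'base64url' : null;
  if (!alphabet) return { ok: false, reason: 'invalid-characters' };
  if (alphabet === 'base64url' && !allowUrlSafe) {
    return { ok: false, reason: 'url-safe-alphabet' };
  }
  const decoded = Buffer.from(token, alphabet).toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 0) return { ok: false, reason: 'no-colon' };
  return { ok: true, alphabet, user: decoded.slice(0, sep), pass: decoded.slice(sep + 1) };
}

// Model of a lenient standard-alphabet decoder that skips characters it does
// not recognise: a URL-safe token decodes without error, but to other bytes.
function lenientStdDecode(token) {
  return Buffer.from(token.replace(/[^A-Za-z0-9+/=]/g, ''), 'base64').toString('latin1');
}

const std = encodeBasic('id', '??>???');              // Basic aWQ6Pz8+Pz8/
const url = encodeBasic('id', '??>???', 'base64url'); // Basic aWQ6Pz8-Pz8_
console.log(std, parseBasic(std));
console.log(url, parseBasic(url), parseBasic(url, { allowUrlSafe: true }));
console.log(JSON.stringify(lenientStdDecode(url.slice(6))));
```

Credentials made up only of bytes that encode to letters and digits produce the same token in both alphabets, so the mismatch appears only for some credential values.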
