[wp-trac] [WordPress Trac] #55870: WP App Passwords Should be URL Decoded
WordPress Trac
noreply at wordpress.org
Sun May 29 19:25:28 UTC 2022
#55870: WP App Passwords Should be URL Decoded
-----------------------------------+------------------------------
Reporter: mrahmadawais | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Application Passwords | Version: 5.6
Severity: normal | Resolution:
Keywords: reporter-feedback | Focuses: rest-api
-----------------------------------+------------------------------
Changes (by TimothyBlynJacobs):
* keywords: => reporter-feedback
* version: trunk => 5.6
Old description:
> Using OAuth 2 based. authentication IETF recommends for [client
> id/secrets](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1)
> URL [encoded](https://datatracker.ietf.org/doc/html/rfc6749#appendix-B)
> forms.
>
> Which means, by using some node OpenID clients, we always get
> `Authorization: Basic urlSafeEncodedBase64String('user:pass')`.
>
> This fails to authenticate as [WordPress doesn't
> decode](https://github.com/WordPress/wordpress-
> develop/blob/0a6c37ceb0a86bebf0b287ac12d200e67bbf948f/src/wp-
> includes/user.php#L474) the `user` and `pass` which could also be
> clientId and clientSecret in OAuth2.
>
> This could be solved by using `urldecode( string $str )`.
>
> BEFORE
>
> {{{#!php
> <?PHP
> $authenticated = wp_authenticate_application_password( null,
> $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] );
> }}}
>
> AFTER
>
> {{{#!php
> <?php
> $authenticated = wp_authenticate_application_password( null,
> urldecode($_SERVER['PHP_AUTH_USER']), urldecode($_SERVER['PHP_AUTH_PW'])
> );
> }}}
>
> Would you folks be up for a patch for this?
New description:
Using OAuth 2 based. authentication IETF recommends for
[https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1 client
id/secrets] URL [https://datatracker.ietf.org/doc/html/rfc6749#appendix-B
encoded] forms.
Which means, by using some node OpenID clients, we always get
`Authorization: Basic urlSafeEncodedBase64String('user:pass')`.
This fails to authenticate as [https://github.com/WordPress/wordpress-
develop/blob/0a6c37ceb0a86bebf0b287ac12d200e67bbf948f/src/wp-
includes/user.php#L474 WordPress doesn't decode] the `user` and `pass`
which could also be clientId and clientSecret in OAuth2.
This could be solved by using `urldecode( string $str )`.
BEFORE
{{{#!php
<?PHP
$authenticated = wp_authenticate_application_password( null,
$_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] );
}}}
AFTER
{{{#!php
<?php
$authenticated = wp_authenticate_application_password( null,
urldecode($_SERVER['PHP_AUTH_USER']), urldecode($_SERVER['PHP_AUTH_PW'])
);
}}}
Would you folks be up for a patch for this?
--
Comment:
Hi @mrahmadawais,
Thanks for the ticket!
I'm not sure why an OpenID client would be used with App Passwords. One of
the benefits of App Passwords using Basic Authentication is that it is
built in to many HTTP clients by simply passing a `username` and
`password` field. For instance ''Axios'' and ''Guzzle'' both have an
`auth` field.
The OAuth specification requires following that encoding process. However,
Application Passwords is not OAuth, so I'm not sure why we'd be following
the OAuth specification here.
If we did want to match the OAuth specification, changing the encoding
format could potentially cause a backward compatibility break. Though it
would be unlikely due to the selection of characters that WordPress Core
generates.
All that being said, I'm not sure what the practical benefit here is. If
the values passed to App Passwords are an OAuth `client_id` and
`client_secret` they won't be successfully authenticated by
`wp_authenticate_application_password` regardless of the encoding method
chosen because they aren't App Passwords.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/55870#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list