
single sign on - JWT authentication with WP - Approach


We're using JWT (JSON Web Token) for authenticating our WordPress application with an external service. The current flow we're thinking of is like this:

  1. The user signs in on the parent site
  2. The parent site sends a POST request with the user information and the JWT token to the WordPress site
  3. The WP site stores the JWT token
  4. The token is checked for expiry every time the user visits a new page, and if the token is expired, the user will be redirected to the parent site for logging in again.

My questions:

  1. Is this the right approach?
  2. How do I store the JWT token? A cookie? Or in the database, with the user's information as a unique identifier? Note: The users will not be registered on the WP site.
  3. How do I check for expiry?

There is a WP plugin for JWT but no documentation for it, hence I am not sure if it will serve my purpose.

edited Oct 5, 2015 at 11:35 by Rutwick Gangurde; asked Oct 5, 2015 at 10:23 by Rutwick Gangurde
  • hmmm wtf is jwt? – Mark Kaplun Commented Oct 5, 2015 at 10:42
  • Added relevant links. Check. – Rutwick Gangurde Commented Oct 5, 2015 at 10:58
  • ok, now I know what is JWT I still don't understand the question and why is it specific to wordpress. Isn't there a best practice guide for it? Anyway plugin/library recommendations are off-topic.... – Mark Kaplun Commented Oct 5, 2015 at 11:22
  • I don't want a plugin recommendation, I am writing my own code. Removed the last line which led you to think so. – Rutwick Gangurde Commented Oct 5, 2015 at 11:34

2 Answers


This showed up as a notification due to the upvote. Here's how I solved it.

  1. The endpoint coded in the app that I am supposed to authenticate with prepares the token.
  2. The token has to be in the specified format.
  3. It then should be base 64 encoded and hash encrypted.
  4. The wp_init handler should be used to handle the POST request sent by the endpoint, to extract the token.
  5. The key will be shared via some other way, used for decryption.
  6. Once the token is extracted, compare it against a locally generated token with the same information.
  7. Store it in a cookie, and check it on every page access. You can expire it after a while or keep on increasing the time slice on every page access.

The endpoint could be in any language. Also this is the general flow of it, you can use it anywhere you want.
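A minimal verifier for steps 4 to 7 of the answer and for the question's expiry check, added here as an example rather than code from the answer or from any plugin; it assumes an HS256 token and a shared secret held in `$secret`, and uses no WordPress functions so it runs under the php CLI.

```php
<?php
// Added example, not code from the answer above: a minimal HS256 JWT check of
// the kind the WordPress-side handler would run on the token the parent site
// posts. Assumed: the shared secret is in $secret; plain PHP, no WordPress.
function b64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data) {
    $padded = str_pad(strtr($data, '-_', '+/'), strlen($data) + (4 - strlen($data) % 4) % 4, '=');
    return base64_decode($padded, true); // strict: reject stray characters
}

// Returns the claims, or null when the token is malformed, its signature does
// not match the locally recomputed one, or it has expired at $now.
function verify_jwt_hs256(string $token, string $secret, int $now): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$header64, $payload64, $sig64] = $parts;
    $header = json_decode(b64url_decode($header64) ?: '', true);
    // Pin the algorithm server-side; the token must not choose it ("none" etc.).
    if (!is_array($header) || ($header['alg'] ?? '') !== 'HS256') {
        return null;
    }
    // Step 6 of the answer: regenerate the signature locally and compare it in
    // constant time.
    $expected = hash_hmac('sha256', "$header64.$payload64", $secret, true);
    $given = b64url_decode($sig64);
    if ($given === false || !hash_equals($expected, $given)) {
        return null;
    }
    $claims = json_decode(b64url_decode($payload64) ?: '', true);
    if (!is_array($claims) || !is_int($claims['exp'] ?? null) || $claims['exp'] <= $now) {
        return null; // missing or past exp: caller redirects to the parent site
    }
    return $claims;
}

// Constructed demo token, minted the way the parent site would with the same secret.
$secret  = 'placeholder-shared-secret';
$header  = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
$payload = b64url_encode(json_encode(['sub' => 'user42', 'exp' => time() + 300]));
$token   = "$header.$payload." . b64url_encode(hash_hmac('sha256', "$header.$payload", $secret, true));

var_dump(verify_jwt_hs256($token, $secret, time()));         // fresh token
var_dump(verify_jwt_hs256($token, $secret, time() + 600));   // same token, checked ten minutes later
var_dump(verify_jwt_hs256($token, 'wrong-secret', time()));  // signed with a different secret
```

In WordPress the same function would be called from the `init` handler the answer mentions, on the token taken from the POST body or from the cookie it was stored in, with a null result triggering the redirect to the parent site.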

Enabling Single-Sign-On in WordPress took me 18+ hours of struggle but might take you only a few minutes:

Basically, you'll want to use https://wordpress/plugins/wp-force-login/ and a modified version of https://as.wordpress/plugins/jwt-authenticator/ and then create an auth-protected endpoint on your main site that generates a JWT (JSON Web Token) and redirects back to the special URL of your WordPress site.

See full code here.
