We're using JWT (JSON Web Token) for authenticating our WordPress application with an external service. The current flow we're thinking of is like this:
The user signs in on the parent site
The parent site sends a POST request with the user information and the JWT token to the WordPress site
The WP site stores the JWT token
The token is checked for expiry every time the user visits a new page, and if the token is expired, the user will be redirected to the parent site for logging in again.
My questions:
Is this the right approach?
How do I store the JWT token? A cookie? Or in the database, with the user's information as a unique identifier? Note: The users will not be registered on the WP site.
How do I check for expiry?
There is a WP plugin for JWT but no documentation for it, hence I am not sure if it will serve my purpose.
asked Oct 5, 2015 at 10:23 by Rutwick Gangurde; edited Oct 5, 2015 at 11:35 by Rutwick Gangurde
hmmm wtf is jwt?
– Mark Kaplun, Oct 5, 2015 at 10:42
ok, now that I know what JWT is, I still don't understand the question and why it is specific to WordPress. Isn't there a best practice guide for it? Anyway plugin/library recommendations are off-topic....
– Mark Kaplun, Oct 5, 2015 at 11:22
I don't want a plugin recommendation, I am writing my own code. Removed the last line which led you to think so.
– Rutwick Gangurde, Oct 5, 2015 at 11:34
2 Answers
This showed up as a notification due to the upvote. Here's how I solved it.
The endpoint coded in the app that I am supposed to authenticate with prepares the token.
The token has to be in the specified format.
It then should be base64 encoded and hash encrypted.
The wp_init handler should be used to handle the POST request sent by the endpoint, to extract the token.
The key will be shared via some other way, used for decryption.
Once the token is extracted, compare it against a locally generated token with the same information.
Store it in a cookie, and check it on every page access. You can expire it after a while or keep on increasing the time slice on every page access.
The endpoint could be in any language. Also this is the general flow of it, you can use it anywhere you want.
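The flow in the answer above, written out as an added example (not code from the question or either answer): HS256 verification with the algorithm pinned, a constant-time signature check before any claim is trusted, the exp check the question asks about, all run from the init hook, with the token kept in an HttpOnly cookie. The POST field name "token", the cookie name "sso_jwt" and the constants JWT_SHARED_SECRET and PARENT_LOGIN_URL are assumptions.

```php
<?php
// Added example, not from the question or answers. Assumed names: POST field
// "token", constants JWT_SHARED_SECRET and PARENT_LOGIN_URL, cookie "sso_jwt".
function sso_b64url_decode( $s ) {
    $pad = str_repeat( '=', ( 4 - strlen( $s ) % 4 ) % 4 );
    return base64_decode( strtr( $s, '-_', '+/' ) . $pad, true );
}

// Returns the claims array, or a WP_Error naming which check failed.
function sso_verify_hs256_jwt( $jwt, $secret, $now = null ) {
    $now   = $now ?? time();
    $parts = explode( '.', $jwt );
    if ( count( $parts ) !== 3 ) {
        return new WP_Error( 'jwt_malformed', 'Token must have three segments.' );
    }
    list( $h, $p, $s ) = $parts;
    $header = json_decode( sso_b64url_decode( $h ), true );
    // Pin the algorithm; never let the token's own "alg" choose the verifier.
    if ( ! is_array( $header ) || ( $header['alg'] ?? '' ) !== 'HS256' ) {
        return new WP_Error( 'jwt_alg', 'Unexpected or missing alg.' );
    }
    // Verify the signature (constant-time) before trusting any claim.
    $expected = hash_hmac( 'sha256', $h . '.' . $p, $secret, true );
    if ( ! hash_equals( $expected, (string) sso_b64url_decode( $s ) ) ) {
        return new WP_Error( 'jwt_sig', 'Signature mismatch.' );
    }
    $claims = json_decode( sso_b64url_decode( $p ), true );
    if ( ! is_array( $claims ) || ! isset( $claims['exp'] ) || ! is_int( $claims['exp'] ) ) {
        return new WP_Error( 'jwt_exp', 'Missing or non-numeric exp claim.' );
    }
    // Expiry check, with 30 s of leeway for clock skew between the two sites.
    if ( $claims['exp'] + 30 < $now ) {
        return new WP_Error( 'jwt_expired', 'Token expired.' );
    }
    return $claims;
}

// Every page load: the POSTed token on first arrival, the cookie afterwards.
add_action( 'init', function () {
    $token  = $_POST['token'] ?? ( $_COOKIE['sso_jwt'] ?? '' );
    $claims = '' === $token ? null : sso_verify_hs256_jwt( $token, JWT_SHARED_SECRET );
    if ( null === $claims || is_wp_error( $claims ) ) {
        wp_redirect( PARENT_LOGIN_URL ); // invalid or expired: sign in again on the parent
        exit;
    }
    if ( isset( $_POST['token'] ) ) {
        // HttpOnly + Secure cookie whose lifetime ends when the token itself expires.
        setcookie( 'sso_jwt', $token, $claims['exp'], COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
    }
} );
```

wp_redirect is used deliberately for the off-site parent URL; wp_safe_redirect would refuse the external host unless it is added through the allowed_redirect_hosts filter.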
Enabling Single-Sign-On in WordPress took me 18+ hours of struggle but might take you only a few minutes:
Basically, you'll want to use https://wordpress/plugins/wp-force-login/ and a modified version of https://as.wordpress/plugins/jwt-authenticator/ and then create an auth-protected endpoint on your main site that generates a JWT (JSON Web Token) and redirects back to the special URL of your WordPress site.