I have two websites, one is wordpress and other is angular/node. How to login wordpress site useing same credentials as angular site. We don't want the user to create another account in wordpress. We should manage this for angular site. How to implemented this scenario.
You can use JSON Web Tokens. The JWT Authentication plugin will allow you to log in from your JS app.
You make a POST request to /WP-JSON/JWT-AUTH/V1/TOKEN with the username and password to get the token (if the credentials are correct), and each time you make a request to the WordPress site you add Authorization : Bearer [token] to your request header.
Related
I am building a web app in which I have implemented Oauth using GitHub.
when user clicks sign in with Oauth, user is redirected to GitHub for sign in and authorization
and when authorized again redirected to the the callback path(Auth server) with access token in parameters.
using access token when I get needed information from GitHub I want to send information cookie to the frontend domain but when I send cookie, it is getting stored to auth server domain instead of frontend domain on browser.
frontend-(redirect)->GitHub Oauth-(redirect)->Oauth server send cookie and redirect to frontend
I want frontend to have cookie which will have user info.
I have a setup of Mongo, Express, ReactJS, NodeJS. My app requires users to log in and then they can do certain actions. Each user get a temporary JWT token.
I want to allow an external WordPress website to send me an array using a POST request.
I've figured out how to do this (using CURL) but my app rejects any requests without a JWT token.
Thing is, I don't want users from WordPress to log in so they have a token. I need a token for the wordpress site. I need some "secret key" so that the WordPress site will be authorized to speak to my app.
So, In my app I created new routes like so:
app.use('/api/external', externalRoutes)
const { getExternalOrder } = require('../controllers/external')
router.post('/', getExternalOrder)
but right now, anyone get send POST to /api/external. So I want to add a "secret key" to make sure it's a verified request.
If the communication between the WordPress site and your application is server-to-server communication; can you use client credential flow where the WordPress site obtains an access token from your IDP using client credentials i.e. client id and client secret...
Other options:
HMAC & shared secret - I've actually done this approach with
WordPress talking to protected external routes.
basic auth
client certificates
I'm making web app using node.js express with Restful API.
And, to use my web app, the user must login. If user doesn't login, he always stays in login page.
But, I heard that restful api doesn't use session or cookie information to maintain user login.
So, I heard that it use JWT. So, I want to use this. But, I saw that it has to compare token information when user access Restful API.
Then, in my case, should the user always have to request token information to the web app server to use my web service? (I mean add token in request header when user request every page)
you can use
HTML Local Storage
When you get JWT token save some value at local storage localStorage.setItem("logenin", "yes");
and check at every page or where you need this infomation localStorage.getItem("logenin");
I have creating a website running on Node.js and Express. For logging into my website I use passport.js based social login with Google, Facebook and Live.
I need to expose user data via authenticated REST services so that website's Chrome & Firefox browser extension can do CRUD operations.
When user clicks on a button injected via browser extension, I need to check if user is already logged in to website. If user is not logged in then I will do a redirect for login and return back to original page.
I am clueless after this. Which token do I use for REST API calls ?
Any Advice ?
After the social login, when the user is redirected to the callback url, you can create your own token, e.g. using uuid, and then send it to the client.
For all the consequent requests the client needs to use that token for authentication and you have to manage its expiration.
I am writing an API to be used by both my JavaScript app (same domain, API is at api.example.com and site at example.com and 3rd party developers (mobile, desktop, etc). Now I want to use OAuth but I have no idea how the workflow is when using both OAuth and using my application with the same origin policy.
How do I authenticate the user in my web app? When I send the username and password, can I check if the request came from my domain and then return the token? The token will be stored in a cookie and sent back to the server on every request. So there are 2 parts:
If the request came from my domain, just check for token else throw HTTP exception.
If not my domain, do OAuth authentication.
Is this possible? How do I go about setting this up in asp.net web API? (mainly the part about checking if the request is in the same domain)
I am guessing that to log into your web app you're not using OAuth, but simply accept username and password and start a session? If so you don't really have to bother with OAuth for your own site.
Set up the session cookie to be valid across *.example.com and you should be able to validate that cookie both on site.example.com and api.example.com.
Example:
Request comes in to api.example.com/verify_credentials.json
Serve response if OAuth validation is successful.
If not, attempt Cookie validation - serve if successful
Return 402 Unauthorized if both fail.
Here's a thread about sharing a cookie across sub domains: ASP.NET Subdomain Cookie (parent and one subdomain)