JavaScript for WordPress JavaScript for WordPress

Decoupled Authentication with WordPress

Check out a free preview of the full JavaScript for WordPress course:
The "Decoupled Authentication with WordPress" Lesson is part of the full, JavaScript for WordPress course featured in this preview video. Here's what you'd learn in this lesson:

Zac reviews Basic Auth, JSON Web Tokens (JWT) Auth, OAuth 1 & 2, and WordPress API Broker as methods for setting up authentication. Zac walks through setting up decoupled authentication. - https://apps.wp-api.org/

Get Unlimited Access Now

Transcript from the "Decoupled Authentication with WordPress" Lesson

[00:00:00]
>> Zac Gordon: When it comes to decoupled authentication, so that means we're running on a site or instance separate from the WordPress one. We're not in a theme, we're not in a plugin. We have a few options for authentication. First one is BasicAuth, and with BasicAuth what you do is you have to install a BasicAuth plugin on your WordPress site.

[00:00:20] And then you basically pass over SSL, your username, and password with every request, and so that would be saved and passed over again and again. This is not really the preferred method, although you're trying to get something testing. It could be an option, but remember, you need a BasicAuth plugin on your site and then your code can use it.

[00:00:42] The next option and the one that we're going to be looking at, and we even have a course on, are JSON web tokens. This is still using your username and password, but a slightly different architecture behind the scenes to pass it back and forth and using tokens In addition to just passing a straight password every time.

[00:01:00] So that means that you don't have to send it over and over again, slightly more secure. And guess what? Frontend Masters has a course on JWT, so go check that out and that's what we'll be using. But again with JWT you also need a JWT plugin installed on your site to create the endpoint and process all the data when we try to hit it By default right now WordPress does not have decoupled authentication baked into course.

[00:01:25] So all of these thing that we look at or going to involve some sort of plug in. Then we have OAuth one and two and they are options for both of these. Again you need stuff setup on your WordPress site, the plug in install And in your code you need to write all the code to handle that and there's a few plug ins that are available for that, and if you look at the main WordPress rest API it recommends some specific one's.

[00:01:52] Then there's a whole another system called, The WordPress API Broker. So, if you are building an app or you built a site that you want people to be able to ping with an API, and you're creating that username and password and you know your credentials to do it, that's one thing.

[00:02:11] But what happens when you want other people to create credentials on the fly and interact with your site On their own. What you introduce at that point is a broker that will kind of sit between your site and allow people to get access and credentials that are still secure and processed.

[00:02:29] So you can check out this URL for more on that, it's definitely an advanced thing, so you want to know what you're doing. With OAuth to begin. But the W API Broker is a really powerful thing. And if we wanted to someday see something like how you could use GitHub or Google Account to login to different other accounts, you could potentially set up your WordPress site To work that way.

[00:02:55] Now, you need a lot of distribution, so it's likely to happen. There will maybe be a case where somebody needs this for a project or something, so that's why I'm mentioning it. And then finally, I also wanna point out that there is another API client. So we're doing all of this by hand.

[00:03:13] We're using and we're hardcoding in the requests we wanna do every time. If we didn't want to do that there is a really great client called the Node Word Press API Client and it's just Java Script it can run node but it doesn't have to be nodes. So, you can use it just any client side.

[00:03:30] And I kinda debated between having a whole example be in this client versus not. And the reason I chose is not to do or demo with this. Is that if we only rely on clients and then the client can't so something we want, we're kind of in hot water.

[00:03:46] So if we learn how to do it the most flexible way from the start and then we learn and approach later on, it makes everything easier for 90 to 99% of the cases, then this is a way better scenario. So, in the final repo, I haven't put it up there.

[00:04:00] I'll give you a whole app that's built with the node API client. So you can see, and it's similar to the backbone one, but it's even cleaner in how stuff works, it's got a really great syntax. And it has a little bit of authentication baked into it, but not everything.

[00:04:17] So you can't do OAuth and JWT, but if you wanted to do BasicAuth, it has the support to be able to handle that. And I do believe that It will continue to be supported and grown, and have other authentication methods going forward. So this is what we need to know, to basically have the frame of reference to be able to start working with this authentication.

[00:04:40] Remember SSL on your WordPress site, SSL on your decoupled app. Plugin to handle whatever authentication. So BasicOAuth plugin, JWT plugin, OAuth 1 OAuth 2 plugin, whatever. And then you call that from your site.