JWT authentication with WP - Approach

We're using JWT (JSON Web Token) for authenticating our WordPress application with an external service. The current flow we're thinking of is like this:

  1. The user signs in on the parent site
  2. The parent site sends a POST request with the user information and the JWT token to the WordPress site
  3. The WP site stores the JWT token
  4. The token is checked for expiry every time the user visits a new page, and if the token is expired, the user will be redirected to the parent site to log in again.

My questions:

  1. Is this the right approach?
  2. How do I store the JWT token? A cookie? Or in the database, with the user's information as a unique identifier? Note: The users will not be registered on the WP site.
  3. How do I check for expiry?

There is a WP plugin for JWT but no documentation for it, hence I am not sure if it will serve my purpose.

Topic authentication single-sign-on Wordpress

Category Web


Enabling Single-Sign-On in WordPress took me 18+ hours of struggle but might take you only a few minutes:

Basically, you'll want to use https://wordpress.org/plugins/wp-force-login/ and a modified version of https://as.wordpress.org/plugins/jwt-authenticator/ and then create an auth-protected endpoint on your main site that generates a JWT (JSON Web Token) and redirects back to the special URL of your WordPress site.

See full code here.


This showed up as a notification due to the upvote. Here's how I solved it.

  1. The endpoint coded in the app that I am supposed to authenticate with prepares the token.
  2. The token has to be in the specified format.
  3. It should then be base64-encoded and hash-encrypted.
  4. The wp_init handler should be used to handle the POST request sent by the endpoint, to extract the token.
  5. The key, used for decryption, will be shared some other way.
  6. Once the token is extracted, compare it against a locally generated token with the same information.
  7. Store it in a cookie, and check it on every page access. You can expire it after a while or keep on increasing the time slice on every page access.

The endpoint could be in any language. Also, this is the general flow of it; you can use it anywhere you want.
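The flow asked about in the question and outlined in both answers (parent site issues a token, the browser POSTs it to the WordPress site, WordPress verifies it, keeps it in a cookie and re-checks expiry on every page load), as an added example. This is not code from the question, either answer, or the plugins linked above. The shared secret (`SSO_JWT_SECRET`), the cookie name, the `/sso-login` path, the parent-site login URL, the `sso_*` function names and the 15-minute token lifetime are all assumptions made for this example. The parent-site functions can be ported to any language; the WordPress part is a must-use plugin.

```php
<?php
// Added example (not the question's or either answer's code). The shared secret,
// cookie name, /sso-login path, parent URL and 15-minute lifetime are assumptions.

function sso_b64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function sso_b64url_decode(string $data): string {
    $data .= str_repeat('=', (4 - strlen($data) % 4) % 4);
    $out = base64_decode(strtr($data, '-_', '+/'), true);
    return $out === false ? '' : $out;
}

// Parent site: build an HS256 JWT. The third segment is an HMAC-SHA256 over
// "<header>.<payload>" keyed with the shared secret; nothing is encrypted,
// so the claims are readable by anyone who sees the token.
function sso_jwt_encode(array $claims, string $secret): string {
    $header  = sso_b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = sso_b64url_encode(json_encode($claims));
    $sig     = hash_hmac('sha256', "$header.$payload", $secret, true);
    return "$header.$payload." . sso_b64url_encode($sig);
}

// Parent site: token for one signed-in user, valid for 15 minutes (assumed).
function sso_issue_token(string $user_id, string $secret, int $now): string {
    return sso_jwt_encode(['sub' => $user_id, 'iat' => $now, 'exp' => $now + 900], $secret);
}

// WordPress side: verify a token and return its claims, or null on any
// failure (malformed, wrong alg, bad signature, missing or past exp).
function sso_jwt_decode(string $jwt, string $secret, int $now): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) { return null; }
    [$h, $p, $s] = $parts;
    $header = json_decode(sso_b64url_decode($h), true);
    // Pin the algorithm: the token's own header must never choose how it is
    // verified (an attacker-supplied "none" would otherwise skip the check).
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') { return null; }
    // hash_equals() is constant-time, so the MAC cannot be guessed via timing.
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    if (!hash_equals($expected, sso_b64url_decode($s))) { return null; }
    $claims = json_decode(sso_b64url_decode($p), true);
    if (!is_array($claims) || !isset($claims['exp']) || !is_int($claims['exp'])) { return null; }
    return $claims['exp'] > $now ? $claims : null;   // expired tokens are rejected
}

// ---- WordPress must-use plugin (wp-content/mu-plugins/sso-jwt.php) ----
if (function_exists('add_action')) {
    define('SSO_JWT_SECRET', (string) getenv('SSO_JWT_SECRET'));   // shared out of band
    define('SSO_COOKIE', 'sso_jwt');
    define('SSO_PARENT_LOGIN_URL', 'https://parent.example/login');

    add_action('init', function () {
        // Leave WordPress's own admin login alone; SSO users are not WP users.
        if (SSO_JWT_SECRET === '' || is_admin() || $GLOBALS['pagenow'] === 'wp-login.php') {
            return;
        }
        $now = time();

        // The user's browser POSTs the freshly issued token here (an
        // auto-submitting form on the parent site); verify it and keep it in a cookie.
        if ($_SERVER['REQUEST_METHOD'] === 'POST' && strpos($_SERVER['REQUEST_URI'], '/sso-login') === 0) {
            $token  = isset($_POST['token']) ? (string) $_POST['token'] : '';
            $claims = sso_jwt_decode($token, SSO_JWT_SECRET, $now);
            if ($claims === null) {
                wp_redirect(SSO_PARENT_LOGIN_URL, 302);
                exit;
            }
            // HttpOnly keeps the token away from page scripts, Secure keeps it
            // off plain HTTP, and the cookie expires together with the token.
            setcookie(SSO_COOKIE, $token, [
                'expires' => $claims['exp'], 'path' => '/', 'secure' => true,
                'httponly' => true, 'samesite' => 'Lax',
            ]);
            wp_redirect(home_url('/'), 302);
            exit;
        }

        // Every other page load: re-verify the cookie; an expired or tampered
        // token sends the user back to the parent site to sign in again.
        $token  = isset($_COOKIE[SSO_COOKIE]) ? (string) $_COOKIE[SSO_COOKIE] : '';
        $claims = sso_jwt_decode($token, SSO_JWT_SECRET, $now);
        if ($claims === null) {
            wp_redirect(SSO_PARENT_LOGIN_URL, 302);
            exit;
        }
        $GLOBALS['sso_user'] = $claims;   // e.g. $claims['sub'] for the theme to use
    });
}
```

Two points the example settles for the question's items 2 and 3. The token is kept in an HttpOnly, Secure cookie rather than in the database: a JWT is self-contained, and the HMAC (plus the `exp` claim) is what binds it to the user and bounds its lifetime, so a database row keyed on the user's details would add a lookup without adding security. "Checking for expiry" is simply running the same verification on every request, with the signature checked before `exp` is trusted; a client-controlled `exp` with no signature check is worthless. Note also that the POST in step 2 of the question must come from the user's browser (for example an auto-submitting form on the parent site), not server-to-server, or WordPress has no way to set the cookie in that browser; keep the lifetime short, since anyone who captures the token can replay it until `exp`. The `setcookie()` options array needs PHP 7.3 or later, and the `/sso-login` prefix check assumes WordPress is installed at the site root.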
