Add support for "verified" clients. #25

Open
wants to merge 1 commit into
base: dynamic-client-registration

Conversation

TimothyBJacobs
Member

First pass at a basic form of verified software statements.

This checks the JWT for an "iss" header. If one is present, we fetch a public key at that host ".well-known/wp-api/oauth2.pem", and use that public key to verify the JWT.

If a client is verified we display a "verified" message on the connect screen.

This also adds a new "--sign" flag to the CLI command to generate a signed software statement.

Fixes #18.


Test Instructions

  1. Generate an openssl key pair. Enter a passphrase.

     openssl genrsa -des3 -out private.pem 2048

  2. Then export the public key to a file.

     openssl rsa -in private.pem -outform PEM -pubout -out public.pem

  3. And upload it to https://yourwebsite.com/.well-known/wp-api/oauth2.pem.

  4. Then, in your WordPress install, run the WP CLI command to generate a software statement.

     wp oauth2 create-software-statement https://yourwebsite.com --client_name="My App" --redirect_uri="https://yourwebsite.com/oauth" --sign=/path/to/private.pem

  5. WP CLI will prompt you for the passphrase you entered in step 1.

  6. Use your generated software statement as the client_id.

$ wp oauth2 create-software-statement https://timothybjacobs.com --client_name="My App" --redirect_uri="https://timothybjacobs.com/oauth" --sign=/path/to/private.pem
Generated software id: a0ade6fa-6b69-43ee-9bf6-7b84b26b3786
Passphrase:
Success: Generated Statement: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJjbGllbnRfdXJpIjoiaHR0cHM6XC9cL3RpbW90aHliamFjb2JzLmNvbSIsInNvZnR3YXJlX2lkIjoiYTBhZGU2ZmEtNmI2OS00M2VlLTliZjYtN2I4NGIyNmIzNzg2IiwicmVkaXJlY3RfdXJpcyI6WyJodHRwczpcL1wvdGltb3RoeWJqYWNvYnMuY29tXC9vYXV0aCJdLCJjbGllbnRfbmFtZSI6Ik15IEFwcCIsImlzcyI6Imh0dHBzOlwvXC90aW1vdGh5YmphY29icy5jb20ifQ.mLofeFU21bcWrEjfyb4WFbLZ_2VgVLY_1_LUs9FWawMlvkBr9Taf4gstRzrN5WqHBxwpyJF7x9FI13M5BYxNlxlp1JmTkRILdo5AQGapcSrj_BMCfvrJ4wCldqEkrOarzbPxqZJVSStxEs9HYSPQc-voIgzBt4oZJ6K0mZdBC-qxK_pdshHIc9BRtfQZMdmSKpNWQ1vXH1PbLJpTGav6J-BcRv9Br30g3tLc7WZC8XLhZpDnXNndKuXBtHO_QHQpWw5gQfBBw8Sm9xrLuRhYfJvTojdrWBtC4ZmTIbZ4oGfaE7bgWirKm-FaSq4iVzqk0-LXQSgc1Fy4z2RYXxH2-A"
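The flow the PR describes (sign the software statement as an RS256 JWT, then on the server look for "iss", fetch that host's /.well-known/wp-api/oauth2.pem and check the signature), written out as an added example in Go. This is not code from the PR or from the plugin, which is PHP. It assumes the published key is the PKIX "BEGIN PUBLIC KEY" PEM that `openssl rsa -pubout` writes, replaces the HTTPS fetch with a caller-supplied function, and adds two checks a verifier needs that the description does not spell out: the header alg is pinned to RS256 before any key is used, and "iss" must be an https URL. The example.com issuer, the demo key and the statement claims are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Statement mirrors the claims in the page's decoded example JWT; "iss" is set only when signed.
type Statement struct {
	Iss          string   `json:"iss,omitempty"`
	SoftwareID   string   `json:"software_id"`
	ClientName   string   `json:"client_name"`
	ClientURI    string   `json:"client_uri"`
	RedirectURIs []string `json:"redirect_uris"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign produces a compact RS256 JWT over the statement, as the --sign flag would.
func Sign(st Statement, priv *rsa.PrivateKey) (string, error) {
	body, _ := json.Marshal(st) // a struct of strings cannot fail to marshal
	input := b64url([]byte(`{"typ":"JWT","alg":"RS256"}`)) + "." + b64url(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// PublicPEM encodes the public key as "openssl rsa -pubout" does (PKIX, "BEGIN PUBLIC KEY").
func PublicPEM(pub *rsa.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an *rsa.PublicKey
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
}

// Verify returns the statement, whether it is "verified", and any error. No "iss" means accepted
// but unverified; with "iss" the key published by that host must validate the signature.
// fetch stands in for the HTTPS GET of https://<host>/.well-known/wp-api/oauth2.pem.
func Verify(token string, fetch func(host string) ([]byte, error)) (Statement, bool, error) {
	var st Statement
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return st, false, errors.New("malformed JWT")
	}
	hdrRaw, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	bodyRaw, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return st, false, errors.New("JWT segments are not base64url")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdrRaw, &hdr) != nil || json.Unmarshal(bodyRaw, &st) != nil {
		return st, false, errors.New("JWT header or payload is not JSON")
	}
	if st.Iss == "" {
		return st, false, nil // unsigned statement: usable, never shown as verified
	}
	// Pin alg and require an https issuer before dereferencing anything: alg=none or
	// alg=HS256 must not verify, and a key fetched over plain http proves nothing.
	u, err := url.Parse(st.Iss)
	if hdr.Alg != "RS256" || err != nil || u.Scheme != "https" || u.Host == "" {
		return st, false, fmt.Errorf("refusing to verify alg=%q iss=%q", hdr.Alg, st.Iss)
	}
	pemBytes, err := fetch(u.Host)
	block, _ := pem.Decode(pemBytes) // nil input yields a nil block, caught below
	if err != nil || block == nil {
		return st, false, fmt.Errorf("no usable key for %s: %v", u.Host, err)
	}
	pubAny, err := x509.ParsePKIXPublicKey(block.Bytes)
	pub, ok := pubAny.(*rsa.PublicKey)
	if err != nil || !ok {
		return st, false, errors.New("issuer key is not an RSA public key")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return st, false, err // tampered claims, or a key the issuer never published
	}
	return st, true, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	pubPEM := PublicPEM(&priv.PublicKey)
	// Constructed stand-in for the well-known fetch: every host serves the demo key.
	fetch := func(string) ([]byte, error) { return pubPEM, nil }
	st := Statement{Iss: "https://example.com", SoftwareID: "demo", ClientName: "My App",
		ClientURI: "https://example.com", RedirectURIs: []string{"https://example.com/oauth"}}
	tok, _ := Sign(st, priv)
	_, ok, err := Verify(tok, fetch)
	fmt.Println("verified:", ok, "err:", err)
}
```

Two points worth keeping in mind when the fetch is a real HTTP request rather than a stub: the host comes from a claim the client itself wrote, so the verifier is making an outbound request to an attacker-chosen host and should validate TLS, apply a timeout and a response size limit, and reject non-public addresses; and "verified" here means only that whoever controls the issuer host's well-known path signed the statement, nothing more.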

@TimothyBJacobs
Member Author

Right now we're assuming that the site has OpenSSL available. We should check that and not attempt signing if it isn't available.
