[wp-trac] [WordPress Trac] #51939: Basic Auth staging protections conflicts with App Passwords
WordPress Trac
noreply at wordpress.org
Sun May 29 02:04:26 UTC 2022
#51939: Basic Auth staging protections conflicts with App Passwords
-------------------------------------+---------------------------------
 Reporter:  TimothyBlynJacobs        |       Owner:  TimothyBlynJacobs
     Type:  defect (bug)             |      Status:  closed
 Priority:  highest omg bbq          |   Milestone:  5.6
Component:  Application Passwords    |     Version:  5.6
 Severity:  blocker                  |  Resolution:  fixed
 Keywords:  has-patch has-unit-tests |     Focuses:  rest-api
            dev-reviewed             |
-------------------------------------+---------------------------------
Comment (by mrahmadawais):

Hi folks,

I have yet another use case that has become problematic because of this.

While trying to use OAuth 2 — https://www.npmjs.com/package/openid-client
— which requires `clientId` and `clientSecret` to be sent in an
`Authorization: Basic urlSafeBase64('clientId:clientSecret')` header — I
keep hitting a 401: Not Authorized error from WordPress since WP thinks I'm
trying to use App Passwords.

Now, I do want to use App Passwords for another use case and don't want to
disable them, but I'm stuck on how to handle `Authorization: Basic XYZ`
header-based requests, as this global feature doesn't even let me run my
code.

Any thoughts?

On another note, WP also doesn't use a URL-safe decoder for base64'd
user:pass params — which is how openid-client specs and sends data. This
means, even if I use user:pass in place of clientId:clientSecret — it
doesn't work due to clientId:clientSecret using URL-safe base64'd strings.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/51939#comment:25>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
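
The alphabet mismatch the comment describes, as an added example (not WordPress or openid-client code): a Basic header parser that validates strictly against one base64 alphabet rejects a token produced with the other. The function `decode_basic`, its `allowed` parameter and the sample credentials are constructed for illustration.

```python
import base64
import binascii
import re

# The two base64 alphabets differ only in the characters for values 62 and 63.
ALPHABETS = {"standard": "+/", "urlsafe": "-_"}

def decode_basic(header, allowed=("standard",)):
    """Return (identifier, secret) from an 'Authorization: Basic ...' value.

    Returns None when the scheme is not Basic, when the token uses characters
    outside every allowed alphabet, or when the decoded text has no colon.
    """
    scheme, _, token = header.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        return None
    for name in allowed:
        extra = ALPHABETS[name]
        # Strict check: reject foreign characters instead of skipping them.
        if not re.fullmatch(r"[A-Za-z0-9%s]+={0,2}" % re.escape(extra), token):
            continue
        # URL-safe encoders often omit padding, so restore it before decoding.
        padded = token + "=" * (-len(token) % 4)
        try:
            raw = base64.b64decode(padded, altchars=extra.encode(), validate=True)
            ident, sep, secret = raw.decode("utf-8").partition(":")
        except (binascii.Error, ValueError):
            continue
        if sep:  # credentials split on the first colon only
            return ident, secret
    return None

# Constructed sample: the secret bytes '???>>>' encode to the characters for
# values 63 and 62, so the two encodings of the same credentials differ.
CREDS = b"clientId:???>>>"
STD_HEADER = "Basic " + base64.b64encode(CREDS).decode()
URLSAFE_HEADER = "Basic " + base64.urlsafe_b64encode(CREDS).decode()

if __name__ == "__main__":
    print(STD_HEADER, "->", decode_basic(STD_HEADER))
    print(URLSAFE_HEADER, "->", decode_basic(URLSAFE_HEADER))
    print("both alphabets ->",
          decode_basic(URLSAFE_HEADER, allowed=("standard", "urlsafe")))
```

Credentials whose encoding contains neither differing character decode identically under both alphabets, so the mismatch only shows up for some identifier and secret values.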