Title: Authentication
Last modified: August 21, 2016

---

# Authentication

 *  Resolved [juandbb](https://wordpress.org/support/users/juandbb/)
 * (@juandbb)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/authentication-5/)
 * Hello,
 * Congratulations for the plugin, I’m really looking forward to seeing it in core!
 * My main problem is that I cannot authenticate. I’m trying to do it using PHP 
   and curl, but I have not succeeded so far.
 * For example, if I try:
 *     ```
       $username='username';
       $password='password';
       $url='http://example.com/wp-json/users';
   
       $ch = curl_init();
       // Keep TLS certificate and host-name verification on: Basic credentials are only base64-encoded
       curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
       curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 2);
       curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
       curl_setopt($ch, CURLOPT_VERBOSE, 1);
       curl_setopt($ch, CURLOPT_URL,$url);
       curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
       curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-Type:application/json", "Accept:application/json", 'Authorization:Basic '. base64_encode($username.":".$password)));
       curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
       curl_setopt($ch, CURLINFO_HEADER_OUT, true);
       $result=curl_exec($ch);
       curl_close($ch);
       var_dump(json_decode($result, true));
       ```
   
 * I get “Sorry, you are not allowed to list users”.
 * Same if I try:
 *     ```
       $ch = curl_init();
       curl_setopt($ch, CURLOPT_URL,$URL);
       curl_setopt($ch, CURLOPT_TIMEOUT, 30); //timeout after 30 seconds
       curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
       curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
       curl_setopt($ch, CURLOPT_USERPWD, "$username:$password");
       $result=curl_exec ($ch);
       $status_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);   //get status code (only populated after curl_exec)
       curl_close ($ch);
       return $result;
       ```
   
 * Can anybody help, please?
 * Thanks a lot in advance!
 * [https://wordpress.org/plugins/json-rest-api/](https://wordpress.org/plugins/json-rest-api/)

Viewing 8 replies - 1 through 8 (of 8 total)

 *  [aryanduntley](https://wordpress.org/support/users/dunar21/)
 * (@dunar21)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/authentication-5/#post-4989080)
 * The plugin author has removed any in-code authentication methods and simply put
   a filter hook; json_authentication_errors. So, handling authentication is up 
   to you. If you want to use OAuth, there is a plugin/extension for this JSON REST
   API that handles most of the code for you. [https://github.com/WP-API/WP-API/blob/master/docs/authentication.md](https://github.com/WP-API/WP-API/blob/master/docs/authentication.md)
 * I use the basic auth like so:
 * `curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-Type:application/json", "Accept:application/json", 'Authorization:Basic '. base64_encode($username.":".$password)));`
 * To hook into the filter, you would do something like this:
 *     ```
       function MineCheckAuth(){
       //do check auth stuff, basic authentication in the headers will be
       //stored in either the
       //$_SERVER["REMOTE_AUTHORIZATION"] global or
       //$_SERVER["REDIRECT_REMOTE_AUTHORIZATION"]
   
       //log user in if good
   
       return true; //or return wp_error
       //neither will do anything but he states that these are the two valid return values.
       }
       add_filter('json_authentication_errors', 'MineCheckAuth');
       ```
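
Added example (not part of the thread and not the plugin's own code): one way to fill in the "check auth stuff" step of the reply above, assuming PHP exposes the Basic credentials as `$_SERVER['PHP_AUTH_USER']` and `$_SERVER['PHP_AUTH_PW']`. The `example_*` names are hypothetical; `determine_current_user`, `wp_authenticate()` and `is_ssl()` are WordPress core, and `json_authentication_errors` is the filter named in the reply.

```php
<?php
// Added example: the example_* names are hypothetical, not part of WP-API.

/** Resolve the current user from HTTP Basic credentials. */
function example_basic_auth_user( $user ) {
	global $example_basic_auth_result;
	$example_basic_auth_result = null;

	// Another handler (e.g. the login cookie) already identified the user.
	if ( ! empty( $user ) ) {
		return $user;
	}
	// No Basic credentials on this request: leave it unauthenticated.
	if ( ! isset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) ) {
		return $user;
	}
	// Basic auth is only base64-encoded, so refuse it over plain HTTP.
	if ( ! is_ssl() ) {
		$example_basic_auth_result = new WP_Error(
			'example_basic_auth_insecure',
			'Basic authentication requires HTTPS',
			array( 'status' => 403 )
		);
		return $user;
	}

	// wp_authenticate() can trigger this filter again; unhook to avoid recursion.
	remove_filter( 'determine_current_user', 'example_basic_auth_user', 20 );
	$checked = wp_authenticate( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] );
	add_filter( 'determine_current_user', 'example_basic_auth_user', 20 );

	if ( is_wp_error( $checked ) ) {
		$example_basic_auth_result = $checked; // surfaced by the filter below
		return $user;
	}
	$example_basic_auth_result = true;
	return $checked->ID;
}
add_filter( 'determine_current_user', 'example_basic_auth_user', 20 );

/** Report the outcome through json_authentication_errors: WP_Error, true, or null (not handled). */
function example_basic_auth_errors( $result ) {
	global $example_basic_auth_result;
	return ! empty( $result ) ? $result : $example_basic_auth_result;
}
add_filter( 'json_authentication_errors', 'example_basic_auth_errors' );
```

Returning `null` when no Basic credentials were sent lets the cookie and nonce check, which runs at priority 100, still handle the request.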
   
 *  [aryanduntley](https://wordpress.org/support/users/dunar21/)
 * (@dunar21)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/authentication-5/#post-4989081)
 * Author does hook into the auth errors filter, but only to verify nonce in wp 
   cookie auth.
 *     ```
       /**
        * Check for errors when using cookie-based authentication
        *
        * WordPress' built-in cookie authentication is always active for logged in
        * users. However, the API has to check nonces for each request to ensure users
        * are not vulnerable to CSRF.
        *
        * @param WP_Error|mixed $result Error from another authentication handler, null if we should handle it, or another value if not
        * @return WP_Error|mixed|boolean
        */
       function json_cookie_check_errors( $result ) {
       	if ( ! empty( $result ) ) {
       		return $result;
       	}
   
       	global $wp_json_auth_cookie;
   
       	// Are we using cookie authentication?
       	// (If we get an auth error, but we're still logged in, another
       	// authentication must have been used.)
       	if ( $wp_json_auth_cookie !== true && is_user_logged_in() ) {
       		return $result;
       	}
   
       	// Do we have a nonce?
       	$nonce = null;
       	if ( isset( $_REQUEST['_wp_json_nonce'] ) ) {
       		$nonce = $_REQUEST['_wp_json_nonce'];
       	}
       	elseif ( isset( $_SERVER['HTTP_X_WP_NONCE'] ) ) {
       		$nonce = $_SERVER['HTTP_X_WP_NONCE'];
       	}
   
       	if ( $nonce === null ) {
       		// No nonce at all, so act as if it's an unauthenticated request
       		wp_set_current_user( 0 );
       		return true;
       	}
   
       	// Check the nonce
       	$result = wp_verify_nonce( $nonce, 'wp_json' );
       	if ( ! $result ) {
       		return new WP_Error( 'json_cookie_invalid_nonce', __( 'Cookie nonce is invalid' ), array( 'status' => 403 ) );
       	}
   
       	return true;
       }
       add_filter( 'json_authentication_errors', 'json_cookie_check_errors', 100 );
       ```
   
 *  Thread Starter [juandbb](https://wordpress.org/support/users/juandbb/)
 * (@juandbb)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/authentication-5/#post-4989082)
 * Thanks a lot dunar 21.
 *  [aryanduntley](https://wordpress.org/support/users/dunar21/)
 * (@dunar21)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/authentication-5/#post-4989092)
 * You're welcome. If this works for you, you can mark as resolved.
 *  Thread Starter [juandbb](https://wordpress.org/support/users/juandbb/)
 * (@juandbb)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/authentication-5/#post-4989097)
 * Yes, thank you dunar21. Anyway I feel that the basic auth is not so secure for
   production, isn’t it? I’m more like trying the OAuth one, let’s see if I succeed
   in this as documentation is not very clear (at least for me!)
 *  Thread Starter [juandbb](https://wordpress.org/support/users/juandbb/)
 * (@juandbb)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/authentication-5/#post-4989098)
 * Marked as resolved.
 *  [aryanduntley](https://wordpress.org/support/users/dunar21/)
 * (@dunar21)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/authentication-5/#post-4989099)
 * Yeah, basic Auth probably should be avoided. You should do some google searching
   on how OAuth works before trying to delve into it. I just provided you the
   basic because that is what your original post was doing. Here is a well laid 
   out, easy to understand explanation of OAuth: [http://marktrapp.com/blog/2009/09/17/oauth-dummies/](http://marktrapp.com/blog/2009/09/17/oauth-dummies/)
   Good luck.
 *  Thread Starter [juandbb](https://wordpress.org/support/users/juandbb/)
 * (@juandbb)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/authentication-5/#post-4989100)
 * Thanks a lot again, you have been really helpful.

 * 8 replies
 * 2 participants
 * Last reply from: [juandbb](https://wordpress.org/support/users/juandbb/)
 * Last activity: [11 years, 11 months ago](https://wordpress.org/support/topic/authentication-5/#post-4989100)
 * Status: resolved