Title: Fix: Basic Authentication -> jwt_auth_bad_auth_header error
Last modified: November 4, 2019

---

# Fix: Basic Authentication -> jwt_auth_bad_auth_header error

 *  [ouija](https://wordpress.org/support/users/ouija/)
 * (@ouija)
 * [6 years, 6 months ago](https://wordpress.org/support/topic/fix-basic-authentication-jwt_auth_bad_auth_header-error/)
 * Hey,
 * Just wanted to share my experience with using this plugin recently, and some 
   challenges that arose in doing so.
 * First off, I discovered that I was having issues prior to using this plugin with
   Basic Authentication failing due to using PHP-FPM / FastCGI (with PHP 7.2) (using
   https), and that I had to add the following to my Apache config (or .htaccess
   file):
 * `SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1`
 * Without this, the Authorization headers weren’t being passed to the php pages
   because having PHP-FPM enabled prevents this.
 * Secondly, I discovered that when I had the JWT Authentication for WP REST API
   plugin enabled (along with PHP-FPM), I was getting this **jwt_auth_bad_auth_header
   (Authorization header malformed.)** error when simply using Basic Authentication.
 * If I disabled PHP-FPM, this error was gone, but I would rather have this enabled,
   so I did a little debugging… I found that if I also passed the Bearer token with
   the Basic Authentication, then this error was gone.
 * So, I opted to edit the **/jwt-authentication-for-wp-rest-api/public/class-jwt-auth-public.php**
   file to automatically set the Bearer token **if** Basic Authentication
   was being performed and the token was missing, simply by adding the following
   if statement after the `list($token) = sscanf($auth, 'Bearer %s');` at line 250:
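 *     ```
       if (!$token && stripos($auth, 'Basic ') === 0) {
           // No Bearer token, but a Basic header was sent: get a token using the Basic credentials.
           // Limit explode() to 2 parts so a password containing ':' is not truncated.
           list($username, $password) = explode( ':', base64_decode( substr( $auth, 6 ) ), 2 );
           $request = new WP_REST_Request( 'POST', '/wp-json/jwt-auth/v1/token' );
           $request->set_param( 'username', $username );
           $request->set_param( 'password', $password );
           $JWT = new Jwt_Auth_Public('jwt-auth', '1.1.0');
           $token = $JWT->generate_token( $request );
           // generate_token() result is used only if it carries a 'token' entry
           if (is_array($token) && isset($token['token'])) $token = $token['token'];
           return;
       }
       ```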
   
 * Note that I did NOT replace the original `if (!$token)` statement at this line,
   but added this additional statement before it, which will set the token for you
   IF/WHEN Basic Authentication is being performed, so that you don’t have to pass
   a token as well when doing so.
 * This fixed the **jwt_auth_bad_auth_header** error that I was getting when using
   Basic Auth without passing a token, which again does work when I have FastCGI/PHP-FPM
   (libapache2-mod-fcgid) disabled, so I don’t think this is a security
   risk, but let me know your thoughts if you feel otherwise? 🙂
 * I’m just happy to have found a solution to re-enable Basic Authentication while
   also supporting JWT / Bearer Tokens as well.
 * Hope this helps anyone else looking to achieve the same thing!
 * Which may be a solution to: [https://wordpress.org/support/topic/error-with-authorization-header-malformed/](https://wordpress.org/support/topic/error-with-authorization-header-malformed/)
   and [https://wordpress.org/support/topic/error-authorization-header-malformed-jwt_auth_bad_auth_header/](https://wordpress.org/support/topic/error-authorization-header-malformed-jwt_auth_bad_auth_header/)
    -  This topic was modified 6 years, 6 months ago by [ouija](https://wordpress.org/support/users/ouija/).
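
As an added example (not part of the original post and not the plugin's own code): a scheme-aware parser for the `Authorization` header, showing why `sscanf($auth, 'Bearer %s')` yields no token for a Basic header and how Basic credentials can be split without truncating a password that contains `:`. The function name `parse_authorization_header` and the sample headers are constructed for illustration.

```php
<?php
// Added example. parse_authorization_header() is a hypothetical helper,
// not a function of the plugin or of WordPress.

/**
 * Split an Authorization header into scheme and credentials.
 * 'scheme' is one of: none, bearer, basic, other, malformed.
 */
function parse_authorization_header(?string $auth): array
{
    if ($auth === null || trim($auth) === '') {
        return ['scheme' => 'none'];
    }
    // "<scheme> <credentials>"; the scheme name is case-insensitive.
    if (!preg_match('/^\s*([A-Za-z][A-Za-z0-9._~+-]*)\s+(\S.*?)\s*$/', $auth, $m)) {
        return ['scheme' => 'malformed'];
    }
    [$scheme, $cred] = [strtolower($m[1]), $m[2]];

    if ($scheme === 'bearer') {
        return ['scheme' => 'bearer', 'token' => $cred];
    }
    if ($scheme === 'basic') {
        $decoded = base64_decode($cred, true); // strict mode rejects non-base64 input
        if ($decoded === false || strpos($decoded, ':') === false) {
            return ['scheme' => 'malformed'];
        }
        // Only the first ':' separates the user name from the password.
        [$user, $pass] = explode(':', $decoded, 2);
        return ['scheme' => 'basic', 'username' => $user, 'password' => $pass];
    }
    return ['scheme' => 'other']; // e.g. Digest: leave it to another handler
}

// Constructed sample headers (no real credentials).
$samples = [
    'Bearer aaa.bbb.ccc',
    'Basic ' . base64_encode('alice:pa:ss:word'),
    'basic ' . base64_encode('alice:secret'),
    'Basic not*base64',
    null,
];
foreach ($samples as $h) {
    // The check quoted in the post: only a "Bearer ..." header produces a token.
    $token  = is_string($h) ? (sscanf($h, 'Bearer %s')[0] ?? null) : null;
    $parsed = parse_authorization_header($h);
    printf("%-34s sscanf_token=%-14s scheme=%s\n",
        var_export($h, true), var_export($token, true), $parsed['scheme']);
}
```

Run with `php` on the command line; only the first sample yields a token from the `sscanf` check, while the parser reports each header's actual scheme so a JWT handler could skip non-Bearer headers instead of treating them as malformed.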

Viewing 1 replies (of 1 total)

 *  [ColinD](https://wordpress.org/support/users/colind/)
 * (@colind)
 * [6 years, 5 months ago](https://wordpress.org/support/topic/fix-basic-authentication-jwt_auth_bad_auth_header-error/#post-12231999)
 * Thanks Ouija! That solved the same issue for me. I would love the opinion of 
   the plugin author or others with better security chops than I to chime in on 
   this.


The topic ‘Fix: Basic Authentication -> jwt_auth_bad_auth_header error’ is closed
to new replies.

## Tags

 * [apache](https://wordpress.org/support/topic-tag/apache/)
 * [authentication](https://wordpress.org/support/topic-tag/authentication/)
 * [fastcgi](https://wordpress.org/support/topic-tag/fastcgi/)
 * [HTTPS](https://wordpress.org/support/topic-tag/https/)
 * [php-fpm](https://wordpress.org/support/topic-tag/php-fpm/)

 * 1 reply
 * 1 participant
 * Last reply from: [ColinD](https://wordpress.org/support/users/colind/)
 * Last activity: [6 years, 5 months ago](https://wordpress.org/support/topic/fix-basic-authentication-jwt_auth_bad_auth_header-error/#post-12231999)
 * Status: not resolved