Skip to content

Add support for "verified" clients.#25

Open
TimothyBJacobs wants to merge 1 commit intodynamic-client-registrationfrom
verified-clients
Open

Add support for "verified" clients.#25
TimothyBJacobs wants to merge 1 commit intodynamic-client-registrationfrom
verified-clients

Conversation

@TimothyBJacobs
Copy link
Member

@TimothyBJacobs TimothyBJacobs commented May 21, 2020

First pass at a basic form of verified software statements.

This checks the JWT for an "iss" header. If one is present, we fetch a public key at that host ".well-known/wp-api/oauth2.pem", and use that public key to verify the JWT.

If a client is verified we display a "verified" message on the connect screen.

This also adds a new "--sign" flag to the CLI command to generate a signed software statement.

Fixes #18.

image

Test Instructions

  1. Generate an openssl key pair. Enter a passphrase.
openssl genrsa -des3 -out private.pem 2048
  1. Then export the public key to a file.
openssl rsa -in private.pem -outform PEM -pubout -out public.pem

  1. And upload it to https://yourwebsite.com/.well-known/wp-api/oauth2.pem.

  2. Then, in your WordPress install run the WP CLI command to generate a software statement.

wp oauth2 create-software-statement https://yourwebsite.com --client_name="My App" --redirect_uri="https://yourwebsite.com/oauth" --sign=/path/to/private.pem

  1. WP CLI will prompt you for the passphrase you entered in step 1.

  2. Use your generated software statement as the client_id.

$ wp oauth2 create-software-statement https://timothybjacobs.com --client_name="My App" --redirect_uri="https://timothybjacobs.com/oauth" --sign=/path/to/private.pem
Generated software id: a0ade6fa-6b69-43ee-9bf6-7b84b26b3786
Passphrase:
Success: Generated Statement: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJjbGllbnRfdXJpIjoiaHR0cHM6XC9cL3RpbW90aHliamFjb2JzLmNvbSIsInNvZnR3YXJlX2lkIjoiYTBhZGU2ZmEtNmI2OS00M2VlLTliZjYtN2I4NGIyNmIzNzg2IiwicmVkaXJlY3RfdXJpcyI6WyJodHRwczpcL1wvdGltb3RoeWJqYWNvYnMuY29tXC9vYXV0aCJdLCJjbGllbnRfbmFtZSI6Ik15IEFwcCIsImlzcyI6Imh0dHBzOlwvXC90aW1vdGh5YmphY29icy5jb20ifQ.mLofeFU21bcWrEjfyb4WFbLZ_2VgVLY_1_LUs9FWawMlvkBr9Taf4gstRzrN5WqHBxwpyJF7x9FI13M5BYxNlxlp1JmTkRILdo5AQGapcSrj_BMCfvrJ4wCldqEkrOarzbPxqZJVSStxEs9HYSPQc-voIgzBt4oZJ6K0mZdBC-qxK_pdshHIc9BRtfQZMdmSKpNWQ1vXH1PbLJpTGav6J-BcRv9Br30g3tLc7WZC8XLhZpDnXNndKuXBtHO_QHQpWw5gQfBBw8Sm9xrLuRhYfJvTojdrWBtC4ZmTIbZ4oGfaE7bgWirKm-FaSq4iVzqk0-LXQSgc1Fy4z2RYXxH2-A"

@TimothyBJacobs
First pass at a basic form of verified software statements.
ab1c964 
This checks the JWT for an "iss" header. If one is present,
we fetch a public key at that host ".well-known/wp-api/oauth2.pem",
and use that public key to verify the JWT.

If a client is verified we display a "verified" message on the connect screen.

This also adds a new "--sign" flag to the CLI command to generate a signed
software statement.

Fixes #18.
@TimothyBJacobs
Copy link
Member Author

TimothyBJacobs commented May 21, 2020

Right now we're assuming that the site has OpenSSL available. We should check that and not attempt signing if it isn't available.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@TimothyBJacobs