HTTP BASIC authentication (Wikipedia) is a form of client/server authentication where the username and password are base64-encoded in the request header. However, because base64 is trivially decoded, BASIC authentication requires SSL for the request to be secured.
HTTP DIGEST authentication (Wikipedia) permits more secure communication between the client and server over insecure HTTP. It’s also a fair bit more challenging to implement, for a couple of reasons:
- Every API call actually requires two HTTP requests. Although the first request will fail with 401 Unauthorized, it returns a www-authenticate response header with values critical for signing the second request.
- Sending the second request requires creating a signature with several variables where the order matters. Because of the number of variables (pun intended), debugging authentication failures can be very frustrating.
To make HTTP DIGEST authentication requests easier in WordPress, here’s a function you can use:
6 Comments
Unfortunately this throws an error because $request is not declared. I’m trying to work out a solution to this.
For anyone wanting to just implement this via https, just check out the tutorial by John Blackbourne. It’s a lot simpler when you don’t need to handle the security side of things yourself 🙂
https://johnblackbourn.com/wordpress-http-api-basicauth/
Hi Ryan, this is a late reply, but your comment is related to HTTP Basic Auth. In this case you are right, it is a lot simpler. But if you need to deal with HTTP Digest Auth as stated in this article, you need to create the auth header by yourself.
Hi! And where is the $request variable defined on the 23rd row?
Hm, great question. I think that’s whatever query arguments you’re passing in the initial request. This code snippet was prepared from some existing production code, but I don’t recall the exact details at this point.
Hi Daniel, your article still solves a problem in my WordPress plugin. Thanks for sharing.
Your regexp #(([\w]+)=["]?([^\s"]+))# is not able to deal with auth headers with spaces in the header fields. An example header is 'Digest realm="myown authentication",qop="auth",nonce="61…f9a552",opaque="a707ae2edc22….a9af0fd335"'. The algorithm will fetch realm="myown", which is wrong. Based on your script I commented on an update on github: https://github.com/WordPress/Requests/issues/245#issuecomment-901773002
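The two-step flow the post describes (read the www-authenticate challenge from the 401, then sign the second request) and the parsing problem raised in the comment above are both covered by the following added example. It is written in Python rather than as the post's WordPress function and is not the author's code. The parser keeps quoted values intact, so a realm containing a space is read whole instead of being cut at the first space. It assumes qop=auth with the default MD5 algorithm as specified in RFC 2617; the username, password, URI and challenge values are constructed sample inputs, and verify_response is an illustrative server-side check, not anything WordPress provides.

```python
"""Client and server halves of HTTP Digest authentication (RFC 2617,
qop="auth", MD5).  Added example for this post; not the post's own code.
"""
import hashlib
import hmac
import re
import secrets

# One key=value parameter of a Digest challenge or credential.  The value
# is either a quoted string (spaces and commas are allowed inside the
# quotes) or a bare token such as nc=00000001.
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')

# Constructed sample challenge in the shape of the header discussed in the
# comments: note the space inside the realm value.
SAMPLE_CHALLENGE = (
    'Digest realm="myown authentication", qop="auth", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)


def parse_www_authenticate(header):
    """Split a WWW-Authenticate or Authorization header into
    (scheme, {param: value}); parameter names are lower-cased."""
    scheme, _, params = header.strip().partition(" ")
    fields = {}
    for key, quoted, bare in _PARAM_RE.findall(params):
        fields[key.lower()] = quoted if quoted else bare
    return scheme, fields


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, password, realm, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """The RFC 2617 response value; the colon-joined order is fixed."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(username, password, method, uri, challenge,
                        nc=1, cnonce=None):
    """Build the Authorization header for the second request from the
    parsed challenge dict.  Only qop=auth with MD5 is handled here."""
    if "auth" not in challenge.get("qop", "").split(","):
        raise ValueError("server did not offer qop=auth")
    if challenge.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only the MD5 algorithm is implemented here")
    cnonce = cnonce or secrets.token_hex(8)   # fresh client nonce per request
    nc_hex = f"{nc:08x}"                      # request counter, 8 hex digits
    response = digest_response(username, password, challenge["realm"],
                               method, uri, challenge["nonce"],
                               nc_hex, cnonce)
    parts = [
        f'username="{username}"',
        f'realm="{challenge["realm"]}"',
        f'nonce="{challenge["nonce"]}"',
        f'uri="{uri}"',
        "qop=auth",
        f"nc={nc_hex}",
        f'cnonce="{cnonce}"',
        f'response="{response}"',
    ]
    if "opaque" in challenge:                 # echoed back to the server unchanged
        parts.append(f'opaque="{challenge["opaque"]}"')
    return "Digest " + ", ".join(parts)


def verify_response(auth_header, method, password_lookup):
    """Illustrative server-side check (hypothetical, not WordPress code):
    recompute the response from the stored password and compare it to the
    client's value in constant time."""
    scheme, p = parse_www_authenticate(auth_header)
    if scheme != "Digest":
        return False
    try:
        password = password_lookup(p["username"])
        if password is None:
            return False
        expected = digest_response(p["username"], password, p["realm"],
                                   method, p["uri"], p["nonce"], p["nc"],
                                   p["cnonce"], p.get("qop", "auth"))
        return hmac.compare_digest(expected, p.get("response", ""))
    except (KeyError, TypeError):             # missing or malformed fields
        return False


if __name__ == "__main__":
    scheme, challenge = parse_www_authenticate(SAMPLE_CHALLENGE)
    print(scheme, challenge)
    header = build_authorization("alice", "correct horse", "GET",
                                 "/dir/index.html", challenge)
    print(header)
    print("verified:", verify_response(
        header, "GET", {"alice": "correct horse"}.get))
```

The response is bound to the HTTP method and URI, so a header captured from a GET does not verify for a POST, and the comparison on the server side is constant-time. Digest keeps the password itself off the wire, but the response is still an MD5 over the password and values visible in both requests, so pairing it with TLS remains the sensible transport choice.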