1

In order to get a token I post the following request:

http://example.com/wordpress/wp-json/jwt-auth/v1/token?username=MYLOGIN&password=MYPASSWORD and in response I get a token - that's nice, but... what if I don't want to show the username and login in the requested URL, even a single time.

Everyone who can see my computer's requests can catch my login and password easily. Can I somehow hide this sensitive data in request headers instead of URL parameters? I'm using the "Chrome Insomnia" app to test the REST API, and next to PARAMS and HEADERS there is an AUTH tab where I can type a username and password - maybe that is the place I could use to send user data to get an access token without it being seen easily?

I tried to log in using the AUTH tab, but in response:

{
    "code": "jwt_auth_bad_auth_header",
    "message": "Authorization header malformed.",
    "data": {
        "status": 403
    }
}

Please don't send me back to the wp-api documentation because I couldn't find a clear answer by reading the docs there.

Ori Marko
Dariusz Sikorski

3 Answers

1

Use OAuth.

It is a secure way to authorize yourself on a REST API without having to send your username and password as plain text.

The WP-API documentation has a section called OAuth Authentication. The API uses OAuth 1.0. Basically you have to install the OAuth plugin, then generate a Client which automatically gets a Key and a Secret assigned. You can use this pair for secure authentication.

You can find more detailed information in the link I gave above, it is fairly simple to implement.

Bobface
  • Yes, I have the oAuth plugin already installed. What it gives is a new panel to generate a Client Secret and Client Key. How should I use these two to allow any user to log in with their username and password through an HTTP request? By Client I understand the external application, not external users; I guess I shouldn't publish these secret keys to every user. – Dariusz Sikorski Jun 05 '16 at 11:39
  • I have never used it with WordPress, but there should be a possibility for every user to generate their own client (when they have logged in over the webpage) and then use the key and secret to log in. – Bobface Jun 05 '16 at 11:54
1

To answer your original question on how you can keep people from seeing your passwords in Insomnia, it is recommended that you put sensitive data in an environment variable and reference it in your request.

You can define your environment JSON like this...

{
  "username": "MyUsername",
  "password": "MyPassword"
}

And reference them in the params tab (or anywhere else) using Nunjucks template syntax like {{ username }} and {{ password }}.

Here's a link to the docs on Environment Variables inside Insomnia.

~ Gregory

gschier
  • Wow, I didn't expect that answer, but it's interesting. I needed to hide user credentials sent over a public network, not to hide them in REST client apps, but thanks anyway. – Dariusz Sikorski Aug 25 '16 at 08:51
-1

Although I agree OAuth (Really OpenID Connect) is a better solution, USE HTTPS.

Since SSL/TLS is performed before you make the request, it will be encrypted over the network.

Vadim Kotov
jwilleke
  • Note: While the parameters (query string) will be encrypted, they will probably show up in the server logs. To avoid this, send the username and password as a POST. – zaph Jun 05 '16 at 13:46
  • Accepted. Hiding behind an HTTPS connection is what I needed, without taking the effort to configure the oAuth redirection process to get logged in. – Dariusz Sikorski Aug 25 '16 at 08:53
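The accepted approach (HTTPS, with the credentials moved out of the query string into a POST body so they stay inside the TLS stream and out of the web server's access log), as an added example that is not part of the original thread. It assumes the jwt-auth endpoint accepts the same username/password parameters in a JSON body (WordPress REST endpoints normally do); the token path is the one quoted in the question, and the environment variable names are assumptions.

```python
"""Request a JWT from the WordPress jwt-auth endpoint without putting the
credentials in the URL.  Added example; only the endpoint path comes from
the question, everything else is assumed."""
import json
import os
import urllib.parse
import urllib.request

TOKEN_PATH = "/wp-json/jwt-auth/v1/token"  # path quoted in the question


def build_token_request(base_url, username, password):
    """Return a POST request whose URL carries no credentials.

    Username and password go into a JSON body, which travels inside the TLS
    stream and is not written to the access log (the query string is).
    Plain http:// is refused: without TLS the body would be just as exposed
    as the query string was."""
    parts = urllib.parse.urlsplit(base_url)
    if parts.scheme != "https":
        raise ValueError("refusing to send credentials over %s" % parts.scheme)
    url = urllib.parse.urlunsplit(
        (parts.scheme, parts.netloc, parts.path.rstrip("/") + TOKEN_PATH, "", ""))
    body = json.dumps({"username": username, "password": password}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json"})


def access_log_line(req):
    """What a typical combined-format access log records for a request:
    method and path plus query string, never the body.  Constructed here to
    make the difference visible; real log formats vary."""
    parts = urllib.parse.urlsplit(req.full_url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return '"%s %s HTTP/1.1"' % (req.get_method(), target)


if __name__ == "__main__":
    # Credentials come from the environment (as the Insomnia answer suggests)
    # and never from the URL.  The WP_* variable names are assumptions.
    req = build_token_request(
        os.environ.get("WP_BASE_URL", "https://example.com/wordpress"),
        os.environ.get("WP_USERNAME", "MYLOGIN"),
        os.environ.get("WP_PASSWORD", "MYPASSWORD"))
    print("access log would record:", access_log_line(req))
    with urllib.request.urlopen(req) as resp:
        print(json.load(resp).get("token"))
```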