As of version 0.4, WP-AppKit supports secure WordPress user authentication from apps.
WP-AppKit’s authentication security is based on:
- RSA private/public key encryption for the handshake and all sensitive data exchanges,
- HMAC control tokens derived from the user’s secret key to authenticate web service calls.
To add user authentication to your app, you’ll need to:
- Generate an RSA private key using OpenSSL and associate this key with your app in the WordPress back office,
- Use an existing WP-AppKit theme that implements the User Login feature: for example the User Authentication Demo version of the Q for Android theme,
- Or build your own implementation using the WP-AppKit Theme Authentication JavaScript API to log users in and out from your app theme.
Generate the private key
Prerequisite:
- The PHP install must have the “openssl” extension activated.
- To generate the RSA private key (which will have to be copied into the app’s authentication settings in the WordPress back office):
- On Unix: the “openssl” (https://www.openssl.org/) command must be installed.
- On Windows: download the PuTTY key generator (puttygen.exe) from here. (The openssl command can also be installed on Windows, but we find its installation process more complicated than using PuTTY.)
Generate the RSA private key:
Windows:
- Open puttygen.exe (downloaded in the “Prerequisite” section).
- For “Type of key to generate”: choose “SSH-2 RSA”.
- For “Number of bits in a generated key”: set “1024” (and not “2048”). Note that the key must be a 1024-bit RSA key for WP-AppKit apps, because the “jsencrypt” library is only compatible with 1024-bit encryption.
- Click “Generate”, then move the mouse randomly over the “Key” panel.
- When the key is generated, there is no need to save it: go to Menu > Conversions > “Export OpenSSH key” and answer yes to “Are you sure you want to save this key without a passphrase to protect it”.
- Save the private key file as “my-app-private-key.pem”.
- Open this file in a text editor (note that carriage returns must be kept: don’t use Windows Notepad but a “real” text editor that doesn’t strip them).
- Copy all the text (INCLUDING the wrapping lines -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----).
- That is the text to paste into the “App Private Key” field of the “Authentication Settings” box in the app edit panel in WordPress, as explained in the “App setup” section below.
Unix / iOS:
- At the prompt, generate the private key with:
openssl genrsa -out rsa_1024_priv.pem 1024
This creates an “rsa_1024_priv.pem” private key file. (Note that the key must be a 1024-bit RSA key, because jsencrypt is only compatible with 1024-bit encryption.)
- Open the private key file in a text editor (note that carriage returns must be kept: check that the text editor you’re using does not remove them).
- Copy all the text (INCLUDING the wrapping lines -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----).
- That is the text to paste into the “App Private Key” field of the “Authentication Settings” box in the app edit panel in WordPress, as explained in the “App setup” section below.
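As an added example (not from the WP-AppKit documentation), the Unix procedure above as a script that generates the key and then checks what you are about to paste: the expected wrapper lines, no lost line breaks or stray carriage-return characters (the editor caveat in both the Windows and Unix steps), and a 1024-bit size. It assumes the settings field expects the PKCS#1 “RSA PRIVATE KEY” wrapper quoted on the page; the function names are invented here.

```shell
#!/bin/sh
# Added example, not part of the WP-AppKit docs: generate the 1024-bit RSA key
# and check it is in the exact shape the "App Private Key" field expects.
set -eu

# Generate a 1024-bit RSA private key (the size the page requires for jsencrypt).
# Assumption: the settings field expects the PKCS#1 "RSA PRIVATE KEY" wrapper the
# page quotes. OpenSSL 3.x's genrsa writes PKCS#8 ("BEGIN PRIVATE KEY") by
# default, so the key is converted to the traditional wrapper when that happens.
gen_wpappkit_key() {
    out="$1"
    openssl genrsa -out "$out" 1024 2>/dev/null
    if ! grep -q '^-----BEGIN RSA PRIVATE KEY-----$' "$out"; then
        openssl rsa -in "$out" -traditional -out "$out.tmp" 2>/dev/null
        mv "$out.tmp" "$out"
    fi
}

# Print "ok" if the file is a valid 1024-bit PKCS#1 RSA key with its line breaks
# intact (a key flattened to one line or carrying CR characters is rejected);
# otherwise print the first problem found and return non-zero.
check_wpappkit_key() {
    f="$1"
    head -n 1 "$f" | grep -q '^-----BEGIN RSA PRIVATE KEY-----$' \
        || { echo "missing BEGIN RSA PRIVATE KEY header"; return 1; }
    tail -n 1 "$f" | grep -q '^-----END RSA PRIVATE KEY-----$' \
        || { echo "missing END RSA PRIVATE KEY footer"; return 1; }
    # Windows editors may add CR characters or strip the line breaks entirely.
    if grep -q "$(printf '\r')" "$f"; then
        echo "contains CR characters"; return 1
    fi
    [ "$(grep -c . "$f")" -gt 3 ] || { echo "line breaks were stripped"; return 1; }
    openssl rsa -in "$f" -check -noout >/dev/null 2>&1 \
        || { echo "openssl rejects the key"; return 1; }
    openssl rsa -in "$f" -noout -text 2>/dev/null | grep -q 'Private-Key: (1024 bit' \
        || { echo "key is not 1024 bits"; return 1; }
    echo ok
}

# Usage: generate, verify, then print the text to paste into WordPress.
if [ "${1:-}" = "run" ]; then
    gen_wpappkit_key rsa_1024_priv.pem
    check_wpappkit_key rsa_1024_priv.pem && cat rsa_1024_priv.pem
fi
```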
Private key example:
If you just want to make a quick test locally, you can use the following key, which we generated for TEST purposes only: this is NOT SECURE, as anybody can read this key!
App setup (WordPress side)
We now need to link the generated private key to our app:
- Create or edit a WP-AppKit app in the WordPress back office.
- Set the app’s components and navigation.
- Choose a WP-AppKit theme that is compatible with User Login: for example the User Authentication Demo version of the Q for Android theme at https://github.com/mleroi/q-android/tree/feat-authentication
- Paste the private key generated in the previous section into the “Authentication Settings” > “App Private Key” field, then save the app.
- Preview the app: if you’re using the “Q for Android (User Authentication Demo)” theme, which implements a post access restriction, you should now have to (and be able to!) log in from the app with your WordPress credentials to see posts and pages.
- This user authentication demo theme is only an example of how to implement the login feature in a WP-AppKit app. You can use it as is, or as a base for your own implementation. If you do so, you may want to take a look at the “authentication” directory of the theme and at the detailed documentation about the WP-AppKit authentication API here.