As of version 0.4, WP-AppKit supports secure WordPress user authentication from apps.

WP-AppKit’s authentication security is based on:

  • RSA private/public key encryption for the handshake and all sensitive data exchanges,
  • HMAC control tokens based on the user secret key to authenticate web services.

To add user authentication to your app, you’ll need to:

Generate the private key

Prerequisite:

  • The PHP installation must have the “openssl” extension enabled.
  • To generate the RSA private key (which will have to be copied into the app’s authentication settings in the WordPress Back Office):
    • On Unix: the “openssl” (https://www.openssl.org/) command must be installed.
    • On Windows: download the PuTTY generator (puttygen.exe) from here. (The openssl command can also be installed on Windows, but we find its installation process more complicated than using PuTTY.)

Generate the RSA private key:

Windows:

  • Open puttygen.exe (downloaded in the “Prerequisite” section).
  • For “Type of key to generate”: choose “SSH-2 RSA”.
  • For “Number of bits in a generated key”: set “1024” (and not “2048”). Note that the key must be a 1024-bit RSA key for WP-AppKit apps, because the “jsencrypt” library is only compatible with 1024-bit encryption.
  • Click “Generate”, then move the mouse randomly over the “Key” panel.
  • When the key is generated, there is no need to save it: go to Menu > Conversions > “Export OpenSSH key” and answer yes to “Are you sure you want to save this key without a passphrase to protect it”.
  • Save the private key file as “my-app-private-key.pem”.
  • Open this file in a text editor. The line breaks must be kept, so don’t use Windows Notepad; use a “real” text editor that doesn’t strip them.
  • Copy all the text, INCLUDING the wrapping lines -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----.
  • This is the text to paste into the “App Private Key” field of the “Authentication Settings” box in the app edit panel in WordPress, as explained in the following “App setup” section.

Unix / iOS :

  • At the prompt, generate the private key with:
    openssl genrsa -out rsa_1024_priv.pem 1024
  • This creates a “rsa_1024_priv.pem” private key file. (Note that the key must be a 1024-bit RSA key, because jsencrypt is only compatible with 1024-bit encryption.)
  • Open the private key file in a text editor. The line breaks must be kept, so check that the text editor you’re using does not remove them.
  • Copy all the text, INCLUDING the wrapping lines -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----.
  • This is the text to paste into the “App Private Key” field of the “Authentication Settings” box in the app edit panel in WordPress, as explained in the following “App setup” section.
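
The Unix steps above as a script that also checks the file before it is pasted (an added example, not part of WP-AppKit; the `gen_app_key` and `check_app_key` names are assumptions). OpenSSL 3.x writes a `BEGIN PRIVATE KEY` header by default, so the script asks for the traditional format whose header matches the one shown on this page.

```shell
#!/bin/sh
# Added example: function and file names are assumptions, not WP-AppKit's own.

# Generate the 1024-bit key with the header this page shows.
# OpenSSL 3.x writes PKCS#8 ("BEGIN PRIVATE KEY") unless -traditional is given;
# older OpenSSL and LibreSSL reject that flag, so fall back to the plain command.
gen_app_key() {
    old_umask=$(umask)
    umask 077                                  # key file readable by owner only
    openssl genrsa -traditional -out "$1" 1024 2>/dev/null ||
        openssl genrsa -out "$1" 1024 2>/dev/null
    rc=$?
    umask "$old_umask"
    return "$rc"
}

# Print one line per problem; print nothing when the file is ready to paste.
check_app_key() {
    first=$(head -n 1 "$1" | tr -d '\r')
    last=$(tail -n 1 "$1" | tr -d '\r')
    [ "$first" = "-----BEGIN RSA PRIVATE KEY-----" ] ||
        echo "missing BEGIN RSA PRIVATE KEY header line"
    [ "$last" = "-----END RSA PRIVATE KEY-----" ] ||
        echo "missing END RSA PRIVATE KEY footer line"
    # A 1024-bit key is about 15 lines of PEM; fewer than 10 means an editor
    # or a copy/paste removed the line breaks.
    [ "$(($(wc -l < "$1")))" -ge 10 ] || echo "line breaks are missing"
    if grep -q "ENCRYPTED" "$1"; then echo "key is passphrase-protected"; fi
    # The modulus is printed in hex: 256 hex digits = 1024 bits.
    # -passin pass: keeps openssl from prompting on an encrypted key.
    hex=$(openssl rsa -in "$1" -passin pass: -noout -modulus 2>/dev/null |
          sed 's/^Modulus=//')
    [ "${#hex}" -eq 256 ] || echo "not a readable 1024-bit RSA key"
    return 0
}

# Usage: sh this-script.sh rsa_1024_priv.pem
if [ $# -gt 0 ]; then
    gen_app_key "$1" && check_app_key "$1"
fi
```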

Private key example:

If you just want to run a quick test locally, you can use the following key, which we generated for TEST purposes only: this is NOT SECURE, as anybody can know this key!


App setup (WordPress side)

We now need to link the generated private key to our app:

  • Create or edit a WP-AppKit app in the WordPress Back Office.
  • Set the app components and navigation.
  • Choose a WP-AppKit theme that is compatible with user login: for example, the User Authentication Demo version of the Q for Android theme at https://github.com/mleroi/q-android/tree/feat-authentication
  • Paste the private key generated in the previous section into the “Authentication Settings” > “App Private Key” field. Then save the app.

  • Preview the app: if you’re using the “Q for Android (User Authentication Demo)” theme, which implements a post access restriction, you should now have (and be able!) to log in from the app using your WordPress credentials to see posts and pages.
  • This user authentication demo theme is only an example of how to implement a login feature in a WP-AppKit app. You can use it as is, or as a base for your own implementation. If you do so, you may want to take a look at the “authentication” directory of the theme and at the detailed documentation about the WP-AppKit authentication API here.
