Learn what authentication is, how WordPress authenticates users out of the box, and when you need authentication when using the WordPress REST API.
- [Instructor] Let's start at the very beginning by answering the questions: what is authentication, and when do you need it? To understand authentication, think of an office environment where some rooms are open to the public and some rooms are locked. You use an access badge to authenticate yourself and gain entry into the locked rooms. That badge holds information about who you are, and that information is tied to a system that knows which rooms you are authorized to enter. Every time you want to enter a room, you have to authenticate yourself using the badge, and your credentials can be upgraded to give you authorization to access more rooms, downgraded to remove access to certain rooms, and even revoked at any time.
Now think of WordPress as this office environment. Some of the content is public, like posts, pages, the menu, et cetera, and other content is private, like the post editor, the customizer, and so on. To gain access to the private areas, you go to WP Admin and enter your username and password in the login form. WordPress receives the information, matches it against the list of registered users, and finds out what authorizations, if any, the currently logged-in user has in the form of roles and capabilities.
If the login is successful, WordPress hands the browser a copy of a temporary cookie that is also stored in the database. Think of this as the access badge. Now, anytime you do something in the admin panel, say, create or edit a post, configure the menu, or something else, the browser sends along that cookie and WordPress matches it with the one in the database. If the two are a match, the action is performed; otherwise, the action is denied. Just like in the office scenario, only someone with a cookie can perform actions.
And even if someone manages to sneak in behind you as an action is performed, they don't have the cookie, and WordPress will reject anything they try to do. The WordPress REST API is a CRUD API, meaning you can use it to create, read, update, and delete content. Of these four action groups, only read is public, and even then the visitor only has access to public data. If you want to access private data, like user profiles, or create, update, or delete content, you first need to be authenticated to prove you have the authorization to do so.
In other words, if you want to do anything using the REST API that normally requires you to log in to WordPress, you need to authenticate that request. Why? Because the WordPress REST API is an API, an Application Programming Interface. You use it to interact with WordPress without necessarily working within the context of WordPress, so the application needs some way of making sure you are who you say you are at all times. In this course, we'll explore several authentication methods, and I'll show you how to use the REST API to perform CRUD operations both within and outside the context of WordPress proper.
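The read/write split described above, as an added example that is not part of the course transcript: a small REST client that sends public reads with no credentials and sends writes with the login cookie plus the REST nonce WordPress expects in the `X-WP-Nonce` header (the cookie proves who you are; the nonce proves the request came from a page WordPress rendered for you, which is what stops another site from riding on your browser's cookie). The "WordPress" it talks to is a constructed stand-in that models the checks so the file runs offline; the nonce and cookie values are placeholders, not real WordPress output.

```javascript
'use strict';

// Constructed sample value. On a real site WordPress prints the nonce into the
// page (for example wpApiSettings.nonce via wp_localize_script); this is a placeholder.
const SAMPLE_NONCE = 'nonce-placeholder-1234';

const WRITE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Build fetch() options for a REST call. Reads carry nothing extra; writes send the
// browser's login cookie (credentials: 'same-origin') and the nonce, when we have one.
function buildRequest(method, body, nonce) {
  const init = { method, headers: {} };
  if (WRITE_METHODS.has(method)) {
    init.credentials = 'same-origin';
    init.headers['Content-Type'] = 'application/json';
    init.body = JSON.stringify(body);
    if (nonce !== undefined) init.headers['X-WP-Nonce'] = nonce;
  }
  return init;
}

// Minimal client: every call goes through an injectable fetch so it can be tested offline.
async function wpRest(fetchImpl, path, method = 'GET', body = null, nonce) {
  const res = await fetchImpl('/wp-json/wp/v2' + path, buildRequest(method, body, nonce));
  return { status: res.status, body: await res.json() };
}

function reply(status, body) {
  return { status, ok: status >= 200 && status < 300, json: async () => body };
}

// Constructed stand-in for the server side (not WordPress code). It models the
// behaviour the transcript describes: anyone may read published posts; a write with
// no nonce is treated as coming from a logged-out visitor and refused; a write with a
// nonce that does not match the session is refused as a failed cookie check.
function fakeWordPress(session) {
  return async function fetchImpl(url, init = {}) {
    const method = init.method || 'GET';
    const headers = init.headers || {};
    if (method === 'GET') {
      return reply(200, [{ id: 1, title: { rendered: 'Hello world!' }, status: 'publish' }]);
    }
    const nonce = headers['X-WP-Nonce'];
    if (nonce === undefined || init.credentials !== 'same-origin') {
      return reply(401, { code: 'rest_cannot_create',
        message: 'Sorry, you are not allowed to create posts as this user.' });
    }
    if (nonce !== session.nonce) {
      return reply(403, { code: 'rest_cookie_invalid_nonce', message: 'Cookie check failed' });
    }
    return reply(201, Object.assign({ id: 2, status: 'draft' }, JSON.parse(init.body)));
  };
}

// Walk through the four cases: public read, anonymous write, stale nonce, valid session.
async function demo() {
  const wp = fakeWordPress({ nonce: SAMPLE_NONCE });
  const draft = { title: 'Draft from the REST API' };
  const read = await wpRest(wp, '/posts');
  const anon = await wpRest(wp, '/posts', 'POST', draft);
  const stale = await wpRest(wp, '/posts', 'POST', draft, 'stale-nonce');
  const ok = await wpRest(wp, '/posts', 'POST', draft, SAMPLE_NONCE);
  return {
    read: read.status,           // 200: public data needs no badge
    anon: anon.status,           // 401: no badge at all
    stale: stale.status,         // 403: badge present but does not match
    staleCode: stale.body.code,  // 'rest_cookie_invalid_nonce'
    ok: ok.status,               // 201: cookie and nonce both check out
    created: ok.body.title,
  };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

In a browser the same `buildRequest` output is passed straight to `fetch()`; the only thing that changes is that the cookie is sent by the browser itself rather than modelled by the stand-in, which is why the client never touches the cookie value directly.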