Title: Datawiza Proxy Auth Plugin – SSO Author: Datawiza Team Published: 2020 年 12 月 19 日 Last modified: 2021 年 10 月 25 日 --- 搜索插件 **该插件尚未通过WordPress的最新3个主要版本进行测试**。 当与较新版本的WordPress一起 使用时,可能不再受到维护或支持,并且可能会存在兼容性问题。 ![](https://ps.w.org/reverse-proxy-auth-widget/assets/icon.svg?rev=2443145) # Datawiza Proxy Auth Plugin – SSO 作者:[Datawiza Team](https://profiles.wordpress.org/fyuck1991/) [下载](https://downloads.wordpress.org/plugin/reverse-proxy-auth-widget.1.1.2.zip) * [详情](https://cn.wordpress.org/plugins/reverse-proxy-auth-widget/#description) * [评价](https://cn.wordpress.org/plugins/reverse-proxy-auth-widget/#reviews) * [安装](https://cn.wordpress.org/plugins/reverse-proxy-auth-widget/#installation) * [开发进展](https://cn.wordpress.org/plugins/reverse-proxy-auth-widget/#developers) [支持](https://wordpress.org/support/plugin/reverse-proxy-auth-widget/) ## 描述 The Proxy Auth Plugin helps developers/DevOps/admins easily implement authentication and authorization for WordPress by using a [JWT (JSON Web Token)](https://en.wikipedia.org/wiki/JSON_Web_Token) provided by a reverse proxy. This could be employed to achieve SSO (OAUTH/OIDC and SAML) to a Cloud Identity Provider (e.g., Azure Active Directory, Okta, Auth0) by using an Identity-Aware Proxy, e.g., [Datawiza Access Broker](https://www.datawiza.com/) and [Google IAP](https://cloud.google.com/iap). Note that the plugin requires a reverse proxy sitting in front of the WordPress site. The reverse proxy performs authentication, and passes the user name and role in a JWT to the plugin via a HTTP header called `DW-TOKEN`. By using [Datawiza Access Broker](https://www.datawiza.com/), you get a [configuration-based](https://docs.datawiza.com/step-by-step/step1.html) [no-code solution](https://docs.datawiza.com/), following the detail instruction [here](https://docs.datawiza.com/step-by-step/step1.html). If you decide to use your own reverse proxy, please follow the instructions below. **How it works** * The plugin retrieves the user id (email) from the JWT and then checks if such a user exists. If not, the plugin creates a new user by using this email and signs him/her in. * The plugin retrieves the user role from the JWT and sets it as the user’s role in WordPress. * The plugin expects the JWT including user id and role as a HTTP header `DW-TOKEN`. For example, the payload of JWT may look like: * { “role”: “administrator”, “email”: “admin@yourwebsite.com” } **Plugin config in WordPress** In `Setting` -> `Datawiza Proxy Auth`, you need to input a private secret which is used as a Cryptography Key. Such secret is shared between the plugin and the reverse proxy which is responsible for passing the JWT to the plugin. The Signing Algorithm for the JWT is `HS256`. **!!! NOTES !!!** * **If the enabled Proxy Auth Plugin cannot retrieve the expected JWT in the HTTP header, the plugin will not work. The authentication will use the default authentication of wordpress and you will see an error banner on top of the wordpress pages.** * **MAKE SURE that clients cannot bypass the reverse proxy. This is to prevent people from sending forged malicious requests with arbitrary JWTs directly to WordPress.** * **It’s recommended that the reverse proxy in front of the WordPress site erases the incoming http request’s `DW-TOKEN` header. The `DW-TOKEN` header should be generated by the reverse proxy only.** * **If admin doesn’t assign role to the user, user’s role will be subscriber for WordPress by default.** * **If user’s role has been updated in JWT, the plugin will update the role in WordPress accordingly.** **Generate the JWT required by the plugin** If you are using openresty/lua-nginx-module, here is the code sample to generate the JWT required by the plugin: ``` jwt = require("resty.jwt") local jwt_token = jwt:sign( "jwt_secret", { header={typ="JWT", alg="HS256"}, payload={email="admin@yourwebsite.com", role="administrator"} }) ngx.req.set_header('DW-TOKEN', jwt_token) ``` The `jwt_secret` above should be the same private secret input in `Setting` -> ` Datawiza Proxy Auth`. The `role` in `payload` is optional. If it’s not specified, the default role is `subscriber`. For more details about `lua-resty-jwt`, you can visit [here](https://github.com/SkyLothar/lua-resty-jwt). ## 安装 1. Activate the plugin through the “Plugins” menu in WordPress. 2. Input private secret in “Settings” -> “Datawiza Proxy Auth Plugin”. ## 评价 ![](https://secure.gravatar.com/avatar/521db78664237389a812d3a33c0311012f26652834a2582cf4176218347e3c77? s=60&d=retro&r=g) ### 󠀁[A really good job.](https://wordpress.org/support/topic/a-really-good-job/)󠁿 [dblas](https://profiles.wordpress.org/dblas/) 2022 年 1 月 10 日 Hello, Good job. Works like a charm. And the JWT allows the proxy and the WP to be on separate machines without impeding security and without the need to use PKI. A few suggestions nevertheless: 1. priorizing the attributes’values coming from the directory (through the id_token) against WP own values [1]; 2. giving the possibility to fill in other profile’s attributes (firstname, lastname, social networks profiles, etc). [1] Above all the role MUST be set by the directory not by another user be it an administrator. That means there SHOULD exist a mean to override the user attributes or, at least, there exist a flag to do so. IAM is a too serious thing to be let in WP administrators’hands 🙂 db [ 阅读所有1条评价 ](https://wordpress.org/support/plugin/reverse-proxy-auth-widget/reviews/) ## 贡献者及开发者 「Datawiza Proxy Auth Plugin – SSO」是开源软件。 以下人员对此插件做出了贡献。 贡献者 * [ Datawiza Team ](https://profiles.wordpress.org/fyuck1991/) * [ Datawiza ](https://profiles.wordpress.org/datawiza/) [帮助将「Datawiza Proxy Auth Plugin – SSO」翻译成简体中文。](https://translate.wordpress.org/projects/wp-plugins/reverse-proxy-auth-widget) ### 对开发感兴趣吗? 您可以[浏览代码](https://plugins.trac.wordpress.org/browser/reverse-proxy-auth-widget/), 查看[SVN仓库](https://plugins.svn.wordpress.org/reverse-proxy-auth-widget/),或通过 [RSS](https://plugins.trac.wordpress.org/log/reverse-proxy-auth-widget/?limit=100&mode=stop_on_copy&format=rss) 订阅[开发日志](https://plugins.trac.wordpress.org/log/reverse-proxy-auth-widget/)。 ## 更新日志 #### 1.1.2 * Keep the user’s role in WordPress in sync with the role value in JWT. * Add close button to notification bar. * Add invalid jwt error message. #### 1.1.1 * Retrieves user info from encrypted DW-TOKEN instead of X-User. #### 1.1.0 * Initial release. ## 额外信息 * 版本 **1.1.2** * 最后更新:**5 年前** * 活跃安装数量 **不到10** * WordPress 版本 ** 3.0.1 或更高版本 ** * 已测试的最高版本为 **5.8.13** * PHP 版本 ** 5.6 或更高版本 ** * 语言 * [English (US)](https://wordpress.org/plugins/reverse-proxy-auth-widget/) * 标签 * [auth](https://cn.wordpress.org/plugins/tags/auth/)[oidc](https://cn.wordpress.org/plugins/tags/oidc/) [proxy](https://cn.wordpress.org/plugins/tags/proxy/)[SAML](https://cn.wordpress.org/plugins/tags/saml/) [sso](https://cn.wordpress.org/plugins/tags/sso/) * [高级视图](https://cn.wordpress.org/plugins/reverse-proxy-auth-widget/advanced/) ## 评级 4 星(最高 5 星)。 * [ 0 条 5 星评价 ](https://wordpress.org/support/plugin/reverse-proxy-auth-widget/reviews/?filter=5) * [ 1 条 4 星评价 ](https://wordpress.org/support/plugin/reverse-proxy-auth-widget/reviews/?filter=4) * [ 0 条 3 星评价 ](https://wordpress.org/support/plugin/reverse-proxy-auth-widget/reviews/?filter=3) * [ 0 条 2 星评价 ](https://wordpress.org/support/plugin/reverse-proxy-auth-widget/reviews/?filter=2) * [ 0 条 1 星评价 ](https://wordpress.org/support/plugin/reverse-proxy-auth-widget/reviews/?filter=1) [Your review](https://wordpress.org/support/plugin/reverse-proxy-auth-widget/reviews/#new-post) [查看全部评论](https://wordpress.org/support/plugin/reverse-proxy-auth-widget/reviews/) ## 贡献者 * [ Datawiza Team ](https://profiles.wordpress.org/fyuck1991/) * [ Datawiza ](https://profiles.wordpress.org/datawiza/) ## 支持 有话要说吗?是否需要帮助? [查看支持论坛](https://wordpress.org/support/plugin/reverse-proxy-auth-widget/)