The JWT Authentication for the WP REST API plugin gives a filter to filter the token before signing using 'jwt_auth_token_before_sign'. This is good for headless WordPress sites that change the Site Address (home_url) to the headless frontend site (not WP).
Unfortunately, the filter is irrelevant, as when you go to validate the token, it checks (hardcoded - no filter to change) if the iss matches get_bloginfo('url') (the home_url).
So I can't filter the iss address from get_bloginfo('url') as it would be ignored anyway and throw an error as soon as I go to validate the filtered token.
The issue is within the validate_token function starting at line 362 in the public/class-jwt-auth-public.php file here:
```php
/** The Token is decoded now validate the iss */
if ( $token->iss !== get_bloginfo( 'url' ) ) {
    /** The iss do not match, return error */
    return new WP_Error(
        'jwt_auth_bad_iss',
        'The iss do not match with this server',
        [
            'status' => 403,
        ]
    );
}
```
Please describe the behavior you are expecting.
I would expect that the ISS should use site_url or get_bloginfo('wpurl') if anything as this will always point to the WP site, whereas home_url is always likely to change for a headless site, which is typically what this plugin would be used for.
It would be great if this could be changed to work with the WordPress admin URL instead of the frontend of the site.
I have the exact same problem. I am able to overwrite the iss with the 'jwt_auth_token_before_sign' hook, but am unable to change their validation without manually editing the function quoted above.
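The mismatch discussed in this thread, as an added stand-alone PHP example that is not the plugin's code: a token whose `iss` was set at signing time is rejected when validation compares against a different fixed URL, and accepted when validation uses an exact-match list containing the issuer that signing wrote. The helper names, URLs, key and the hand-rolled HS256 routine are assumptions made for illustration; expiry is not checked here.

```php
<?php
// Added example, stand-alone (no WordPress). URLs and key are constructed.
const WP_BACKEND = 'https://cms.example.test'; // assumed site_url() value
const FRONTEND   = 'https://www.example.test'; // assumed home_url() value

function b64url(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64url_decode(string $s): string {
    $s = str_pad($s, strlen($s) + (4 - strlen($s) % 4) % 4, '=');
    return (string) base64_decode(strtr($s, '-_', '+/'), true);
}

// Hypothetical helper: issue an HS256 token carrying the given claims.
function sign_token(array $claims, string $key): string {
    $head = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $body = b64url(json_encode($claims));
    $sig  = hash_hmac('sha256', "$head.$body", $key, true);
    return "$head.$body." . b64url($sig);
}

// Hypothetical helper: returns the claims array, or an error code string.
function check_token(string $jwt, string $key, array $allowed_issuers) {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return 'malformed';
    }
    [$head, $body, $sig] = $parts;
    // Algorithm is fixed here; the header's "alg" is never trusted.
    $expected = hash_hmac('sha256', "$head.$body", $key, true);
    if (!hash_equals($expected, b64url_decode($sig))) {
        return 'bad_signature';
    }
    $claims = json_decode(b64url_decode($body), true);
    // Exact, type-strict match against a fixed list: no prefix or substring tests.
    if (!is_array($claims) || !in_array($claims['iss'] ?? null, $allowed_issuers, true)) {
        return 'jwt_auth_bad_iss';
    }
    return $claims;
}

$key   = 'constructed-demo-secret';
$token = sign_token(['iss' => WP_BACKEND], $key);

// Signing used the backend URL, validation expects only the frontend URL.
var_export(check_token($token, $key, [FRONTEND])); echo PHP_EOL;
// Validation expects the same issuer that signing wrote.
var_export(check_token($token, $key, [WP_BACKEND])['iss']); echo PHP_EOL;
```

Whatever value ends up configurable, the expected issuer list should come from server-side configuration and be compared for exact equality, so that a signing-side change and the validation-side check cannot drift apart.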
jwt_auth_bad_iss response - Headless WordPress