Last updated on 2019-10-04
I’m writing this post because I wasted an unexpected (and long) amount of time doing this, and maybe with this post (and this SO question), it won’t happen to you.
TL;DR – should work out of the box, but make sure that `define('JWT_AUTH_SECRET_KEY', 'your-top-secrect-key');` is in the right place and that you are NOT using the “Plain” permalink setting in your blog.
Let me tell you a story.
The journey begins with the usual web search for libraries and after a lot of rummaging around I found WordPressPCL, which looks well maintained and also has tests showing how the library works, so I decided to give it a try. A pre-requisite to use this library is having the JWT Authentication for the WP REST API plugin installed in my WordPress instance, which is not a problem, but here is where things start to go wrong. For background, my sites are (actually, were) hosted in Azure on Windows hosts (the default host in Azure if you choose to install WordPress and I never saw a reason to change this). This detail will become important below.
So I installed the plugin in one of my blogs, configured `wp-config.php` as documented here and tried posting using the library. Got a bunch of errors, a very small set of tests worked, but I was able to fetch a JWT token but unable to authenticate…
OK, what could be the problem?
Reading the documentation for the JWT plugin, it seemed to require some changes in how the web server handles authentication headers, and gave an example of how to fix this using an `.htaccess` file. But wait, I’m running on Windows! I don’t have an `.htaccess` file since my site is running on IIS and not on Apache! But I REALLY want to do this.
Down the rabbit hole… Let’s ramp up a new WordPress site that runs on Linux, and that should do the trick, right?
Wrong! Because the new and shiny web server that is being used by Azure to run WordPress on Linux is NOT Apache, it’s something called NGINX (which I’ve heard about but never encountered), and guess what, NGINX also doesn’t have an
Now I’m getting mad…
So I’m a developer, right? I should be able to translate Apache to NGINX, right? And I should also be able to speak Klingon fluently, right? Well, no… for both :-(. But at least I can configure my server to print more logs and see where the problem is coming from, because maybe, just maybe, it’s not something related to NGINX and the problem is somewhere else. So I raise the logging level of the NGINX server and the WordPress instance. And yes, the problem was not in NGINX but in WordPress…
And then I made a smart move (finally!) and searched the issues in the JWT plugin repo, and found this gem. Basically, the plugin requires that you define `define('JWT_AUTH_SECRET_KEY', 'your-top-secrect-key');` in the `wp-config.php` file, but what is never mentioned is that if you define it at the end of the file (which is what I did), the plugin does not work (some PHP/WordPress quirks, not exactly sure why and definitely not interested now in learning).
Moved the definition to where all other secrets are defined, saved the file, and voila! I can post from C#. And while I was at it, I created a PR to improve the JWT plugin documentation. You know, for future generations.
So if you find this post and it ends up saving you time, I have made the world a better place 🙏.
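A check for the `wp-config.php` mistake described above, as an added example that is not code from the original post or from the plugin project: it flags a `JWT_AUTH_SECRET_KEY` define that sits after the line loading `wp-settings.php`, and a secret still set to the documentation's sample value. It assumes "the right place" means above that `require_once` line; the function name, finding labels, sample files and the 32-character minimum are also assumptions made for this example.

```python
import re

PLACEHOLDER = "your-top-secrect-key"  # sample value quoted in the post
MIN_LEN = 32  # assumed minimum secret length for this example

# Only uncommented, single-line define() calls are recognised.
DEFINE_RE = re.compile(
    r"""^[ \t]*define\s*\(\s*['"]JWT_AUTH_SECRET_KEY['"]\s*,\s*(.+?)\s*\)\s*;""", re.M)
# The line in wp-config.php that boots WordPress and loads plugins.
LOADER_RE = re.compile(
    r"""^[ \t]*require(?:_once)?\s*\(?\s*ABSPATH\s*\.\s*['"]wp-settings\.php['"]""", re.M)


def audit_wp_config(text):
    """Return a list of finding labels (hypothetical names) for wp-config.php text."""
    define = DEFINE_RE.search(text)
    if define is None:
        return ["missing-define"]
    findings = []
    loader = LOADER_RE.search(text)
    # Assumption: a define placed after the loader line is the "end of file" case.
    if loader is not None and define.start() > loader.start():
        findings.append("defined-after-wp-settings")
    literal = re.fullmatch(r"""(['"])(.*)\1""", define.group(1))
    if literal is not None:  # non-literal values (e.g. getenv()) are not judged
        secret = literal.group(2)
        if secret == PLACEHOLDER:
            findings.append("placeholder-secret")
        elif len(secret) < MIN_LEN:
            findings.append("short-secret")
    return findings


# Constructed sample files, not taken from a real site.
LOADER = "require_once ABSPATH . 'wp-settings.php';\n"
BROKEN = ("<?php\ndefine('DB_NAME', 'wordpress');\n" + LOADER +
          "define('JWT_AUTH_SECRET_KEY', 'your-top-secrect-key');\n")
FIXED = ("<?php\ndefine('DB_NAME', 'wordpress');\n"
         "define('JWT_AUTH_SECRET_KEY', 'constructed-example-secret-0123456789abcdef');\n"
         + LOADER)

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit_wp_config(text) or "ok")
```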