Add application password authorization flow to wp-login.php #551
obenland wants to merge 11 commits into WordPress:trunk from
@dd32 When you get a chance, I'd appreciate any feedback you have on this. Naming, file location, stuff I missed, anything. Thank you!
Pull request overview
Adds an application-password authorization flow to wp-login.php?action=authorize_application for a UUID-allowlisted set of apps, enabling users to approve/reject and (for the MCP app) obtain a ready-to-copy MCP client configuration.
Changes:
- Introduces a new `login_form_authorize_application` handler that validates requests, renders an approval form, and creates/revokes application passwords.
- Adds login-page contextual messaging and custom styling for the new action.
- Renders an MCP client configuration (with copy button + client notes) after approval for the allowlisted MCP app.
dd32 left a comment
As for code location.. I don't really mind where this lives. This seems like something that could be upstreamed to WordPress core perhaps, as a front-end UI for the existing wp-admin authorize application flow. It seems this has a few things in it that are very WordPress.org specific, and that's OK.
wporg-sso plugin has a bunch of logic related to login in it. I don't really like that.
wporg-login theme has a bunch of logic in it. I also don't really like that.
I assume this is intentionally open to accepting literally any redirect location at present, and that we might look at changing it to a more strict host set before deploy? Otherwise, what's the point of an application allow list.. the UUIDs would be public knowledge..
Each app in the allowlist has a hosts array that controls which domains
@obenland OH! I didn't realise it just then prompted, I was thinking it just allowed an open-redirect with no hosts 🙃 which as you can imagine... concerned me :)
Yeah, I think that's how the current Core version works. The form shows the URL that it'll redirect to, but it mostly seems to rely on users knowing what they're doing
dd32 left a comment
I'm not seeing any issues with this PR, code-wise, maybe a mu-plugin isn't ideal, we could just use a regular plugin that's activated on login.w.org, but I don't really have a big opinion on that :)
I think long-term this should probably be in core, as the wp-admin authorize endpoint is IMHO less ideal than it could be.
I guess the question stands on whether most WordPress users would expect that they could be prompted by an arbitrary application :)
| return array( | ||
| 'c4c73a54-96d7-47b9-9bdc-1a66b9b04505' => array( | ||
| 'name' => 'WordPress.org MCP', | ||
| 'hosts' => array(), | ||
| ), | ||
| ); |
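Review bot: The `'hosts' => array()` line has no comment saying what an empty list means, and this array is what decides where the flow may redirect. State next to it, or in the function's docblock, whether an empty list means that no redirect URL is accepted or that hosts are unrestricted, so a later entry is not added under the wrong assumption. The UUID key is also a bare string literal; a named constant would let other code refer to the MCP app without repeating it.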
We should probably wrap this in a filter I guess.
…n.php. Provides a login-based authorization flow for creating application passwords, gated by a UUID-based app allowlist. After approval, renders the MCP client configuration for easy copy-paste setup.
Guard wporg_render_mcp_config with an app_id check so it only renders for the WordPress.org MCP application, not for any other app that may be added to the allowlist in the future.
…ison. Remove redundant urlencode() calls in add_query_arg() which already handles encoding internally. Normalize hostnames to lowercase before comparing against the allowlist since DNS is case-insensitive.
…ress.org. Only load the mu-plugin on blog ID 350 (login.wordpress.org) so the authorization flow is not available on other sites in the multisite.
…ation-passwords.php.
Co-authored-by: Dion Hulse <dd32@dd32.id.au>
…uthorization. Encode values passed to add_query_arg() to match core's authorize-application.php, use null-coalesce consistently, and remove redundant comment.
…ode.
- Replace hardcoded app list with `wporg_login_application_passwords_allowed_apps` filter
- Validate filter output with `_doing_it_wrong` for malformed entries
- Default `hosts` to empty array via `wp_parse_args`
- Add app hosts to `allowed_redirect_hosts` for `wp_safe_redirect`
- Remove `wporg_render_mcp_config` and MCP-specific CSS (moving to wporg-abilities)
- Improve escaping throughout
…iles. Introduces `MCP_Authorization` in `clients/mcp/` to register the WordPress.org MCP server via the new allowed-apps filter and render the client configuration after password creation. Moves inline CSS and JS into enqueued files:
- `css/authorize-application.css` for the base authorization form.
- `clients/mcp/style.css` for MCP config display styles.
- `clients/mcp/copy-config.js` for the copy-to-clipboard button.
78ccbc3 to e531df7
Summary
Adds an `authorize_application` action to `wp-login.php` that lets users create application passwords through the login flow. Requests are validated against a UUID-based allowlist. After approval, the MCP client configuration is rendered with a copy button for easy setup.
Not sure if this UUID-gating is strictly needed but I thought I'd be a bit conservative to start out with.
I suppose at some point we'd want an application password management UI in profiles.wordpress.org.
Login prompt
When visiting the authorization URL while logged out, a contextual message is shown:
Authorization form
After logging in, the user can approve or reject the connection:
MCP configuration
On approval, the ready-to-use MCP client config is displayed with per-client setup instructions:
TODO
- `login.wordpress.org`.
Test plan
- `wp-login.php?action=authorize_application&app_id=c4c73a54-96d7-47b9-9bdc-1a66b9b04505` while logged out and verify redirect to login form with contextual message.
- `app_id` is rejected.
- `success_url` or `reject_url` for the MCP app (which has empty hosts) is rejected.
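The checks this PR describes (UUID allowlist, per-app `hosts` list, lowercase host comparison, an empty `hosts` list rejecting any `success_url`/`reject_url`), as an added example in plain PHP that is not the PR's code. The function names, the second allowlist entry and the sample URLs are constructed for illustration.

```php
<?php
// Added example, not the PR's code; function names are hypothetical.
function example_allowed_apps(): array {
    return array(
        // Entry as quoted in the review above.
        'c4c73a54-96d7-47b9-9bdc-1a66b9b04505' => array(
            'name'  => 'WordPress.org MCP',
            'hosts' => array(), // Empty list: every redirect URL is refused.
        ),
        // Constructed entry, to show a non-empty host list.
        '00000000-0000-4000-8000-000000000000' => array(
            'name'  => 'Example App',
            'hosts' => array( 'app.example.com' ),
        ),
    );
}
// Returns null when the request passes, otherwise the reason it is rejected.
function example_check_request( string $app_id, string $redirect_url = '' ): ?string {
    $apps = example_allowed_apps();
    if ( ! isset( $apps[ $app_id ] ) ) {
        return 'unknown app_id';
    }
    if ( '' === $redirect_url ) {
        return null; // No success_url/reject_url supplied, nothing to compare.
    }
    $host = parse_url( $redirect_url, PHP_URL_HOST );
    if ( ! is_string( $host ) || '' === $host ) {
        return 'redirect URL has no host';
    }
    // DNS is case-insensitive: lowercase both sides, then match the whole host.
    $allowed = array_map( 'strtolower', $apps[ $app_id ]['hosts'] );
    if ( ! in_array( strtolower( $host ), $allowed, true ) ) {
        return 'redirect host not in this app\'s hosts list';
    }
    return null;
}
// Constructed requests mirroring the test plan.
$mcp   = 'c4c73a54-96d7-47b9-9bdc-1a66b9b04505';
$other = '00000000-0000-4000-8000-000000000000';
$cases = array(
    array( 'not-in-the-allowlist', '' ),
    array( $mcp, '' ),
    array( $mcp, 'https://app.example.com/done' ),
    array( $other, 'https://APP.Example.com/done' ),
    array( $other, 'https://app.example.com.example.net/done' ),
);
foreach ( $cases as list( $id, $url ) ) {
    printf( "%-36s %-42s %s\n", $id, $url, example_check_request( $id, $url ) ?? 'ok' );
}
```

The last case shows why the comparison is on the whole parsed host rather than a prefix or substring of the URL.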