Hi @benbodhi! There is nothing in the plugin, currently, to handle authorization to the WP REST API. The core way to authenticate is using cookies, as explained here:
https://developer.www.ads-software.com/rest-api/using-the-rest-api/authentication/
So, if you’re logging in using this plugin, you will get the core WP cookie necessary to make authenticated calls directly from the site. All of that should work out of the box.
What you’re talking about here, if I understand, is getting authorization on that API from an external app. Auth0 as a platform can definitely help there, here is the general documentation page on that:
https://auth0.com/docs/authorization
So, in this case, generally, you would need to:
1. Add an API in Auth0 that modeled what you wanted to do with the WP API. 1:1 permission mapping is probably not necessary, just the permissions that your external applications will ask for.
2. Add the API identifier as an audience parameter and the scope(s) needed to the authorize URL when logging in. Use the auth0_authorize_url_params (example) and auth0_auth_scope (example) filters, respectively, if you are requesting this access token from WP.
3. Extend the WP REST API to authenticate incoming requests using the Auth0 JWT. I don’t have a great example to point to here but this plugin (last commit 2 years ago) is a good place to start. It looks like the determine_current_user method is hooked into the right place and calls validate_token, which does the token checking. You would need to pull in the PHP SDK to do that validation (this class).
Hopefully this is enough to get you started. If you need additional guidance, let me know where you’re getting stuck. We don’t have any plans to support this in the plugin but it might be a good topic for a blog tutorial, assuming enough folks are interested.
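An added example of step 3 above, not the plugin's own code and not from the post's author: it hooks determine_current_user, verifies an Auth0 RS256 access token, checks issuer, audience and expiry, and maps the subject to a WP user. It assumes WordPress is loaded, hypothetical constants for the tenant issuer, API identifier and verification key, and that the Auth0 user id is stored in the {prefix}auth0_id user meta; signature verification is done with openssl directly in place of the SDK class mentioned in the post.

```php
<?php
// Added example, not the Auth0 plugin's own code. Verifies an Auth0 RS256
// access token on incoming WP REST requests through determine_current_user.
// Assumptions (hypothetical, replace with your own): the three constants
// below, and that the Auth0 user id is stored in user meta under
// "{$wpdb->prefix}auth0_id" as the login plugin does.
define('AUTH0_EX_ISSUER',   'https://YOUR_TENANT.auth0.com/');
define('AUTH0_EX_AUDIENCE', 'https://YOUR_API_IDENTIFIER');
define('AUTH0_EX_PUBLIC_KEY_PEM', "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----");

// Returns the verified claims or null. The signature is checked with openssl
// here as a stand-in for the SDK class the post refers to.
function auth0_ex_validate_token(string $jwt, string $pem, string $iss, string $aud, ?int $now = null): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$h64, $p64, $s64] = $parts;
    $b64url = function (string $s) {
        $s = strtr($s, '-_', '+/');
        return base64_decode(str_pad($s, (int) (ceil(strlen($s) / 4) * 4), '='), true);
    };
    $header = json_decode((string) $b64url($h64), true);
    $claims = json_decode((string) $b64url($p64), true);
    $sig    = $b64url($s64);
    if (!is_array($header) || !is_array($claims) || $sig === false) return null;
    // Pin the algorithm: never let the token choose it ("none", HS256 with the public key, ...).
    if (($header['alg'] ?? '') !== 'RS256') return null;
    if (openssl_verify("$h64.$p64", $sig, $pem, OPENSSL_ALGO_SHA256) !== 1) return null;
    $now = $now ?? time();
    if (($claims['iss'] ?? '') !== $iss) return null;                         // issued by our tenant
    if (!in_array($aud, (array) ($claims['aud'] ?? []), true)) return null;   // meant for this API
    if (!isset($claims['exp']) || (int) $claims['exp'] <= $now) return null; // not expired
    if (empty($claims['sub'])) return null;                                   // need a subject to map
    return $claims;
}
// Scope check for use in a route's permission_callback, e.g. 'read:posts'.
function auth0_ex_has_scope(array $claims, string $scope): bool {
    return in_array($scope, explode(' ', (string) ($claims['scope'] ?? '')), true);
}
add_filter('determine_current_user', function ($user_id) {
    global $wpdb;
    if ($user_id) return $user_id;                       // cookie auth already succeeded
    $hdr = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
    if (stripos($hdr, 'Bearer ') !== 0) return $user_id; // no token: leave the request anonymous
    $claims = auth0_ex_validate_token(trim(substr($hdr, 7)), AUTH0_EX_PUBLIC_KEY_PEM, AUTH0_EX_ISSUER, AUTH0_EX_AUDIENCE);
    if ($claims === null) return $user_id;               // invalid token: do not log anyone in
    $users = get_users(['meta_key' => $wpdb->prefix . 'auth0_id', 'meta_value' => $claims['sub'], 'number' => 1]);
    return $users ? (int) $users[0]->ID : $user_id;
}, 20);
```

In production, fetch the verification key from the tenant's JWKS endpoint and select it by the token's kid header instead of pinning a PEM; the claim checks stay the same. Note that some Apache/CGI setups strip the Authorization header before PHP sees it, so confirm $_SERVER['HTTP_AUTHORIZATION'] is populated on your host.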