Finding the WordPress application authorization URL

Say you want to make authenticated requests to the WordPress APIs using the application passwords. Don't assume you know the URL that sends users down the authorization flow.

Most of the time, the URL to start the authorization flow is the domain followed by /wp-admin/authorize-application.php. But then there are the cases when it's not.

Don't know what the application password is? It's used instead of your username and password to authenticate you. It's a unique password per application that you can revoke anytime. Once, it was a feature plugin, now merged into core.

One way to obtain an application password is to generate it under your WordPress user profile. Then you provide the password to the application manually, aka copy-paste into an input because it's too long to type it out.

Another way is to let the application redirect you to the proper location and then redirect you back once you do what you had to, aka the authorization flow way.

This article is about the latter.

The authorize-application.php part is fixed because it's not a filterable value. That's because there's an actual PHP file name like that. But the rest of the URL can vary.

There's a filter to change the wp-admin. And then there's the confusing part where the "WordPress address" can be different from the "Site Address".

So what's the best way to determine it?

Check if the authentication key is available in the REST API response. If it is, you should see something like this:

{
    "authentication": {
        "application-passwords": {
            "endpoints": {
                "authorization": "https://wordpress.org/wp-admin/authorize-application.php"
            }
        }
    }
}
{
    "authentication": {
        "application-passwords": {
            "endpoints": {
                "authorization": "https://wordpress.org/wp-admin/authorize-application.php"
            }
        }
    }
}

Keep in mind that while the REST API is by default under /wp-json/, this is again something that can be changed.

The safest way if you make a request to https://domain.tld/?rest_route=/.

This works because the rest_route query parameter is mapped using the rewrite functionality to the correct REST API path.

I'll leave this snippet here. It's helpful if you are developing locally and don't want to bother with proper SSL/TSL certification for your local sites.

add_filter(
    'wp_is_application_passwords_available',
    '__return_true'
);
 
add_action(
    'wp_authorize_application_password_request_errors',
    static function (WP_Error $error) {
        if ( ! $error->has_errors()) {
            return;
        }
 
        if ( ! in_array('invalid_redirect_scheme', $error->get_error_codes(), true)) {
            return;
        }
 
        $error->remove('invalid_redirect_scheme');
    }
);
add_filter(
    'wp_is_application_passwords_available',
    '__return_true'
);

add_action(
    'wp_authorize_application_password_request_errors',
    static function (WP_Error $error) {
        if ( ! $error->has_errors()) {
            return;
        }

        if ( ! in_array('invalid_redirect_scheme', $error->get_error_codes(), true)) {
            return;
        }

        $error->remove('invalid_redirect_scheme');
    }
);

2021-07-01