[wp-xmlrpc] Any interest in OAuth?
Joseph Scott
joseph at randomnetworks.com
Sun Jun 15 04:53:40 GMT 2008
On Jun 14, 2008, at 10:05 AM, Allan Odgaard wrote:
>> someone who catches your auth tokens for an application cannot
>> then use them to access the admin pages for example.
>
> That assumes WordPress will allow different access levels based on
> the authentication token. This is outside the scope of the OAuth
> standard and WordPress already has such system (users).

One of the problems with creating users for use with each new
app/service is that any new posts created by that app/service are
done under that user. So instead of a new post showing up as mine,
it shows up as this new app-specific user. Instead I'd like the
token that the app is using to be associated with my user, so that
any new posts show up as being authored by me, but authorized via the
token.

Along with that I really like the idea of fine-grained controls for
these tokens. An obvious one is that a token will only work on
XML-RPC requests, as Peter already mentioned. Other interesting options
might include: limiting it to a specific IP address (or range), good
for only X number of times, expires on a specific date, limit to
specific XML-RPC methods and if we really wanted to get interesting -
force all new posts created by the token to a draft status,
preventing it from automatically publishing new content. I'm sure
there are other ideas out there that people will come up with.
--
Joseph Scott
joseph at randomnetworks.com
http://joseph.randomnetworks.com/
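
The token controls listed in the message above, sketched as an added example; it is not part of the original post and not WordPress code. The `ScopedToken` fields, the `authorize` and `new_post` helpers, and the sample token values are all hypothetical names and constructed data.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class ScopedToken:                        # hypothetical structure, not a WordPress type
    owner: str                            # posts are attributed to this user
    methods: frozenset                    # XML-RPC methods the token may call
    networks: tuple = ()                  # allowed source ranges; empty means any
    expires: Optional[datetime] = None    # None means no expiry date
    uses_left: Optional[int] = None       # None means unlimited uses
    force_draft: bool = False             # downgrade every new post to draft

def authorize(tok, method, remote_ip, now, channel="xmlrpc"):
    """Return (allowed, reason). A use is consumed only when every check passes."""
    if channel != "xmlrpc":
        return False, "token is valid for XML-RPC only"
    if tok.expires is not None and now >= tok.expires:
        return False, "expired"
    if tok.uses_left is not None and tok.uses_left <= 0:
        return False, "use limit reached"
    if method not in tok.methods:
        return False, "method not permitted"
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False, "unparseable source address"
    if tok.networks and not any(addr in ipaddress.ip_network(n) for n in tok.networks):
        return False, "source address not permitted"
    if tok.uses_left is not None:
        tok.uses_left -= 1                # a real store would need an atomic decrement
    return True, "ok"

def new_post(tok, requested_status):
    """Author is the token's owner; status is forced to draft when the token says so."""
    return {"author": tok.owner, "status": "draft" if tok.force_draft else requested_status}

# Constructed sample token and request
NOW = datetime(2008, 6, 15, tzinfo=timezone.utc)
TOKEN = ScopedToken(owner="joseph", methods=frozenset({"metaWeblog.newPost"}),
                    networks=("192.0.2.0/24",),
                    expires=datetime(2008, 7, 1, tzinfo=timezone.utc),
                    uses_left=2, force_draft=True)

if __name__ == "__main__":
    print(authorize(TOKEN, "metaWeblog.newPost", "192.0.2.10", NOW))
    print(new_post(TOKEN, "publish"))
```
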