[wp-xmlrpc] Any interest in OAuth?

Joe Cheng Joe.Cheng at microsoft.com
Tue Jun 17 19:23:24 GMT 2008


OAuth isn't my first choice due to the weird configuration experience--
we're a client app, it's strange to direct users through a website, and
IMHO is something to be avoided unless fine-grained permissions and
revocation make a lot of sense.

But the current state of the art is completely unacceptable--passwords
passed in the clear. If there was a way for us to auth more securely
without violently changing the configuration experience, we'd be VERY
interested.

Obviously SSL is one fix but not an option for most WP users. (However
I would love to see WordPress.com RSD point to https, which seems to
already work.)

Another is X-WSSE[1] but it requires the server to know the password,
and I seem to recall Joseph saying WP only saves a hash.

Maybe we could do X-WSSE but encode the hash instead of the password?


[1] http://www.xml.com/pub/a/2003/12/17/dive.html
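
The idea raised in the message above, as an added example (not part of the original post and not WordPress code): an X-WSSE UsernameToken, PasswordDigest = Base64(SHA1(Nonce + Created + secret)), with the server's stored hash used as the secret in place of the password. It assumes the stored hash is an unsalted hex MD5 that the client can recompute from the password; all function names and sample values are constructed for illustration.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone

def stored_hash(password):
    # Assumption: the server keeps an unsalted hex MD5 of the password.
    return hashlib.md5(password.encode()).hexdigest()

def wsse_digest(secret, nonce, created):
    # X-WSSE: Base64(SHA1(Nonce + Created + secret)); secret is the stored hash here.
    raw = hashlib.sha1(nonce + created.encode() + secret.encode()).digest()
    return base64.b64encode(raw).decode()

def client_token(username, password, nonce, created):
    # The client recomputes the server's hash locally; the password never leaves it.
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode(),
            "Created": created,
            "PasswordDigest": wsse_digest(stored_hash(password), nonce, created)}

def server_verify(token, user_db, seen, now, max_age=timedelta(minutes=5)):
    secret = user_db.get(token["Username"])
    if secret is None:
        return False
    created = datetime.strptime(token["Created"], "%Y-%m-%dT%H:%M:%SZ")
    if abs(now - created.replace(tzinfo=timezone.utc)) > max_age:
        return False  # stale timestamp
    key = (token["Username"], token["Nonce"])
    if key in seen:
        return False  # nonce already used: replayed request
    expected = wsse_digest(secret, base64.b64decode(token["Nonce"]), token["Created"])
    if not hmac.compare_digest(expected, token["PasswordDigest"]):
        return False
    seen.add(key)  # remember the nonce only after a successful check
    return True

# Constructed sample data
USER_DB = {"admin": stored_hash("correct horse")}
NOW = datetime(2008, 6, 17, 19, 30, 0, tzinfo=timezone.utc)
CREATED, NONCE = "2008-06-17T19:29:00Z", bytes(range(16))

def demo():
    seen = set()
    tok = client_token("admin", "correct horse", NONCE, CREATED)
    wrong = client_token("admin", "guess", b"\x01" * 16, CREATED)
    # first use accepted, replay rejected, wrong password rejected
    return tuple(server_verify(t, USER_DB, seen, NOW) for t in (tok, tok, wrong))

if __name__ == "__main__":
    print(demo())
```

Because the digest depends only on the stored hash, that hash is the shared secret in this scheme and needs the same protection as the password itself.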

