[wp-xmlrpc] Any interest in OAuth?

Allan Odgaard m123ixd02 at sneakemail.com
Wed Jun 18 08:20:28 GMT 2008


On 17 Jun 2008, at 23:01, Joseph Scott wrote:

> On Jun 17, 2008, at 1:23 PM, Joe Cheng wrote:
>> OAuth isn't my first choice due to the weird configuration  
>> experience--
>> we're a client app, it's strange to direct users through a website,  
>> and
>> IMHO is something to be avoided unless fine-grained permissions and
>> revocation makes a lot of sense.
> Agreed, it's a little bit odd.  I went through basically that same  
> process when enabling the Flickr features in MarsEdit. [...]

Also something like OS X has a central key chain and OAuth would  
detract from the nice user experience of utilizing this key chain.

The key chain offers a secure shared storage for white-listed  
applications where the white-list is user authorized and based on  
cryptographic signatures of the applications (in Leopard).

I think issuing a per-Desktop app token to access a given service is a  
tad too paranoid (and with the user already running this app on his  
system, he must show some sort of trust).

I agree though that remotely hosted applications should get their own  
authorization credentials rather than that of the main (admin) user. I  
just don’t see anything preventing the existing XML-RPC standard from  
doing that.

>> But the current state of the art is completely unacceptable-- 
>> passwords
>> passed in the clear. If there was a way for us to auth more securely
>> without violently changing the configuration experience, we'd be VERY
>> interested.
>
> I see this as two issues currently.  Sending sensitive data is  
> solved by using SSL, I believe at this point that is the only real  
> solution to that problem.  This isn't something that WordPress  
> itself can enforce at this point because people are free to run it  
> on non-SSL web servers.  On the WordPress.com side of things, I'll  
> see if we can do more to direct people to the https xmlrpc end points.

I agree. SSL is the secure way to connect to a server, don’t re-invent  
SSL in XML-RPC.

Whatever you do, you only add complexity to XML-RPC w/o actually  
making it fully secure.

E.g. if you come up with a challenge/response system (to avoid replay  
attacks) then you can still be the victim of host spoofing / DNS  
poisoning. So you also need to verify that you are actually talking  
with the right server.
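The two points in the message above (send credentials only over SSL, and verify that the server at the other end is the one you meant to talk to, because a challenge/response scheme by itself says nothing about who issued the challenge) can be captured as a client-side policy. The following is an added illustration, not code from WordPress, MarsEdit or any other client in this thread; the endpoint URLs are constructed placeholders:

```python
"""Client-side policy for sending blog credentials to an XML-RPC endpoint.

Added illustration for the thread above (not code from WordPress or any
client mentioned in the thread).  It enforces the two requirements made in
the message: credentials travel only over TLS, and the client verifies that
it is talking to the right server (certificate chain and hostname), which a
challenge/response scheme alone cannot provide against a spoofed host.
The endpoint URLs and host names used here are constructed placeholders.
"""
import ssl
import xmlrpc.client
from urllib.parse import urlparse


def endpoint_is_acceptable(url: str) -> bool:
    """Return True only for https:// endpoints that name a host.

    Plain http:// is rejected outright: a password or a challenge
    response sent over it is visible to anyone on the path.
    """
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.hostname)


def make_tls_context() -> ssl.SSLContext:
    """Build a TLS context that checks the server's certificate chain and
    that the certificate actually belongs to the host we dialled.

    ssl.create_default_context() already sets CERT_REQUIRED and
    check_hostname=True; the helper below documents that those are the
    properties relied upon, so a later change cannot silently weaken them.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True if the context refuses unverified peers and mismatched names."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def make_proxy(url: str) -> xmlrpc.client.ServerProxy:
    """Return an xmlrpc.client.ServerProxy for `url`, refusing non-TLS
    endpoints before any credential could be sent.

    No network traffic happens here; the TLS checks run on first call.
    """
    if not endpoint_is_acceptable(url):
        raise ValueError(f"refusing to send credentials to non-TLS endpoint: {url}")
    ctx = make_tls_context()
    if not tls_context_is_strict(ctx):
        raise RuntimeError("TLS context does not verify the peer")
    return xmlrpc.client.ServerProxy(url, context=ctx)


if __name__ == "__main__":
    # Constructed placeholder endpoint; a real client would take the blog
    # URL from its configuration and pass user/password on the method call.
    proxy = make_proxy("https://blog.example/xmlrpc.php")
    print("proxy ready for", "https://blog.example/xmlrpc.php", type(proxy).__name__)
```

The hostname check is the piece that addresses the DNS-poisoning case from the message: if a resolver hands back the wrong address, the impostor still has to present a certificate for the name the client asked for, which it cannot obtain from a trusted CA. Dropping either check (`CERT_REQUIRED` or `check_hostname`) reintroduces exactly the host-spoofing gap the post describes.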
