[wp-xmlrpc] Any interest in OAuth?

Peter Westwood peter.westwood at ftwr.co.uk
Sat Jun 14 14:55:07 GMT 2008


Allan Odgaard wrote:
| On 13 Jun 2008, at 19:53, Joseph Scott wrote:
|
|> I'm curious to see if there's any interest in seeing OAuth (
|> http://oauth.net/ ) support in WordPress, specifically in the area of
|> XML-RPC.  If we made this available would any of the existing blog
|> clients out there support it?
|
| Why would a blog client support this?
|
| You already have an authentication system which supports multiple users
| with roles and access levels. It seems to me that if a third party wants
| to perform a privileged operation on the blog (say, post to it), a user
| with the proper restrictions should be created (if this third party
| cannot be trusted with the main user's login).
|
|
| If we equate an OAuth security token with a WP user (which makes sense
| so you don’t have two parallel privilege systems) then the OAuth
| protocol is simply used as a way for third parties to create
| (restricted) users. How often would that be used?
|
| Maybe I am missing something here…

I think from a quick read of the spec the idea behind OAuth is to
standardise the methodology of allowing an Application access to a site
to impersonate a user without that application having to store the
username/password that are used to access the application by the end user.

Think for example of how Flickr allows applications to access your
private photostream without them needing your username/password.

This would be good for xmlrpc access to blogs as eventually we could
turn off access via the username/password combo to make xmlrpc more
secure - someone who catches your auth tokens for an application cannot
then use them to access the admin pages for example.

westi
- --
Peter Westwood
http://blog.ftwr.co.uk | http://westi.wordpress.com
~ C53C F8FC 8796 8508 88D6 C950 54F4 5DCD A834 01C5

