[wp-xmlrpc] Any interest in OAuth?

Peter Westwood peter.westwood at ftwr.co.uk
Sat Jun 14 16:19:20 GMT 2008

Hash: SHA1

Allan Odgaard wrote:
| On 14 Jun 2008, at 16:55, Peter Westwood wrote:
|> [...]
|> This would be good for xmlrpc access to blogs as eventually we could
|> turn off access via the username/password combo to make xmlrpc more
|> secure
| Accessing the blog with a security token instead of a user/password is
| in itself not more secure.

Indeed Not.

~ But it allows you to differentiate between different applications that
are allowed to impersonate a user and revoke the right to impersonate
from one application without having to change your username/password and
re-enter it in all the different client applications.

|> someone who catches your auth tokens for an application cannot
|> then use them to access the admin pages for example.
| That assumes WordPress will allow different access levels based on the
| authentication token. This is outside the scope of the OAuth standard
| and WordPress already has such system (users).

It doesn't assume different access levels for different tokens.

It just allows for the User to allow Application A access via xmlrpc
without giving them the keys to the normal admin interface.

This allows for example flickr to auto blog your new pictures for you
without being able to log into your admin pages and reconfigure your

- --
Peter Westwood
http://blog.ftwr.co.uk | http://westi.wordpress.com
~ C53C F8FC 8796 8508 88D6 C950 54F4 5DCD A834 01C5
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the wp-xmlrpc mailing list