[wp-xmlrpc] Any interest in OAuth?

Peter Westwood peter.westwood at ftwr.co.uk
Sat Jun 14 16:19:20 GMT 2008


Allan Odgaard wrote:
| On 14 Jun 2008, at 16:55, Peter Westwood wrote:
|
|> [...]
|> This would be good for xmlrpc access to blogs as eventually we could
|> turn off access via the username/password combo to make xmlrpc more
|> secure
|
| Accessing the blog with a security token instead of a user/password is
| in itself not more secure.

Indeed not.

But it allows you to differentiate between different applications that
are allowed to impersonate a user and revoke the right to impersonate
from one application without having to change your username/password and
re-enter it in all the different client applications.

|> someone who catches your auth tokens for an application cannot
|> then use them to access the admin pages for example.
|
| That assumes WordPress will allow different access levels based on the
| authentication token. This is outside the scope of the OAuth standard
| and WordPress already has such system (users).
|

It doesn't assume different access levels for different tokens.

It just allows for the User to allow Application A access via xmlrpc
without giving them the keys to the normal admin interface.

This allows, for example, Flickr to auto blog your new pictures for you
without being able to log into your admin pages and reconfigure your
plugins.

westi
--
Peter Westwood
http://blog.ftwr.co.uk | http://westi.wordpress.com
C53C F8FC 8796 8508 88D6 C950 54F4 5DCD A834 01C5
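The argument in this message (one token per application, revocable on its own, and accepted on the XML-RPC interface only) as an added Python example. It is not part of the original message and is not WordPress or OAuth code; the class, method and interface names and the sample user and applications are hypothetical.

```python
import hashlib
import hmac
import secrets


class AppTokenStore:
    """Per-application tokens (hypothetical model; not WordPress or OAuth code)."""

    TOKEN_INTERFACE = "xmlrpc"  # tokens are honoured here only, never on admin pages

    def __init__(self):
        self._digests = {}  # (user, app) -> SHA-256 of token; raw token is not stored

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, app):
        """Create (or replace) the token that lets `app` act as `user`."""
        token = secrets.token_urlsafe(32)
        self._digests[(user, app)] = self._digest(token)
        return token

    def revoke(self, user, app):
        """Withdraw one app's access; other apps and the password are untouched."""
        return self._digests.pop((user, app), None) is not None

    def authenticate(self, token, interface):
        """Return (user, app) for a valid token on the XML-RPC interface, else None."""
        if interface != self.TOKEN_INTERFACE:
            return None  # a captured token does not open the admin interface
        presented = self._digest(token)
        hits = [k for k, d in self._digests.items() if hmac.compare_digest(d, presented)]
        return hits[0] if hits else None


def demo():
    store = AppTokenStore()
    flickr = store.issue("westi", "flickr")  # constructed sample values
    editor = store.issue("westi", "desktop-editor")
    before = (store.authenticate(flickr, "xmlrpc"), store.authenticate(flickr, "admin"))
    store.revoke("westi", "flickr")
    after = (store.authenticate(flickr, "xmlrpc"), store.authenticate(editor, "xmlrpc"))
    return before, after


if __name__ == "__main__":
    print(demo())
```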

