[wp-xmlrpc] Any interest in OAuth?

Joseph Scott joseph at randomnetworks.com
Sun Jun 15 04:53:40 GMT 2008

On Jun 14, 2008, at 10:05 AM, Allan Odgaard wrote:

>> someone who catches your auth tokens for an application cannot
>> then use them to access the admin pages for example.
> That assumes WordPress will allow different access levels based on  
> the authentication token. This is outside the scope of the OAuth  
> standard and WordPress already has such system (users).

One of the problems with creating users for use with each new app/ 
service is that new any new posts created by that app/service are  
done under that user.  So instead of a new post showing up as mine,  
it shows up as this new app specific user.  Instead I'd like the  
token that the app is using to be associated with my user, so that  
any new posts show up as being authored by me, but authorized via the  

Along with that I really like the idea of fine grained controls for  
these tokens.  An obvious one is that a token will only work on XML- 
RPC requests, as Peter already mentioned.  Other interesting options  
might include: limiting it to a specific IP address (or range), good  
for only X number of times, expires on a specific date, limit to  
specific XML-RPC methods and if we really wanted to get interesting -  
force all new posts created by the token to a draft status,  
preventing it from automatically publishing new content.  I'm sure  
there are other ideas out there that people will come up with.

Joseph Scott
joseph at randomnetworks.com

More information about the wp-xmlrpc mailing list