[wp-xmlrpc] Any interest in OAuth?
Joe.Cheng at microsoft.com
Tue Jun 17 19:23:24 GMT 2008
OAuth isn't my first choice due to the weird configuration experience--
we're a client app, it's strange to direct users through a website, and
IMHO is something to be avoided unless fine-grained permissions and
revocation make a lot of sense.

But the current state of the art is completely unacceptable--passwords
passed in the clear. If there was a way for us to auth more securely
without violently changing the configuration experience, we'd be VERY

Obviously SSL is one fix but not an option for most WP users. (However
I would love to see WordPress.com RSD point to https, which seems to

Another is X-WSSE but it requires the server to know the password,
and I seem to recall Joseph saying WP only saves a hash.

Maybe we could do X-WSSE but encode the hash instead of the password?
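The hash-as-secret variant of X-WSSE raised in the message above, sketched as an added example (not code from the post, from WordPress, or from any client). It assumes the server stores an unsalted MD5 hex digest as a stand-in for whatever hash it really keeps; the names stored_hash, wsse_digest, client_token and Server are hypothetical, and the user and passwords are constructed.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timezone

def stored_hash(password: str) -> str:
    # Assumption: stand-in for the hash the server keeps instead of the password.
    return hashlib.md5(password.encode()).hexdigest()

def wsse_digest(secret: str, nonce: bytes, created: str) -> str:
    # WSSE UsernameToken: PasswordDigest = Base64(SHA1(nonce + created + secret))
    raw = hashlib.sha1(nonce + created.encode() + secret.encode()).digest()
    return base64.b64encode(raw).decode()

def client_token(username: str, secret: str) -> dict:
    # Fields a client would place in the X-WSSE header.
    nonce = os.urandom(16)
    created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode(),
            "Created": created, "PasswordDigest": wsse_digest(secret, nonce, created)}

class Server:
    def __init__(self, users: dict):
        self.users = users   # username -> stored hash; no plaintext password kept
        self.seen = set()    # nonces already accepted, to reject replays

    def verify(self, token: dict) -> bool:
        secret = self.users.get(token["Username"])
        key = (token["Username"], token["Nonce"])
        if secret is None or key in self.seen:
            return False     # unknown user or replayed token
        # A real server would also reject a Created value outside a short window.
        nonce = base64.b64decode(token["Nonce"])
        expected = wsse_digest(secret, nonce, token["Created"])
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False
        self.seen.add(key)
        return True

def demo():
    server = Server({"alice": stored_hash("correct horse")})   # constructed data
    # The client hashes the typed password locally and uses the hash as the secret.
    token = client_token("alice", stored_hash("correct horse"))
    accepted = server.verify(token)
    replayed = server.verify(token)
    wrong = server.verify(client_token("alice", stored_hash("wrong guess")))
    # The stored hash alone authenticates: it is now the credential itself.
    hash_only = server.verify(client_token("alice", server.users["alice"]))
    return accepted, replayed, wrong, hash_only

if __name__ == "__main__":
    print(demo())
```

Neither the password nor the hash crosses the wire, but the stored hash becomes password-equivalent, so the user table needs the same protection plaintext passwords would. If the stored hash is salted, the client would also have to learn the salt before it could compute the secret.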