[wp-xmlrpc] Any interest in OAuth?

Joe Cheng Joe.Cheng at microsoft.com
Tue Jun 17 19:23:24 GMT 2008

OAuth isn't my first choice due to the weird configuration experience--
we're a client app, it's strange to direct users through a website, and
IMHO is something to be avoided unless fine-grained permissions and
revocation make a lot of sense.

But the current state of the art is completely unacceptable--passwords
passed in the clear. If there was a way for us to auth more securely
without violently changing the configuration experience, we'd be VERY

Obviously SSL is one fix but not an option for most WP users. (However
I would love to see WordPress.com RSD point to https, which seems to
already work.)

Another is X-WSSE[1] but it requires the server to know the password,
and I seem to recall Joseph saying WP only saves a hash.

Maybe we could do X-WSSE but encode the hash instead of the password?

[1] http://www.xml.com/pub/a/2003/12/17/dive.html
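
Added example, not part of the original message: a sketch of the X-WSSE variant floated above, in which the stored hash rather than the password is the shared secret. It assumes the usual WSSE UsernameToken digest, Base64(SHA1(Nonce + Created + secret)), and uses unsalted MD5 as a stand-in for whatever hash the server keeps; all function and class names are hypothetical.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"

def wsse_digest(nonce, created, secret):
    # PasswordDigest = Base64(SHA1(Nonce + Created + secret))
    raw = (nonce + created + secret).encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def stored_hash(password):
    # Assumption: unsalted MD5 hex stands in for the hash the server keeps.
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def client_token(username, secret, now):
    # Fresh nonce and timestamp per request; the secret never goes on the wire.
    nonce = base64.b64encode(os.urandom(16)).decode("ascii")
    created = now.strftime(FMT)
    return {"Username": username, "Nonce": nonce, "Created": created,
            "PasswordDigest": wsse_digest(nonce, created, secret)}

class Server:
    def __init__(self, user_hashes, max_age=timedelta(minutes=5)):
        self.user_hashes = user_hashes   # username -> stored hash only
        self.max_age = max_age
        self.seen = set()                # (username, nonce) pairs already used

    def verify(self, token, now):
        secret = self.user_hashes.get(token["Username"])
        if secret is None:
            return False
        try:
            created = datetime.strptime(token["Created"], FMT)
        except ValueError:
            return False                 # malformed timestamp
        created = created.replace(tzinfo=timezone.utc)
        if abs(now - created) > self.max_age:
            return False                 # stale timestamp
        key = (token["Username"], token["Nonce"])
        if key in self.seen:
            return False                 # replayed nonce
        expected = wsse_digest(token["Nonce"], token["Created"], secret)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False
        self.seen.add(key)
        return True
```

With this scheme the stored hash is itself the credential: anyone who can read it from the database can authenticate without knowing the password.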
