[wp-xmlrpc] Any interest in OAuth?
Allan Odgaard
m123ixd02 at sneakemail.com
Wed Jun 18 08:20:28 GMT 2008

On 17 Jun 2008, at 23:01, Joseph Scott wrote:

> On Jun 17, 2008, at 1:23 PM, Joe Cheng wrote:
>> OAuth isn't my first choice due to the weird configuration
>> experience-- we're a client app, it's strange to direct users
>> through a website, and IMHO is something to be avoided unless
>> fine-grained permissions and revocation makes a lot of sense.
>
> Agreed, it's a little bit odd. I went through basically that same
> process when enabling the Flickr features in MarsEdit. [...]

Also something like OS X has a central key chain and OAuth would
detract from the nice user experience of utilizing this key chain.
The key chain offers a secure shared storage for white-listed
applications where the white-list is user authorized and based on
cryptographic signatures of the applications (in Leopard).

I think issuing a per-Desktop app token to access a given service is a
tad too paranoid (and with the user already running this app on his
system, he must show some sort of trust).

I agree though that remotely hosted applications should get their own
authorization credentials rather than that of the main (admin) user. I
just don’t see anything preventing the existing XML-RPC standard from
doing that.

>> But the current state of the art is completely unacceptable--
>> passwords passed in the clear. If there was a way for us to auth
>> more securely without violently changing the configuration
>> experience, we'd be VERY interested.
>
> I see this as two issues currently. Sending sensitive data is
> solved by using SSL, I believe at this point that is the only real
> solution to that problem. This isn't something that WordPress
> itself can enforce at this point because people are free to run it
> on non-SSL web servers. On the WordPress.com side of things, I'll
> see if we can do more to direct people to the https xmlrpc end points.

I agree. SSL is the secure way to connect to a server, don’t re-invent
SSL in XML-RPC.
Whatever you do, you only add complexity to XML-RPC w/o actually
making it fully secure.

E.g. if you come up with a challenge/response system (to avoid replay
attacks) then you can still be the victim of host spoofing / DNS
poisoning. So you also need to verify that you are actually talking
with the right server.
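
The point made in the last paragraph of the message above, as an added example that is not part of the original post: a toy in-memory HMAC challenge/response in which a replayed response is rejected, yet a spoofed host that merely relays the exchange still ends up holding an authenticated session, because nothing in the scheme authenticates the server. All class and function names and the password are hypothetical, constructed for illustration.

```python
import hashlib
import hmac
import secrets

class Server:
    """Genuine endpoint: issues one-time nonces and checks HMAC responses."""
    def __init__(self, password: bytes):
        self._password = password
        self._pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def login(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:       # unknown or already used nonce
            return False
        self._pending.discard(nonce)         # each nonce is valid once
        expected = hmac.new(self._password, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def client_response(password: bytes, nonce: bytes) -> bytes:
    """Client proves knowledge of the password without sending it."""
    return hmac.new(password, nonce, hashlib.sha256).digest()

class SpoofedHost:
    """Sits where poisoned DNS sent the client and forwards to the real server."""
    def __init__(self, real: Server):
        self._real = real
        self.session_opened = False

    def challenge(self) -> bytes:
        return self._real.challenge()        # pass the real nonce through

    def login(self, nonce: bytes, response: bytes) -> bool:
        # The valid response is forwarded; the session belongs to this host.
        self.session_opened = self._real.login(nonce, response)
        return self.session_opened

def run_scenarios(password: bytes = b"constructed-secret"):
    server = Server(password)
    nonce = server.challenge()
    resp = client_response(password, nonce)
    first = server.login(nonce, resp)        # legitimate login succeeds
    replay = server.login(nonce, resp)       # same pair sent again: rejected
    relay = SpoofedHost(server)
    n2 = relay.challenge()                   # client cannot tell the hosts apart
    relay.login(n2, client_response(password, n2))
    return first, replay, relay.session_opened
```

The relay case only fails once the client checks the server's identity before answering the challenge, which is what certificate verification in SSL provides.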