[wp-xmlrpc] OAuth alternative

Joseph Scott joseph at randomnetworks.com
Wed Jun 18 17:45:03 GMT 2008

On Jun 18, 2008, at 3:16 AM, Allan Odgaard wrote:

> I am repeating myself, but just to make it clear how I would prefer  
> this granular security to be handled:
> If Bob wants Flickr to post to his blog, he logs into his WP  
> installation and on the user page there is a button called  
> “Generate API Access Key”.
> By clicking the button, WordPress will respond with something like:
>     Username: Bob+0000001
>     Password: d41d8cd98f00b204e9800998ecf8427e
> Bob can then enter this into Flickr, MarsEdit, Google Docs, Ecto,  
> etc. and for all practical purpose, this appears as just another  
> user, but WordPress will know that this user is a restricted Bob  
> (so posts coming in from Bob+0000001 are published as from Bob).
> The benefit is that _everything_ will work with this system from  
> day one, because no change needs to be done to MarsEdit, Ecto,  
> Flickr, etc. and there is no need to phase out the existing  
> authentication system (as one of the letters in the OAuth thread  
> suggested).

You want to hear something really funny?  I actually started on a  
plugin to do exactly what you described above.  Before getting too  
far I put out the email on the OAuth question, to see what the  
response would be.

> If it is a common task for users to provide web applications with  
> an API key, I can see justification for automating that, and OAuth  
> is a protocol for this. Though I don’t think it should be done by  
> introducing a completely new protocol for applications to  
> authenticate with the blog because then in a year we will have two  
> authentication schemes. One offers granular security, the other  
> does not. Some third party clients will support only one of these  
> two systems, some both. Some blogging systems will likewise only  
> support one of the two. The safest will be for everything to  
> support both, so how exactly did this help making things more  
> secure? Rather, we just added unnecessary extra complexity to the  
> XML-RPC system, and thus an extra burden on everyone writing an XML- 
> RPC client or server implementation.
> Keep it simple…

Adding an optional mechanism to authenticate (OAuth) doesn't seem  
like an extra burden.  If blog clients don't want to support it,  
that's their call.  If OAuth is found to be useful, I don't see any  
reason why we couldn't support that and the user-alias mechanism.  If  
it's determined to not be useful, they we don't worry about it.

Joseph Scott
joseph at randomnetworks.com

More information about the wp-xmlrpc mailing list