http://dougal.gunters.org/blog/2008/06/30/update-on-wordpress-blog-apis
This topic hit the mailing list:
http://comox.textdrive.com/pipermail/wp-xmlrpc/2008-June/thread.html#208
and eventually someone proposed inventing their own authorization protocol:
http://comox.textdrive.com/pipermail/wp-xmlrpc/2008-June/000222.html
Sigh.
There are a number of reasons why WordPress should adopt OAuth -- and
not just that we're going to require it for DiSo.
Heck, Stephen Weber already got OAuth + AtomPub working for WordPress:
http://singpolyma.net/2008/05/atompub-oauth-for-wordpress/
...not to mention that OAuth will pretty much be essential if
WordPress is going to adopt OpenID at some point. It's also going to
be quite useful if folks want to post from, say, a Google Gadget or
OpenSocial widget to a WordPress blog if the XML-RPC APIs are going to
be off by default.
Anyway, if I get a chance I'll attempt to blog my thoughts on this,
but I wanted to get other people thinking about this -- and involved
in the conversation. I think there's a great opportunity here to get
OAuth into WordPress Core -- if not right away, in short order.
I'd love all of your help to make that happen.
Thanks,
Chris
--
Chris Messina
Citizen-Participant &
Open Source Advocate-at-Large
factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is: [X] bloggable [ ] ask first [ ] private
In MT 4.2, our next release, we're including the Perl OAuth library
for plugin authors to build on top of and this is the same library we
used to build a FireEagle plugin as their API is based on OAuth:
http://plugins.movabletype.org/fire-eagle-for-movable-type/
What this means is that anyone running Movable Type 4.2, whether it be
the core open source platform or one of our commercial products, will
be able to install plugins that utilize OAuth without having to worry
about needing additional libraries. We see this as The Right Thing to
do and a way we can help continue catalyzing OAuth adoption and moving
away from sharing passwords for the majority of API interactions.
Additionally, MT 4.2 supports OpenID 2.0 for commenting out of the
box. We ship a handful of OpenID Providers and then provide plugins
to add additional OpenID Providers to the commenting list:
http://www.majordojo.com/2008/06/introducing-yahoo-openid-for-movable-type.php
http://www.majordojo.com/projects/wordpress-openid-plugin-for-movable-type.php
http://notes.1ec5.org/archives/2007/08/25/aimopenid.html
Steve Ivy has also written an XRDS-Simple plugin for Movable Type
which allows other plugins to register as services. The Yahoo! OpenID
Commenting plugin builds on top of this plugin to advertise your
blog's endpoints in such a way that Yahoo! recognizes it as being more
trusted. This means a better user experience for commenters and shows
how this ecosystem of technologies builds on one another. Obviously
this is also very useful as OAuth Discovery gets implemented:
http://redmonk.net/archives/2008/05/27/xrds-simple-for-movable-type/
Further, we have a plugin which adds OAuth support to the Atom
Publishing Protocol, much like the plugin that Stephen Weber has
already released for WordPress.org, working but want to do a bit more
testing and polish before releasing it.
It seems like all of this would be a good thing to chat about face to
face at the WordPress Meetup tonight if you're in San Francisco.
http://upcoming.yahoo.com/event/854418/
--David
Then next time don't, start a new thread :(
> I think what we've done so far helps
> to show the importance of supporting these technologies compared to
> disabling APIs by default or even considering the idea of creating your own
> authorization protocol now that OAuth exists. Anything that improves
> security is good, but maybe the best path forward is coupling existing APIs
> to the new authentication and authorization systems available.
Messina's subject is provocative and fun, but other than some
community member having a pie in the sky discussion, there has been no
serious talk about "WordPress pursuing its own authz protocol".
OAuth won't make it into 2.6, but I'm confident that it will be in a
release soon.
Cheers,
Lloyd