In the past couple days, there's been a bit of a dust-up about some default changes coming to WordPress in 2.6 -- namely disabling ATOM and XML-RPC APIs by default. Read up on the discussion:
...not to mention that OAuth will pretty much be essential if WordPress is going to adopt OpenID at some point. It's also going to be quite useful if folks want to post from, say, a Google Gadget or OpenSocial widget to a WordPress blog if the XML-RPC APIs are going to be off by default.
Anyway, if I get a chance I'll attempt to blog my thoughts on this, but I wanted to get other people thinking about this -- and involved in the conversation. I think there's a great opportunity here to get OAuth into WordPress Core -- if not right away, in short order.
I'd love all of your help to make that happen.
Thanks,
Chris
--
Chris Messina
Citizen-Participant &
Open Source Advocate-at-Large
factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is: [X] bloggable [ ] ask first [ ] private
On Jul 1, 7:36 pm, "Chris Messina" <chris.mess...@gmail.com> wrote:
> In the past couple days, there's been a bit of a dust-up about some
> default changes coming to WordPress in 2.6 -- namely disabling ATOM
> and XML-RPC APIs by default. Read up on the discussion:
I wouldn't call that last one a new authorization protocol, more like
a backwards compatible token mechanism. It would use the same
authentication process. At any rate, not really the main focus
(OAuth).
> There are a number of reasons why WordPress should adopt OAuth -- and
> not just that we're going to require it for DiSo.
> Heck, Stephen Weber already got OAuth + AtomPub working for WordPress:
> ...not to mention that OAuth will pretty much be essential if
> WordPress is going to adopt OpenID at some point. It's also going to
> be quite useful if folks want to post from, say, a Google Gadget or
> OpenSocial widget to a WordPress blog if the XML-RPC APIs are going to
> be off by default.
Just so I'm sure I followed this train of thought correctly, are you
suggesting that if WordPress had OAuth support that it should
override the explicit 'XML-RPC & AtomPub are disabled option'?
> Anyway, if I get a chance I'll attempt to blog my thoughts on this,
> but I wanted to get other people thinking about this -- and involved
> in the conversation. I think there's a great opportunity here to get
> OAuth into WordPress Core -- if not right away, in short order.
I don't want to hijack this discussion as I'd love to see better support for things like OAuth and OpenID in both WordPress.org and WordPress.com, but think that it is important for the OAuth and DiSo communities to know what we're already doing with Movable Type. I think what we've done so far helps to show the importance of supporting these technologies compared to disabling APIs by default or even considering the idea of creating your own authorization protocol now that OAuth exists. Anything that improves security is good, but maybe the best path forward is coupling existing APIs to the new authentication and authorization systems available.
In MT 4.2, our next release, we're including the Perl OAuth library for plugin authors to build on top of and this is the same library we used to build a FireEagle plugin as their API is based on OAuth:
What this means is that anyone running Movable Type 4.2, whether it be the core open source platform or one of our commercial products, will be able to install plugins that utilize OAuth without having to worry about needing additional libraries. We see this as The Right Thing to do and a way we can help continue catalyzing OAuth adoption and moving away from sharing passwords for the majority of API interactions.
Additionally, MT 4.2 supports OpenID 2.0 for commenting out of the box. We ship a handful of OpenID Providers and then provide plugins to add additional OpenID Providers to the commenting list:
Steve Ivy has also written an XRDS-Simple plugin for Movable Type which allows other plugins to register as services. The Yahoo! OpenID Commenting plugin builds on top of this plugin to advertise your blog's endpoints in such a way that Yahoo! recognizes it as being more trusted. This means a better user experience for commenters and shows how this ecosystem of technologies builds on one another. Obviously this is also very useful as OAuth Discovery gets implemented:
Further, we have a plugin which adds OAuth support to the Atom Publishing Protocol, much like the plugin that Stephen Weber has already released for WordPress.org, working but want to do a bit more testing and polish before releasing it.
It seems like all of this would be a good thing to chat about face to face at the WordPress Meetup tonight if you're in San Francisco.
On Wed, Jul 2, 2008 at 11:39 AM, David Recordon <drecor...@sixapart.com> wrote:
> I don't want to hijack this discussion
Then next time don't, start a new thread :(
> I think what we've done so far helps
> to show the importance of supporting these technologies compared to
> disabling APIs by default or even considering the idea of creating your own
> authorization protocol now that OAuth exists. Anything that improves
> security is good, but maybe the best path forward is coupling existing APIs
> to the new authentication and authorization systems available.
Messina's subject is provocative and fun, but other than some community member having a pie in the sky discussion, there has been no serious talk about "WordPress pursuing its own authz protocol".
OAuth won't make it into 2.6, but I'm confident that it will be in a release soon.