OAuth in Wordpress


Stephen Paul Weber

Dec 17, 2007, 5:25:06 PM
to diso-p...@googlegroups.com
I have just finished a working prototype of a plugin to allow access
to Wordpress services using OAuth and tested it. It works! :D

What's done:

1) Teaching myself OAuth flow (heh... )
2) Creating an OAuthWordpressStore class that wraps all the OAuth
library store functions in a WPDB friendly way.
3) Pointing the test client (I actually tried two different ones) at
it gets the request and access tokens, correctly verifying the user
and asking for user input along the way.
4) Associating the access token with a user account
5) Accessing any URL on the Wordpress site with the access token (as
you would for any OAuth API) results in the output that user would see
when logged in

What's not:

1) An interface for adding consumer keys
2) OAuth detection (not even the draft is implemented yet)
3) Granular permissions -- lets the consumer access ALL pages
4) Expiring the access tokens
5) Probably other stuff

--
- Stephen Paul Weber, Amateur Writer
<http://www.awriterz.org>

MSN/GTalk/Jabber: singp...@gmail.com
ICQ/AIM: 103332966
BLOG: http://singpolyma.net/

Terrell Russell

Dec 17, 2007, 6:01:46 PM
to diso-p...@googlegroups.com
Stephen Paul Weber wrote:
> I have just finished a working prototype of a plugin to allow access
> to Wordpress services using OAuth and tested it. It works! :D

Most impressive... Care to share a link?

Terrell

--
Terrell Russell
Co-Founder, claimID.com
PhD Student, Information Science, UNC-CH

Steve Ivy

Dec 17, 2007, 6:41:47 PM
to diso-p...@googlegroups.com
Stephen,

Yay!! This is AWESOME. Would love to see some demos.

Thanks for letting us know!

--Steve


--
Steve Ivy
http://redmonk.net
This email is: [ ] bloggable [x] ask first [ ] private

Stephen Paul Weber

Dec 17, 2007, 6:50:17 PM
to diso-p...@googlegroups.com
I have an exam in a half hour, but I'll get some sort of
demo/published code out tomorrow ;)

Stephen Paul Weber

Dec 18, 2007, 3:50:41 AM
to diso-p...@googlegroups.com
So, I haven't got the code quite packaged for showing. Tomorrow I
hope. A basic demo is viewable though, to see that it works :)

<http://tinyurl.com/3c2jgp>

Just click the button on that page. You will be asked to log in on my
site if you aren't already (OpenID is right there for you :) ). You
will then be asked if you want to let the test app access your
Wordpress account. Hit yes. You will then be presented with the
content of my home page, rendered at a URL that is NOT wordpress. You
will note that the login box+link in the upper right corner is not
there, because with OAuth it treats you as though you were logged in!

Note that accessing my site with cURL produces a lot of 503 errors (no
real idea why) -- so you may get such an error or a 'this is a known
bug, go back and try again' error more than once. Just keep trying it
-- I just did it twice and it /does/ work :)

Chris Messina

Dec 18, 2007, 4:29:53 AM
to diso-p...@googlegroups.com
Wow, this is awesome (if it's doing what it seems to be doing!).

One thing I noticed was that if I didn't pick "always allow on my IdP"
(instead, picking allow once) I ended up back on the WP login screen
with nothing to do next... Seems like a fixable issue, right?

Great work Stephen!

Chris

--
Chris Messina
Citizen-Participant &
Open Source Advocate-at-Large
Work: http://citizenagency.com
Blog: http://factoryjoe.com/blog
Cell: 412.225.1051
IM: factoryjoe
This email is: [ ] bloggable [X] ask first [ ] private

Stephen Paul Weber

Dec 18, 2007, 10:17:03 AM
to diso-p...@googlegroups.com
Hey Chris,
The "trust once" bug seems to be an issue with the WP-OpenID plugin
(I'm using the SVN version from the DiSo Google Code site...)

Stephen Paul Weber

Dec 18, 2007, 12:12:00 PM
to diso-p...@googlegroups.com
Now for a useful demo!

<http://tinyurl.com/3x7ys6>

Enter a comment in the textarea and click start. Same flow as before.
When it's done you should get a message saying "Comment Successful!"

Go to <http://singpolyma.net/2007/12/mini-feed-plugin-for-wordpress/>,
your comment should be there.

Now for codez!
Credit where credit is due, I'm using Andy Smith's PHP library for
OAuth <http://oauth.googlecode.com/svn/code/php/>

The Plugin: <http://singpolyma.net/oauth.tar.gz> (Now has a basic
admin page so you can properly test it)

The Consumer: <http://singpolyma.net/oauth-testcode.tar.gz> (contains
other test code too, the relevant file is example/wp_client.php)

Steve Ivy

Dec 18, 2007, 4:10:25 PM
to diso-p...@googlegroups.com
Stephen,

I consistently get an error message in the wp-login page:

"OpenID authentication valid, but unable to find an account association."

Ideas? I've told myopenid.com to allow your site to authenticate, and
it's in the list of allowed sites...

--Steve


--
Steve Ivy
http://redmonk.net // http://diso-project.org

Stephen Paul Weber

Dec 18, 2007, 10:46:46 PM
to diso-p...@googlegroups.com
I got that once... but when I set to 'always allow' it was fine... I
use myopenid.com myself and never had an issue until two days ago when
I switched from the original OpenID registration plugin to the
wp-openid plugin in SVN on DiSo -- now I still am fine but get
complaints from some people... In testing because of these complaints
I've found that it tends to die on 'allow once' -- but I can't verify
that and it sounds like that's not your issue. I may just go back to
the other plugin tomorrow and see if that solves it

Stephen Paul Weber

Dec 19, 2007, 4:05:34 PM
to diso-p...@googlegroups.com
I found the OpenID login issue. Turns out it's because the new plugin
is too smart! It was detecting that I had user registrations off and
so not allowing new OpenIDs to log in! The old plugin ignored this
setting, so I never noticed. I guess it's a good thing, I've updated
the setting so it should work now :)

Aside from the "redirecting to your OpenID provider" page, which I
hate, I now think this plugin is nicer/better than the old one in both
setup and smart use of settings ;)

Anyway, I'm half-done work on providing/consuming OAuth Detection
(Draft Extension). It's basically done, just have to test some more
to be sure :)

Chris Messina

Dec 19, 2007, 4:09:16 PM
to diso-p...@googlegroups.com
Oh yeah, that's a feature change that I requested. My thinking was —
if you're allowing users to login with OpenID, you probably should
create accounts for them too so you have "hang things" off of them...

I suppose it should force the "create accounts for openid users"
option. Good catch!

Chris

Stephen Paul Weber

Dec 19, 2007, 5:28:45 PM
to diso-p...@googlegroups.com
Alright, OAuth for Wordpress with Discovery is ready

<http://tinyurl.com/3cvewh>

See how there are so many fewer text boxes? (5 fewer, in fact!) All
that data is being auto-detected now! Enter a comment (the other data
should be filled in for you) and push 'start' -- as before the comment
will be posted at
<http://singpolyma.net/2007/12/mini-feed-plugin-for-wordpress/> after
OAuth flow.

The detection extension requires my XRDS plugin (newest version, which
I just uploaded) to be installed and activated to work.

CODE
OAuth plugin: <http://singpolyma.net/oauth.tar.gz>
XRDS plugin: <http://singpolyma.net/xrds.tar.gz>
OAuth Test code (client) that I'm using:
<http://singpolyma.net/oauth-testcode.tar.gz>

What's not done:

1) Granular permissions -- currently lets the consumer access ALL pages
2) Expiring the access tokens (backend is there, but no interface to
ask the user how long so still defaults to forever, client/testcode
does not take advantage of forever)
3) Probably other stuff
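
Stephen's two open items (granular permissions and token expiry) are checks the provider side has to make on every signed request, alongside verifying the OAuth signature itself. As an added Python sketch, not the plugin's code: a hypothetical in-memory stand-in for the OAuthWordpressStore that validates the HMAC-SHA1 signature, refuses expired tokens and confines each token to the URL paths the user granted (the class names, store layout and sample values are assumptions).

```python
import base64, hashlib, hmac, secrets, time
from dataclasses import dataclass
from urllib.parse import quote, urlsplit

def _enc(s):                          # OAuth 1.0 percent-encoding (RFC 3986 unreserved kept)
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """Signature base string: METHOD & encoded URL & encoded, sorted parameters."""
    norm = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items())
                    if k != "oauth_signature")
    return "&".join([method.upper(), _enc(url), _enc(norm)])

def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 signature, computed the same way by consumer and provider."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

@dataclass
class AccessToken:
    user: str                    # the WordPress account the token is associated with
    secret: str
    allowed_prefixes: tuple      # URL paths the consumer may reach (empty = nothing)
    expires_at: "float | None"   # None = never, which is the prototype's default

class AccessTokenStore:
    """Hypothetical in-memory stand-in for the plugin's OAuthWordpressStore."""
    def __init__(self):
        self.tokens = {}

    def issue(self, user, allowed_prefixes, ttl=None, now=None):
        now = time.time() if now is None else now
        token, secret = secrets.token_hex(16), secrets.token_hex(16)
        self.tokens[token] = AccessToken(user, secret, tuple(allowed_prefixes),
                                         None if ttl is None else now + ttl)
        return token, secret

    def authorize(self, method, url, params, consumer_secret, now=None):
        """Return the WordPress user to act as, or None if the request is refused."""
        now = time.time() if now is None else now
        tok = self.tokens.get(params.get("oauth_token", ""))
        if tok is None or (tok.expires_at is not None and now > tok.expires_at):
            return None                              # unknown or expired token
        if not any(urlsplit(url).path.startswith(p) for p in tok.allowed_prefixes):
            return None                              # page outside the granted scope
        expected = sign(method, url, params, consumer_secret, tok.secret)
        if not hmac.compare_digest(expected.encode(), str(params.get("oauth_signature", "")).encode()):
            return None                              # tampered or unsigned request
        return tok.user
```

A real store would persist tokens in the WordPress database and also track nonces per token to reject replayed requests.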

James D Kirk

Dec 19, 2007, 6:02:11 PM
to DiSo Project
Finally was able to get access to your test setup on that last
tinyURL. I can see it all in action, but I'm a little fuzzy on how all
of what you're creating here can be used. Could you or others maybe
lay out for the rest of us WP users/admins that want to participate
with this how we might begin to imagine uses for your OAuth plugins?

Not sure if it'll help others, but I know some real world examples
would benefit my creative thought process.

Thanks.

James.

Stephen Paul Weber

Dec 19, 2007, 7:57:37 PM
to diso-p...@googlegroups.com
So, basically, OAuth is a building block. Useless unto itself, but
opening up new possibilities.

A possibility #1

You are reading a post on my blog in your feed reader. You want to
comment, but coming to my site is a hassle. You enter your comment in
your feed reader and click a button -- done. OAuth doesn't do this,
but it ALLOWS FOR IT by providing the needed authentication layer for
your feed reader to access your account.

A possibility #2

I am on a new social networking portal. They want to know who my
friends are, and some of my profile information. I give them my URL
and, through OAuth, can give them access to just those parts of my
private profile and private friends list that I want them to see.
OAuth doesn't do that, but FACILITATES the permissions on who can see
what.

Just some thoughts :)

--

Chris Messina

Dec 19, 2007, 10:12:35 PM
to diso-p...@googlegroups.com
Wow, I really like possibility number 1...! I hadn't really thought
about that, but it makes perfect sense, especially if you start
reading blogs inside of, say, Flock or even your own self-hosted
WordPress install... if you are your own OpenID provider it gets even
easier, since you'd really only be doing remote OAuth posts,
authenticating and authorizing against yourself. Trippy!

Personally I thought we'd try to hack OAuth for WordPress into
MarsEdit or ecto or other blog editors first, to prove the concept,
replacing typical u/p auth with OAuth, so that the behavior is more
like a Flickr Uploadr.

Seems to me that this work you're doing now Stephen would allow that, right?

Another idea for possibility #2 is to give out different profile
photos for different people or services based on OAuth tokens (or
OpenID personas). That way if, say, you're leaving a comment as a
person who works for a company, you can leave a picture of yourself
in, say, a suit and tie. If, instead, you're leaving a comment on a
friend's blog, maybe you use the photo of yourself with the Mai Tai.
Etc etc.

Chris

--

Stephen Paul Weber

Dec 19, 2007, 10:45:58 PM
to diso-p...@googlegroups.com
> Personally I thought we'd try to hack OAuth for WordPress into
> MarsEdit or ecto or other blog editors first, to prove the concept,
> replacing typical u/p auth with OAuth, so that the behavior is more
> like a Flickr Uploadr.

That's also something that could be done -- although they're based on
XML-RPC, and I haven't tested the plugin's behaviour there at all,
but it's definitely worth looking at! That's one of the biggest
reasons I don't use Flock's internal blog editor: I'm too
lazy to set it up with the username/pass it requires on my OpenID-only
blog.

James D Kirk

Dec 20, 2007, 12:17:21 PM
to DiSo Project
Groovy! Glad I asked! I like the concept of #1 as well, and clearly
see the variety of implementations via the second choice. Looking
forward to working with anyone that starts to develop plugins to
facilitate these or other ways of using this cool work Stephen's
doing.

And if anyone has other thoughts or directions, do join in the
discussion here or elsewhere in this group. Remember, a lot of people
are reading, and only a few will post, so the more ideas we can
circulate and work up, the better for the community's development and
expansion as a whole.

Thanks Stephen and Chris. This is groovy stuff!

James.