WordPress pursuing its own authz protocol?


Chris Messina

Jul 1, 2008, 9:36:07 PM
to oa...@googlegroups.com, diso-project, Lloyd Budd, jos...@randomnetworks.com, Daniel Jalkut
In the past couple days, there's been a bit of a dust-up about some
default changes coming to WordPress in 2.6 -- namely disabling ATOM
and XML-RPC APIs by default. Read up on the discussion:

http://dougal.gunters.org/blog/2008/06/30/update-on-wordpress-blog-apis

This topic hit the mailing list:

http://comox.textdrive.com/pipermail/wp-xmlrpc/2008-June/thread.html#208

and eventually someone proposed inventing their own authorization protocol:

http://comox.textdrive.com/pipermail/wp-xmlrpc/2008-June/000222.html

Sigh.

There are a number of reasons why WordPress should adopt OAuth -- and
not just that we're going to require it for DiSo.

Heck, Stephen Weber already got OAuth + AtomPub working for WordPress:

http://singpolyma.net/2008/05/atompub-oauth-for-wordpress/

...not to mention that OAuth will pretty much be essential if
WordPress is going to adopt OpenID at some point. It's also going to
be quite useful if folks want to post from, say, a Google Gadget or
OpenSocial widget to a WordPress blog if the XML-RPC APIs are going to
be off by default.

Anyway, if I get a chance I'll attempt to blog my thoughts on this,
but I wanted to get other people thinking about this -- and involved
in the conversation. I think there's a great opportunity here to get
OAuth into WordPress Core -- if not right away, in short order.

I'd love all of your help to make that happen.

Thanks,

Chris

--
Chris Messina
Citizen-Participant &
Open Source Advocate-at-Large
factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is: [X] bloggable [ ] ask first [ ] private

Joseph Scott

Jul 1, 2008, 9:57:30 PM
to DiSo Project


On Jul 1, 7:36 pm, "Chris Messina" <chris.mess...@gmail.com> wrote:
> In the past couple days, there's been a bit of a dust-up about some
> default changes coming to WordPress in 2.6 -- namely disabling ATOM
> and XML-RPC APIs by default. Read up on the discussion:
>
> http://dougal.gunters.org/blog/2008/06/30/update-on-wordpress-blog-apis
>
> This topic hit the mailing list:
>
> http://comox.textdrive.com/pipermail/wp-xmlrpc/2008-June/thread.html#208
>
> and eventually someone proposed inventing their own authorization protocol:
>
> http://comox.textdrive.com/pipermail/wp-xmlrpc/2008-June/000222.html
>
> Sigh.

I wouldn't call that last one a new authorization protocol, more like
a backwards compatible token mechanism. It would use the same
authentication process. At any rate, not really the main focus
(OAuth).


> There are a number of reasons why WordPress should adopt OAuth -- and
> not just that we're going to require it for DiSo.
>
> Heck, Stephen Weber already got OAuth + AtomPub working for WordPress:
>
> http://singpolyma.net/2008/05/atompub-oauth-for-wordpress/
>
> ...not to mention that OAuth will pretty much be essential if
> WordPress is going to adopt OpenID at some point. It's also going to
> be quite useful if folks want to post from, say, a Google Gadget or
> OpenSocial widget to a WordPress blog if the XML-RPC APIs are going to
> be off by default.

Just so I'm sure I followed this train of thought correctly, are you
suggesting that if WordPress had OAuth support that it should
override the explicit 'XML-RPC & AtomPub are disabled option'?

> Anyway, if I get a chance I'll attempt to blog my thoughts on this,
> but I wanted to get other people thinking about this -- and involved
> in the conversation. I think there's a great opportunity here to get
> OAuth into WordPress Core -- if not right away, in short order.
>
> I'd love all of your help to make that happen.



--
Joseph Scott
jos...@randomnetworks.com
http://joseph.randomnetworks.com/

David Recordon

Jul 2, 2008, 2:39:43 PM
to oa...@googlegroups.com, diso-project, Lloyd Budd, jos...@randomnetworks.com, Daniel Jalkut
I don't want to hijack this discussion as I'd love to see better
support for things like OAuth and OpenID in both WordPress.org and
WordPress.com, but think that it is important for the OAuth and DiSo
communities to know what we're already doing with Movable Type. I
think what we've done so far helps to show the importance of
supporting these technologies compared to disabling APIs by default or
even considering the idea of creating your own authorization protocol
now that OAuth exists. Anything that improves security is good, but
maybe the best path forward is coupling existing APIs to the new
authentication and authorization systems available.

In MT 4.2, our next release, we're including the Perl OAuth library
for plugin authors to build on top of and this is the same library we
used to build a FireEagle plugin as their API is based on OAuth:

http://plugins.movabletype.org/fire-eagle-for-movable-type/

What this means is that anyone running Movable Type 4.2, whether it be
the core open source platform or one of our commercial products, will
be able to install plugins that utilize OAuth without having to worry
about needing additional libraries. We see this as The Right Thing to
do and a way we can help continue catalyzing OAuth adoption and moving
away from sharing passwords for the majority of API interactions.

Additionally, MT 4.2 supports OpenID 2.0 for commenting out of the
box. We ship a handful of OpenID Providers and then provide plugins
to add additional OpenID Providers to the commenting list:

http://www.majordojo.com/2008/06/introducing-yahoo-openid-for-movable-type.php
http://www.majordojo.com/projects/wordpress-openid-plugin-for-movable-type.php
http://notes.1ec5.org/archives/2007/08/25/aimopenid.html

Steve Ivy has also written an XRDS-Simple plugin for Movable Type
which allows other plugins to register as services. The Yahoo! OpenID
Commenting plugin builds on top of this plugin to advertise your
blog's endpoints in such a way that Yahoo! recognizes it as being more
trusted. This means a better user experience for commenters and shows
how this ecosystem of technologies build on one another. Obviously
this is also very useful as OAuth Discovery gets implemented:

http://redmonk.net/archives/2008/05/27/xrds-simple-for-movable-type/

Further, we have a plugin which adds OAuth support to the Atom
Publishing Protocol, much like the plugin that Stephen Weber has
already released for WordPress.org, working but want to do a bit more
testing and polish before releasing it.

It seems like all of this would be a good thing to chat about face to
face at the WordPress Meetup tonight if you're in San Francisco.

http://upcoming.yahoo.com/event/854418/

--David

Lloyd Budd

Jul 2, 2008, 5:00:09 PM
to da...@sixapart.com, oa...@googlegroups.com, diso-project, jos...@randomnetworks.com, Daniel Jalkut
On Wed, Jul 2, 2008 at 11:39 AM, David Recordon <drec...@sixapart.com> wrote:
> I don't want to hijack this discussion

Then next time don't, start a new thread :(

> I think what we've done so far helps
> to show the importance of supporting these technologies compared to
> disabling APIs by default or even considering the idea of creating your own
> authorization protocol now that OAuth exists. Anything that improves
> security is good, but maybe the best path forward is coupling existing APIs
> to the new authentication and authorization systems available.

Messina's subject is provocative and fun, but other than some
community member having a pie in the sky discussion, there has been no
serious talk about "WordPress pursuing its own authz protocol".

OAuth won't make it into 2.6, but I'm confident that it will be in a
release soon.

Cheers,
Lloyd

Chris Messina

Jul 2, 2008, 9:54:11 PM
to DiSo Project
Blogged about this:

http://factoryjoe.com/blog/2008/07/02/feature-request-oauth-in-wordpress/

Nothing new, but now there's a public link out there.

Chris

On Jul 2, 2:00 pm, "Lloyd Budd" <lloydomat...@gmail.com> wrote: