Support an XMLRPC-based method for obtaining an authentication token #12

Open
danielpunkass opened this issue Feb 5, 2020 · 1 comment

Comments

@danielpunkass

Summary: supporting a method for obtaining a REST API authentication token over XMLRPC would allow existing XMLRPC clients to start migrating to the REST API in absence of a full-blown oauth2 solution in core.

For years, clients of the XMLRPC API method, who need to authenticate outside the scope of a web browser, have been unable to take advantage of the REST API without special plugins to accommodate authenticating for the API. This limits adoption of the API because XMLRPC clients are often developing products that are intended to be used by a broad spectrum of WordPress end-users, who may not have the inclination or ability to configure sites with custom plugins, etc.

These clients include 3rd party app developers such as myself (https://red-sweater.com/marsedit) and probably most notably the WordPress native mobile apps.

Longer term, there is talk of an oauth2 solution for authentication that could open up access to the API to these clients. In the absence of such a solution, it might be pragmatic to offer these clients a path through XMLRPC that grants access to the REST API.

Because the changes would be limited in scope to the XMLRPC API, which already supports inherently less secure authentication methods, it wouldn't be a substantive change in the security of a typical WordPress installation. Sites that, for example, disable XMLRPC would implicitly disable this enhancement as well.

In fact, any client who adopted this method for obtaining an authentication token would be immediately increasing the security of a user's site by abstaining from further use of the username/password for every request, which is what XMLRPC requires today.

One consideration is whether the authentication token granting access to REST offers greater access to the installation than a current XMLRPC authentication. If this is true (and it very well might be), then you might consider limiting the scope of access for these XMLRPC-based tokens such that they only offer a degree of access comparable to what the XMLRPC API allows.
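The post above sketches a token exchange (credentials presented once, an opaque token used thereafter) and asks that the token be scoped no wider than what XMLRPC already grants. The following is an added illustration of that shape, not WordPress core code and not anything the issue author proposed as an implementation: a small in-memory token service whose `issue_token` stands in for the proposed XMLRPC method and whose `authorize` stands in for the REST-side check. `XMLRPC_SCOPE`, the capability names, the user store and the time values are all constructed for the example.

```python
"""Added example (not WordPress code): a minimal credential-for-token
exchange in the shape the issue proposes.  The password is presented
exactly once; later calls carry an opaque bearer token instead, and the
granted scope is capped at a fixed capability set so the token can never
exceed the legacy XMLRPC surface.  All names are constructed."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

# Constructed stand-in for "what the XMLRPC API already allows".
XMLRPC_SCOPE: FrozenSet[str] = frozenset({"posts:read", "posts:write", "media:write"})

PBKDF2_ROUNDS = 100_000


@dataclass
class TokenRecord:
    user: str
    scope: FrozenSet[str]
    expires_at: float


@dataclass
class TokenService:
    # username -> (salt, pbkdf2 digest); constructed user store
    users: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)
    # sha256(token) -> record; the raw token is never stored server-side
    tokens: Dict[str, TokenRecord] = field(default_factory=dict)
    ttl_seconds: int = 3600

    def add_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[user] = (salt, digest)

    def _check_password(self, user: str, password: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_token(self, user: str, password: str,
                    requested_scope: Optional[Iterable[str]] = None,
                    now: Optional[float] = None) -> Optional[str]:
        """Stand-in for the proposed XMLRPC method: credentials in, token out.
        The granted scope is intersected with XMLRPC_SCOPE, so a client asking
        for more than XMLRPC allows silently gets only the XMLRPC subset."""
        if not self._check_password(user, password):
            return None
        scope = XMLRPC_SCOPE if requested_scope is None else frozenset(requested_scope) & XMLRPC_SCOPE
        issued = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.tokens[self._key(token)] = TokenRecord(user, scope, issued + self.ttl_seconds)
        return token

    def authorize(self, token: str, capability: str,
                  now: Optional[float] = None) -> Optional[str]:
        """Stand-in for the REST-side check: reject unknown, expired or
        out-of-scope tokens.  Returns the user name on success, else None."""
        rec = self.tokens.get(self._key(token))
        current = time.time() if now is None else now
        if rec is None or current >= rec.expires_at or capability not in rec.scope:
            return None
        return rec.user

    def revoke(self, token: str) -> bool:
        """Revocation is possible because the token, unlike a password,
        is a distinct credential that can be discarded independently."""
        return self.tokens.pop(self._key(token), None) is not None


def demo() -> Dict[str, Optional[str]]:
    svc = TokenService(ttl_seconds=60)
    svc.add_user("alice", "correct horse")          # constructed credentials
    assert svc.issue_token("alice", "wrong") is None  # bad password: no token
    # Client asks for more than XMLRPC grants; only the XMLRPC subset is issued.
    tok = svc.issue_token("alice", "correct horse",
                          requested_scope={"posts:write", "users:delete"}, now=1000.0)
    results = {
        "write": svc.authorize(tok, "posts:write", now=1010.0),    # allowed
        "escalate": svc.authorize(tok, "users:delete", now=1010.0),  # outside scope
        "expired": svc.authorize(tok, "posts:write", now=1061.0),  # past ttl
    }
    svc.revoke(tok)
    results["revoked"] = svc.authorize(tok, "posts:write", now=1010.0)
    return results


if __name__ == "__main__":
    print(demo())
```

The two properties the post argues for are visible in `demo()`: the password leaves the client once rather than on every request, and a token that asks for `users:delete` is clipped to the XMLRPC capability set rather than granted the wider REST surface. Storing only a hash of the token means a leaked token table does not yield usable credentials.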

@danielpunkass

This ticket was inspired by conversation in a Slack thread: https://wordpress.slack.com/archives/C02RQC26G/p1580745738095300
