You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This observation came to me last night as I was writing up a summary in a DM to @kadamwhite and it felt relevant so I wanted to polish it up and post it publicly.
It feels like there's three main types of credentials that are being discussed for use and storage -- across all methods I've seen.
Your actual permanent username and password
A generated set of revokable credentials
A temporary token that expires after a set amount of time (generally crypto based)
Here's a summation of how I've seen methods fit into these -- I'll try to keep the table updated as discussion progresses:
If anyone can contribute lines to the table with data on other authentication plugins (including various other flavors of jwt and oauth), please do so.
If I'm mistaken on any of these summations, or mischaracterize any, please let me know below so we can keep the data accurate. I'm not by any stretch an expert on all of these methods, so while I've tried to source and link to explain my assertions, if I've gotten anything wrong, please correct me.
If the only use of the "real" credentials is being entered directly into the site by the user for authentication, but never seen or stored by the client app, I'm treating them as not used.
The text was updated successfully, but these errors were encountered:
I wrote the endpoints for indieweb/wordpress-indieauth, which is an identity layer over OAuth2. It does not require real credentials, it uses, similar to Application Passwords, a randomly generated long token which is revokable. It does not offer a temporary token, although supporting expiring tokens and refresh tokens is trivial.
I've added the current oauth2 plugin. I wasn't sure the best way to describe the temporariness of the tokens. The plugin doesn't currently support refresh tokens. When chatting about it at WC US, it seemed like we'd support refresh tokens at a later point.
This observation came to me last night as I was writing up a summary in a DM to @kadamwhite and it felt relevant so I wanted to polish it up and post it publicly.
It feels like there's three main types of credentials that are being discussed for use and storage -- across all methods I've seen.
Here's a summation of how I've seen methods fit into these -- I'll try to keep the table updated as discussion progresses:
If anyone can contribute lines to the table with data on other authentication plugins (including various other flavors of jwt and oauth), please do so.
Notes:
If I'm mistaken on any of these summations, or mischaracterize any, please let me know below so we can keep the data accurate. I'm not by any stretch an expert on all of these methods, so while I've tried to source and link to explain my assertions, if I've gotten anything wrong, please correct me.
If the only use of the "real" credentials is being entered directly into the site by the user for authentication, but never seen or stored by the client app, I'm treating them as not used.
The text was updated successfully, but these errors were encountered: