Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Broad conceptual overview of varying methods. #15

Open
georgestephanis opened this issue Mar 27, 2020 · 2 comments
Open

Broad conceptual overview of varying methods. #15

georgestephanis opened this issue Mar 27, 2020 · 2 comments

Comments

@georgestephanis
Copy link

georgestephanis commented Mar 27, 2020

This observation came to me last night as I was writing up a summary in a DM to @kadamwhite and it felt relevant so I wanted to polish it up and post it publicly.

It feels like there's three main types of credentials that are being discussed for use and storage -- across all methods I've seen.

  • Your actual permanent username and password
  • A generated set of revokable credentials
  • A temporary token that expires after a set amount of time (generally crypto based)

Here's a summation of how I've seen methods fit into these -- I'll try to keep the table updated as discussion progresses:

If anyone can contribute lines to the table with data on other authentication plugins (including various other flavors of jwt and oauth), please do so.

Method Real Credentials Revokable Credentials Temporary Token
Cookie & Nonce ✔️Revokable Session Cookie ✔️12-24h nonce
XML-RPC ✔️For each request
Basic Auth #42790 ✔️For each request
wordpress/application-passwords ✔️App Password
indieweb/wordpress-indieauth ✔️high entropy revokable token
wp-api/oauth2 ✔️Client ❌ Access Token, no refresh support
wp-api/jwt-auth ✔️Key Pair ✔️One week, and refreshable if api key is valid
tmeister/wp-api-jwt-auth ✔️Weekly, for generating token ✔️One week

Notes:

If I'm mistaken on any of these summations, or mischaracterize any, please let me know below so we can keep the data accurate. I'm not by any stretch an expert on all of these methods, so while I've tried to source and link to explain my assertions, if I've gotten anything wrong, please correct me.

If the only use of the "real" credentials is being entered directly into the site by the user for authentication, but never seen or stored by the client app, I'm treating them as not used.

@dshanske
Copy link

I wrote the endpoints for indieweb/wordpress-indieauth, which is an identity layer over OAuth2. It does not require real credentials, it uses, similar to Application Passwords, a randomly generated long token which is revokable. It does not offer a temporary token, although supporting expiring tokens and refresh tokens is trivial.

@TimothyBJacobs
Copy link
Member

I've added the current oauth2 plugin. I wasn't sure the best way to describe the temporariness of the tokens. The plugin doesn't currently support refresh tokens. When chatting about it at WC US, it seemed like we'd support refresh tokens at a later point.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants