Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upBroad conceptual overview of varying methods. #15
Comments
|
I wrote the endpoints for indieweb/wordpress-indieauth, which is an identity layer over OAuth2. It does not require real credentials, it uses, similar to Application Passwords, a randomly generated long token which is revokable. It does not offer a temporary token, although supporting expiring tokens and refresh tokens is trivial. |
|
I've added the current oauth2 plugin. I wasn't sure the best way to describe the temporariness of the tokens. The plugin doesn't currently support refresh tokens. When chatting about it at WC US, it seemed like we'd support refresh tokens at a later point. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This observation came to me last night as I was writing up a summary in a DM to @kadamwhite and it felt relevant so I wanted to polish it up and post it publicly.
It feels like there's three main types of credentials that are being discussed for use and storage -- across all methods I've seen.
Here's a summation of how I've seen methods fit into these -- I'll try to keep the table updated as discussion progresses:
If anyone can contribute lines to the table with data on other authentication plugins (including various other flavors of jwt and oauth), please do so.
Notes:
If I'm mistaken on any of these summations, or mischaracterize any, please let me know below so we can keep the data accurate. I'm not by any stretch an expert on all of these methods, so while I've tried to source and link to explain my assertions, if I've gotten anything wrong, please correct me.
If the only use of the "real" credentials is being entered directly into the site by the user for authentication, but never seen or stored by the client app, I'm treating them as not used.