wordpress + oauth

Post on 06-May-2015


WordPress + OAuth

Will Norris

http://will.norris.name/

WordCamp SF 2008

2008 Aug 16

Will Norris

Early 2007

Dec 2007

April 2008

DiSo - seeking a viable model for a distributed social network

components - people, friends, identity, activities, sharing & permissions, messaging, groups

Vidoop - strong authentication for the consumer web

What is OAuth?

OAuth is...

... a protocol for developing passwordless APIs.

OAuth is...

... a way for an application to interact with a service on a user’s behalf without having to know the user’s credentials.

OAuth is...

... “your valet key for the Web.”

OAuth is...

... not OpenID.

(OpenID does authentication. OAuth does authorization.)

(OpenID identifies users. OAuth identifies applications.)

Why do we need OAuth?

The Love Triangle

Service Provider

End User

Consumer Application

The Password Anti-Pattern

teaching people bad habits

Importing Contacts

Accessing WordPress

Problems

Full account access

Non-revocable

Sharing your credentials is giving away the keys to the kingdom. It’s the equivalent of giving the waiter your ATM card and PIN in order to pay for dinner.

You can’t revoke your password once you’ve shared it... all you can do is change your password. And then you have to update it everywhere.

OAuth Tokens can...

Be constrained
... by source
... by time
... by function
... by _____

Limit by IP Address. Allow access only during certain times of the day or for the next two months. Allow basic functions, but not administrative functions.

OAuth Tokens can...

Be revoked
... automatically
... manually

Revoke token after a certain number of uses or period of time.
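
The constraints and revocation rules listed on these two slides, as an added sketch of a provider-side check (not code from the talk or from any WordPress OAuth plugin). The `Token` record, the `authorize` function, the scope names and the sample addresses are all hypothetical and constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Token:
    """Hypothetical provider-side record of one grant to one consumer application."""
    consumer: str
    allowed_net: str       # by source: network the consumer may call from
    not_after: datetime    # by time: the grant ends here
    scopes: frozenset      # by function: operations the user approved
    max_uses: int          # automatic revocation after this many requests
    uses: int = 0
    revoked: bool = False  # manual revocation by the end user sets this

def authorize(tok, source_ip, scope, now):
    """Decide one API request made with tok; returns (allowed, reason)."""
    if tok.revoked:
        return False, "revoked"
    if now >= tok.not_after or tok.uses >= tok.max_uses:
        tok.revoked = True  # automatic revocation: expiry or use limit
        return False, "revoked automatically"
    if ipaddress.ip_address(source_ip) not in ipaddress.ip_network(tok.allowed_net):
        return False, "source not allowed"
    if scope not in tok.scopes:
        return False, "function not granted"
    tok.uses += 1
    return True, "ok"

def demo():
    """Run constructed sample requests against one constructed token."""
    now = datetime(2008, 8, 16, 12, 0, tzinfo=timezone.utc)
    tok = Token("contact-importer", "203.0.113.0/24", now + timedelta(days=60),
                frozenset({"read_posts", "publish_post"}), max_uses=2)
    requests = [("203.0.113.7", "read_posts"),    # allowed
                ("198.51.100.9", "read_posts"),   # wrong source network
                ("203.0.113.7", "manage_users"),  # administrative function
                ("203.0.113.7", "publish_post"),  # allowed, second and last use
                ("203.0.113.7", "read_posts")]    # use limit reached
    return [authorize(tok, ip, scope, now)[1] for ip, scope in requests]

if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

Revoking this token affects only the one consumer application; the user's password and every other grant stay untouched, which is what the shared-password approach cannot offer.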

WordPress OAuth Demo

pictures

The Love Triangle

Service Provider

End User

Consumer Application

Note that we only enter the blog URL now, not the username and password.

We log in at our WordPress blog, through the normal login page.

Grant or deny access for this particular application.

Managing your Applications

Who’s using OAuth?

...and more

Google - All GData APIs, Google Friend Connect

Yahoo! - FireEagle, Y! Open Strategy, Flickr(?)

Questions?

Slide credits:

“OAuth: Basic Introduction” - Leah Culver

“Advanced OAuth Wrangling” - Kellan Elliott-McCrea