Make WordPress Core

Opened 11 years ago

Closed 11 years ago

#23419 closed enhancement (wontfix)

Use version 1.1 for oEmbed

Reported by: kovshenin
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.4
Component: Embeds
Keywords: dev-feedback has-patch
Focuses:
Cc:


Version 1 of the API is deprecated and it will be retired soon. We should work on moving to version 1.1.

This sounds like a no-brainer, however one of the biggest changes between the two versions is the authentication model. Version 1.1 does not support unauthenticated requests. This means that we can no longer anonymously query the oembed endpoint.

I'm not sure we want to build an OAuth client into Core specifically for this and have users go through an authentication process before being able to embed tweets. Another option is to construct the embedded tweets manually without querying Twitter's API.

This should also fix most of the "tweets won't embed" problems people are having on shared hosts, since unauthenticated requests in v1 are rate limited by IP.

Attachments (1)

23419.diff (2.1 KB) - added by kovshenin 11 years ago.

Change History (13)

#1 @kovshenin
11 years ago

  • Keywords has-patch added; needs-patch removed

23419.diff drops the oEmbed and uses a regular embed with a callback, similar to what we have for Google Video. Downside is that the tweet content is not available without the embedded script, for example in feed readers.

#2 @scribu
11 years ago

  • Milestone changed from Awaiting Review to 3.6

#3 @nacin
11 years ago

I think we should talk with someone at Twitter before jumping into this. Because requiring authentication for an oEmbed endpoint is fairly insane and renders it useless.

Their own documentation on Embedded Tweets makes specific reference to us:

Embedding from WordPress and other CMSs

Some content management systems like WordPress have created an optimized workflow for embedding Tweets. In WordPress you can simply copy the URL for a Tweet and paste it on a single line in your post. WordPress will do the rest of the work to insert the proper embed code and make the Tweet appear in your content. For example:
To add this behavior to your CMS, read the section below on Embedded Tweets for Developers.

Additionally, this page (updated yesterday) still prominently references the 1.0 oEmbed endpoint. So perhaps they have plans to keep old-school oEmbed support alive.

#4 @goto10
11 years ago

  • Cc dromsey@… added

#5 @johnbillion
11 years ago

I left a comment on Twitter's discussion thread for the v1 API retirement (here) asking about the status of the v1 API for embedded Tweets and whether v1.1 will allow unauthenticated embeds. It's awaiting approval. I'll update if I get a reply.

#6 @nacin
11 years ago

We've also reached out to Twitter's API team.

#7 @Ipstenu
11 years ago

  • Cc ipstenu@… added

#8 follow-up: @nacin
11 years ago

Initial response from Twitter is that "the endpoint will continue to operate unauthenticated, as-is the spirit of oEmbed." Still trying to confirm whether that means 1.0's oEmbed endpoint will remain in operation past the 1.0 shutdown, if 1.1's oEmbed endpoint will be changed to be entirely unauthenticated, or both. Either way, we're in the clear in terms of not needing to implement something new.

#9 in reply to: ↑ 8 @kovshenin
11 years ago

Replying to nacin: Great news! Any word about whether the March "blackout tests" will affect the v1 oEmbed endpoint?

#10 @bananastalktome
11 years ago

  • Cc bananastalktome@… added

#11 @kovshenin
11 years ago

It looks like the oEmbed endpoint will continue to work on v1 of the API:

Developers may have observed that unauthenticated requests to /1/statuses/oembed still functioned during the blackout test. Twitter's support for OEmbed transcends our API versioning scheme and we'll continue providing this method of Tweet syndication. Over time the URL for our OEmbed service may change; we recommend that developers tolerate HTTP redirects on this method to better future-proof your integrations.

#12 @nacin
11 years ago

  • Milestone 3.6 deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Yup, we're good. A note, wp_remote_get() defaults to 5 redirections, based on the http_request_redirection_count filter.
