#51583 closed defect (bug) (fixed)
App Passwords: No stable way to identify applications
Reported by: | TimothyBlynJacobs | Owned by: | TimothyBlynJacobs |
---|---|---|---|
Milestone: | 5.6 | Priority: | normal |
Severity: | normal | Version: | 5.6 |
Component: | Login and Registration | Keywords: | has-patch |
Focuses: | rest-api | Cc: |
Description
We should add support for an app_id
parameter that applications could use when sending the user to authorize-application.php
. Apps can already pass an app_name
but this is just a suggestion and can be changed by the user when creating an app. The app_id
would be a string unique to that application, and by default not displayed to the user.
Plugin developers could use this to add support for disabling all app passwords with a given app_id
. This isn't to protect against bad actors, since they could use random ids each time, but for well behaving applications it would give administrators an easy way to "turn off" an application if they needed to.
By default, Core wouldn't enforce that the app_id
is provided, but developers could using the wp_authorize_application_password_request_errors
hook.
Technically, plugin developers could add support for app_id
themselves too, but I think the chances are slim of clients passing an app_id
if we don't include it as a suggestion in our documentation and provide a basic level of support.
Change History (5)
This ticket was mentioned in PR #639 on WordPress/wordpress-develop by TimothyBJacobs.
4 years ago
#1
- Keywords has-patch added
This ticket was mentioned in Slack in #core-passwords by georgestephanis. View the logs.
4 years ago
TimothyBJacobs commented on PR #639:
4 years ago
#4
Fixed in fe2053f2c1cff0c416112103988e832687ca3836.
Trac ticket: https://core.trac.wordpress.org/ticket/51583