Make WordPress Core

Changes between Initial Version and Version 1 of Ticket #55870


Ignore:
Timestamp:
05/29/2022 07:25:28 PM (3 years ago)
Author:
TimothyBlynJacobs
Comment:

Hi @mrahmadawais,

Thanks for the ticket!

I'm not sure why an OpenID client would be used with App Passwords. One of the benefits of App Passwords using Basic Authentication is that it is built in to many HTTP clients by simply passing a username and password field. For instance Axios and Guzzle both have an auth field.

The OAuth specification requires following that encoding process. However, Application Passwords is not OAuth, so I'm not sure why we'd be following the OAuth specification here.

If we did want to match the OAuth specification, changing the encoding format could potentially cause a backward compatibility break. Though it would be unlikely due to the selection of characters that WordPress Core generates.

All that being said, I'm not sure what the practical benefit here is. If the values passed to App Passwords are an OAuth client_id and client_secret they won't be successfully authenticated by wp_authenticate_application_password regardless of the encoding method chosen because they aren't App Passwords.

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #55870

    • Property Keywords reporter-feedback added
    • Property Version changed from trunk to 5.6
  • Ticket #55870 – Description

    initial v1  
    1 Using OAuth 2 based. authentication IETF recommends for [client id/secrets](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1) URL [encoded](https://datatracker.ietf.org/doc/html/rfc6749#appendix-B) forms.
     1Using OAuth 2 based. authentication IETF recommends for [https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1 client id/secrets] URL [https://datatracker.ietf.org/doc/html/rfc6749#appendix-B encoded] forms.
    22
    33Which means, by using some node OpenID clients, we always get `Authorization: Basic urlSafeEncodedBase64String('user:pass')`.
    44
    5 This fails to authenticate as [WordPress doesn't decode](https://github.com/WordPress/wordpress-develop/blob/0a6c37ceb0a86bebf0b287ac12d200e67bbf948f/src/wp-includes/user.php#L474) the `user` and `pass` which could also be clientId and clientSecret in OAuth2.
     5This fails to authenticate as [https://github.com/WordPress/wordpress-develop/blob/0a6c37ceb0a86bebf0b287ac12d200e67bbf948f/src/wp-includes/user.php#L474 WordPress doesn't decode] the `user` and `pass` which could also be clientId and clientSecret in OAuth2.
    66
    77