Hi @mrahmadawais,
Thanks for the ticket!
I'm not sure why an OpenID client would be used with App Passwords. One of the benefits of App Passwords using Basic Authentication is that it is built in to many HTTP clients by simply passing a username and password field. For instance Axios and Guzzle both have an auth field.
The OAuth specification requires following that encoding process. However, Application Passwords is not OAuth, so I'm not sure why we'd be following the OAuth specification here.
If we did want to match the OAuth specification, changing the encoding format could potentially cause a backward compatibility break. Though it would be unlikely due to the selection of characters that WordPress Core generates.
All that being said, I'm not sure what the practical benefit here is. If the values passed to App Passwords are an OAuth client_id and client_secret they won't be successfully authenticated by wp_authenticate_application_password regardless of the encoding method chosen because they aren't App Passwords.
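
Added example, not part of the comment above and not WordPress code: a Python sketch of the two encodings under discussion, plain Basic (RFC 7617) and the OAuth 2.0 client-credential form (RFC 6749 section 2.3.1, which form-urlencodes each value first), with a check for which credentials would still parse identically if a server began form-decoding. The function names and all sample values are constructed for illustration.

```python
import base64
from urllib.parse import quote_plus, unquote_plus


def basic_header(username: str, password: str) -> str:
    """RFC 7617 Basic credentials: base64(username ":" password), no pre-encoding."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def oauth_client_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 section 2.3.1: form-urlencode each value, then apply Basic."""
    return basic_header(quote_plus(client_id), quote_plus(client_secret))


def parse_basic(header: str, form_decode: bool = False) -> tuple[str, str]:
    """Server side: split on the first colon; optionally undo the OAuth encoding."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, pw = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    if form_decode:
        return unquote_plus(user), unquote_plus(pw)
    return user, pw


def survives_encoding_change(username: str, password: str) -> bool:
    """True if a client that keeps sending plain Basic would still be parsed
    to the same credentials after a (hypothetical) switch to form-decoding."""
    header = basic_header(username, password)
    return parse_basic(header, form_decode=True) == (username, password)


if __name__ == "__main__":
    # Constructed sample credentials, not real accounts or secrets.
    samples = [
        ("admin", "abcdEFGH1234ijklMNOP5678"),  # alphanumeric only
        ("a+b@example.com", "abcdEFGH1234"),    # '+' in the username
        ("admin", "100%41sure"),                # '%41' would decode to 'A'
    ]
    for user, pw in samples:
        print(user, pw, "unchanged:", survives_encoding_change(user, pw))
```

Alphanumeric-only values produce the same header under both schemes; values containing `+` or `%` are the ones that would be read differently after such a change.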