Tag Archive: oauth

Hello peoples,

Now that I am graduated, as mentioned in previous post, I am working on a project for my university. Well… today I also started working on one of my own projects again, the WordPress OAuth plugin. I am extending the plugin with features like sorting of buttons, and separating the OAuth code from the general code, to prepare support for other authentication schemes such as OpenID and Persona.

Once the separation code has been completes, it should result into two separate plugins BlaatSchaap Auth for the general code and BlaatSchaap OAuth for the OAuth specific code. This also introduces a problem. When current users upgrade to the next version, BlaatSchaap OAuth is upgraded, but then requires the BlaatSchaap Auth plugin. How to I install the BlaatSchaap Auth plugin automatically during the BlaatSchaap OAuth plugin upgrade. I have been googling about this issue, but without result. Is there an official way to do things like this or should I just hack some code together to do this trick?

Anyhow, tomorrow I’m having another party. Yeah, I am celebrating my birthday more then once this year. Party time! lol.

As I have mentioned in my previous post, I am working on creating an “universal” OAuth plugin for WordPress.
So far, I have been trying with Facebook, Twitter and Google. I have made the following observations:

FaceBook doesn’t login when the scope is not set, but allows this to be an empty string. However, Google complains about a missing parameter when this is not set. When this is set to an incorrect parameter, such as “email” (which is correct for Facebook btw), the login dialog appears, asking me to grant permissions to my application. However, the application does not receive an access token. I do receive an access token when I use ‘https://www.googleapis.com/auth/userinfo.email’ as my scope.

Facebook has something like a default scope when I don’t request anything. Therefore, a scope is not required there. It seems, I must request some scope for Google. So, it seems, I should store a default scope to my plugin as well.

The PHP OAuth implementation I am using to generate my WordPress plugin has some services pre-defined. So, I can just tell it to connect to Facebook, Twitter, Google, Tumblr, etc. etc. So, if some scope is required, I might add it as default in the OAuth implementation, or add it as a predefined interface element.

Recently, I’ve been looking at OAuth again. When, in the past, I was checking our Drupal, I had this general OAuth plugin. Just enter the protocol version, urls, client id and secret, and you could use any OAuth provider.

I have been looking for something simular for WordPress, but it doesn’t appear to exist. There exist some plugins specific to a website,
There are plugins line Gigyas and Janrain, which require you to sign up at their site. I don’t trust those kind of services, introducing another party in the login process, which, if compromised, could harm both the user and the website. Depending on a third party to authenticate your users is one thing, but letting a fourth party nagotiate between you and the third party is just asking for trouble if you ask me.

Last time I looked at OAuth, it seemed to me Facebook was the only service using OAuth 2.0. Nowadays, a higher number of services is using the 2.0 version of the protocol. Even Microsoft has adapted to this protocol, depricating it’s proprietary protocols it used when it was still called a Passport account. I know it was a long time ago when it was called this, but still, since when does Microsoft actually use standards (without raping them)?

Anyways… since there doesn’t appear to exist an universal OAuth solution for WordPress, I intent to make such a plugin. I think I’ll base it upon the oauth php library by Manuel Lemos. This library implements OAuth 1.0, 1.0a and 2.0. (For 2.0 some sites might use earlier drafts, not sure if this becomes problematic.) The source code is released under the 3 clause BSD license, so it could be used without a problem. I intend to create WordPress bindings for this library. So, I’ve been looking at the WordPress plugin API as well.

Well… I’m just getting some ideas ;)

P.S. When you think about using OAuth with Twitter, back then, and right now, I’m noticing the problem with the callback URL. You have to specify the callback URL at the application settings at their site.