[wp-trac] [WordPress Trac] #51583: App Passwords: No stable way to identify applications
WordPress Trac
noreply at wordpress.org
Wed Oct 21 01:41:40 UTC 2020
#51583: App Passwords: No stable way to identify applications
------------------------------------+-------------------------------
Reporter: TimothyBlynJacobs | Owner: TimothyBlynJacobs
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: 5.6
Component: Login and Registration | Version: trunk
Severity: normal | Keywords:
Focuses: rest-api |
------------------------------------+-------------------------------
We should add support for an `app_id` parameter that applications could
use when sending the user to `authorize-application.php`. Apps can already
pass an `app_name` but this is just a suggestion and can be changed by the
user when creating an app. The `app_id` would be a string unique to that
application, and by default not displayed to the user.

Plugin developers could use this to add support for disabling all app
passwords with a given `app_id`. This isn't to protect against bad actors,
since they could use random ids each time, but for well behaving
applications it would give administrators an easy way to "turn off" an
application if they needed to.

By default, Core wouldn't enforce that the `app_id` is provided, but
developers could, using the
`wp_authorize_application_password_request_errors` hook.

Technically, plugin developers could add support for `app_id` themselves
too, but I think the chances are slim of clients passing an `app_id` if we
don't include it as a suggestion in our documentation and provide a basic
level of support.

https://make.wordpress.org/core/2020/09/23/proposal-rest-api-authentication-application-passwords/#comment-39884
--
Ticket URL: <https://core.trac.wordpress.org/ticket/51583>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
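
A sketch of the plugin-side use the ticket describes: requiring an `app_id` through the `wp_authorize_application_password_request_errors` hook and turning off every password issued to one application. This is an added example, not code from the ticket or from WordPress core; it assumes the `app_id` reaches the hook as `$request['app_id']` and is stored on each password item under `app_id`, and the `example_*` names and the blocked id are hypothetical.

```php
<?php
// Added example; function and constant names are hypothetical.
// Assumption: the request array passed to the hook carries 'app_id', and
// stored password items carry it too, as the ticket proposes.

// Constructed sample value: app_ids an administrator has turned off.
const EXAMPLE_BLOCKED_APP_IDS = array( '00000000-0000-4000-8000-000000000000' );

// Reject authorization requests that omit app_id or use a disabled one.
add_action(
	'wp_authorize_application_password_request_errors',
	function ( $error, $request ) {
		$app_id = isset( $request['app_id'] ) ? (string) $request['app_id'] : '';

		if ( '' === $app_id ) {
			$error->add( 'example_missing_app_id', 'Applications must send an app_id to request access to this site.' );
			return;
		}
		if ( in_array( $app_id, EXAMPLE_BLOCKED_APP_IDS, true ) ) {
			$error->add( 'example_blocked_app_id', 'This application has been disabled by an administrator.' );
		}
	},
	10,
	2
);

/**
 * Delete every application password, for every user, issued under $app_id.
 * Blocking the id in the hook above only stops new passwords; ones already
 * issued keep working until they are deleted here.
 *
 * @return int Number of passwords deleted.
 */
function example_revoke_app_passwords( $app_id ) {
	$revoked = 0;
	foreach ( get_users( array( 'fields' => 'ID' ) ) as $user_id ) {
		$user_id = (int) $user_id;
		foreach ( WP_Application_Passwords::get_user_application_passwords( $user_id ) as $item ) {
			if ( ! isset( $item['app_id'] ) || $item['app_id'] !== $app_id ) {
				continue; // Issued without an app_id, or to another application.
			}
			if ( true === WP_Application_Passwords::delete_application_password( $user_id, $item['uuid'] ) ) {
				$revoked++;
			}
		}
	}
	return $revoked;
}
```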