[wp-trac] [WordPress Trac] #52275: REST API: Add App Password introspection endpoint
WordPress Trac
noreply at wordpress.org
Sun Jan 10 18:38:00 UTC 2021
#52275: REST API: Add App Password introspection endpoint
-----------------------------------+--------------------
Reporter: TimothyBlynJacobs | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: 5.7
Component: Application Passwords | Version: 5.6
Severity: normal | Keywords:
Focuses: rest-api |
-----------------------------------+--------------------
It can be helpful for an Application to be able to know which App Password
it is using to authenticate. For instance, if an application is
uninstalled, it'd be great if it could automatically delete its app
password. This could also be helpful to add additional UI hints to the
application's interface about how they are authenticated. For instance
displaying the App Password's label. In the future, this would be
necessary so an application could determine what `scope` it has been
granted.
Currently, this is somewhat achievable by utilizing the `app_id` and
making a request to `wp/v2/application-passwords/me` and searching through
all app passwords with its `app_id`. However, this doesn't work for
instances where an Application might be installed on multiple devices,
each of which will have its own app password, but should use the same
`app_id`.
I think this could be implemented as a
`wp/v2/application-passwords/introspect` endpoint that would return the prepared response for
the app password being used to authenticate. If one isn't found, the
endpoint would `404`. A more RESTful sounding name suggestion would be
welcome. Note we already have a `/me`, and I think we'll also have a
future `exchange` or `refresh` endpoint that would update the app
password's password.
By traversing the `self` link, the Application could determine the correct
route to use to update or delete the credential. So I don't think we
necessarily need to implement those methods on the `introspect` route
itself.
OAuth describes a potential introspection endpoint in
[https://tools.ietf.org/html/rfc7662 RFC 7662]. One thing of note is that
it accepts a `token` as an argument. I think that is less useful for us
because we don't have a separate concept of client authentication. The app
password itself is the credential.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52275>
WordPress Trac <https://core.trac.wordpress.org/>
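The two situations the ticket describes, as an added example that is not part of the ticket or of WordPress core: a client that looks itself up in the current user's Application Password listing by `app_id` (the existing workaround), the ambiguity that appears once several devices share one `app_id`, and a simulated server-side lookup by the authenticating password's UUID, which is what the proposed `introspect` route would return. The listing JSON, UUIDs, URLs and names below are constructed sample data; `introspect()` is a stand-in, not core's implementation, and takes the authenticating UUID as a parameter rather than reading it from the request.

```python
"""Added example (constructed data; not code from the ticket or from core):
resolving an Application Password from the /me listing versus an
introspect-style lookup by the authenticating credential's UUID."""

import json
from typing import Optional

# Constructed sample values.
BASE = "https://example.com/wp-json/wp/v2/users/1/application-passwords/"
SHARED_APP_ID = "9f1c2d3e-0000-4000-8000-0000000000ab"   # one app, two devices
SINGLE_APP_ID = "9f1c2d3e-0000-4000-8000-0000000000cd"   # one app, one device
PHONE_UUID = "1a2b3c4d-0000-4000-8000-000000000001"
TABLET_UUID = "1a2b3c4d-0000-4000-8000-000000000002"
CLI_UUID = "1a2b3c4d-0000-4000-8000-000000000003"


def _entry(uuid: str, app_id: str, name: str) -> dict:
    """Build one constructed listing entry; field names follow the 5.6 REST
    schema (uuid, app_id, name, created, last_used, last_ip) plus _links."""
    return {
        "uuid": uuid,
        "app_id": app_id,
        "name": name,
        "created": "2021-01-02T10:00:00",
        "last_used": "2021-01-10T09:00:00",
        "last_ip": "203.0.113.10",
        "_links": {"self": [{"href": BASE + uuid}]},
    }


# Constructed: what a listing of the current user's passwords might contain.
SAMPLE_LISTING = json.dumps([
    _entry(PHONE_UUID, SHARED_APP_ID, "Example App (phone)"),
    _entry(TABLET_UUID, SHARED_APP_ID, "Example App (tablet)"),
    _entry(CLI_UUID, SINGLE_APP_ID, "Example CLI"),
])


def passwords_for_app_id(listing_json: str, app_id: str) -> list:
    """The workaround from the ticket: filter the listing by app_id."""
    return [p for p in json.loads(listing_json) if p.get("app_id") == app_id]


def resolve_own_uuid(listing_json: str, app_id: str) -> Optional[str]:
    """Return the client's own UUID only when app_id identifies it uniquely.
    When several installs share an app_id, the client cannot tell which
    entry is its own, so this returns None rather than guessing."""
    matches = passwords_for_app_id(listing_json, app_id)
    if len(matches) != 1:
        return None
    return matches[0]["uuid"]


def introspect(listing_json: str, authenticated_uuid: str) -> Optional[dict]:
    """Simulated introspect route: the server already knows which password
    authenticated the request, so it returns that entry directly, or None
    (a 404 in the ticket's proposal) if no entry matches."""
    for entry in json.loads(listing_json):
        if entry["uuid"] == authenticated_uuid:
            return entry
    return None


def self_link(entry: dict) -> Optional[str]:
    """Follow the `self` link of a prepared response to find the route the
    client would use to update or delete that credential."""
    links = entry.get("_links", {}).get("self", [])
    return links[0]["href"] if links else None


if __name__ == "__main__":
    print("shared app_id matches:", len(passwords_for_app_id(SAMPLE_LISTING, SHARED_APP_ID)))
    print("resolved by app_id:", resolve_own_uuid(SAMPLE_LISTING, SHARED_APP_ID))
    own = introspect(SAMPLE_LISTING, TABLET_UUID)
    print("introspect:", own["name"] if own else None, "->", self_link(own) if own else None)
```

Run as a script it shows the by-`app_id` lookup returning two candidates and no resolution, while the introspect-style lookup returns exactly the tablet's entry and its `self` link; the `self` link, not the introspect route itself, is what the client would then use for update or delete.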