Broad conceptual overview of varying methods. #15
Description
This observation came to me last night as I was writing up a summary in a DM to @kadamwhite and it felt relevant so I wanted to polish it up and post it publicly.
It feels like there's three main types of credentials that are being discussed for use and storage -- across all methods I've seen.
- Your actual permanent username and password
- A generated set of revokable credentials
- A temporary token that expires after a set amount of time (generally crypto based)
Here's a summation of how I've seen methods fit into these -- I'll try to keep the table updated as discussion progresses:
If anyone can contribute lines to the table with data on other authentication plugins (including various other flavors of jwt and oauth), please do so.
| Method | Real Credentials | Revokable Credentials | Temporary Token |
|---|---|---|---|
| Cookie & Nonce | ❌ | ✔️Revokable Session Cookie | ✔️12-24h nonce |
| XML-RPC | ✔️For each request | ❌ | ❌ |
| Basic Auth #42790 | ✔️For each request | ❌ | ❌ |
| wordpress/application-passwords | ❌ | ✔️App Password | ❌ |
| indieweb/wordpress-indieauth | ❌ | ✔️high entropy revokable token | ❌ |
| wp-api/oauth2 | ❌ | ✔️Client | ❌ Access Token, no refresh support |
| wp-api/jwt-auth | ❌ | ✔️Key Pair | ✔️One week, and refreshable if api key is valid |
| tmeister/wp-api-jwt-auth | ✔️Weekly, for generating token | ❌ | ✔️One week |
Notes:
If I'm mistaken on any of these summations, or mischaracterize any, please let me know below so we can keep the data accurate. I'm not by any stretch an expert on all of these methods, so while I've tried to source and link to explain my assertions, if I've gotten anything wrong, please correct me.
If the only use of the "real" credentials is being entered directly into the site by the user for authentication, but never seen or stored by the client app, I'm treating them as not used.