Hi all,

We are currently discussing[1] an implementation of OAuth for WordPress and what this would mean for our mobile apps[2].

It was noted that the new recommendation will completely discourage the use of the password grant. While I agree in principle that this is a good thing overall, we will have to find a migration path. Going through the meeting minutes[3] I noticed this was already on your radar, but I haven't been able to find any further mention:

> Need to provide alternatives to lots of folks using this grant

As I mentioned in our discussion, our reality is that we have thousands of existing users for whom we only have passwords, and we would need a migration path to obtain tokens for those users. Without the password grant, I don't see a clear way to do that without asking users to log in again.

Besides that, I expect a transitional period where we will also need to keep the user's password to be able to interact with legacy APIs that don't support the use of a token yet. Again, I don't see a way forward that doesn't involve asking users to log in twice.

I would appreciate any further insights or guidelines about migrating existing credentials and supporting legacy APIs while we transition.

Thanks,
Koke

[1] https://github.com/WP-API/authentication/issues/1
[2] https://apps.wordpress.com/mobile/
[3] https://tools.ietf.org/wg/oauth/minutes?item=minutes-104-oauth-00.html

--
Jorge Bernal | jber...@gmail.com | jo...@automattic.com
Mobile Engineer @ Automattic | http://automattic.com/
http://koke.me/ | http://twitter.com/koke

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth