#wordpress 2019-11-01

2019-11-01 UTC
[qubyte], [KevinMarks], maxwell, gRegorLove, [jgmac1106], [Lewis_Cowles], [fluffy], [jeremycherfas], IWSlackGateway, [rem], [LewisCowles] and [frank] joined the channel
#
[frank]
@GWG you're visiting WCUS?
#
GWG
Yes, got convinced
#
[frank]
My buddy Remkus de Vries is Manager of Partnerships at Yoast and WCEU organizer. He's there as well. If you find the time, it's good to connect with him. He's pro-indieweb and a friendly giant 🙂
#
GWG
Okay
[KevinMarks], [xavierroy], [Michael_Beckwit, [tantek] and [snarfed] joined the channel
#
GWG
Okay, off to camp
gRegorLove and [LewisCowles] joined the channel
#
GWG
I found David Wolfpaw, the individual who keeps giving Indieweb talks at WordCamps
[chrisbergr], [tantek], [Michael_Beckwit, [KevinMarks] and [dougbeal] joined the channel
#
GWG
About to sit in on rest API and authentication
#
GWG
Hopefully it reveals things I don't know. I read a lot about it when doing IndieAuth
[jgmac1106] and McLovinDiscord[m joined the channel
#
GWG
He thinks the future is JWT
#
GWG
I considered asking about IndieAuth
#
[Michael_Beckwit
WP core loves their js
#
GWG
Well, we'll see if I can chat more with the rest API guys on Sunday
[snarfed], Oclair and [KevinMarks] joined the channel
#
aaronpk
Well IndieAuth doesn't preclude JWT
#
aaronpk
IndieAuth is a way for apps to *get* tokens which might be JWTs
[tantek] joined the channel
#
GWG
aaronpk: He was advocating against oauth2 in any form
[Michael_Beckwit joined the channel
#
[Michael_Beckwit
he who, in this case?
#
[Michael_Beckwit
Brian Richards?
#
[Michael_Beckwit
or Jonny Harris?
#
aaronpk
GWG: any links to public stuff he's written about this?
#
aaronpk
This sounds like a terrible path to go down and I would like to shoot it down
#
GWG
Jonny Harris
#
GWG
He's popped up on my radar before, but I also saw many rest api team members
#
GWG
I may try to do something with them on Sunday
#
[Michael_Beckwit
i’ve actually enjoyed working with oauth2
#
aaronpk
Ooh he posted slides from his talk Jonny Harris @ WCUS 🇺🇸 (@thespacedmonkey) Tweeted:
#
aaronpk
Here are the slides from my talk #wceu about the REST API and authentication. Find the slides here https://t.co/jx0ZSBIEgp
#
aaronpk
reading now
#
aaronpk
oops bad copypasta thanks Twitter
#
aaronpk
Um I am seriously concerned by some of this
#
GWG
Me too, which part?
#
aaronpk
his "does not require SSL" feature seems to be used in places that do require SSL unless he is explaining things in person that are not on the slides
#
GWG
He did not
#
aaronpk
also his conclusion "lets use JWTs instead of OAuth" is facepalm
#
[Michael_Beckwit
my guess is everything from `slide 1` to `count( $slides )`
#
aaronpk
what if I told you that you can use JWTs *and* OAuth
#
[Michael_Beckwit
i have a feeling Aaron is thinking a counter blog post
#
aaronpk
Is it worth it?
#
aaronpk
There's lots of randos on the internet that propose terrible authentication solutions and there isn't enough time to respond to them all
#
[Michael_Beckwit
i dunno
#
aaronpk
the question is whether this guy has any actual leverage in the project and also whether he is willing to accept other ideas and possibly change his mind
#
[jgmac1106]
based on his bio he doesn't maintain that part of core....
#
[jgmac1106]
unless the "users component" is where authentication is kept..
#
GWG
aaronpk: I read your book and know you use jwt and oauth
#
[Michael_Beckwit
what book? i wanna read a book
#
GWG
[jgmac1106]: He had the rest team in the front row asking leading questions
[grantcodes] joined the channel
#
[grantcodes]
I think it's also from a user flow side of things with the WordPress api, (although I'm no expert) if you use WordPress oauth you have to send the user to the WordPress login page - which looks pretty strange if you don't know you're using WordPress.
#
[Michael_Beckwit
ooh
#
GWG
Yes, but why should you not know that
#
aaronpk
[grantcodes]: One of the things missing in his slides and in his conclusion is a description of how tokens get sent to apps
#
aaronpk
like sure use JWTs but what is your plan to get those into apps?
#
[grantcodes]
As well as not needing to provide auth for different services ala oauth.
#
GWG
He was asked and glossed over it
#
aaronpk
OAuth is how that happens
#
aaronpk
That application password plugin is basically OAuth but manual copy pasting tokens lol
#
[Michael_Beckwit
be back later 😄
#
[grantcodes]
GWG: You wouldn't know if you're using a mobile app that uses the api + many more fairly common use cases
#
GWG
aaronpk: I learned a lot from watching you in this case
#
aaronpk
[grantcodes]: How are they gonna get their magic JWT token into the app? He kind of forgot to describe any actual workflow and is just like ooh shiny