
OAuth problems #866

Open
afragen opened this issue Mar 24, 2020 · 4 comments

Comments

@afragen
Owner

afragen commented Mar 24, 2020

I have a branch oauth where I was working on OAuth authentication for all git hosts. I got to a reasonable place but hit a roadblock as each git host requires the creation of an OAuth app that requires a callback. This callback must be set to a site.

My only recourse would be to create a site whose sole function would be to take the authentication callback and figure out how to return the token to the user. My guess is that I would essentially be displaying OAuth tokens on the site that the user would copy into the appropriate location. This is not what I envisioned for this feature.

I could certainly be wrong but I don't see a way for the plugin to ask for an OAuth token and have the response returned to the user's site.

It looks like #323 and #848 are going to be difficult and I don't have the time or resources at the moment. Sorry.

@Gaffen

Gaffen commented Apr 30, 2020

Hey, I've done some OAuth in the past. What if you made the WordPress site that github-updater is installed on the location of the callback? You could then save the tokens as WordPress options and potentially do token refreshes too.

If you think this is a workable solution I may be able to find some time to help, let me know.
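The proposal above, sketched as an added example that is not part of this thread or of GitHub Updater's code: the WordPress site registers a REST route as the OAuth 2.0 redirect URI, binds the flow to a single-use `state`, exchanges the code server-side and stores the token as an option instead of displaying it. Option names, the `ghu-example/v1` namespace and a generic authorization-code provider are assumptions.

```php
<?php
// Added example (not GitHub Updater's code): OAuth 2.0 authorization-code callback
// hosted on the WordPress site. Hypothetical option names and REST namespace.
add_action( 'rest_api_init', function () {
    register_rest_route( 'ghu-example/v1', '/oauth/callback', [
        'methods'             => 'GET',
        'callback'            => 'ghu_example_oauth_callback',
        // The provider redirects the browser here without a REST nonce, so WordPress
        // treats the request as anonymous; the single-use state proves an admin started it.
        'permission_callback' => '__return_true',
    ] );
} );

// Step 1 (called from an admin screen): build the authorize URL with a random state.
function ghu_example_authorize_url( string $authorize_url, string $client_id ): string {
    $state = wp_generate_password( 32, false );
    // Keyed by a hash so the raw state is never stored; expires in 10 minutes.
    set_transient( 'ghu_example_oauth_' . hash( 'sha256', $state ), get_current_user_id(), 10 * MINUTE_IN_SECONDS );
    return add_query_arg( [
        'client_id'     => $client_id,
        'response_type' => 'code',
        'redirect_uri'  => rest_url( 'ghu-example/v1/oauth/callback' ),
        'state'         => $state,
    ], $authorize_url );
}

// Step 2: the provider redirects back with ?code=...&state=...
function ghu_example_oauth_callback( WP_REST_Request $request ) {
    $key = 'ghu_example_oauth_' . hash( 'sha256', (string) $request->get_param( 'state' ) );
    if ( false === get_transient( $key ) ) {
        return new WP_Error( 'bad_state', 'Unknown or expired state', [ 'status' => 400 ] );
    }
    delete_transient( $key ); // one-time use: a replayed callback fails here
    $resp = wp_remote_post( get_option( 'ghu_example_token_url' ), [
        'headers' => [ 'Accept' => 'application/json' ],
        'body'    => [
            'grant_type'    => 'authorization_code',
            'code'          => (string) $request->get_param( 'code' ),
            'redirect_uri'  => rest_url( 'ghu-example/v1/oauth/callback' ),
            'client_id'     => get_option( 'ghu_example_client_id' ),
            'client_secret' => get_option( 'ghu_example_client_secret' ),
        ],
    ] );
    $body = is_wp_error( $resp ) ? [] : json_decode( wp_remote_retrieve_body( $resp ), true );
    if ( empty( $body['access_token'] ) ) {
        return new WP_Error( 'no_token', 'Token exchange failed', [ 'status' => 502 ] );
    }
    // Persist the token as a non-autoloaded option rather than showing it to the user.
    update_option( 'ghu_example_oauth_token', $body, false );
    return rest_ensure_response( [ 'ok' => true ] );
}
```

The callback only decides where the token lands; what it can read is still set by the scopes the git host's OAuth app grants.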

@afragen
Owner Author

afragen commented Apr 30, 2020

@Gaffen if we can figure out how to use OAuth 2.0 as a replacement for setting authorization headers I think that's a better long term solution.

At this time, all git hosts can accept an authorization header that contains either a modified access token, or pseudo-token for Bitbucket, or an actual OAuth 2.0 token in a similar header.

What this means is this is not as high a priority. If git hosts ever remove this ability then it clearly becomes a higher priority.

I appreciate the offer, but at this time I don't wish to waste your energies. I may come back though. 😉

I'll leave the oauth branch open for this.

@cbratschi

Right now we are using a pseudo user account which has read-only rights to access Bitbucket. Bitbucket supports SSH access keys, which would be the better solution. If GitHub Updater would support this feature we could use different SSH keys for different projects. Therefore if someone gets access to our site, only this single repository can be read. Our pseudo user account was already compromised once because a plugin provider was granted access to a copy of one installation and we received a login warning from Bitbucket. In such cases we have to reset the password and update all sites to get GHU updates working again.

https://support.atlassian.com/bitbucket-cloud/docs/add-access-keys/

Bitbucket OAuth provides for instance read access to all repositories. Unfortunately there seems to be no way to get access to a single repository. With access keys this is possible.

https://support.atlassian.com/bitbucket-cloud/docs/use-oauth-on-bitbucket-cloud/

@afragen
Owner Author

afragen commented Feb 26, 2021

@cbratschi unfortunately WordPress does not use SSH access keys in any manner. WordPress uses HTTP GET/POST requests. Personal access tokens can be used, and are used, as authentication for GET requests. This simply isn't possible using SSH keys.

Bitbucket personal access tokens only need to be given read privileges; never grant write privileges, as this plugin doesn't need them.

Also, please create a new issue as your issue is completely unrelated to everything else posted in this issue. Thanks.

@afragen afragen removed the cant-fix label Oct 25, 2022