dshanske
commented
4 years ago I wrote the endpoints for indieweb/wordpress-indieauth, which is an identity layer over OAuth2. It does not require real credentials, it uses, similar to Application Passwords, a randomly generated long token which is revokable. It does not offer a temporary token, although supporting expiring tokens and refresh tokens is trivial.
TimothyBJacobs
This observation came to me last night as I was writing up a summary in a DM to @kadamwhite and it felt relevant so I wanted to polish it up and post it publicly.
It feels like there's three main types of credentials that are being discussed for use and storage -- across all methods I've seen.
Here's a summation of how I've seen methods fit into these -- I'll try to keep the table updated as discussion progresses:
If anyone can contribute lines to the table with data on other authentication plugins (including various other flavors of jwt and oauth), please do so.
Notes:
If I'm mistaken on any of these summations, or mischaracterize any, please let me know below so we can keep the data accurate. I'm not by any stretch an expert on all of these methods, so while I've tried to source and link to explain my assertions, if I've gotten anything wrong, please correct me.
If the only use of the "real" credentials is being entered directly into the site by the user for authentication, but never seen or stored by the client app, I'm treating them as not used.