Open dshanske opened 4 years ago
For what it's worth, here's a functional UI I'd written some years ago to test whether or not the current site supports Authorization headers, and displays a message to the user if not:
https://github.com/WordPress/application-passwords/commit/16af809dcaeb347baef8f3a116170eef1bca6633
It just generates a dummy username and password, passes them as an Authorization: Basic base64-encoded header to a REST API endpoint, and checks to make sure the endpoint got the username and password and returned them in turn.
It doesn't do anything with actual passwords, just dummy strings.
@georgestephanis I have similar code in my IndieAuth plugin (https://github.com/indieweb/wordpress-indieauth). It creates a login form page and sends in a dummy payload and returns success or failure. This can then be queried by site health.
I have learned through my writing of the IndieAuth Authentication plugin that the largest number of filed issues around the plugin involved hosting providers not supporting the passing of authorization headers. Regardless of how we do tokens, passing them in the header is the preferred method for OAuth2.
This means we need to ensure this works on installations by testing for it (thank you, site health features), etc.
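The round-trip check both comments describe, written out as an added example in Python rather than PHP so it runs stand-alone; it is not code from application-passwords or wordpress-indieauth. The echo endpoint is a local `http.server` stand-in for the REST route (the `/echo-auth` path, the handler names and `run_demo` are all assumptions for this example), and a second handler that discards the `Authorization` header mimics a host that never passes it through to the application. The client generates throwaway credentials, sends them as `Authorization: Basic <base64>`, and only reports success if the endpoint echoes back exactly what was sent.

```python
import base64
import http.server
import json
import secrets
import threading
import urllib.request
from urllib.error import HTTPError


def parse_basic_authorization(header):
    """Decode an HTTP Basic Authorization header into (user, password).

    Returns None when the header is absent, is not a Basic scheme, is not
    valid base64, or carries no ':' separator.
    """
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


class EchoAuthHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the REST echo route (hypothetical, not a WordPress endpoint).

    Whatever Basic credentials arrive are decoded and returned as JSON so the
    client can compare them with what it sent.
    """

    # Subclasses set this True to behave like a host that drops the header
    # before the application ever sees it.
    strip_authorization = False

    def do_GET(self):
        header = None if self.strip_authorization else self.headers.get("Authorization")
        creds = parse_basic_authorization(header)
        body = {"user": creds[0], "password": creds[1]} if creds else {"user": None, "password": None}
        payload = json.dumps(body).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):
        pass  # keep the demo quiet


class StrippingHostHandler(EchoAuthHandler):
    """Simulates hosting that never forwards the Authorization header."""
    strip_authorization = True


def authorization_header_works(endpoint_url, timeout=5):
    """Client side of the check: random dummy credentials, never a real password.

    Passes only if the endpoint reports seeing exactly the user and password
    that were sent; any transport error or mismatch counts as a failure.
    """
    user = "ah-check-" + secrets.token_hex(8)
    password = secrets.token_urlsafe(24)  # URL-safe alphabet, so no ':' inside
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(endpoint_url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            seen = json.loads(resp.read().decode("utf-8"))
    except (HTTPError, OSError, ValueError):
        return False
    return seen.get("user") == user and seen.get("password") == password


def start_server(handler_cls):
    """Start a local echo server on a random port; returns (server, endpoint URL)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/echo-auth"


def run_demo():
    """Run the check against a cooperative host and a header-stripping one.

    Returns (result_on_good_host, result_on_stripping_host).
    """
    results = []
    for handler in (EchoAuthHandler, StrippingHostHandler):
        server, url = start_server(handler)
        try:
            results.append(authorization_header_works(url))
        finally:
            server.shutdown()
            server.server_close()
    return tuple(results)


if __name__ == "__main__":
    good, stripped = run_demo()
    print(f"header forwarded: {good}; header stripped by host: {stripped}")
```

In a real deployment the client call is made against the site's own REST URL, and a `False` result is what a site-health test would surface to the user. The most common cause of that failure is PHP running as CGI/FastCGI under Apache, which does not expose `Authorization` to the script unless the server config explicitly passes it through (for example via a rewrite rule that copies `%{HTTP:Authorization}` into `HTTP_AUTHORIZATION`); the check above cannot tell you why the header went missing, only that it did.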