Questions about plugin development and 3rd party website authorisation
I am developing a WP plugin for general distribution that requires access to a third party web service. The service’s API offers authorisation by HTTP basic authorisation and OAuth2.
I understand that OAuth2 is the most secure method but I also see that both methods require a private key to be stored client side: basic authorisation has the API key and OAuth2 has the client ID secret. Are both methods equally vulnerable if a third party gains access to either of those keys?
I am inclined to use OAuth2 but this requires registering the application with the service. Will each user need to register their website as a separate application or should I register the plugin (and therefore all sites that use it) as a single application?
Finally, I’m concerned that even though OAuth2 offers better security, setting it up might feel like too much work for some users. To this end, I have not ruled out using basic authorisation. I would need to store the user’s credentials. I’ve seen popular plugins save the API key straight to the options without hashing. Is this wise? Does WP provide any tools for storing things in the DB securely?