• I am developing a WP plugin for general distribution that requires access to a third party web service. The service’s API offers authorisation by HTTP basic authorisation and OAuth2.

    I understand that OAuth2 is the most secure method, but I also see that both methods require a private key to be stored client side: basic authorisation has the API key and OAuth2 has the client ID secret. Are both methods equally vulnerable if a third party gains access to either of those keys?

    I am inclined to use OAuth2 but this requires registering the application with the service. Will each user need to register their website as a separate application or should I register the plugin (and therefore all sites that use it) as a single application?

    Finally, I’m concerned that even though OAuth2 offers better security, setting it up might feel like too much work for some users. To this end, I have not ruled out using basic authorisation. I would need to store the user’s credentials. I’ve seen popular plugins save the API key straight to the options without hashing. Is this wise? Does WP provide any tools for storing things in the DB securely?

Viewing 1 replies (of 1 total)
  • Moderator bcworkz

    (@bcworkz)

    The authorisation scheme to use partly depends on the requirements and TOS of the API you are accessing. Whichever scheme makes sense likely would not include other plugin users using your API key. Unless the plugin users are a small limited group that you have personal knowledge of, such a scheme carries liability burdens you should not wish to take on.

    If the API key really must be client side, the provider’s scheme should relate the key to a specific domain so that others cannot use the key on their own site. For example, the Google Maps JS API does this with their keys. The key is in plain sight on the client page source, but trying to use it on another domain will fail because Google’s map servers verify the referring domain against the key used.

    It may be the key does not need to be client side. Requests could be channelled through the server. The server makes the API request and relays the results back to the client. This might be the scheme in place where the key is stored in settings somewhere.
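    The server-side relay described in the reply, as an added example that is not code from the thread or from WordPress itself: the key is read from the options table and used only in the outbound request, while the browser talks to a REST route that requires a capability. The option name, route, and upstream URL are placeholders.

    ```php
    <?php
    // Added example: relay a third-party API call through the WordPress server so the
    // API key never reaches the client page. Assumed placeholders: option
    // 'myplugin_api_key', route 'myplugin/v1/lookup', upstream https://api.example.com/v1/lookup.

    add_action( 'rest_api_init', function () {
        register_rest_route( 'myplugin/v1', '/lookup', array(
            'methods'             => 'GET',
            'callback'            => 'myplugin_relay_lookup',
            // Restrict who may trigger upstream calls; an open relay lets anyone spend
            // the site's API quota (and its key's reputation) anonymously.
            'permission_callback' => function () {
                return current_user_can( 'edit_posts' );
            },
            'args' => array(
                'q' => array(
                    'required'          => true,
                    'sanitize_callback' => 'sanitize_text_field',
                ),
            ),
        ) );
    } );

    function myplugin_relay_lookup( WP_REST_Request $request ) {
        $api_key = get_option( 'myplugin_api_key', '' );
        if ( '' === $api_key ) {
            return new WP_Error( 'myplugin_not_configured', 'API key not set.', array( 'status' => 500 ) );
        }

        // add_query_arg() does not URL-encode values, so encode the user input explicitly.
        $url      = add_query_arg( 'q', rawurlencode( $request['q'] ), 'https://api.example.com/v1/lookup' );
        $response = wp_remote_get( $url, array(
            'timeout' => 10,
            'headers' => array(
                // HTTP basic auth against the upstream service, sent server-to-server only.
                'Authorization' => 'Basic ' . base64_encode( $api_key . ':' ),
            ),
        ) );

        if ( is_wp_error( $response ) ) {
            // Return a generic error; the upstream message may carry request details.
            return new WP_Error( 'myplugin_upstream', 'Upstream request failed.', array( 'status' => 502 ) );
        }

        $code = wp_remote_retrieve_response_code( $response );
        $body = json_decode( wp_remote_retrieve_body( $response ), true );
        return new WP_REST_Response( $body, 200 === $code ? 200 : 502 );
    }
    ```

    The client-side script then calls `/wp-json/myplugin/v1/lookup?q=...` with the REST nonce, and the key stored in `myplugin_api_key` is never exposed in page source.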

  • The topic ‘Questions about plugin development and 3rd party website authorisation’ is closed to new replies.