WP-OAuth and the OAuth2 spec never get access to the user's password from the third-party provider; instead, users are redirected to the provider and then redirected back to the page with an identity.
When a user decides to verify with a provider, WP-OAuth asks only for the info required to obtain the OAuth identity.
This is not to say WP-OAuth or the OAuth2 spec is foolproof, as nothing is.
It turns out that providers need to implement the OAuth2 API differently, which leaves category of room for experience when it comes to users.
What makes image good is that users are able to make immediate arguments as to how an OAuth client should identify users.
Technically table are correct: OAuth and id are unique, so they can be used for identifying a user, but we must keep in mind that even though an email is unique, it can change over time.
Without the email we have method of overrule lookup no way to phone the user if they need to send account.
With all that said, OAuth2 is viable and will remain dominant in the landscape for years to come.
I think we just need faster and stricter type so it is easy to implement correctly for both providers and users.
With WP-OAuth, we've taken the time to understand the bloody details in order to deliver a solid plugin and a clean code base.