Re: How to make oauth authentication with wikipedia?

rupert THURNER-2
On Sun, Jul 29, 2018 at 4:30 PM, Bryan Davis <[hidden email]> wrote:

> On Sun, Jul 29, 2018 at 12:37 AM rupert THURNER
> <[hidden email]> wrote:
> >
> > if one takes an example, like https://tools.wmflabs.org/video2commons/, is
> > this implemented like it should? is there any difference from "any"
> > application or applications on the tools server? am looking at the code
> > here currently:
> > https://github.com/toolforge/video2commons/blob/master/video2commons/frontend/app.py
> > the "dologin" method.
>
> Yes, there is a major difference between a web application like the
> video2commons tool and a device native application like an Android
> app. That difference is that in a web application secret data can be
> kept on the web server side that is not visible to the end user. This
> allows the OAuth application secret to be used in signing requests to
> the Wikimedia servers without exposing that secret to anyone who is
> looking at the source code of the web application. This separation is
> not possible when the application is running on end-user controlled
> devices as a phone or desktop application does.
>
>
interesting, never thought about it. i found an entry on stackexchange
confirming what you said. additionally it states that oauth is not for
authentication. oauth's purpose is to access users' resources from some
resource provider, while openid_connect should be used to authenticate.
does openid_connect work with wikipedia and is it the best option currently?

[0]
https://security.stackexchange.com/questions/133065/why-is-it-a-bad-idea-to-use-plain-oauth2-for-authentication

[1] https://connect2id.com/learn/openid-connect
[2] https://www.mediawiki.org/wiki/Extension:OpenID_Connect

rupert
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Gergo Tisza
On Mon, Aug 6, 2018 at 12:40 AM rupert THURNER <[hidden email]>
wrote:

> interesting, never thought about it. i found an entry on stackexchange
> confirming what you said. additionally it states that oauth is not for
> authentication. oauth's purpose is to access users' resources from some
> resource provider, while openid_connect should be used to authenticate.
> does openid_connect work with wikipedia and is it the best option
> currently?
>

OpenID Connect uses OAuth 2 and Wikipedia only supports OAuth 1 currently.
We have a custom authentication endpoint that works in a similar way to
OpenID Connect:
https://www.mediawiki.org/wiki/OAuth/For_Developers#Identifying_the_user
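
An added illustration (not part of the thread and not video2commons code) of the point made above about keeping the application secret on the web server: in OAuth 1.0a HMAC-SHA1 signing as specified in RFC 5849, the consumer secret is part of the HMAC key, so the provider accepts a request only from a party that holds it. The URL, keys and secrets in `demo()` are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def enc(value):
    # RFC 5849 section 3.6: everything except unreserved characters is escaped.
    return quote(str(value), safe="~")

def base_string(method, url, params):
    # Parameters are encoded, sorted, joined, then encoded again as one unit.
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # The HMAC key is built from the consumer secret and the token secret.
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    text = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()

def provider_accepts(method, url, params, signature, consumer_secret, token_secret=""):
    # Provider side: recompute with the registered secret, compare in constant time.
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

def demo():
    # Constructed placeholders, not real Wikimedia credentials or endpoints.
    url = "https://wiki.example.org/w/api.php"
    params = {"action": "query", "oauth_consumer_key": "demo-consumer",
              "oauth_nonce": "n-0001", "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": "1533513600", "oauth_token": "demo-token",
              "oauth_version": "1.0"}
    secret, token_secret = "server-side-consumer-secret", "per-user-token-secret"
    sig = sign("GET", url, params, secret, token_secret)
    unkeyed = sign("GET", url, params, "not-the-secret", token_secret)
    return {
        # Signed on the web server, where the secret lives: accepted.
        "server_signed": provider_accepts("GET", url, params, sig, secret, token_secret),
        # Same signature, but a parameter changed after signing: rejected.
        "tampered_params": provider_accepts("GET", url, dict(params, action="edit"),
                                            sig, secret, token_secret),
        # Signed without knowledge of the consumer secret: rejected.
        "signed_without_secret": provider_accepts("GET", url, params, unkeyed,
                                                  secret, token_secret),
    }

if __name__ == "__main__":
    print(demo())
```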