On Fri, Feb 22, 2013 at 12:40 PM, Greg Grossmeier <greg(a)wikimedia.org>wrote;wrote: This isn't really a matter of having one or the other. As Marc has mentioned, we need some non-hacky form of authentication for bots, tools, out-of-cluster applications, and non-mediawiki applications. OpenID as a consumer is a more difficult task for a number of reasons. I like to tackle problems one at a time and making a provider is an easy first step. - Ryan

On 02/22/2013 03:17 PM, maiki wrote: The latter. I can elucidate a number of scenarios where that is beneficial, but the primary one from my perspective is that of authenticating for external tools (like bots and webservices) written by community developers. Each of them currently need their own mechanism, have to implement baroque processes to associate a Wiki[mp]edia account, and increase exposure of credentials for the users. OpenID neatly fixes all that in one, simple to implement, open and well known manner. -- Marc

On 2013-02-22 4:43 PM, "Marc A. baroque processes to associate a Wiki[mp]edia account, and increase exposure of credentials for the users. Actually theres been a centralized method of doing that for a while now (TUSC), so each tool is not reinventing the wheel, but open id sounds much less hacky. -bawolff P.s. I agree with Marc's comment about meta but didnt want to mention it out of concern for that being considered a bikeshed over which domain (but really meta seems the most logical place)

On 02/22/2013 03:43 PM, Marc A. Pelletier wrote: OpenID allows you to tell a tool, "I can prove I am User:JohnSmith on Wikimedia". That will work as a standard replacement for TUSC. Thus, tools like CommonsHelper (https://toolserver.org/~magnus/commonshelper.php) will be able to verify who you are. However, they will still have to do the actual edits/actions themselves. For instance, if you want CommonsHelper to do the actual upload, it's actually done by https://commons.wikimedia.org/wiki/User:File_Upload_Bot_%28Magnus_Manske%29 . A better solution would be OAuth, which is a more flexible way of letting apps act directly on a user's behalf in confined ways. For example, we could have OAuth scopes for: * Editing * Watchlist changes * Uploading and potentially many more. See https://www.mediawiki.org/wiki/OAuth#Scope Then, using the CommonsHelper example again, if I uploaded something through the OAuth version of that tool, it would show as uploaded by me. Another good part of OAuth is that individual users revoke an app at any time if it misbehaves. So OpenID is an interim step (and has secondary benefits), but I think OAuth is the way to go medium-term. People (including Chris Steipp) are already working on this, which is great. https://www.mediawiki.org/wiki/OAuth Matt Flaschen

Do you intend to cover both SUL and legacy accounts? I suspect that meta might not work due to the fact that there might be some accounts that were created on meta, but never merged. So either the URL would have to be different from the regular [[User:Xxx]] @ meta, like meta.wikimedia.org/user/sul/Xxxx (SUL account) or meta.wikimedia.org/user/enwiki/Xxxx (nonmerged enwiki-only account, or a new domain should be setup. On Fri, Feb 22, 2013 at 3:46 PM, Marc A. Pelletier <marc(a)uberbox.org> wrote:

On Fri, Feb 22, 2013 at 1:03 PM, James Forrester <jforrester(a)wikimedia.org>wrote;wrote: Totally agreed. I think it would be a waste of time to support non-global accounts. - Ryan

On Fri, Feb 22, 2013 at 2:03 PM, Jay Ashworth <jra(a)baylink.com> wrote: Any OpenID consumer, whether WMF or not, would be able to use us as an authentication provider. - Ryan

On Fri, Feb 22, 2013 at 2:30 PM, Thomas Gries <mail(a)tgries.de> wrote: I see no reason in doing so. If third parties want to allow Wikimedia as a provider, I don't see why we'd object. - Ryan

On 2013-02-22 7:20 PM, "Tyler Romeo" <tylerromeo(a)gmail.com> wrote: Which coincides to several bots/tools and would generally be quite useful. Quite honestly having bots make edits directly on someones behalf using their account sounds scary. This would also be useful for test wikis people set up on labs. You could just authenticate via openid instead of creating a new account. -bawolff

On 02/22/2013 06:33 PM, Brian Wolff wrote: For autonomous bots, yes (they should keep using their own accounts). But for tools, it's common on other sites already, and makes sense here. Instead of the API requiring a user password and an elaborate token mechanism, it could just use OAuth. If an OAuth app misbehaves, a user can revoke it, or (in severe cases) it can be globally denied OAuth access. Matt Flaschen

This is exactly what I'm saying. It doesn't do this. If a tool has a username/password store, i.e., it uses the username and password of each user, enabling OpenID wouldn't solve the authentication problem. Like I said, it only works in cases where the bot does all of its work under its own account. Sure, it would be great, but allowing authentication as a consumer is a much more difficult step, and we're not ready to take it right now. OpenID How exactly is it so difficult? You just set the configuration option for the extension. *--* *Tyler Romeo* Stevens Institute of Technology, Class of 2015 Major in Computer Science www.whizkidztech.com | tylerromeo(a)gmail.com On Fri, Feb 22, 2013 at 6:48 PM, Ryan Lane <rlane32(a)gmail.com> wrote: > On Fri, Feb 22, 2013 at 3:19 PM, Tyler Romeo <tylerromeo(a)gmail.com> wrote: > > > To be absolutely clear, this does *not* solve the problem of bots/tools > > authenticating on behalf of a user. All it does is solve the problem of > > where a bot/tool authenticates under its own user account and, out of > pure > > courtesy for the community, asks users to prove their identity before > > allowing them to use the bot/tool. For bots/tools that actually perform > > edits as the user, OpenID would be useless. > > > > > You're confusing use cases. What you're talking is the use case for OAuth. > This thread isn't about OAuth. I believe we have plans to add OAuth next > quarter, but if you wish to continue discussing it, please make a new > thread. > > > > Also, I think Wikipedia acting as an OpenID consumer would be bounds more > > useful than acting as a provider. That's not to say that having both > > wouldn't be a good idea, but the consumer side of it should definitely > be a > > priority. Think of sites now like StackOverflow, where creating an > account > > is as simple as pressing a few Accept buttons. > > > > > Sure, it would be great, but allowing authentication as a consumer is a > much more difficult step, and we're not ready to take it right now. OpenID > > - Ryan > _______________________________________________ > Wikitech-l mailing list > Wikitech-l(a)lists.wikimedia.org > https://lists.wikimedia.org/mailman/listinfo/wikitech-l >

On 02/22/2013 07:31 PM, Ryan Lane wrote: This, alone, makes the case for me. There is support for OpenID: https://github.com/jalcine/bugzilla-openid. Now, if we could make it possible to edit comments in Bugzilla... -- http://hexmode.com/ There is no path to peace. Peace is the path. -- Mahatma Gandhi, "Non-Violence in Peace and War"

On Sat, Feb 23, 2013 at 8:32 AM, Chad <innocentkiller(a)gmail.com> wrote: Would the fact that Bugzilla uses your e-mail address publicly for everything (rather than a separate account name) cause any problems when switching to OpenID? -- Casey Brown (Cbrown1023) caseybrown.org

Am 23.02.2013 00:48, schrieb Ryan Lane: Here is a nice figure taken from https://developers.google.com/accounts/docs/OpenID In case you cannot see the figure in the mail, goto section "Interaction_sequence" OpenID login process

On 02/22/2013 10:44 PM, Jay Ashworth wrote: IANAL, but I can't think of a scenario where allowing a user to prove "I am user X on Wikimedia projects" can create liability; if the client is pleased with the (proven) assertion for their purposes, they can use it. If not, they won't. -- Marc

----- Original Message ----- So, then, all OpenID guarantees is "this provider says it's the same person it was last time"? Cheers, -- jra -- Jay R. Ashworth Baylink jra(a)baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274

---- Original Message ----- I'm translating that as "yes". :-) I've always looked with rather a jaundiced eye at OpenID, as it was sold as "you can run your own authenticator service", and that always struck me as "I am who I say I am", which is, obviously, pretty useless, in the general case. (Early examples showed login boxes where you *provided the URL of a random OID provider*; clearly, if the site doesn't trust said provider, the transaction is useless.) Cheers, -- jra -- Jay R. Ashworth Baylink jra(a)baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274

On 02/22/2013 11:32 PM, Brian Wolff wrote: Some sites, like Stack Overflow, allow you to add alternate OpenIDs, which helps for temporary or permanent downtime. Matt Flaschen

So I definitely see the use case for OpenID as a provider (and as long as everybody is aware that OpenID is not OAuth, I'm fine with that), but I'm not a bot/tool developers. I am, however, a frequent user of the Internet, and I find it extraordinarily surprising that Wikipedia is one of the few sites still out there that doesn't have some sort of OpenID login. My main question is that if we're really taking the time to deploy Extension:OpenID on WMF wikis, why not put in the extra ten seconds to also allow consumers. People keep going on about how the account creation process is ugly and needs to be re-designed, and yet with OpenID it takes three clicks to register an account, and especially with the recent version push Thomas did, it's better than ever. Some sites, like Stack Overflow, allow you to add alternate OpenIDs, E:OpenID does this as well, not to mention you can always set a password and login traditionally. *--* *Tyler Romeo* Stevens Institute of Technology, Class of 2015 Major in Computer Science www.whizkidztech.com | tylerromeo(a)gmail.com On Fri, Feb 22, 2013 at 11:40 PM, Brian Wolff <bawolff(a)gmail.com> wrote: > On 2013-02-23 12:37 AM, "Matthew Flaschen" <mflaschen(a)wikimedia.org> > wrote: > > > > On 02/22/2013 11:32 PM, Brian Wolff wrote: > > > What ive always wondered is what happens if your oid provider goes > > > under/otherwise dissapears. I imagine that means you lose your user > account > > > all across the internet, which is a scary thought > > > > Some sites, like Stack Overflow, allow you to add alternate OpenIDs, > > > > > Matt Flaschen > > > > _______________________________________________ > > Wikitech-l mailing list > > Wikitech-l(a)lists.wikimedia.org > > https://lists.wikimedia.org/mailman/listinfo/wikitech-l > > Presumably you would have to do that before the downtime though as you > wouldn't be able to login once downtime starts. So one could easily be > caught off guard. > > -bawolff > _______________________________________________ > Wikitech-l mailing list > Wikitech-l(a)lists.wikimedia.org > https://lists.wikimedia.org/mailman/listinfo/wikitech-l >

Am 23.02.2013 05:40, schrieb Brian Wolff: E:OpenID is usually configured for standard (password) Login or OpenID Login, so with E:OpenID-enabled MediaWIkis (as Consumer) you are on the safe side regarding this aspect. You can associate one or many OpenIDs to your account. You can manage your OpenIDs (add further, delete unwanted) in a new preferences tab "OpenID". T.

On 02/22/2013 05:03 PM, Jay Ashworth wrote: Actually, that's the objective -- allow external tools to have their users be able to prove "I am Wikimedia user Coren" without having to hack around with edits-as-authentication-tokens or the enduser giving their credentials to some untrusted system. -- Marc