MediaWiki's authentication layer is getting a major overhaul. For more details see the announcement "MediaWiki authentication changes" sent to wikitech-l[1]; this email will repeat the portion relevant to bots. If you maintain an interactive application that uses API login, the details of how this will affect you aren't yet finalized; see the announcement on wikitech-l for more, or wait for a future announcement to this list once the details are available.

The "things will break" date has not yet been decided, but the goal is to have it ready by the end of February.

TL;DR: Switch your bot to OAuth if possible, or look at Special:BotPasswords (being deployed next week on WMF wikis) to set up a new username+password for your bot to use with action=login in the future.

The new authentication features mean that unattended login might no longer work since the login flow will now natively support user interaction: the account might have 2-factor enabled, or might need a password reset, or some other thing that requires user interaction. We've created two ways to work around this:
  • If possible, switch to OAuth. This week (1.27.0-wmf.10) "owner-only" consumers are being rolled out to make this easier for bot operators: log into your bot account, go to https://meta.wikimedia.org/wiki/Special:OAuthConsumerRegistration/propose, and create a consumer with the "This consumer is for use only by MyBotName" checkbox checked. The consumer will be approved for use immediately, with no waiting or trying to find someone who can approve the consumer for you. Owner-only consumers also don't tag every edit, since all the edits will be from the one account anyway.
  • If you need to continue using the existing action=login, next week (1.27.0-wmf.11) we're rolling out Bot Passwords. This is something like OAuth-lite, or Google's application passwords: go to Special:BotPasswords, set one up, and then use the new bot-password username and password to log in as you've always done (no code changes, just update your bot's configuration). It's already live in Beta Labs if you want to test it out.
action=login with the "main" account password might still continue to work after the new AuthManager is deployed, as long as nothing requires user interaction.

For bots that run on third-party wikis, Bot Passwords are in core and are enabled by default, but it's possible a wiki could disable them. OAuth is an extension that the wiki may or may not have installed.


 [1]: https://lists.wikimedia.org/pipermail/wikitech-l/2016-January/084501.html


--
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation
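
Added example, not part of the original email and not MediaWiki's or any bot framework's code: an unattended action=login routine that takes its credentials from configuration, so moving to a bot password changes no code, and that stops instead of retrying when the wiki does not answer Success. The `post` callable, the `BOT_USERNAME`/`BOT_PASSWORD` variable names, the `FakeWiki` stand-in and all account names, passwords and reason strings are assumptions constructed for the example.

```python
import os

class LoginError(Exception):
    """action=login ended in something other than Success."""

def load_credentials(env=os.environ):
    # BOT_USERNAME / BOT_PASSWORD are hypothetical variable names: switching
    # to a bot password only changes these values, not the bot's code.
    return env["BOT_USERNAME"], env["BOT_PASSWORD"]

def bot_login(post, username, password):
    """Unattended action=login. `post` sends form fields to api.php and
    returns the decoded JSON reply (an assumption standing in for HTTP)."""
    params = {"action": "login", "format": "json",
              "lgname": username, "lgpassword": password}
    reply = post(params)["login"]
    if reply["result"] == "NeedToken":
        # Two-step flow: repeat the request with the token the wiki returned.
        reply = post(dict(params, lgtoken=reply["token"]))["login"]
    if reply["result"] != "Success":
        # An unattended bot cannot answer a 2-factor or password-reset prompt,
        # so stop and alert the operator. The password never enters the message.
        raise LoginError(f"{reply['result']}: {reply.get('reason', 'no reason given')}")
    return reply["lgusername"]

class FakeWiki:
    """Constructed stand-in for api.php so the example runs offline."""
    TOKEN = "constructed-login-token"

    def __init__(self, bot_passwords, interactive_accounts):
        self.bot_passwords = bot_passwords                # username -> password
        self.interactive_accounts = interactive_accounts  # need user interaction

    def __call__(self, params):
        if params.get("lgtoken") != self.TOKEN:
            return {"login": {"result": "NeedToken", "token": self.TOKEN}}
        name = params["lgname"]
        if name in self.interactive_accounts:
            return {"login": {"result": "Failed",
                              "reason": "constructed: user interaction required"}}
        if self.bot_passwords.get(name) == params["lgpassword"]:
            return {"login": {"result": "Success", "lgusername": name.split("@")[0]}}
        return {"login": {"result": "Failed", "reason": "constructed: bad credentials"}}

if __name__ == "__main__":
    wiki = FakeWiki({"MyBotName@nightly": "constructed-bot-password"}, {"MyBotName"})
    env = {"BOT_USERNAME": "MyBotName@nightly", "BOT_PASSWORD": "constructed-bot-password"}
    print(bot_login(wiki, *load_credentials(env)))
```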