On 02/22/2013 03:43 PM, Marc A. Pelletier wrote:
On 02/22/2013 03:17 PM, maiki wrote:
Is this up for discussion, or are we at the point of planning deployment?
The latter. I can elucidate a number of scenarios where that is beneficial, but the primary one from my perspective is that of authenticating for external tools (like bots and webservices) written by community developers. Each of them currently need their own mechanism, have to implement baroque processes to associate a Wiki[mp]edia account, and increase exposure of credentials for the users.
OpenID allows you to tell a tool, "I can prove I am User:JohnSmith on Wikimedia". That will work as a standard replacement for TUSC.
Thus, tools like CommonsHelper (https://toolserver.org/~magnus/commonshelper.php) will be able to verify who you are. However, they will still have to do the actual edits/actions themselves. For instance, if you want CommonsHelper to do the actual upload, it's actually done by https://commons.wikimedia.org/wiki/User:File_Upload_Bot_%28Magnus_Manske%29 .
A better solution would be OAuth, which is a more flexible way of letting apps act directly on a user's behalf in confined ways. For example, we could have OAuth scopes for:
* Editing * Watchlist changes * Uploading
and potentially many more. See https://www.mediawiki.org/wiki/OAuth#Scope
Then, using the CommonsHelper example again, if I uploaded something through the OAuth version of that tool, it would show as uploaded by me.
Another good part of OAuth is that individual users revoke an app at any time if it misbehaves.
So OpenID is an interim step (and has secondary benefits), but I think OAuth is the way to go medium-term. People (including Chris Steipp) are already working on this, which is great.
https://www.mediawiki.org/wiki/OAuth
Matt Flaschen