On Wed, Aug 21, 2013 at 2:05 AM, Nicolas Vervelle nvervelle@gmail.com wrote:
Hi,
I'm completely new to OAuth, so bear with me if my questions are basic or I missed a point ;-) It seems interesting, but seems very oriented for web applications, not so much for desktop applications.
This is true, for exactly the reason you were asking about-- the secret key needs to be kept private, which is impossible when you distribute the application to other users. OAuth 2 has a framework for dealing with this, but it makes controlling consumers nearly impossible. So we wanted to start with OAuth 1 while everyone gets familiar with the concepts, and we see which use cases actually get used. We may extend the framework to allow situations like this in the future.
The best workaround now is probably to have each user register their copy of your desktop application as its own consumer. It's a little ugly having to give your user instructions on cutting and pasting tokens and keys around, but it can work (in the early days of Salesforce, several OAuth apps were configured this way).
I'm interested in developing this for WPCleaner [1], which is a desktop application. Is the callback URL required? If so, which one should you use for a desktop application?
For bots too, I'd like to have the extension implement something like https://developers.google.com/accounts/images/OauthUX_nocallback.png directly in the extension, but that wasn't something we were able to finish before this release.
Has anyone implemented the connection to WMF wikis using OAuth under Java?
No, not yet.
For this to work, you request client tokens (including secret key) for the client: do these tokens need to be kept private? I'm wondering, because keeping secrets for an open source desktop application is not easy.
Nico
[1] http://en.wikipedia.org/wiki/Wikipedia:WPCleaner
On Wed, Aug 21, 2013 at 6:15 AM, Chris Steipp csteipp@wikimedia.org wrote:
As mentioned earlier this week, we deployed an initial version of the OAuth extension to the test wikis yesterday. I wanted to follow up with a few more details about the extension that we deployed (although if you're just curious about OAuth in general, I recommend starting at oauth.net, or https://www.mediawiki.org/wiki/Auth_systems/OAuth):
- Use it: https://www.mediawiki.org/wiki/Extension:OAuth#Using_OAuth should get you started towards using OAuth in your application.
- Demo: Anomie set up an excellent initial app (I think counts as our first official, approved consumer) here https://tools.wmflabs.org/oauth-hello-world/. Feel free to try it out, so you can get a feel for the user experience as a user!
- Timeline: We're hoping to get some use this week, and deploy to the rest of the WMF wikis next week if we don't encounter any issues.
- Bugs: Please open bugzilla tickets for any issues you find, or enhancement requests-- https://bugzilla.wikimedia.org/enter_bug.cgi?product=MediaWiki%20extensions&...
And some other details for the curious:
- Yes, you can use this on your own wiki right now! It's meant to be used in a single or shared environment, so the defaults will work on a standalone wiki. Input and patches are welcome, if you have any issues setting this up on your own wiki.
- TLS: Since a few of you seem to care about https... The extension currently implements OAuth 1.0a, which is designed to be used without https (except to deliver the shared secret to the app owner, when the app is registered). So calls to the API don't need to use https.
- Logging: All edits are tagged with the consumer's id (CID), so you can see when OAuth was used to contribute an edit.
Enjoy!
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
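An added example, not code from this thread or from the OAuth extension: OAuth 1.0a HMAC-SHA1 request signing as specified in RFC 5849, showing why a signed API call can travel without https (only the signature is sent, never the secrets) and why verification depends entirely on the consumer and token secrets staying private. The `Server` class, host name, keys, secrets, timestamp and nonce are constructed sample values and hypothetical names.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(s):
    # RFC 5849 section 3.6: escape everything except unreserved characters
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # Normalize: encode, sort, join, then encode each of the three parts again
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    # The HMAC key is built from both secrets; neither is sent with the request
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

class Server:
    """Hypothetical verifier: recomputes the signature and rejects replays."""
    def __init__(self, consumer_secret, token_secret):
        self.secrets = (consumer_secret, token_secret)
        self.seen = set()

    def accept(self, method, url, params):
        expected = sign(method, url, params, *self.secrets)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return "bad signature"
        replay_key = tuple(params.get(k) for k in (
            "oauth_consumer_key", "oauth_token", "oauth_timestamp", "oauth_nonce"))
        if replay_key in self.seen:
            return "replayed"
        self.seen.add(replay_key)
        return "ok"

# Constructed sample values, not real credentials or a real wiki
URL = "http://wiki.example/w/api.php"
CONSUMER_SECRET, TOKEN_SECRET = "sample-consumer-secret", "sample-token-secret"

def sample_request(nonce="n-0001"):
    params = {"action": "query", "meta": "userinfo",
              "oauth_consumer_key": "sample-consumer-key",
              "oauth_token": "sample-access-token",
              "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": "1377072000", "oauth_nonce": nonce,
              "oauth_version": "1.0"}
    params["oauth_signature"] = sign("GET", URL, params, CONSUMER_SECRET, TOKEN_SECRET)
    return params
```

A request captured on a plain-http link fails verification once any parameter is changed and is rejected as a replay when resent unchanged; a copy of the consumer secret extracted from a distributed application removes the first of those guarantees for that consumer.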