On Wed, Aug 21, 2013 at 2:05 AM, Nicolas Vervelle <nvervelle(a)gmail.com> wrote:
Hi,
I'm completely new to OAuth, so bear with me if my questions are basic or I
missed a point ;-)
It seems interesting, but seems very oriented for web applications, not so
much for desktop applications.
This is true, for exactly the reason you were asking about-- the secret key
needs to be kept private, which is impossible when you distribute the
application to other users. OAuth 2 has a framework for dealing with this,
but it makes controlling consumers nearly impossible. So we wanted to start
with OAuth 1 while everyone gets familiar with the concepts, and we see
which use cases actually get used. We may extend the framework to allow
situations like this in the future.
The best workaround now is probably to have each user register their copy
of your desktop application as its own consumer. It's a little ugly having
to give your user instructions on cutting and pasting tokens and keys
around, but it can work (in the early days of Salesforce, several OAuth
apps were configured this way).
I'm interested in developing this for WPCleaner [1], which is a desktop
application.
Is the callback URL required? If so, which one should you use for a
desktop application?
For bots too, I'd like to have the extension implement something like
https://developers.google.com/accounts/images/OauthUX_nocallback.png directly
in the extension, but that wasn't something we were able to finish before
this release.
Has anyone implemented the connection to WMF wikis using OAuth under Java?
No, not yet.
For this to work, you request client tokens (including secret key) for the
client: do these tokens need to be kept private?
I'm wondering, because keeping secrets for an open source desktop
application is not easy.
Nico
[1]
http://en.wikipedia.org/wiki/Wikipedia:WPCleaner
On Wed, Aug 21, 2013 at 6:15 AM, Chris Steipp <csteipp(a)wikimedia.org>
wrote:
As mentioned earlier this week, we deployed an initial version of the OAuth
extension to the test wikis yesterday. I wanted to follow up with a few
more details about the extension that we deployed (although if you're just
curious about OAuth in general, I recommend starting at oauth.net, or
https://www.mediawiki.org/wiki/Auth_systems/OAuth):
* Use it: https://www.mediawiki.org/wiki/Extension:OAuth#Using_OAuth should
get you started towards using OAuth in your application.
* Demo: Anomie set up an excellent initial app (I think counts as our first
official, approved consumer) here
https://tools.wmflabs.org/oauth-hello-world/. Feel free to try it out, so
you can get a feel for the user experience as a user!
* Timeline: We're hoping to get some use this week, and deploy to the rest
of the WMF wikis next week if we don't encounter any issues.
* Bugs: Please open bugzilla tickets for any issues you find, or
enhancement requests--
https://bugzilla.wikimedia.org/enter_bug.cgi?product=MediaWiki%20extensions…
And some other details for the curious:
* Yes, you can use this on your own wiki right now! It's meant to be used
in a single or shared environment, so the defaults will work on a
standalone wiki. Input and patches are welcome, if you have any issues
setting this up on your own wiki.
* TLS: Since a few of you seem to care about https... The extension
currently implements OAuth 1.0a, which is designed to be used without https
(except to deliver the shared secret to the app owner, when the app is
registered). So calls to the API don't need to use https.
* Logging: All edits are tagged with the consumer's id (CID), so you can
see when OAuth was used to contribute an edit.
Enjoy!
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l