On Wednesday, February 11, 2015, Guillaume Paumier gpaumier@wikimedia.org wrote:
Hello,
On Wednesday, February 11, 2015, 16:59:45, Petr Bena wrote:
We have OAuth for browser-based programs. But nothing for desktop applications that are being used by users (like AWB, etc.).
It sounds pretty simple to me, so why don't we have anything like that?
The reason currently given at https://www.mediawiki.org/wiki/OAuth/For_Developers#Intended_Users is:
"... not... Desktop applications (the Consumer Secret needs to be secret!)"
That's why we don't use OAuth for these (see my last email on that too). We can shift our threat model to change this, but it comes at a cost (vandalism can't be blocked at the app level, we have to require HTTPS for more pieces of the protocol, etc.).
Petr's current request sounds a little more like Google's per-application passwords, except they are also limited in what rights they can use. Petr, I'm assuming you wouldn't want to do an OAuth-like signature on each request, but instead use it to log in, then use the session cookie for future requests? Or were you thinking signed API calls like with OAuth?
-- Guillaume Paumier
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l