Hi Petr,
Unfortunately, you're trying to do two things that the version of oauth we implemented doesn't do very well. OAuth 1 enabled users on website A to safely grant website A access to specific resources on website B. Any other use, you have to be very careful to ensure that the protocol is giving you the security properties that you think it is.
As noted earlier, using our OAuth 1 implementation with desktop apps will not work for the typical case because the Consumer (App specific) secret is assumed to be secret only to the App owner who registered the App. So registering your app and distributing the private rsa key or secret in the binary is not safe. However, if you have your users go to the Consumer registration page (over https), register as a unique consumer, and then authorize their app to use Wikipedia, that would work-- it's just two slightly complicated steps instead of a single, easy step to do the authorization.
You also mentioned logging in with OAuth. I'm not sure if that was in the generic sense of your App doing stuff as the user, or if you really have a central concept of each user and want to know for sure that one of your App users really is a particular Wikipedia user. If it's the latter, this is a common misconception about the protocol. OAuth 1 (as specified) is not safe to use for logins. Twitter modified the protocol into xAuth, and Facebook uses the openID extension to OAuth 2 to provide safe logins. For basic OAuth though, there is a well known attack where another OAuth consumer can use the secrets that they know (from users authorizing their App) to trick your App into thinking they are someone else. Our implementation tries to prevent this attack, but if you're using the protocol in a way it wasn't designed for, you're likely to be attacked in new ways in the future. So I would caution against it.
We are going to turn on openID in the near future, which DOES let you authenticate users, so that may be a possibility.
Sorry for the bad news, but thanks for asking. If this seems to be a common scenario, then we'll prioritize something like OAuth 2 + OpenID Connect in the future.
On Sep 12, 2013 6:57 AM, "Tyler Romeo" tylerromeo@gmail.com wrote:
On Thu, Sep 12, 2013 at 8:41 AM, Petr Bena benapetr@gmail.com wrote:
Ok, so should we ask users for password then? Is that the only alternative at the moment?
Pretty much, unless Chris has a better recommended solution.
--
Tyler Romeo
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerromeo@gmail.com
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.or
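A worked illustration of Chris's point about the Consumer secret, added here as an example and not code from this thread or from MediaWiki's OAuth extension: an OAuth 1 HMAC-SHA1 request signer following RFC 5849, run against the RFC's own sample request (section 3.4.1.1) and sample secrets. The consumer secret is one half of the signing key, so whoever holds it (including anyone who pulls it out of a shipped binary) produces signatures indistinguishable from the registered app's, while a consumer registered with its own secret cannot. The function names and the `demo` wrapper are my own.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def oauth_encode(s: str) -> str:
    # RFC 5849 section 3.6: percent-encode everything except unreserved characters
    return quote(s, safe="-._~")


def signature_base_string(method, url, oauth_params, body_params=()):
    """Build the RFC 5849 section 3.4.1 signature base string for a request."""
    u = urlsplit(url)
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    pairs = list(parse_qsl(u.query, keep_blank_values=True))      # query parameters
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    pairs += list(body_params)                                     # form-encoded body
    # Encode each name and value first, then sort by name and value (section 3.4.1.3.2).
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_encode(base_url), oauth_encode(normalized)])


def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    # Signing key is "<consumer secret>&<token secret>" (section 3.4.2); the consumer
    # secret alone is enough to sign two-legged requests where the token secret is empty.
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_signature(base, presented, consumer_secret, token_secret=""):
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


# Sample request and secrets taken from RFC 5849 (not real credentials).
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = parse_qsl("c2&a3=2+q", keep_blank_values=True)
RFC_OAUTH = {
    "oauth_consumer_key": "9djdj82h48djs9d2", "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}
CONSUMER_SECRET, TOKEN_SECRET = "j49sk3j29djd", "dh893hdasih9"


def demo():
    base = signature_base_string("POST", RFC_URL, RFC_OAUTH, RFC_BODY)
    # A copy of the consumer secret (e.g. extracted from a binary) signs identically.
    copied = hmac_sha1_signature(base, CONSUMER_SECRET, TOKEN_SECRET)
    # A different registered consumer, with its own secret, cannot produce a valid one.
    other = hmac_sha1_signature(base, "some-other-consumer-secret", TOKEN_SECRET)
    return {"base": base,
            "copy_accepted": verify_signature(base, copied, CONSUMER_SECRET, TOKEN_SECRET),
            "other_accepted": verify_signature(base, other, CONSUMER_SECRET, TOKEN_SECRET)}
```

The per-user consumer registration Chris describes gives each installation its own consumer secret, so a secret leaked from one install signs only as that one consumer rather than as every copy of the app.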