Hi,
We have OAuth for browser-based programs, but nothing for desktop applications that are used by users (like AWB etc.).
These applications now have to ask for a password, which is kind of safe given that they are open source and running on the computer of the user, so at some point giving them a password is as insecure as giving it to your web browser, but still, I believe that there could be a slightly better security model in use, that would make it safe to provide a password to a program that was compiled by anyone and that can be potentially unsafe.
Let's take this sample model similar to OAuth:
* The user would have an extra panel in preferences, where they could generate access tokens.
* For each token, the user could specify what the application would have access to.
Generated tokens would be given to the application instead of a login and password, and the application could use them to log in to MediaWiki.
Users could revoke the tokens at any time, effectively invalidating any tokens that a potential hacker could steal using that 3rd application.
It sounds pretty simple to me, so why don't we have anything like that?
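The token model proposed in the message above, sketched as an added example that is not part of the original post and is not MediaWiki code. The class, method and grant names are hypothetical, and storing only a SHA-256 digest of each token secret is an assumption of this sketch, not something the post specifies.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class AppToken:
    user: str
    app_name: str
    grants: frozenset    # actions this application may perform
    digest: str          # SHA-256 of the secret; the secret itself is never stored
    revoked: bool = False


class TokenStore:
    """Hypothetical server-side store for per-application access tokens."""

    def __init__(self):
        self._tokens = {}  # token id -> AppToken

    def issue(self, user, app_name, grants):
        """Create a token; the returned string is shown to the user once."""
        token_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        digest = hashlib.sha256(secret.encode()).hexdigest()
        self._tokens[token_id] = AppToken(user, app_name, frozenset(grants), digest)
        return f"{token_id}.{secret}"

    def authorize(self, presented, action):
        """Return the user name if the token is valid and covers `action`, else None."""
        token_id, _, secret = presented.partition(".")
        record = self._tokens.get(token_id)
        if record is None or record.revoked:
            return None
        digest = hashlib.sha256(secret.encode()).hexdigest()
        if not hmac.compare_digest(digest, record.digest):
            return None
        return record.user if action in record.grants else None

    def revoke(self, user, token_id):
        """Let the owning user invalidate one token; other tokens keep working."""
        record = self._tokens.get(token_id)
        if record is None or record.user != user:
            return False
        record.revoked = True
        return True
```

Because the application only ever holds the token, a leaked token exposes the listed grants until it is revoked, and the account password never reaches the application.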