As mentioned earlier this week, we deployed an initial version of the OAuth extension to the test wikis yesterday. I wanted to follow up with a few more details about the extension that we deployed (although if you're just curious about OAuth in general, I recommend starting at oauth.net, or https://www.mediawiki.org/wiki/Auth_systems/OAuth):
* Use it: https://www.mediawiki.org/wiki/Extension:OAuth#Using_OAuth should get you started towards using OAuth in your application.
* Demo: Anomie set up an excellent initial app (I think it counts as our first official, approved consumer) here: https://tools.wmflabs.org/oauth-hello-world/. Feel free to try it out, so you can get a feel for the user experience as a user!
* Timeline: We're hoping to get some use this week, and deploy to the rest of the WMF wikis next week if we don't encounter any issues.
* Bugs: Please open bugzilla tickets for any issues you find, or enhancement requests-- https://bugzilla.wikimedia.org/enter_bug.cgi?product=MediaWiki%20extensions&...
And some other details for the curious:
* Yes, you can use this on your own wiki right now! It's meant to be used in a single or shared environment, so the defaults will work on a standalone wiki. Input and patches are welcome, if you have any issues setting this up on your own wiki.
* TLS: Since a few of you seem to care about https... The extension currently implements OAuth 1.0a, which is designed to be used without https (except to deliver the shared secret to the app owner, when the app is registered). So calls to the API don't need to use https.
* Logging: All edits are tagged with the consumer's id (CID), so you can see when OAuth was used to contribute an edit.
Enjoy!
This is highly anticipated on my part and awesome. I will integrate it into wikimetrics asap.
Dan
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Hi,
I'm completely new to OAuth, so bear with me if my questions are basic or I missed a point ;-) It seems interesting, but seems very oriented for web applications, not so much for desktop applications.
I'm interested in developing this for WPCleaner [1], which is a desktop application. Is the callback URL required? If so, which one should you use for a desktop application?
Has anyone implemented the connection to WMF wikis using OAuth under Java?
For this to work, you request client tokens (including secret key) for the client: do these tokens need to be kept private? I'm wondering, because keeping secrets for an open source desktop application is not easy.
Nico
[1] http://en.wikipedia.org/wiki/Wikipedia:WPCleaner
On Wed, Aug 21, 2013 at 5:05 AM, Nicolas Vervelle nvervelle@gmail.com wrote:
I'm completely new to OAuth, so bear with me if my questions are basic or I missed a point ;-) It seems interesting, but seems very oriented for web applications, not so much for desktop applications.
I cannot speak for MediaWiki's implementation of OAuth, but the OAuth spec does provide different authentication methods so that desktop applications can be used. It's just a matter of whether MW has it.
-- Tyler Romeo, Stevens Institute of Technology, Class of 2016, Major in Computer Science, www.whizkidztech.com | tylerromeo@gmail.com
On Wed, Aug 21, 2013 at 2:05 AM, Nicolas Vervelle nvervelle@gmail.com wrote:
Hi,
I'm completely new to OAuth, so bear with me if my questions are basic or I missed a point ;-) It seems interesting, but seems very oriented for web applications, not so much for desktop applications.
This is true, for exactly the reason you were asking about-- the secret key needs to be kept private, which is impossible when you distribute the application to other users. OAuth 2 has a framework for dealing with this, but it makes controlling consumers nearly impossible. So we wanted to start with OAuth 1 while everyone gets familiar with the concepts, and we see which use cases actually get used. We may extend the framework to allow situations like this in the future.
The best workaround now is probably to have each user register their copy of your desktop application as its own consumer. It's a little ugly having to give your user instructions on cutting and pasting tokens and keys around, but it can work (in the early days of Salesforce, several OAuth apps were configured this way).
I'm interested in developing this for WPCleaner [1], which is a desktop application. Is the callback URL required? If so, which one should you use for a desktop application?
For bots too, I'd like to have the extension implement something like https://developers.google.com/accounts/images/OauthUX_nocallback.png directly in the extension, but that wasn't something we were able to finish before this release.
Has anyone implemented the connection to WMF wikis using OAuth under Java?
No, not yet.
For this to work, you request client tokens (including secret key) for the client: do these tokens need to be kept private? I'm wondering, because keeping secrets for an open source desktop application is not easy.
Nico
[1] http://en.wikipedia.org/wiki/Wikipedia:WPCleaner
On Wed, Aug 21, 2013 at 5:04 PM, Chris Steipp csteipp@wikimedia.org wrote:
On Wed, Aug 21, 2013 at 2:05 AM, Nicolas Vervelle nvervelle@gmail.com wrote:
Hi,
I'm completely new to OAuth, so bear with me if my questions are basic or I missed a point ;-) It seems interesting, but seems very oriented for web applications, not so much for desktop applications.
This is true, for exactly the reason you were asking about-- the secret key needs to be kept private, which is impossible when you distribute the application to other users. OAuth 2 has a framework for dealing with this, but it makes controlling consumers nearly impossible. So we wanted to start with OAuth 1 while everyone gets familiar with the concepts, and we see which use cases actually get used. We may extend the framework to allow situations like this in the future.
The best workaround now is probably to have each user register their copy of your desktop application as its own consumer. It's a little ugly having to give your user instructions on cutting and pasting tokens and keys around, but it can work (in the early days of Salesforce, several OAuth apps were configured this way).
Seems very complex for users, so I won't go that way for WPCleaner. Is it possible to use only one client, with the secret key included in the distribution? (A user with enough determination will be able to extract it.) This would mean that there's not 100% certainty about the client being the true one. But the attacker would only be able to impersonate the application, not the user.
I'm interested in developing this for WPCleaner [1], which is a desktop application. Is the callback URL required ? If so, which one should you use for a desktop application ?
For bots too, I'd like to have the extension implement something like https://developers.google.com/accounts/images/OauthUX_nocallback.png directly in the extension, but that wasn't something we were able to finish before this release.
Ok, so unless there's a mechanism to work without callback URL, there's no way for a desktop application to work. If something like that is implemented, I will look again at OAuth for WPCleaner.
Nico
On Fri, Aug 23, 2013 at 10:38 AM, Nicolas Vervelle nvervelle@gmail.com wrote:
On Wed, Aug 21, 2013 at 5:04 PM, Chris Steipp csteipp@wikimedia.org wrote:
For bots too, I'd like to have the extension implement something like https://developers.google.com/accounts/images/OauthUX_nocallback.png directly in the extension, but that wasn't something we were able to finish before this release.
Ok, so unless there's a mechanism to work without callback URL, there's no way for a desktop application to work. If something like that is implemented, I will look again at OAuth for WPCleaner.
https://gerrit.wikimedia.org/r/#/c/80569/
I am just wondering if we really need so complicated names like
[[Special:MWOAuthManageMyGrants]]
Couldn't it be just [[Special:MWOAuthManage]]
or [[Special:MWOAuthGrants]]
On Fri, Aug 23, 2013 at 5:52 PM, Brad Jorsch (Anomie) bjorsch@wikimedia.org wrote:
https://gerrit.wikimedia.org/r/#/c/80569/
-- Brad Jorsch (Anomie), Software Engineer, Wikimedia Foundation
On Fri, Aug 23, 2013 at 8:59 AM, Petr Bena benapetr@gmail.com wrote:
I am just wondering if we really need so complicated names like
[[Special:MWOAuthManageMyGrants]]
Couldn't it be just [[Special:MWOAuthManage]]
or [[Special:MWOAuthGrants]]
I think it would make sense. Could you open an enhancement bug so we don't lose track of it?
Done: https://bugzilla.wikimedia.org/show_bug.cgi?id=53322
On Fri, Aug 23, 2013 at 7:38 AM, Nicolas Vervelle nvervelle@gmail.com wrote:
The best workaround now is probably to have each user register their copy of your desktop application as its own consumer. It's a little ugly having to give your user instructions on cutting and pasting tokens and keys around, but it can work (in the early days of Salesforce, several OAuth apps were configured this way).
Seems very complex for users, so I won't go that way for WPCleaner. Is it possible to use only one client, with the secret key included in the distribution? (A user with enough determination will be able to extract it.) This would mean that there's not 100% certainty about the client being the true one. But the attacker would only be able to impersonate the application, not the user.
Unfortunately, no. This is one of the subtleties of OAuth 1. Since we don't require HTTPS for getting the user token, or using a user token, it's possible to impersonate a user by compromising the consumer's secret key if the attacker has also been able to sniff traffic generated by that consumer.
It does sound like the current iteration of the extension may not be the best fit. But it's good to know about these use cases, so we can set priorities for future development.
On Wed, Aug 21, 2013 at 5:05 AM, Nicolas Vervelle nvervelle@gmail.com wrote:
I'm completely new to OAuth, so bear with me if my questions are basic or I missed a point ;-)
You have some good questions here.
I'm interested in developing this for WPCleaner [1], which is a desktop application. Is the callback URL required? If so, which one should you use for a desktop application?
A callback URL is required.
In general with OAuth, a desktop or mobile app has to direct the user to a web browser in some manner to go to the site, log in, and authorize the application.
If you embed a web browser control right in your application, you can probably watch for it to be directed to your specific callback URL, remove the web browser control, and proceed to process the response. On the other hand, an end user shouldn't necessarily trust a web browser control to not be sniffing their password as they log into the site to authorize (but on the gripping hand, the desktop app might sniff the keystrokes even with an external browser, so...).
If you open an external browser, chances are you can't catch the callback URL, so your options are limited to basically having a web page somewhere that just displays the necessary verification token for the user to copy back into your application. Perhaps we should allow for the callback URL to be left empty, in which case the OAuth extension would do just this.
For that matter, it's possible the app is unable to open a browser at all. In that case, the app could always just display the URL (possibly using a shortener), instruct the user to visit that from a full-featured computer, and then enter the verification code as mentioned in the above paragraph.
Has anyone implemented the connection to WMF wikis using OAuth under Java?
I don't think the MediaWiki OAuth extension does anything particularly unusual, so you should be able to start with any other Java implementation of an OAuth 1.0a client.
For this to work, you request client tokens (including secret key) for the client: do these tokens need to be kept private? I'm wondering, because keeping secrets for an open source desktop application is not easy.
That is a good point. I hope someone will correct me if I'm wrong, but I can't think of any way to prevent a determined attacker from extracting the keys from a desktop or mobile app (open or closed source) and impersonating it. Which means that there's no way for MediaWiki to know that the app is really who it says it is, meaning that the OAuth CID tags for such apps aren't any more reliable than the existing method of including something like "([[WP:TW|TW]])" in the edit summary. On the other hand, this in itself shouldn't compromise end-user security, because the malicious app would still have to steal the access token from the legitimate app's storage on the end user's computer.
As far as I can tell from looking around, no one really has a solution for this. There are reports that Twitter blocks the consumer key if it finds it has been compromised, which is widely criticized. On the opposite end, it seems Google just lets such apps use "anonymous" for the consumer secret, and presumably doesn't try to positively identify the consumer at all.
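The signing mechanics behind the two replies above (Chris's point that a sniffed token plus a compromised consumer secret is enough to act as the user, and the note that the access token held by the app is what actually protects the end user), as an added example that is not part of this thread or of the OAuth extension's code: a minimal RFC 5849 HMAC-SHA1 signer with the server-side verification a wiki would run. The API URL, consumer key/secret, token/secret and user name are constructed placeholders.

```python
import base64, hashlib, hmac
from urllib.parse import quote

# Constructed values for this example only; not real Wikimedia consumer keys.
API_URL = "http://example.org/w/api.php"
CONSUMER_KEY, CONSUMER_SECRET = "wpcleaner-demo", "c0nsumer-secret"
ACCESS_TOKEN, TOKEN_SECRET = "user-token-1", "t0ken-secret"

def pct(s: str) -> str:
    """RFC 5849 section 3.6 encoding: only unreserved characters are kept."""
    return quote(s, safe="-._~")

def signature_base_string(method: str, url: str, params: dict) -> str:
    """Section 3.4.1: METHOD & encoded URL & encoded, sorted parameters."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k != "oauth_signature")
    return "&".join([method.upper(), pct(url),
                     pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    # Section 3.4.2: the key is consumer_secret '&' token_secret. The consumer
    # secret alone cannot sign as a user; the token secret, which this setup
    # hands out without requiring HTTPS, is what ties a request to that user.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def signed_request(consumer_secret, token_secret, extra, ts, nonce) -> dict:
    """Parameter set a consumer sends for one API call (oauth_* plus its own)."""
    params = dict(extra, oauth_consumer_key=CONSUMER_KEY, oauth_token=ACCESS_TOKEN,
                  oauth_signature_method="HMAC-SHA1", oauth_version="1.0",
                  oauth_timestamp=str(ts), oauth_nonce=nonce)
    params["oauth_signature"] = hmac_sha1_signature(
        "POST", API_URL, params, consumer_secret, token_secret)
    return params

class Verifier:
    def __init__(self, window=300):
        self.consumers = {CONSUMER_KEY: CONSUMER_SECRET}
        self.tokens = {ACCESS_TOKEN: (CONSUMER_KEY, TOKEN_SECRET, "ExampleUser")}
        self.window, self.seen = window, set()

    def verify(self, method, url, params, now):
        ckey, tok = params.get("oauth_consumer_key"), params.get("oauth_token")
        if ckey not in self.consumers or tok not in self.tokens:
            return None
        issued_to, token_secret, user = self.tokens[tok]
        ts = params.get("oauth_timestamp", "")
        if issued_to != ckey or not ts.isdigit() or abs(now - int(ts)) > self.window:
            return None                  # token of another consumer, or stale
        replay_id = (ckey, ts, params.get("oauth_nonce"))
        if replay_id in self.seen:
            return None                  # nonce already used in this window
        expected = hmac_sha1_signature(method, url, params,
                                       self.consumers[ckey], token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return None
        self.seen.add(replay_id)
        return user

def demo() -> dict:
    """Outcomes for the cases raised in the thread; None means rejected."""
    v, now = Verifier(), 1377000000
    good = signed_request(CONSUMER_SECRET, TOKEN_SECRET, {"action": "edit"}, now, "n1")
    half = signed_request(CONSUMER_SECRET, "", {"action": "edit"}, now, "n2")
    old = signed_request(CONSUMER_SECRET, TOKEN_SECRET, {}, now - 3600, "n3")
    return {"both_secrets": v.verify("POST", API_URL, good, now),
            "replayed": v.verify("POST", API_URL, good, now),
            "consumer_secret_only": v.verify("POST", API_URL, half, now),
            "stale": v.verify("POST", API_URL, old, now)}
```

The nonce and timestamp checks limit replay of a captured request, but they do nothing against a party holding both secrets, which is exactly why the thread concludes that shipping one consumer secret inside a desktop build cannot be made safe under 1.0a without HTTPS.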
Shouldn't Special:MWOAuth with no other parameters do something better than just returning an error?
Also, how is a normal user supposed to learn about Special:MWOAuthManageMyGrants? I would expect this to be available from Preferences, but I didn't find anything there.
Petr Onderka [[en:User:Svick]]
On Wed, Aug 21, 2013 at 1:00 PM, Petr Onderka gsvick@gmail.com wrote:
Also, how is normal user supposed to learn about Special:MWOAuthManageMyGrants? I would expect this to be available from Preferences, but I didn't find anything there.
There's a link to it on the first page of preferences. Under basic information, it's labelled "OAuth consumer access".