On Sun, Jul 29, 2018 at 4:30 PM, Bryan Davis <bd808(a)wikimedia.org> wrote:
On Sun, Jul 29, 2018 at 12:37 AM rupert THURNER
<rupert.thurner(a)gmail.com> wrote:
is this implemented like it should? is there any difference from "any"
application or applications on the tools server? am looking at the code
here currently:
https://github.com/toolforge/video2commons/blob/master/video2commons/frontend/app.py
the "dologin" method.
Yes, there is a major difference between a web application like the
video2commons tool and a device native application like an Android
app. That difference is that in a web application secret data can be
kept on the web server side that is not visible to the end user. This
allows the OAuth application secret to be used in signing requests to
the Wikimedia servers without exposing that secret to anyone who is
looking at the source code of the web application. This separation is
not possible when the application is running on end-user controlled
devices as a phone or desktop application does.
interesting, never thought about it. i found an entry on stackexchange
confirming what you said. additionally it states that oauth is not for
authentication. oauth's purpose is to access users' resources from some
resource provider, while openid_connect should be used to authenticate.
does openid_connect work with wikipedia and is it the best option currently?
[0]
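
The point about the application secret, as an added example that is not part of the original thread and is not video2commons code: it assumes an OAuth 1.0a style HMAC-SHA1 request signature (RFC 5849), and the URL, consumer key, nonce and secrets are constructed sample values. The signature is the only secret-derived value that leaves the web server, and the verifier accepts whoever holds the same secret, which is why a secret shipped inside a phone or desktop application no longer identifies that application.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters stay as-is
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    # Encode each pair, sort, join with "&", then encode the joined string again.
    # Assumes the URL carries no query string of its own.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    # The HMAC key is built from the secrets; the key itself is never transmitted
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    message = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, message, hashlib.sha1).digest()).decode()


def verify(method, url, params, signature, consumer_secret, token_secret=""):
    # Provider side: recompute with the registered secret, compare in constant time
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)


# Constructed sample values, not taken from any real deployment
URL = "https://wiki.example/w/index.php"
PARAMS = {"oauth_consumer_key": "abc", "oauth_nonce": "n1"}
SERVER_SECRET = "kept-on-the-web-server"

if __name__ == "__main__":
    sig = sign("GET", URL, PARAMS, SERVER_SECRET)
    # What the end user's browser can observe: parameters and signature only
    print("on the wire:", PARAMS, sig)
    print("provider accepts:", verify("GET", URL, PARAMS, sig, SERVER_SECRET))
    # A signature made without the registered secret is rejected
    forged = sign("GET", URL, PARAMS, "guessed-secret")
    print("wrong secret accepted:", verify("GET", URL, PARAMS, forged, SERVER_SECRET))
```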