On Sun, Jul 29, 2018 at 4:30 PM, Bryan Davis bd808@wikimedia.org wrote:
On Sun, Jul 29, 2018 at 12:37 AM rupert THURNER rupert.thurner@gmail.com wrote:
if one takes an example, like https://tools.wmflabs.org/video2commons/, is this implemented as it should be? is there any difference from "any" application or applications on the tools server? am looking at the code here currently: https://github.com/toolforge/video2commons/blob/master/video2commons/frontend/app.py the "dologin" method.
Yes, there is a major difference between a web application like the video2commons tool and a device native application like an Android app. That difference is that in a web application secret data can be kept on the web server side that is not visible to the end user. This allows the OAuth application secret to be used in signing requests to the Wikimedia servers without exposing that secret to anyone who is looking at the source code of the web application. This separation is not possible when the application is running on end-user controlled devices as a phone or desktop application does.
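The separation Bryan describes is easiest to see in the signing step itself. The following is an added example, not code from video2commons or from the MediaWiki OAuth extension: a minimal OAuth 1.0a HMAC-SHA1 signer (RFC 5849) in which the consumer secret and token secret are inputs to the MAC on the server side, and a matching verifier standing in for the resource server. The consumer key, secret and token values are constructed; the URL is only a plausible MediaWiki endpoint used as sample input.

```python
# Added example (not video2commons code): OAuth 1.0a HMAC-SHA1 signing with
# the consumer secret held only on the web server. Nothing in the emitted
# Authorization header reveals either secret; only the MAC over the request does.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def _pct(value):
    """RFC 5849 percent-encoding: only unreserved characters survive."""
    return quote(str(value), safe="~")


def signature_base_string(method, url, params):
    """Build the OAuth 1.0a signature base string (RFC 5849 section 3.4.1)."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.netloc.lower()
    # Drop a default port so client and server normalise the URL identically.
    for default_scheme, default_port in (("http", ":80"), ("https", ":443")):
        if scheme == default_scheme and host.endswith(default_port):
            host = host[: -len(default_port)]
    base_url = f"{scheme}://{host}{parts.path}"
    all_params = list(parse_qsl(parts.query, keep_blank_values=True)) + list(params.items())
    pairs = sorted((_pct(k), _pct(v)) for k, v in all_params)
    normalised = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _pct(base_url), _pct(normalised)])


def _hmac_sha1(consumer_secret, token_secret, base):
    """The signing key is consumer_secret&token_secret; the result is base64."""
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, consumer_key, consumer_secret,
                 token="", token_secret="", nonce=None, timestamp=None):
    """Web-server side: produce the Authorization header for an API call."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, oauth)
    oauth["oauth_signature"] = _hmac_sha1(consumer_secret, token_secret, base)
    return "OAuth " + ", ".join(f'{_pct(k)}="{_pct(v)}"' for k, v in sorted(oauth.items()))


def parse_authorization_header(header):
    """Turn 'OAuth k="v", k2="v2"' back into a dict of decoded values."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth Authorization header")
    out = {}
    for item in header[len("OAuth "):].split(", "):
        k, _, v = item.partition("=")
        out[unquote(k)] = unquote(v.strip('"'))
    return out


def verify_request(method, url, header, consumer_secrets, token_secrets):
    """Resource-server side: recompute the MAC from its own copy of the secrets.
    consumer_secrets and token_secrets are dicts keyed by consumer key / token."""
    params = parse_authorization_header(header)
    presented = params.pop("oauth_signature", "")
    consumer_secret = consumer_secrets.get(params.get("oauth_consumer_key"))
    if consumer_secret is None:
        return False
    token = params.get("oauth_token", "")
    if token and token not in token_secrets:
        return False
    token_secret = token_secrets[token] if token else ""
    expected = _hmac_sha1(consumer_secret, token_secret, signature_base_string(method, url, params))
    # Constant-time comparison; a real server also rejects stale timestamps and reused nonces.
    return hmac.compare_digest(presented, expected)


# Constructed sample values (not real credentials) for a stand-alone run.
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"
SAMPLE_URL = "https://meta.wikimedia.org/w/index.php?title=Special:OAuth/identify"

if __name__ == "__main__":
    hdr = sign_request("GET", SAMPLE_URL, CONSUMER_KEY, CONSUMER_SECRET,
                       token="sample-token", token_secret="sample-token-secret")
    print(hdr)
    print("secret leaked:", CONSUMER_SECRET in hdr)
```

The header a native app would have to emit contains exactly the same fields, which is why a phone or desktop client cannot produce it without shipping the consumer secret alongside it; a web tool keeps `sign_request` and its secret on the server and only the resulting MAC crosses the network.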
interesting, never thought about it. i found an entry on stackexchange confirming what you said. additionally it states that oauth is not for authentication. oauth's purpose is to access users' resources from some resource provider, while openid_connect should be used to authenticate. does openid_connect work with wikipedia and is it the best option currently?
[0] https://security.stackexchange.com/questions/133065/why-is-it-a-bad-idea-to-...
[1] https://connect2id.com/learn/openid-connect
[2] https://www.mediawiki.org/wiki/Extension:OpenID_Connect
rupert
On Mon, Aug 6, 2018 at 12:40 AM rupert THURNER rupert.thurner@gmail.com wrote:
interesting, never thought about it. i found an entry on stackexchange confirming what you said. additionally it states that oauth is not for authentication. oauth's purpose is to access users' resources from some resource provider, while openid_connect should be used to authenticate. does openid_connect work with wikipedia and is it the best option currently?
OpenID Connect uses OAuth 2 and Wikipedia only supports OAuth 1 currently. We have a custom authentication endpoint that works in a similar way to OpenID Connect: https://www.mediawiki.org/wiki/OAuth/For_Developers#Identifying_the_user
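The "identifying the user" endpoint Bryan links to is the part that plays the role OpenID Connect would otherwise play. The following is an added example, not MediaWiki's or video2commons' code, of how a tool would validate such an identity assertion on its server. It assumes, based on the linked MediaWiki documentation rather than on anything stated in this thread, that the endpoint returns a JWT signed with HS256 using the consumer secret and carrying `iss`, `aud`, `nonce`, `iat` and `exp` claims; the issuer string, consumer key and secret, and the user claims are constructed sample values. `mint_identity_token` only exists to produce a test token locally and is not something a client would ever do.

```python
# Added example: validating an HS256-signed identity token with a secret that
# lives only on the web server. The claim names follow the MediaWiki OAuth
# developer docs (assumption); all values below are constructed.
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_identity_token(claims, consumer_secret):
    """Stand-in for the identity provider, used here only to build a test token."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = _b64url_encode(hmac.new(consumer_secret.encode(), signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{signature}"


def verify_identity_token(token, consumer_key, consumer_secret, expected_issuer,
                          expected_nonce, now=None, skew=60):
    """Return the claims if the token is authentic and meant for us, else None.

    Checks, in order: three segments, alg pinned to HS256 (rejects 'none' and
    algorithm-confusion headers), HMAC over header.payload with the server-held
    secret, then issuer, audience, the nonce we sent, and the time window."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected_sig = hmac.new(consumer_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    try:
        presented_sig = _b64url_decode(s)
    except ValueError:
        return None
    if not hmac.compare_digest(presented_sig, expected_sig):
        return None
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != expected_issuer:
        return None
    if claims.get("aud") != consumer_key:
        return None
    if claims.get("nonce") != expected_nonce:
        return None
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        return None
    if now < iat - skew or now > exp:
        return None
    return claims


# Constructed sample values (not real credentials).
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"
ISSUER = "https://example.org"  # placeholder issuer; a real check uses the wiki's canonical server URL
SAMPLE_CLAIMS = {
    "iss": ISSUER, "sub": 12345, "aud": CONSUMER_KEY,
    "iat": 1533000000, "exp": 1533000100, "nonce": "n-0001",
    "username": "ExampleUser",
}

if __name__ == "__main__":
    tok = mint_identity_token(SAMPLE_CLAIMS, CONSUMER_SECRET)
    print(verify_identity_token(tok, CONSUMER_KEY, CONSUMER_SECRET, ISSUER, "n-0001", now=1533000050))
```

Because the secret is the verification key, this check can only be done where the secret lives, which is the same reason the login flow itself belongs on the server rather than in a native client.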
wikitech-l@lists.wikimedia.org