Hi,
We have OAuth for browser-based programs, but nothing for desktop applications that are used by users (like AWB etc.).
These applications now have to ask for a password, which is kind of safe given that they are open source and running on the user's computer, so at some point giving them the password is as insecure as giving it to your web browser, but still, I believe that there could be a slightly better security model in use, one that would make it safe to provide a password to a program that was compiled by anyone and that can be potentially unsafe.
Let's take this sample model similar to OAuth:
* User would have an extra panel in preferences, where they could generate access tokens.
* For each token the user could specify what the application would have access to.
Generated tokens would be given to the application instead of login and password, and the application could use them to log in to MediaWiki.
Users could revoke the tokens at any time, effectively invalidating any tokens that a potential hacker could steal using that 3rd-party application.
It sounds pretty simple to me, so why don't we have anything like that?
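The model sketched in this post, worked through as an added Python example. This is not MediaWiki code and not something from the thread; the right names ("read", "edit", "delete"), the application names and the in-memory store are constructed for illustration. It shows the three properties the proposal asks for: a token that is not the password, a token limited to a set of rights, and a revocation that also kills any session a stolen token has already opened. The server keeps only a SHA-256 digest of each token, so a leaked token table cannot be replayed as credentials.

```python
"""Scoped, revocable per-application tokens (hypothetical model, not MediaWiki code).

Flow:
  1. the user generates a token in their preferences, tied to an application
     name and limited to a set of rights;
  2. the application logs in with that token instead of the password and gets
     a session id (standing in for the session cookie);
  3. every API request is checked against the rights of the token that opened
     the session;
  4. revoking a token immediately kills every session opened with it.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional


def _digest(token: str) -> str:
    """Server-side storage form of a token; the plaintext is never kept."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class AppToken:
    app_name: str
    rights: FrozenSet[str]
    revoked: bool = False


@dataclass
class Session:
    token_hash: str  # digest of the application token that opened this session


class TokenStore:
    """Per-user store of application tokens and the sessions they opened."""

    def __init__(self, user: str) -> None:
        self.user = user
        self._tokens: Dict[str, AppToken] = {}    # keyed by token digest
        self._sessions: Dict[str, Session] = {}   # keyed by session id

    def issue(self, app_name: str, rights: Iterable[str]) -> str:
        """Preferences panel: create a token for `app_name` limited to `rights`.
        The plaintext token is returned once and must be copied into the app."""
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = AppToken(app_name, frozenset(rights))
        return token

    def login(self, token: str) -> Optional[str]:
        """Application: exchange the token for a session id.
        Unknown and revoked tokens both fail the same way."""
        rec = self._tokens.get(_digest(token))
        if rec is None or rec.revoked:
            return None
        session_id = secrets.token_urlsafe(24)
        self._sessions[session_id] = Session(token_hash=_digest(token))
        return session_id

    def authorize(self, session_id: str, right: str) -> bool:
        """Per-request check: live session, token not revoked, right granted.
        A token scoped to {"read", "edit"} cannot "delete" even though the
        user who owns it could."""
        sess = self._sessions.get(session_id)
        if sess is None:
            return False
        rec = self._tokens[sess.token_hash]
        return not rec.revoked and right in rec.rights

    def revoke(self, app_name: str) -> int:
        """Preferences panel: revoke every live token issued to `app_name` and
        drop the sessions they opened. Returns the number of sessions killed."""
        revoked_hashes = set()
        for h, rec in self._tokens.items():
            if rec.app_name == app_name and not rec.revoked:
                rec.revoked = True
                revoked_hashes.add(h)
        dead = [sid for sid, s in self._sessions.items() if s.token_hash in revoked_hashes]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)

    def list_tokens(self):
        """What the preferences panel would show: app name, rights, revoked flag."""
        return [(t.app_name, sorted(t.rights), t.revoked) for t in self._tokens.values()]


if __name__ == "__main__":
    store = TokenStore("Petr")
    awb = store.issue("AWB", {"read", "edit"})  # constructed sample token
    sid = store.login(awb)
    print("edit allowed:", store.authorize(sid, "edit"))        # True
    print("delete allowed:", store.authorize(sid, "delete"))    # False
    print("sessions killed:", store.revoke("AWB"))              # 1
    print("edit after revoke:", store.authorize(sid, "edit"))   # False
```

The point of `revoke` removing sessions, not just flagging the token, is the one the post relies on: a stolen token that has already been exchanged for a session must stop working when the user pulls the token, otherwise revocation only protects against future logins.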
Hello,
On Wednesday, 11 February 2015, 16:59:45, Petr Bena wrote:
We have OAuth for browser-based programs, but nothing for desktop applications that are used by users (like AWB etc.).
It sounds pretty simple to me, so why don't we have anything like that?
The reason currently given at https://www.mediawiki.org/wiki/OAuth/For_Developers#Intended_Users is:
"… not… Desktop applications (the Consumer Secret needs to be secret!)"
On Wednesday, February 11, 2015, Guillaume Paumier gpaumier@wikimedia.org wrote:
Hello,
On Wednesday, 11 February 2015, 16:59:45, Petr Bena wrote:
We have OAuth for browser-based programs, but nothing for desktop applications that are used by users (like AWB etc.).
It sounds pretty simple to me, so why don't we have anything like that?
The reason currently given at https://www.mediawiki.org/wiki/OAuth/For_Developers#Intended_Users is:
"... not... Desktop applications (the Consumer Secret needs to be secret!)"
That's why we don't use OAuth for these (see my last email on that too). We can shift our threat model to change this, but it comes at a cost (vandalism can't be blocked at the app-level, we have to require https for more pieces of the protocol, etc).
Petr's current request sounds a little more like Google's per-application passwords, except they are also limited in what rights they can use. Petr, I'm assuming you wouldn't want to do an OAuth-like signature on each request, but instead use it to login, then use the session cookie for future requests? Or were you thinking signed API calls like with OAuth?
-- Guillaume Paumier
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
From a developer's point of view, a session looks much easier to implement than signed API calls. I wouldn't even need to change the code of the application for it to work.
On Wed, Feb 11, 2015 at 6:43 PM, Chris Steipp csteipp@wikimedia.org wrote:
On Wednesday, February 11, 2015, Guillaume Paumier gpaumier@wikimedia.org wrote:
Hello,
On Wednesday, 11 February 2015, 16:59:45, Petr Bena wrote:
We have OAuth for browser-based programs, but nothing for desktop applications that are used by users (like AWB etc.).
It sounds pretty simple to me, so why don't we have anything like that?
The reason currently given at https://www.mediawiki.org/wiki/OAuth/For_Developers#Intended_Users is:
"... not... Desktop applications (the Consumer Secret needs to be secret!)"
That's why we don't use OAuth for these (see my last email on that too). We can shift our threat model to change this, but it comes at a cost (vandalism can't be blocked at the app-level, we have to require https for more pieces of the protocol, etc).
Petr's current request sounds a little more like Google's per-application passwords, except they are also limited in what rights they can use. Petr, I'm assuming you wouldn't want to do an OAuth-like signature on each request, but instead use it to login, then use the session cookie for future requests? Or were you thinking signed API calls like with OAuth?
-- Guillaume Paumier
I know this and that is why I started this thread :)
On Wed, Feb 11, 2015 at 5:17 PM, Guillaume Paumier gpaumier@wikimedia.org wrote:
Hello,
On Wednesday, 11 February 2015, 16:59:45, Petr Bena wrote:
We have OAuth for browser-based programs, but nothing for desktop applications that are used by users (like AWB etc.).
It sounds pretty simple to me, so why don't we have anything like that?
The reason currently given at https://www.mediawiki.org/wiki/OAuth/For_Developers#Intended_Users is:
"… not… Desktop applications (the Consumer Secret needs to be secret!)"
-- Guillaume Paumier