[Labs-l] OAuth is here!

Brad Jorsch (Anomie) bjorsch at wikimedia.org
Sun Nov 24 19:58:21 UTC 2013


On Sat, Nov 23, 2013 at 6:04 PM, Marc A. Pelletier <marc at uberbox.org> wrote:
> On 11/23/2013 05:18 PM, Matthew Flaschen wrote:
>> I haven't seen TUSC used for simply logging into other sites without
>> intending to take an action on a Wikimedia wiki.  It may be, somewhere,
>> though.
>
> I didn't know about that commons thing, and that is clearly OAuth.
> UTRS, however, uses TUSC just to know who you are, which is OpenID.

Other possibilities for "to know who you are":

If you're not worried about MitM (including NSA-style compromised CA
situations) or other sorts of attacks, hitting
api.php?action=query&meta=userinfo via OAuth will tell the app who the
user is. If the app doesn't have any personal or private information
or access controls based on the on-wiki identity of the user (e.g.
it's just used for "Hi $NAME" or showing/hiding "block" or "protect"
buttons based on whether you have the needed user rights), I'd think
you're probably good here.

Then there's Gerrit change 93859,[1] which would add the ability to
request what is effectively a signed version of meta=userinfo.
Something like UTRS that needs to restrict access to unblock requests
based on the on-wiki identity would need this (or OpenID).


 [1]: https://gerrit.wikimedia.org/r/#/c/93859/


-- 
Brad Jorsch (Anomie)
Software Engineer
Wikimedia Foundation
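
The difference between the plain meta=userinfo answer and a signed one, shown as an added example. This code is not part of the original message or of Gerrit change 93859. It assumes the signed response is an HS256 JWT keyed by a secret the app shares with the wiki; the claim names (iss, aud, exp, nonce, username), the function names and all sample values are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_identity(claims, secret):
    """Stand-in for the wiki side: build an HS256 token (constructed test data)."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(mac)}"

def verify_identity(token, secret, issuer, audience, nonce, now=None, leeway=60):
    """Return the claims if the token is authentic and fresh; raise ValueError otherwise."""
    head, body, sig = token.split(".")  # ValueError unless exactly three parts
    header = json.loads(b64d(head))
    # Pin the algorithm: never let the token choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64d(sig)):
        raise ValueError("bad signature")
    # Parse and trust the payload only after the MAC has checked out.
    claims = json.loads(b64d(body))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("token was issued to a different app")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp + leeway < now:
        raise ValueError("expired")
    return claims

# Constructed sample values, not real credentials.
SECRET = b"constructed-consumer-secret"
CLAIMS = {"iss": "https://wiki.example", "aud": "constructed-consumer-key",
          "exp": 2000000000, "nonce": "n-123", "username": "ExampleUser"}
TOKEN = sign_identity(CLAIMS, SECRET)
```

An app that gates access on the returned username would call verify_identity with a fresh nonce per login and refuse the session on any ValueError.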


