On Wed, Aug 21, 2013 at 5:05 AM, Nicolas Vervelle nvervelle@gmail.comwrote:
I'm completely new to OAuth, so bear with me if my questions are basic or I missed a point ;-)
You have some good questions here.
I'm interested in developing this for WPCleaner [1], which is a desktop application. Is the callback URL required ? If so, which one should you use for a desktop application ?
A callback URL is required.
In general with OAuth, a desktop or mobile app has to direct the user to a web browser in some manner to go to the site, log in, and authorize the application.
If you embed a web browser control right in your application, you can probably watch for it to be directed to your specific callback URL, remove the web browser control, and proceed to process the response. On the other hand, and end user shouldn't necessary trust a web browser control to not be sniffing their password as they log into the site to authorize (but on the gripping hand, the desktop app might sniff the keystrokes even with an external browser, so...))
If you open an external browser, chances are you can't catch the callback URL, so your options are limited to basically having a web page somewhere that just displays the necessary verification token for the user to copy back into your application. Perhaps we should allow for the callback URL to be left empty, in which case the OAuth extension would do just this.
For that matter, it's possible the app is unable to open a browser at all. In that case, the app could always just display the URL (possibly using a shortener), instruct the user to visit that from a full-featured computer, and then enter the verification code as mentioned in the above paragraph.
Has anyone implemented the connection to WMF wikis using OAuth under Java ?
I don't think the MediaWiki OAuth extension does anything particularly unusual, so you should be able to start with any other Java implementation of an OAuth 1.0a client.
For this to work, you request client tokens (including secret key) for the
client : do this tokens need to be kept privately ? I'm wondering, because keeping secrets for an open source desktop application is not easy.
That is a good point. I hope someone will correct me if I'm wrong, but I can't think of any way to prevent a determined attacker from extracting the keys from a desktop or mobile app (open or closed source) and impersonating it. Which means that there's no way for MediaWiki to know that the app is really who it says it is, meaning that the OAuth CID tags for such apps aren't any more reliable than the existing method of including something like "([[WP:TW|TW]])" in the edit summary. On the other hand, this in itself shouldn't compromise end-user security, because the malicious app would still have to steal the access token from the legitimate app's storage on the end user's computer.
As far as I can tell from looking around, no one really has a solution for this. There are reports that Twitter blocks the consumer key if it finds it has been compromised, which is widely criticized. On the opposite end, it seems Google just lets such apps use "anonymous" for the consumer secret, and presumably doesn't try to positively identify the consumer at all.