Proposal talk:Implement OAuth for MediaWiki (and employ in Wikimedia)

From Strategic Planning

Check out bug 19907 for a limited, but safer alternative (no need to give out passwords or any similar identification). --Tgr 16:46, 20 August 2009 (UTC)[reply]

Er, but OAuth is already an alternative to giving out passwords. Was that not clear in what I wrote?
I didn't know about this thing, but looking at it, I suspect it will only be used within Wikimedia, rather than having a potentially huge list of third parties in that config variable as well. What is your impression about it? --pfctdayelise 01:58, 21 August 2009 (UTC)[reply]

OAuth still requires giving out some sort of token that allows the site to do whatever and whenever it wants. This was the main cause of people opposing it on wikitech-l IIRC. Cross-domain AJAX requests use the standard domain-based security model of the web: you log in to Wikipedia, your browser stores a cookie, which will be attached to all cross-domain requests your browser makes from 3rd-party sites to Wikipedia, without the 3rd-party site actually accessing it. This means that all requests have to be routed through your browser and you can easily track them, and the site can access your Wikipedia account only as long as you have its browser window open. These are not very painful limitations for an editing interface, and they mean extra security. Cross-domain AJAX is also fairly simple to implement, both on server and on client side.

You are right that the config variable is not the right way to handle a lot of sites (it is good for things like the toolserver), but you could allow users to add their own sites or even create some sort of opt-in interface. --Tgr 12:32, 22 August 2009 (UTC)[reply]

I like one of the hoped for outcomes for this proposal: to allow small communities to develop within the larger Wikipedia community. This makes a lot of sense to me. Adding to favourites. --Bodnotbod 11:22, 1 September 2009 (UTC)[reply]

Impact?

Some proposals will have massive impact on end-users, including non-editors. Some will have minimal impact. What will be the impact of this proposal on our end-users? -- Philippe 00:10, 3 September 2009 (UTC)[reply]

Implementation

FamilySearch Research Wiki has implemented oauth. It'll be available on the production system within the next few months. We've been authenticating on our development, systest and staging references for the last few months. -- Stringhamdb 02:37, 25 September 2009 (UTC)[reply]