Last modified: 2013-12-22 14:19:29 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T32348, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 30348 - Add Oauth support to Mediawiki
Add Oauth support to Mediawiki
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Extensions requests (Other open bugs)
unspecified
All All
: High enhancement with 1 vote (vote)
: ---
Assigned To: Chris Steipp
:
Depends on: 51221 53956
Blocks: 44483
  Show dependency treegraph
 
Reported: 2011-08-12 18:32 UTC by Diederik van Liere
Modified: 2013-12-22 14:19 UTC (History)
12 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description Diederik van Liere 2011-08-12 18:32:18 UTC
Based on the following discussions:
1) http://strategy.wikimedia.org/wiki/Proposal:Implement_OAuth_for_MediaWiki_(and_employ_in_Wikimedia)
2) http://www.mediawiki.org/wiki/OAuth
3) http://www.mail-archive.com/wikitech-l@lists.wikimedia.org/msg04104.html

this is a request to add Oauth support to Mediawiki. This implementation should provide at a minimum (technical perspective):
1) An easy way to keep track of edits made by a particular Oauth service
2) As a start, only simple write access, not all the other actions as they are exposed by the API.
3) It should be 100% transparent who the editor was who made the edit
4) A way for admins to block  all edits from a specific tool as easily as they can currently block or revert all edits from a specific user
5) Not possible to take dangerous admin-only actions (e.g. editing interface messages)

Community perspective:
1) Policies on what kind of Oauth services to accept.
2) Policies on whether the Oauth service should be open source.
3) Policies on when to revoke an Oauth service access to the Wikipedia websites.
4) Wikimedia's privacy policy and Creative Commons license always apply to edits made through an Oauth service. 

Please add your comments if I have missed important aspects.
Comment 1 Sam Reed (reedy) 2011-08-12 18:33:19 UTC
Is this an addition to core, or is it going to be an extension?
Comment 2 Chad H. 2011-08-12 18:38:51 UTC
I would imagine as an extension, like OpenID.
Comment 3 Daniel Friesen 2011-08-12 20:11:59 UTC
Considering how deeply this would have to integrate with MW (annotating the fact that an OAuth system was used to create a rev) I think OAuth support is going to have to be part of core if we're going to do it right.

That's probably better off anyways. Everything will be a lot better if bots and whatnot can just use OAuth as a standard to talk to most MW wikis out there.
Comment 4 Diederik van Liere 2011-08-12 20:13:47 UTC
My initial thought was also to make it part of core.
Comment 5 Chad H. 2011-08-12 20:15:40 UTC
Fair enough. The authn/authz system needs a lot of love anyway.
Comment 6 Brion Vibber 2011-08-15 17:48:25 UTC
"Simple" OAuth token setup for API authentication may be doable as an extension, depending on how hard it is to plug things in appropriately.

Fine-grained permissions would probably need some explicit API support, and might need some general rethinks (eg can I give an app permission to read pages and upload files on my behalf, but not to block, unblock, delete pages, etc?).
Comment 7 Ryan Lane 2011-08-16 00:32:53 UTC
I would prefer this be an extension. Adding hook points into the right places allows us to replace oauth with whatever comes in the future as well.
Comment 8 Diederik van Liere 2011-11-17 18:03:06 UTC
I have written a proposal to implement OAuth2 and it's available here: http://www.mediawiki.org/wiki/OAuth
Comment 10 Brion Vibber 2011-11-22 00:31:53 UTC
revert properties changed by spammer
Comment 11 Ryan Lane 2013-02-06 16:47:12 UTC
Lack of OAuth means we can't have things like a web version of huggle, proper support for web tools or any web application other than mediawiki realistically usable in our infrastructure. This definitely isn't a low priority.
Comment 12 Andre Klapper 2013-02-06 19:18:20 UTC
I see. Thanks for correcting!
Comment 13 Dario Taraborelli 2013-02-06 19:43:54 UTC
Assigning this to Chris as he's currently leading work on OAuth support.
Comment 14 Mormegil 2013-08-27 20:49:00 UTC
Can this be marked RESOLVED/FIXED with https://www.mediawiki.org/wiki/Extension:OAuth in experimental state but deployed on some wikis, or should we wait for a tarball release or something?
Comment 15 Dan Garry 2013-12-22 14:19:29 UTC
Resolving as fixed due to the OAuth extension reaching the stage where it's usable.

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links