Hi all!

This is a quick announcement that it’s now possible to make cross-origin
requests to the Action API authenticated using OAuth. This means you can
create tools / apps that use OAuth to act on the user’s behalf and that
run entirely in the browser, without needing a server-side component.

To make these requests, first obtain an OAuth 2 access token following
the usual authorization flow. (I think from MediaWiki’s point of view,
OAuth 1.0a would also be technically possible, but I think it would be
pretty difficult if not impossible to generate correct OAuth 1.0a
requests within the browser. Just use OAuth 2 :D) Addshore recently
published a blog post [1] going through the process in detail; you can
also use a library, such as yours truly’s m3api-oauth2 [2]. Then, when
you make a request against the Action API, include the crossorigin=
parameter in the request URL, and the API should allow the request and
respond with the needed CORS headers to make the browser return the
response to your JS code. (The parameter is boolean, so the value is
irrelevant and can be left empty. Note that, just as with the origin=
parameter, it must be part of the request URL and not the request body
of a POST request, so that it’s still included in a preflight request.)
A full example, with an included OAuth client, is available at [3].

Note that, if you’re building a fully client-side OAuth app, this
implies that you’ll be shipping the OAuth client (consumer) credentials
to your users, so you should mark the client as non-confidential when
requesting it (uncheck the “client is confidential” box on [4]).
Non-confidential clients are just as functional as confidential clients
(with the exception of T323855 [5] – to work around that, you can just
ship the client secret together with the client ID and treat both as
public); the “not confidential” flag mainly serves as a hint to the
OAuth administrators [6] that they shouldn’t revoke your client just
because its credentials were found “in the wild”, because it’s not
expected to be confidential in the first place. If you’d rather have
your OAuth credentials confidential after all, then you’ll instead need
to build your tool with a server-side component (such as a Toolforge
webservice) that can keep them secret.

This feature was only recently developed, so if you’re targeting
non-Wikimedia wikis, you’ll probably have to wait for the release of
MediaWiki 1.44 before you can start to use the new crossorigin=
parameter there. (It’s perhaps worth noting that the REST API has
supported OAuth-authenticated CORS for a while already, though it
doesn’t offer all of the same features as the Action API.)

For more information, see also [7], [8] and [9].

Cheers!
Lucas

[1]: https://addshore.com/2025/02/vuetify-app-with-wikimedia-oauth-login/
[2]: https://github.com/lucaswerkmeister/m3api-oauth2/
[3]: https://github.com/lucaswerkmeister/m3api-examples/tree/main/webapp-clientside-vite-guestbook
[4]: https://meta.wikimedia.org/wiki/Special:OAuthConsumerRegistration/propose/oauth2
[5]: https://phabricator.wikimedia.org/T323855
[6]: https://meta.wikimedia.org/wiki/Special:MyLanguage/Meta:OAuth_administrators
[7]: https://www.mediawiki.org/wiki/Manual:CORS
[8]: https://www.mediawiki.org/wiki/API:Cross-site_requests
[9]: https://phabricator.wikimedia.org/T322944
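The request shape the announcement describes (crossorigin= in the request URL so it survives the preflight, the OAuth 2 access token in the Authorization header, and a CSRF token fetched before the edit), as an added JavaScript example that is not code from the post, from m3api-oauth2 or from the linked guestbook app; the wiki URL, access token and page content are assumed values.

```javascript
// Added example, not code from the post or from m3api-oauth2. It builds an
// Action API request authenticated with an OAuth 2 bearer token so that it
// passes the browser's CORS checks as described in the announcement:
//   - crossorigin= goes in the request URL, never in the POST body, so it is
//     also present in the preflight (OPTIONS) request that the Authorization
//     header triggers;
//   - the parameter is boolean, so its value is left empty;
//   - a write action additionally needs a CSRF token from meta=tokens.
// apiUrl, the access token and the page content are assumed/constructed.

function buildActionApiRequest(apiUrl, accessToken, params, method = 'GET') {
  const url = new URL(apiUrl);
  url.searchParams.set('crossorigin', '');            // boolean: empty value is fine
  const headers = { Authorization: `Bearer ${accessToken}` };
  const fields = new URLSearchParams({ format: 'json', formatversion: '2', ...params });
  if (method === 'GET') {
    for (const [k, v] of fields) url.searchParams.set(k, v);
    // credentials: 'omit' keeps cookies out; the bearer token is the only auth.
    return { url: url.toString(), init: { method, headers, credentials: 'omit' } };
  }
  // Action parameters go in the body; crossorigin= stays in the query string.
  return { url: url.toString(), init: { method, headers, credentials: 'omit', body: fields } };
}

// The API reports failures in the JSON body, usually with HTTP 200, so check it.
function checkApiResponse(json) {
  if (json && json.error) {
    throw new Error(`Action API error ${json.error.code}: ${json.error.info}`);
  }
  return json;
}

function parseCsrfToken(json) {
  const token = checkApiResponse(json).query?.tokens?.csrftoken;
  if (typeof token !== 'string') throw new Error('no csrftoken in response');
  return token;
}

// Fetch a CSRF token (GET), then submit the edit (POST) with the same bearer token.
async function editPage(apiUrl, accessToken, title, text, summary = '') {
  const q = buildActionApiRequest(apiUrl, accessToken,
    { action: 'query', meta: 'tokens', type: 'csrf' });
  const token = parseCsrfToken(await (await fetch(q.url, q.init)).json());
  const e = buildActionApiRequest(apiUrl, accessToken,
    { action: 'edit', title, text, summary, token }, 'POST');
  return checkApiResponse(await (await fetch(e.url, e.init)).json());
}
```

Because the Authorization header makes every such request "non-simple", the browser always sends a preflight first; keeping crossorigin= in the URL rather than the form body is what lets that preflight succeed.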
_______________________________________________
Wikitech-l mailing list -- wikitech-l@lists.wikimedia.org
To unsubscribe send an email to wikitech-l-le...@lists.wikimedia.org
https://lists.wikimedia.org/postorius/lists/wikitech-l.lists.wikimedia.org/