On Wednesday, February 11, 2015, Guillaume Paumier <[email protected]> wrote:
> Hello,
>
> On Wednesday, 11 February 2015, 16:59:45, Petr Bena wrote:
> >
> > We have OAuth for browser based programs. But nothing for desktop
> > applications that are being used by users. (Like AWB etc).
> >
> > It sounds pretty simple to me, so why we don't have anything like that?
>
> The reason currently given at
> https://www.mediawiki.org/wiki/OAuth/For_Developers#Intended_Users
> is:
>
> "... not... Desktop applications (the Consumer Secret needs to be secret!)"
>

That's why we don't use OAuth for these (see my last email on that too). We can shift our threat model to change this, but it comes at a cost (vandalism can't be blocked at the app-level, we have to require https for more pieces of the protocol, etc).

Petr's current request sounds a little more like Google's per-application passwords, except they are also limited in what rights they can use. Petr, I'm assuming you wouldn't want to do an OAuth-like signature on each request, but instead use it to log in, then use the session cookie for future requests? Or were you thinking signed API calls like with OAuth?

> --
> Guillaume Paumier
>
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
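Why app-level blocking depends on the Consumer Secret staying secret, as an added example that is not part of the thread and not MediaWiki's code. It assumes OAuth 1.0a-style HMAC-SHA1 signing as specified in RFC 5849; the consumer key, secrets, nonce, token and URL are constructed placeholders, and `attribute` and `request` are hypothetical helper names.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed values: the server's consumer registry and one user's token secret.
CONSUMERS = {"desktop-editor": "constructed-consumer-secret"}
TOKEN_SECRET = "constructed-token-secret"
URL = "https://wiki.example/w/api.php"  # placeholder, assumed already normalized


def pct(value):
    # RFC 5849 section 3.6: everything except unreserved characters is encoded.
    return quote(value, safe="-._~")


def sign(method, url, params, consumer_secret, token_secret):
    # The signing key joins the per-application secret and the per-user secret.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def attribute(method, url, params, signature):
    """Server side: the consumer key a request is attributed to, or None."""
    # Nonce and timestamp replay checks are left out to keep the example short.
    secret = CONSUMERS.get(params.get("oauth_consumer_key", ""))
    if secret is None:
        return None
    expected = sign(method, url, params, secret, TOKEN_SECRET)
    valid = hmac.compare_digest(expected, signature)
    return params["oauth_consumer_key"] if valid else None


def request(action, consumer_secret):
    """Client side: build and sign one API call with the given consumer secret."""
    params = {
        "action": action, "format": "json",
        "oauth_consumer_key": "desktop-editor", "oauth_token": "constructed-token",
        "oauth_nonce": "constructed-nonce", "oauth_timestamp": "1423670400",
        "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
    }
    return params, sign("POST", URL, params, consumer_secret, TOKEN_SECRET)
```

The server attributes a request to an application purely because its signature verifies under that application's secret, so blocking or rate-limiting by consumer key is only meaningful while the secret is held by the application alone.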
