From a developer's point of view, a session looks much easier to implement than signed API calls. I wouldn't even need to change the code of the application for it to work.

On Wed, Feb 11, 2015 at 6:43 PM, Chris Steipp <[email protected]> wrote:
> On Wednesday, February 11, 2015, Guillaume Paumier <[email protected]>
> wrote:
>
>> Hello,
>>
>> On Wednesday 11 February 2015, 16:59:45 Petr Bena wrote:
>> >
>> > We have OAuth for browser-based programs. But nothing for desktop
>> > applications that are being used by users. (Like AWB etc).
>> >
>> > It sounds pretty simple to me, so why don't we have anything like that?
>>
>> The reason currently given at
>> https://www.mediawiki.org/wiki/OAuth/For_Developers#Intended_Users
>> is:
>>
>> "... not... Desktop applications (the Consumer Secret needs to be secret!)"
>>
>
> That's why we don't use OAuth for these (see my last email on that too). We
> can shift our threat model to change this, but it comes at a cost
> (vandalism can't be blocked at the app-level, we have to require https for
> more pieces of the protocol, etc).
>
> Petr's current request sounds a little more like Google's per-application
> passwords, except they are also limited in what rights they can use. Petr,
> I'm assuming you wouldn't want to do an OAuth-like signature on each
> request, but instead use it to log in, then use the session cookie for
> future requests? Or were you thinking signed API calls like with OAuth?
>
>>
>> --
>> Guillaume Paumier

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
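
As an added illustration of the "signature on each request" option discussed in this thread (not code from the thread or from MediaWiki), the sketch below computes and checks an OAuth 1.0a HMAC-SHA1 signature as defined in RFC 5849. The endpoint, keys, tokens and parameters are constructed placeholders; the point to notice is that the consumer secret is half of the signing key, so a copy shipped inside a desktop client is no longer secret.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample values, not real credentials or a real endpoint.
URL = "https://wiki.example/w/api.php"
CONSUMER_SECRET = "app-secret-shipped-with-client"
TOKEN_SECRET = "per-user-token-secret"
PARAMS = {
    "action": "edit", "title": "Sandbox", "text": "hello world",
    "oauth_consumer_key": "app-key", "oauth_token": "user-token",
    "oauth_nonce": "n-12345", "oauth_timestamp": "1423680000",
    "oauth_signature_method": "HMAC-SHA1",
}

def pct(value):
    # RFC 5849 section 3.6: only unreserved characters stay unencoded.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Method, URL and the sorted, encoded parameters are all covered by the MAC.
    # Assumes the URL has no query string and params excludes oauth_signature.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    # The HMAC key is "consumer_secret&token_secret": both halves are needed.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(method, url, params, signature, consumer_secret, token_secret):
    # Server side: recompute and compare in constant time.
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

def demo():
    sig = sign("POST", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    tampered = dict(PARAMS, title="Main_Page")
    return {
        "valid": verify("POST", URL, PARAMS, sig, CONSUMER_SECRET, TOKEN_SECRET),
        "tampered": verify("POST", URL, tampered, sig, CONSUMER_SECRET, TOKEN_SECRET),
        "wrong_app_secret": verify("POST", URL, PARAMS, sig, "guess", TOKEN_SECRET),
    }

if __name__ == "__main__":
    print(demo())
```

Every request has to be signed this way, which is the client-side cost compared with logging in once and replaying a session cookie; in exchange, each signature binds the method, URL and parameters to both secrets.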
