On Mon, 2 Mar 2026 at 16:52, Roy Smith <[email protected]> wrote:
>
> Why 2.0? All of my OAuth consumers use 1.0a. Will I need to generate new
> consumer keys?

This is primarily because OAuth 2.0 uses access tokens that are formatted as JWTs, which we can validate extremely efficiently in services outside of MediaWiki. That means we can use authentication as a signal in abuse detection at the CDN without affecting performance, likewise using it to apply global API rate limits in an API gateway that sits in front of all MediaWiki instances.

If tools are running on WMCS, this will exempt you from the limits even when using OAuth 1.0. For tools outside WMCS, OAuth 1.0 consumers will work as long as you also send cookies, as this will include a JWT cookie in the request that we can validate in place of an OAuth 2.0 access token. If neither of these are possible, then yes, it would make sense to generate new OAuth 2.0 clients.

Best,
Jonathan
