OAuth
From MediaWiki.org
There could be some benefit to implementing OAuth to give third-party tools (web or client) limited access to account permissions or information.
OAuth provides a standard protocol for negotiating secure access tokens, which don't reveal usernames or passwords to the third-party tool.
(Consider also OpenID, which doesn't exactly do the same thing. The two can work nicely together... TODO: find some relevant links from the Mozilla Labs presentation last month --brion 00:07, 24 July 2009 (UTC))
Relevant API actions
- login
- watchlist, watchlistraw, feedwatchlist
- deletedrevs
From the "write" API:
- rollback
- delete
- undelete
- protect
- block
- unblock
- move
- edit
- emailuser
- watch
- patrol
- import
- userrights
Benefits for users
- Don't have to give their password to third parties
- Can manage authorisation to third parties from the OAuth provider (i.e. MediaWiki)
  - see all authorisations they have granted
  - revoke any authorisation without having to change their password and without upsetting the others
Benefits for the wiki
- Provides a way to approve applications, and set enforceable guidelines about acceptable use
- Provides a way for third parties to "do the right thing" and not collect passwords
- Provides a way to identify, on-wiki, actions made by third parties, and easily stop them if necessary
What is needed
(as well as the actual OAuth stuff, or as part of it)
- Page on MW that lists all applications a user has authorised, what exactly has been authorised, and the time limit (a Special page or maybe under Preferences)
- Way for very privileged users (admins? bcrats?) to revoke an application's authorisations site-wide (this is in case it "goes rogue")
- Way to mass-rollback edits made by an application (perhaps similar to Extension:Nuke)
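
A sketch of the bookkeeping these requirements imply, written in Python as an added example; it is not MediaWiki code and does not implement the OAuth token negotiation itself. The names `GrantRegistry`, `Grant` and `KNOWN_ACTIONS` are hypothetical, and the action set is a subset of the API actions listed above.

```python
import secrets
import time
from dataclasses import dataclass, field
# Assumption: a subset of the API actions listed on this page.
KNOWN_ACTIONS = frozenset({"edit", "watch", "rollback", "delete", "move", "emailuser"})

@dataclass
class Grant:
    user: str
    app: str
    actions: frozenset
    expires_at: float
    # Opaque token handed to the tool in place of the user's password.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

class GrantRegistry:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._grants = {}            # token -> Grant
        self._blocked_apps = set()   # applications revoked site-wide

    def authorise(self, user, app, actions, ttl):
        actions = frozenset(actions)
        if not actions or not actions <= KNOWN_ACTIONS:
            raise ValueError("empty or unknown action set")
        if app in self._blocked_apps:
            raise PermissionError("application revoked site-wide")
        grant = Grant(user, app, actions, self._clock() + ttl)
        self._grants[grant.token] = grant
        return grant.token

    def _active(self, g):
        return g.app not in self._blocked_apps and self._clock() < g.expires_at

    def is_allowed(self, token, action):
        g = self._grants.get(token)
        return g is not None and self._active(g) and action in g.actions

    def list_grants(self, user):  # data for the per-user "authorised applications" page
        return sorted((g.app, sorted(g.actions)) for g in self._grants.values()
                      if g.user == user and self._active(g))

    def revoke(self, user, app):  # user-initiated; the user's other grants are untouched
        self._grants = {t: g for t, g in self._grants.items()
                        if (g.user, g.app) != (user, app)}

    def revoke_sitewide(self, app):  # privileged; cuts off every user's grant to app
        self._blocked_apps.add(app)
```

Every API request made with a token would pass through `is_allowed`, so an expired grant, a user's revocation and a site-wide revocation all take effect on the next request without any password change.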