Thread:Talk:OAuth/OAuth 2 over https/reply (2)

On this topic I ran into this post: http://blog.astrumfutura.com/2010/10/do-cryptographic-signatures-beat-ssltls-in-oauth-2-0/

It's nice to hear that signatures are coming back (though I can't find them when scanning the spec). But I do have something important on this topic:


 * The big issue with not having signatures is discoverability. No signatures + discoverability = phishing basically.
 * While everyone talks about OAuth on Wikipedia, the frank reality is what we'll be developing is OAuth for MediaWiki. Which is a different beast that will inevitably end with lots of small MediaWiki installations installing OAuth.
 * We're also already talking about anti-vandalism tools using OAuth. And quite frankly, while Huggle is WMF-centric OAuth is inevitably going to be used for other anti-spam tools, bots, etc... which of course may not be WMF-centric.
 * This means that discoverability is inevitable. We will have OAuth on many MediaWiki installations and we will have clients that want to work with more than just WMF.
 * This also means that wikis without HTTPS are inevitable. There are thousands of MediaWiki installations without it, plenty that will have users that want to use apps that will use OAuth, and plenty without a budget for a SSL certificate.

So under these circumstances I think we need the following:
 * When we do implement OAuth, we include the signatures implementation right away.
 * By default we DO NOT support OAuth without signatures. Only wikis that have explicitly enabled non-signature support will accept clients not using signatures.
 * Even when signatureless OAuth is enabled we ALWAYS support signatures. If a client asks for authentication using signatures we ALWAYS respect that.
 * We keep the situation where we have an arbitrary number of MW API clients using OAuth and an arbitrary number of MediaWiki instances supporting OAuth in mind and remember we'll eventually need to support the situation where a client can work with a MediaWiki installation without the author explicitly registering with every MediaWiki instance in existence to support them all.

I know that there's still some issue with OAuth over http even with signatures. But I believe that's something that can potentially be handled in the discoverability process. It's also still better than the alternative.