Extension:OAuth

The OAuth extension implements OAuth 1.0a in MediaWiki. It allows third party developers to securely develop applications (Consumer), which users can grant a limited set of permissions (Grants) to, so that the application can use the MediaWiki api on the user's behalf.

Requirements

 * OAuth relies on memcached for temporary tokens and sessions
 * Currently, only mysql database backend is supported

Installation
You will need to configure the user rights below into relevant groups in.

Using OAuth
In order to use OAuth to make MediaWiki api calls on behalf of another user, you need to: An example php script that handles the technical portions of this can be found here: User:CSteipp/OAuth_demo_client
 * 1) Register your application (Consumer), and get it approved by a wiki admin
 * 2) Get the user's permission, and get a set of authorized tokens
 * 3) When making api calls, include an Authorization: HTTP header, which identify the user and prove your possession of the authorized token

An example using flask-oauth: Setting_up_Flask_cgi_app_as_a_tool/OAuth

Register your Consumer

 * To propose your Consumer, you must have the 'mwoauthproposeconsumer' right
 * On WMF wikis, this right is given to autoconfirmed accounts
 * Visit Special:MWOAuthConsumerRegistration/propose
 * Fill in the required information
 * Name and description: This is what your users will see when authorizing your application, along with your wiki username
 * Version: The permissions you grant are tied to a specific version of your application. You will increase the version number if you need to change grants later.
 * Callback URL: This is the url where user will be redirected after they have authorized your application in their web browser, with the verification code added as a GET parameter, and the temporary token to identify the user to you.
 * For bots, you will probably want to redirect the user to a page that will show the verification code back to the user, and have them cut-and-paste the verification code into the bot.
 * Grants: These are the permissions you application will use, if your user also has these rights.
 * Unless this is a demo application, you will need "Basic Rights" to use the MediaWiki api
 * Users can revoke individual grants from your application, so your application always needs to handle permission errors gracefully
 * Restrictions: The OAuth specification recommends that OAuth Consumers are restricted to a limited set of IP addresses. This protects your users, in case your secret key is compromised, and an attacker attempts to use the MediaWiki api on behalf of your users. This can be updated after your application is approved.

Get Your User's Permission
For a user (who you have authenticated in your application) to allow your application to use MediaWiki on their behalf, you will need to complete the 3-step OAuth protocol, and store the user-specific token and secret for that user. You will use the user-specific token, along with your application's token and secret on each API call, for MediaWiki to act on behalf of the user.


 * Step 1: Obtain a temporary token by calling Special:MWOAuth/initiate from your application
 * Caveat: When constructing your url, use /index.php?title=Special:MWOAuth instead of /wiki/Special:MWOAuth, because MediaWiki silently will create a title parameter that isn't included in your signature calculation.
 * Step 2: Direct the user's browser to Special:MWOAuth/authorize, with the token from Step #1 as a GET parameter
 * Step 3: After the user has authorized your application and been redirected back to your application, exchange the verification code and the temporary token for a permanent authorized token

Use the API, setting Authorization header

 * MediaWiki requires that you use the http Authorization header, instead of including the OAuth parameters your GET or POST values
 * You will still need to get and use CSRF tokens to make edits, just as if you were using the API normally. Your application does not need to keep track of the wiki's session cookie-- the OAuth extension will create and use a session based on the user's authorized token, which will last up to 1 hour
 * Your API calls will be limited to the user rights that were both given to the user, and granted by the user to your application during the authorization step
 * Edits from your application will be tagged with your Consumer's id number