OAuth/For Developers

OAuth Security Provisions

 * MediaWiki users can allow other websites to edit and perform other actions through the MediaWiki API on their behalf.
 * The attached website never receives the user's password; instead it is issued a unique token and secret with which to make calls on behalf of the user.
 * The access is limited to explicit sets of permissions ("grants") chosen for the application; the token cannot do anything outside those grants.
 * Users can revoke their authorization of an attached application at any time.
 * Administrators can reject (disable) entire applications at any time.

MediaWiki Specific Provisions

 * Extension:OAuth implements a Special:OAuth/identify endpoint so the attached application can learn which user authorized it. The response is a signed statement (a JSON Web Token signed with HMAC-SHA256 using the consumer secret); the application must verify that signature and the token's claims before trusting the identity it carries.
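An added example (not Extension:OAuth's own code) of the checks an attached application should run on the identify response before accepting the username in it. The consumer key, consumer secret and issuer URL are placeholders; the token is minted locally with the same HS256 construction so the verification can run offline. Claim names follow the identify response (iss, aud, iat, nonce, sub, username); their values here are constructed.

```python
"""
Verifying the JWT returned by Special:OAuth/identify (HS256 with the
consumer secret). Added example with placeholder credentials.
"""
import base64
import hashlib
import hmac
import json
import time

CONSUMER_KEY = "abc123consumer"            # placeholder, as registered
CONSUMER_SECRET = "s3cr3t_consumer"        # placeholder, issued at registration
WIKI_ISSUER = "https://en.wikipedia.org"   # placeholder canonical server name


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_identify_jwt(claims, secret):
    """Build an HS256 token the way the wiki would. Demo-only: a real app
    never mints identify tokens, it only receives them."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_identify_jwt(token, expected_nonce, now=None, max_age=60):
    """Return the verified claims, or raise ValueError on any failed check.

    Order matters: fix the algorithm and check the signature first, then
    look at the claims (issuer, audience, freshness, nonce)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":     # never let the token choose 'none' or RS256
        raise ValueError("unexpected alg")
    expected = hmac.new(CONSUMER_SECRET.encode(),
                        f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != WIKI_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CONSUMER_KEY:
        raise ValueError("token was issued to another consumer")
    if abs(now - int(claims.get("iat", 0))) > max_age:
        raise ValueError("token too old")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def identify_ok(token, expected_nonce, now=None):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify_identify_jwt(token, expected_nonce, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = {"iss": WIKI_ISSUER, "aud": CONSUMER_KEY, "iat": int(time.time()),
              "nonce": "n1", "sub": 12345, "username": "ExampleUser"}
    token = mint_identify_jwt(sample, CONSUMER_SECRET)
    print(verify_identify_jwt(token, "n1")["username"])
```

The nonce is one the application generated and sent with the identify request, so a captured token cannot be replayed into a different session; the audience check stops a token issued to another consumer from being presented to yours.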

Signatures and TLS

 * For OAuth 1.0a, every request between MediaWiki and the attached application is signed, either with a shared secret (HMAC-SHA1) or with the application's RSA key (RSA-SHA1).
 * If shared secrets are used, the attached application must use TLS whenever a secret is negotiated (the consumer secret at registration, the token secrets returned by Special:OAuth/initiate and Special:OAuth/token): anyone who observes a secret in transit can sign requests as the application.
 * If RSA is used, TLS is not required for the signatures themselves, since the private key never leaves the application. TLS is still advisable: the signature covers only the request parameters, not the API response or the user's data returned in it.

Intended Users

 * Websites that want to take actions on MediaWiki on behalf of their users.
 * Bots
 * But not...
 * Desktop applications (the consumer secret needs to stay secret, and anything shipped to end users can be extracted from the binary)
 * Websites wanting single sign-on with MediaWiki

Application Approval

 * Wiki administrators will verify that OAuth applications are written by reputable developers, and that the developers intend to use OAuth correctly. (for now)
 * Application developers must apply to have their application (Consumer) approved at Special:OAuthConsumerRegistration/propose
 * A user with the oauth-admin right must approve the application (currently CSteipp, Anomie, DGarry (WMF), Eloquence).
 * Stewards soon?
 * Your own MediaWiki user can authorize your app while it is waiting for approval, so you can test before anyone else can use it.

Attached Application Responsibility

 * Establish the user's session on your site.
 * Special:OAuth/initiate - get a temporary (request) token and its secret; this call is signed with the consumer secret and an empty token secret.
 * Redirect the user's browser to Special:OAuth/authorize?oauth_token=<request token>&oauth_consumer_key=<consumer key>
 * After the user approves, the browser is redirected back to the callback URL you registered, carrying the oauth_token and an oauth_verifier.
 * Special:OAuth/token – exchange the request token and oauth_verifier for the authorized (access) token and secret for this user; store them server-side.
 * Set an Authorization: OAuth header on every call to api.php carrying oauth_version, oauth_nonce, oauth_timestamp, oauth_consumer_key, oauth_token, oauth_signature_method and oauth_signature; the signature is computed over the method, the URL and every query, body and oauth_* parameter.
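As an added example of the last step, not code from Extension:OAuth or any MediaWiki client library, the following builds the HMAC-SHA1 Authorization header for an api.php call and then plays the wiki's side: recomputing the signature, checking the timestamp window and rejecting a replayed nonce. Consumer key/secret and access token/secret are placeholders; the nonce store is an in-memory set standing in for the wiki's persistent table. The same signing routine serves the initiate and token calls if the token secret is left empty; RSA-SHA1 would replace the HMAC step with a private-key signature and is not shown.

```python
"""
OAuth 1.0a request signing and verification for the MediaWiki API
(HMAC-SHA1). Added example with placeholder credentials.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Placeholders. The consumer pair is issued at Special:OAuthConsumerRegistration;
# the access pair is returned by Special:OAuth/token for one user.
CONSUMER_KEY, CONSUMER_SECRET = "abc123consumer", "s3cr3t_consumer"
ACCESS_TOKEN, ACCESS_SECRET = "tok456", "s3cr3t_token"


def pct(s):
    """OAuth 1.0a percent-encoding: only RFC 3986 unreserved characters are kept."""
    return quote(str(s), safe="-._~")


def base_string(method, url, params):
    """Signature base string: METHOD & base-URL & sorted, encoded parameters.
    `params` lists every query-string, form-body and oauth_* pair except
    oauth_signature; the base URL drops the query string."""
    u = urlsplit(url)
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1(method, url, params, consumer_secret, token_secret):
    """Key is consumer secret & token secret (token secret empty before /token)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def collect_params(url, body, oauth):
    params = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    params += list((body or {}).items())
    params += [(k, v) for k, v in oauth.items() if k != "oauth_signature"]
    return params


def sign_request(method, url, body=None, nonce=None, timestamp=None):
    """Consumer side: return the Authorization header for a call to api.php."""
    oauth = {
        "oauth_version": "1.0",
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": ACCESS_TOKEN,
        "oauth_signature_method": "HMAC-SHA1",
    }
    oauth["oauth_signature"] = hmac_sha1(method, url, collect_params(url, body, oauth),
                                         CONSUMER_SECRET, ACCESS_SECRET)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in oauth.items())


def parse_auth_header(header):
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth header")
    pairs = (item.split("=", 1) for item in header[6:].split(", "))
    return {unquote(k): unquote(v.strip('"')) for k, v in pairs}


SEEN_NONCES = set()   # stand-in for the wiki's persistent (timestamp, nonce) table


def verify_request(method, url, header, body=None, now=None, window=300):
    """Server side: recompute the HMAC and reject stale or replayed requests."""
    try:
        oauth = parse_auth_header(header)
        ts = int(oauth["oauth_timestamp"])
        nonce, given = oauth["oauth_nonce"], oauth["oauth_signature"]
    except (ValueError, KeyError):
        return False
    if oauth.get("oauth_consumer_key") != CONSUMER_KEY or oauth.get("oauth_token") != ACCESS_TOKEN:
        return False
    if oauth.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    if abs((now if now is not None else int(time.time())) - ts) > window:
        return False
    if (ts, nonce) in SEEN_NONCES:
        return False
    expected = hmac_sha1(method, url, collect_params(url, body, oauth),
                         CONSUMER_SECRET, ACCESS_SECRET)
    if not hmac.compare_digest(expected, given):   # constant-time comparison
        return False
    SEEN_NONCES.add((ts, nonce))
    return True


if __name__ == "__main__":
    url = "https://en.wikipedia.org/w/api.php?action=query"
    hdr = sign_request("POST", url, body={"meta": "userinfo"})
    print(hdr)
    print(verify_request("POST", url, hdr, body={"meta": "userinfo"}))   # True
    print(verify_request("POST", url, hdr, body={"meta": "userinfo"}))   # False: replay
```

Because the form body is part of the base string, changing a single POST parameter after signing invalidates the signature; the timestamp window and nonce table are what make a captured header useless to an attacker even though the signature itself would still verify.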