Help talk:OAuth


Restrictions for new accounts?

Simon Villeneuve (talkcontribs)


I plan to show how to use mix'n'match to a group of newbies and I want to know if there are restrictions on using OAuth for new accounts (like "only autoconfirmed shall pass").

Iluvatar (talkcontribs)

There are no restrictions on users (see that — new acc, no edits, no flags), but developers of tools might add any restrictions in their own source code. Sorry for my English.

Tgr (WMF) (talkcontribs)

There might be unintentional limitations coming from the fact that requests through that tool all use the same IP. So if something has an IP-level rate limit for non-autoconfirmed accounts (and several things do, e.g. 8 edits per minute), that will apply. Although for an IRL presentation with everyone using the same internet connection, such limitations would apply to non-OAuth actions as well.

Magnus Manske (talkcontribs)

So, how do I register my application? It seems like that's a thing that should be mentioned on the Help page...

Magnus Manske (talkcontribs)

Never mind, found it, and added to the Help page.

Deskana (WMF) (talkcontribs)

Hi Magnus,

Thanks for adding that link. It's possible I might make a help page for OAuth developers in the future which we can put that on, but for now I think it's helpful to have on the main help page.

Your application's already been approved. Let me know if I can help more.

This post was posted by Deskana (WMF), but signed as DGarry (WMF).

Ok, thanks

OAuth with no actions?

Dnaber (talkcontribs)

My application would like to know the usernames of Wikipedia users, so that people don't have to sign up for yet another service. It wouldn't actually run any action on Wikipedia. Does it make sense to use OAuth for that, or is there a better alternative?

Deskana (WMF) (talkcontribs)

Hi Dnaber,

You can retrieve a user's username using the API. The query you can use for this is:

That said, I suspect what you're actually asking me is "Can my website somehow use OAuth as an authentication method, so that users can sign in using their Wikipedia credentials?". The answer to that is that you can, but you shouldn't. If it's being used for authentication, the OAuth protocol is susceptible to man-in-the-middle attacks. The use of HTTPS mitigates that somewhat, but the vulnerability is still theoretically there. We'd highly recommend not using OAuth for authentication.

We're exploring the possibility of making Wikimedia wikis an OpenID provider which would allow you to use Wikimedia credentials for authorisation. We don't know if or when we'll start working on that, though.

Please let me know if you need any more information.

This post was posted by Deskana (WMF), but signed as DGarry (WMF).

This post was hidden by Tgr (WMF)
Tgr (WMF) (talkcontribs)

The above answer is now outdated. You can send an OAuth-authorized request to Special:OAuth/identify which will return user identity in a JWT (signed JSON token). As long as you properly validate the signature, this is safe and does not suffer from the vulnerability mentioned above.

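The reply above hinges on one condition: the identity JWT returned by Special:OAuth/identify is only trustworthy if the consumer validates its signature (and the claims that bind it to this consumer and this request) before reading the username out of it. The following is an added example, not code from the page or from the MediaWiki OAuth extension. It assumes the token is an HS256 JWT signed with the consumer secret and carries iss, aud (the consumer key), sub, username, nonce, iat and exp claims; those assumptions, the issuer URL and the key/secret values are all constructed for the example, and a real tool must take them from its own consumer registration and the extension's developer documentation.

```python
"""Verify a Special:OAuth/identify JWT before trusting the username in it."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values; a real tool uses the key/secret issued when its
# consumer was registered. The claim names (iss, aud, sub, username, nonce,
# iat, exp) and HS256-with-consumer-secret signing are this example's
# assumptions about the identify token, not statements from the page.
CONSUMER_KEY = "constructed-consumer-key"
CONSUMER_SECRET = "constructed-consumer-secret"
ISSUER = "https://wiki.example.org"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_identify_jwt(claims: dict, consumer_secret: str) -> str:
    """Build an HS256 JWT the way the identify endpoint is assumed to (test fixture only)."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(consumer_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_identify_jwt(token, consumer_key, consumer_secret, issuer, expected_nonce, now=None):
    """Return the claims only if signature, audience, issuer, nonce and lifetime all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm: the token never gets to choose (rejects alg "none" and key confusion).
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    # Check the HMAC before looking at any claim, using a constant-time compare.
    expected = hmac.new(consumer_secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != consumer_key:
        raise ValueError("token was issued to a different consumer")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp < now:
        raise ValueError("token expired")
    if claims.get("iat", 0) > now + 60:
        raise ValueError("token issued in the future")
    return claims


def rejects(func) -> bool:
    """True if func() raises ValueError; shows which bad tokens the verifier catches."""
    try:
        func()
    except ValueError:
        return True
    return False


SAMPLE_CLAIMS = {  # constructed
    "iss": ISSUER, "aud": CONSUMER_KEY, "sub": 12345, "username": "ExampleUser",
    "nonce": "nonce-1", "iat": 1_700_000_000, "exp": 1_700_000_000 + 300,
}
SAMPLE_NOW = 1_700_000_100  # constructed "current time" inside the token's lifetime


def edited_payload_token() -> str:
    """Genuine header and signature, payload edited to name another user (must fail the HMAC)."""
    genuine = make_identify_jwt(SAMPLE_CLAIMS, CONSUMER_SECRET)
    header_b64, _, sig_b64 = genuine.split(".")
    edited = dict(SAMPLE_CLAIMS, username="SomeoneElse")
    return ".".join([header_b64, _b64url_encode(json.dumps(edited, separators=(",", ":")).encode()), sig_b64])


def alg_none_token() -> str:
    """Unsigned token with alg 'none' (must be stopped by the algorithm pin)."""
    header_b64 = _b64url_encode(b'{"typ":"JWT","alg":"none"}')
    payload_b64 = _b64url_encode(json.dumps(SAMPLE_CLAIMS, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}."


if __name__ == "__main__":
    token = make_identify_jwt(SAMPLE_CLAIMS, CONSUMER_SECRET)
    args = (CONSUMER_KEY, CONSUMER_SECRET, ISSUER, "nonce-1", SAMPLE_NOW)
    print("genuine token, username:", verify_identify_jwt(token, *args)["username"])
    print("edited payload rejected:", rejects(lambda: verify_identify_jwt(edited_payload_token(), *args)))
    print("alg none rejected:", rejects(lambda: verify_identify_jwt(alg_none_token(), *args)))
```

The order matters: algorithm pin, then signature, then claims. Reading the username before the signature check is exactly the mistake that would reintroduce the "OAuth as login" problem the earlier answer warned about, since anything in the payload is attacker-controlled until the HMAC has passed. The nonce check ties the token to the specific request that asked for it, so an intercepted token cannot be replayed into a different session.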

How can my application yichengtry [1.1] be approved?

Anorange0409 (talkcontribs)

I registered this application on 20 June. Is there anything I need to do to get an approval?

GZWDer (talkcontribs)

You can just use it, but it is currently not useful, since you didn't make "Edit existing pages" applicable to the consumer.

Ddennedy (talkcontribs)

I would like an answer to this too. I have a consumer for "Video Editing Server" that was proposed 10 days ago, and it is still not approved. In its proposed state, only my user account can use it to let the app get an access token. This is inhibiting other people from developing and testing.

Login from blocked IP

Adam (Wiki Ed) (talkcontribs)

Is there some clarification on where/why OAuth is disabled for blocked IPs? I'm seeing some failed login attempts for unblocked users operating on school-blocked IPs and I want to know what the exact check is. Thanks.

CSteipp (WMF) (talkcontribs)

Hi Adam, users shouldn't (can't) use OAuth to log in; the login API calls are explicitly disabled. Are you seeing failures when potential users are logging in to authorize the Consumer? Or are the Consumer's API calls failing because it's running from a blocked IP?

Adam (Wiki Ed) (talkcontribs)

@CSteipp (WMF) thanks for the reply and sorry for not noticing it. I'm talking about the latter (API calls failing). They're logged in, or reported as much.

Tgr (WMF) (talkcontribs)

Blocking will work the same way for OAuth requests as normal requests (but keep in mind that the IP will be that of the server hosting the OAuth application, not the real user).

Some plans to make block handling more flexible are in T159889 and T110249.


fatal error logging into QuickStatements2

Summary by BDavis (WMF)

Bug report for a Toolforge tool. Not globally relevant.

Trilotat (talkcontribs)

Fatal error: Uncaught Exception: Error retrieving token1: {"error":"mwoauth-callback-not-oob-or-prefix","message":"oauth_callback must be set, and must be set to \"oob\" (case-sensitive), or the configured callback must be a prefix of the supplied callback.","callback":"api.php"} in /data/project/magnustools/public_html/php/oauth.php:283 Stack trace: #0 /data/project/quickstatements/public_html/api.php(103): MW_OAuth->doAuthorizationRedirect('api.php') #1 {main} thrown in /data/project/magnustools/public_html/php/oauth.php on line 283

I have used QuickStatements successfully. I had to clear cookies for other issues and now cannot log in again. I deauthorized it and now cannot use it at all.


How do I print a Wikipedia biography?

2600:1014:B1B8:18C3:68A9:E0F4:CD5E:53E (talkcontribs)

How do I print a Wikipedia biography?

Tgr (talkcontribs)

By clicking the "Print" icon in your browser, probably?

Definitely not by asking about it on a completely unrelated talk page.

Differentiate Oauth 1.0a and Oauth 2.0

Xinbenlv (talkcontribs)

Since OAuth 1.0a and OAuth 2.0 are practically two different protocols, shall we make it more explicit which version it refers to here? I am a bit confused...

Tgr (WMF) (talkcontribs)

This is user documentation; there's not that much difference from a user's point of view. The developer documentation does discuss them separately.


OAuth request token not found

Mkayschmitt (talkcontribs)

I am just beginning to sign in as a new contributor. The message reads:

The OAuth request token was not found. This is the OAuth equivalent of a session loss / CSRF error - could be caused by timeout, token reuse, the app omitting some earlier authentication step, or the token store being misconfigured on the server or being unreliable.

I am not a very savvy computer user, so will appreciate simple language in the responses.

Tgr (WMF) (talkcontribs)

This can be caused by unreliable infrastructure. You should just retry a few times.


Unable to use croptool

Monkelese15 (talkcontribs)

CropTool keeps giving me an error message; I am unable to authorize it. How do I fix it?

Tgr (WMF) (talkcontribs)

Please copy the exact error message.
