Help talk:OAuth



User login or registration with OAuth

Tribly (talkcontribs)

I would like to use OAuth to help people log in or register on my wiki with sites such as Facebook, Twitter, Google, Microsoft etc. How do I go about that?

Markhalsey (talkcontribs)

I am sorry that I don’t know exactly where to locate this information, although I did come across it sometime yesterday, and the ability to utilize Twitter, Facebook and Google were options that I noticed are indeed available in some form or another.

If you are interested in locating the Help Page which describes the capabilities, I am sure I can locate it once again. If so, please send me a message ASAP, via my Talk Page, and I will go through my Bookmarks or History for you.

Markhalsey (talk) 18:30, 13 January 2018 (UTC) Mark Halsey

Tgr (WMF) (talkcontribs)

Oalexander (talkcontribs)

Checking my "Manage connected applications" page after having been notified of a failed login attempt under a new device, I have found out that a "Library Card [1.6]" (Publisher: Jsn.sherman) is connected to my account by using the OAuth protocol. Could somebody please advise me what this means? Thanks.

Tgr (WMF) (talkcontribs)

That you have at some point logged into The Wikipedia Library Card Platform, and as part of the process authorized it to read your identity and email address on the Wikimedia sites. It's not related to failed logins in any way.

mwoauth-invalid-authorization

Summary by Smartse

The error can mean many things, but in this case it seems to have been caused by the API request, rather than any problem with the headers as the error suggested.

Smartse (talkcontribs)

Hi. I'm trying to use OAuth to be able to connect to the API via Python using my en.wiki admin rights, but get a "mwoauth-invalid-authorization" error when using a slightly adapted version of the example code at OAuth/Owner-only consumers#Python. Does anyone have any suggestions as to what might be causing the problem? Should I try getting new tokens? Does it make a difference that I've activated 2FA?

Tgr (WMF) (talkcontribs)

Normally that would mean that the consumer is waiting for admin approval, but there doesn't seem to be any such consumer. Are you using an owner-only consumer? If not, what's the consumer ID?

Smartse (talkcontribs)
Tgr (WMF) (talkcontribs)

Owner-only consumers do not require approval and it should not be possible to get that error for an owner-only consumer. Is there any chance you are using a different consumer ID in your bot configuration?

Smartse (talkcontribs)

Sorry - been away for the last week. Hmm well I'm obviously doing something wrong! I've triple checked and am definitely using that key and the other 3 parameters as in the example code. I've tried making a new key and using those but still get the same error. The only slight difference I can see with my code compared to the example is that the example uses "customer_key" whereas I have a "consumer_token" but I assumed that these are synonymous.

Tgr (WMF) (talkcontribs)

customer_key sounds wrong but I don't see it in the example, either. Apparently we do not log the consumer key for OAuth errors :/ so I cannot easily check in the server logs what went wrong - filed phab:T188848 about that.

Can you generate the error and tell the exact time it happened?

Smartse (talkcontribs)

Yes, I was a bit confused by that, but there are 4 parameters and I entered them in the order that the request page spits out. The time and error are below. I am on UTC:

2018-03-04 22:30:01.808559

{u'servedby': u'mw1223', u'error': {u'info': u'The authorization headers in your request are not valid: Invalid signature', u'*': u'See https://en.wikipedia.org/w/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce> for notice of API deprecations and breaking changes.', u'code': u'mwoauth-invalid-authorization'}}

As you'll see it also says the authorization header is not valid, but I figured that this wasn't the main problem since the request is served fine if I remove auth=auth. Just in case though my header is {'user-agent': 'Smartse deleted contribs - <my email>'}

Thanks very much for your help with this!

Smartse (talkcontribs)

Hi Tgr. Have you had a chance to take a look at the logs yet?

Tgr (WMF) (talkcontribs)

Sorry, I got distracted. Apparently mwoauth-invalid-authorization is reused for all kinds of errors so forget what I said in my earlier comments :-/ Invalid signature means an error on your side; either the algorithm for building the authorization header is wrong (sounds like you are using the one built into the requests library so that's not very likely), or you are passing in the wrong data, or your computer's clock is off. Unfortunately we don't log any useful information for signature checks :( so the logs wouldn't tell anything interesting.

Smartse (talkcontribs)

No worries. Thanks for trying. I will try and fiddle around more and hope I can get something to work, and failing that try a bot password instead.

Smartse (talkcontribs)

I don't quite understand why, but after trying and failing to get it to work with special:botpasswords instead, I've now got it working :D It seems as if it was a problem with the API query itself as I didn't change any of the other parameters in the request, but as I said above, it worked fine when I removed "auth=auth".
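Tgr's diagnosis above narrows "Invalid signature" to three causes: the wrong signing algorithm, the wrong data fed into it, or a skewed clock. The page's own Python example leans on the requests library's OAuth1 support, which hides all three. The block below is an added example (not code from the page or from the OAuth/Owner-only consumers documentation) that rebuilds the OAuth 1.0a HMAC-SHA1 signature with the standard library only, so each input can be inspected. It uses the public worked example from RFC 5849 section 3.4.1.1 as its request and secrets, not any credential from this thread; the "sign the bare endpoint, append the query later" mistake it contrasts is an assumed mechanism, since the thread never pins down what was wrong with the API query.

```python
"""Rebuild an OAuth 1.0a HMAC-SHA1 signature by hand (RFC 5849 section 3.4)
so an "Invalid signature" reply can be checked against the causes Tgr lists:
a wrong signing algorithm, wrong data fed into it, or a skewed clock.
Added example with the standard library only; the request, keys and
secrets are the public worked example from RFC 5849 section 3.4.1.1, not
credentials from this thread."""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value: str) -> str:
    """RFC 3986 encoding as OAuth 1.0a requires: only A-Z a-z 0-9 - . _ ~
    are left alone, everything else becomes %XX with upper-case hex."""
    return quote(value, safe="")


def base_uri(url: str) -> str:
    """Scheme and host lower-cased, default port dropped, query removed."""
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), p.hostname.lower(), p.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{p.path or '/'}"


def normalized_params(url: str, body: str, oauth_params: dict) -> str:
    """Every parameter the server will see (URL query, form body, oauth_*),
    each key and value encoded, then sorted by key and value."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    pairs += list(oauth_params.items())
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, body: str, oauth_params: dict) -> str:
    parts = [method.upper(), pct(base_uri(url)), pct(normalized_params(url, body, oauth_params))]
    return "&".join(parts)


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    # The key is the consumer secret and token secret, each encoded, joined by "&".
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def timestamp_skew_ok(oauth_timestamp: str, now=None, tolerance: int = 300) -> bool:
    """Tgr's third cause: a drifting clock yields a stale oauth_timestamp,
    which the server rejects.  The tolerance is an assumed value."""
    now = time.time() if now is None else now
    return abs(now - int(oauth_timestamp)) <= tolerance


def signatures_with_and_without_query(method, url, body, oauth_params, consumer_secret, token_secret):
    """One assumed way the API query can break the signature (the thread does
    not pin down the cause): signing the bare endpoint and appending
    ?action=... afterwards.  The server signs the request it actually received."""
    full = hmac_sha1_signature(signature_base_string(method, url, body, oauth_params),
                               consumer_secret, token_secret)
    bare = hmac_sha1_signature(signature_base_string(method, url.split("?", 1)[0], body, oauth_params),
                               consumer_secret, token_secret)
    return full, bare


# RFC 5849 section 3.4.1.1 worked example (public test vector).
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_OAUTH = {
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}
RFC_CONSUMER_SECRET = "j49sk3j29djd"
RFC_TOKEN_SECRET = "dh893hdasih9"
RFC_BASE_STRING = (
    "POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da"
    "%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D9djdj82h48djs9d2"
    "%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1"
    "%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7"
)

if __name__ == "__main__":
    base = signature_base_string("POST", RFC_URL, RFC_BODY, RFC_OAUTH)
    print("base string matches RFC 5849:", base == RFC_BASE_STRING)
    full, bare = signatures_with_and_without_query(
        "POST", RFC_URL, RFC_BODY, RFC_OAUTH, RFC_CONSUMER_SECRET, RFC_TOKEN_SECRET)
    print("signature:", full, "| without query params:", bare)
```

To compare against a library, compute the base string here from the exact URL, body and oauth_* values your client sent and diff it against what the library signed; a mismatch in either string, or a timestamp outside the server's window, explains the error without any server-side log.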

I can't allow OAuth on my account

Summary by Mojackjutaily

It's been answered.

Mojackjutaily (talkcontribs)

Hi, I tried using flickr2commons but it says "You haven't authorized this application yet!" and when I go here, this message appears: "Sorry, something went wrong connecting this application. Go back and try to connect your account again, or contact the application author.

OAuth token not found, E004"

but in Special:OAuthManageMyGrants it shows that I have allowed OAuth Uploader on all projects. What seems to be the problem? Thank you.

Tgr (WMF) (talkcontribs)

You should report this to the flickr2commons author. At a guess the tool is having problems with the cache backend it uses.

Tgr (WMF) (talkcontribs)

FWIW I can sort of reproduce, although in my case the error is Error retrieving token: mwoauthdatastore-request-token-not-found

Mojackjutaily (talkcontribs)

Thank you. I don't know what happened, but it's working now.


How can I start to translate this?

Drashtikaushik (talkcontribs)
BDavis (WMF) (talkcontribs)
Tgr (WMF) (talkcontribs)

Or if you want to translate this wiki page, just click on the small "Translate this page" link on top.

Drashtikaushik (talkcontribs)
Tgr (WMF) (talkcontribs)

The Gujarati community and/or the proposer of T158564 can probably better answer that.

Dnaber (talkcontribs)

My application would like to know the usernames of Wikipedia users, so that people don't have to sign up for yet another service. It wouldn't actually run any action on Wikipedia. Does it make sense to use OAuth for that, or is there a better alternative?

Deskana (WMF) (talkcontribs)

Hi Dnaber,

You can retrieve a user's username using the API. The query you can use for this is: https://en.wikipedia.org/w/api.php?format=json&action=query&meta=userinfo

That said, I suspect what you're actually asking me is "Can my website somehow use OAuth as an authentication method, so that users can sign in using their Wikipedia credentials?". The answer to that is that you can, but you shouldn't. If it's being used for authentication, the OAuth protocol is susceptible to man-in-the-middle attacks. The use of HTTPS mitigates that somewhat, but the vulnerability is still theoretically there. We'd highly recommend not using OAuth for authentication.

We're exploring the possibility of making Wikimedia wikis an OpenID provider which would allow you to use Wikimedia credentials for authorisation. We don't know if or when we'll start working on that, though.

Please let me know if you need any more information.

This post was posted by Deskana (WMF), but signed as DGarry (WMF).

Tgr (WMF) (talkcontribs)

The above answer is now outdated. You can send an OAuth-authorized request to Special:OAuth/identify which will return user identity in a JWT (signed JSON token). As long as you properly validate the signature, this is safe and does not suffer from the vulnerability mentioned above.

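Tgr's update makes the safety of the Special:OAuth/identify approach conditional on "properly validate the signature". The block below is an added example (not code from the page or from the MediaWiki OAuth extension) of what that validation has to cover before an application trusts the username inside the token: a pinned algorithm, an HMAC check in constant time, and the issuer, audience, nonce and time-window claims. Assumptions, labelled as such in the code: the token is HS256 keyed with the consumer secret; it carries iss, sub, aud, exp, iat, nonce and username claims; the application kept the nonce it sent with the identify request; all key, issuer and user values are constructed placeholders.

```python
"""Check the JWT that Special:OAuth/identify returns before trusting the
identity in it, the "properly validate the signature" step Tgr calls out.
Added example, not code from the page or from the MediaWiki OAuth
extension.  Assumptions: the token is HS256 keyed with the consumer secret;
it carries iss, sub, aud, exp, iat, nonce and username claims; the
application kept the nonce it sent with the request."""
import base64
import hashlib
import hmac
import json
import time


class IdentityError(Exception):
    """Raised for any token the application must not act on."""


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_identify_jwt(claims: dict, consumer_secret: str, alg: str = "HS256") -> str:
    """Constructed stand-in for the server's signing step so the verifier can
    run offline.  The signature is always HMAC-SHA256; `alg` only changes the
    header text, which lets a test feed in a header the verifier must refuse."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": alg}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(consumer_secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_identify_jwt(token, consumer_key, consumer_secret, expected_iss, expected_nonce, now=None):
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise IdentityError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm; the token's own header never gets to choose it.
    if header.get("alg") != "HS256":
        raise IdentityError("unexpected alg")
    expected = hmac.new(consumer_secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise IdentityError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise IdentityError("wrong issuer")
    if claims.get("aud") != consumer_key:
        raise IdentityError("token not issued to this consumer")
    if claims.get("nonce") != expected_nonce:
        raise IdentityError("nonce mismatch")
    # Small leeway on iat for clock drift; exp is the hard limit.
    if not (claims.get("iat", 0) - 60 <= now <= claims.get("exp", 0)):
        raise IdentityError("token expired or not yet valid")
    return {"sub": claims["sub"], "username": claims["username"]}


# Constructed sample values; nothing below comes from a real consumer or wiki.
CONSUMER_KEY = "constructed-consumer-key"
CONSUMER_SECRET = "constructed-consumer-secret"
ISSUER = "https://wiki.example.org"
NONCE = "5f1c3a9e"
NOW = 1_700_000_000
GOOD_CLAIMS = {"iss": ISSUER, "sub": 12345, "aud": CONSUMER_KEY, "exp": NOW + 300,
               "iat": NOW, "nonce": NONCE, "username": "ExampleUser"}
GOOD_TOKEN = make_identify_jwt(GOOD_CLAIMS, CONSUMER_SECRET)
VERIFY_ARGS = dict(consumer_key=CONSUMER_KEY, consumer_secret=CONSUMER_SECRET,
                   expected_iss=ISSUER, expected_nonce=NONCE, now=NOW)


def check(token: str, **overrides) -> str:
    """'ok' or the rejection reason, for logging and for the tests."""
    try:
        verify_identify_jwt(token, **{**VERIFY_ARGS, **overrides})
        return "ok"
    except IdentityError as err:
        return str(err)


def tamper_username(token: str, new_name: str) -> str:
    """Forged payload with the original signature kept: the negative case the
    verifier must reject."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["username"] = new_name
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{sig_b64}"
```

The order of checks matters for logging: signature first, so that every later claim is known to come from the issuer, then issuer and audience, so a token minted for a different consumer is refused even though it verifies under some secret, then the nonce to tie the token to this application's request, and the time window last.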
Adam (Wiki Ed) (talkcontribs)

Is there some clarification on where/why OAuth is disabled for blocked IPs? I'm seeing some failed login attempts for unblocked users operating on school-blocked IPs and I want to know what the exact check is. Thanks.

CSteipp (WMF) (talkcontribs)

Hi Adam, users shouldn't (can't) use OAuth to log in; the login API calls are explicitly disabled. Are you seeing failures when potential users are logging in to authorize the Consumer? Or are the Consumer's API calls failing because it's running from a blocked IP?

Adam (Wiki Ed) (talkcontribs)

@CSteipp (WMF) thanks for the reply, and sorry for not noticing it. I'm talking about the latter (API calls failing). They're logged in, or reported as much.

Tgr (WMF) (talkcontribs)

Blocking will work the same way for OAuth requests as normal requests (but keep in mind that the IP will be that of the server hosting the OAuth application, not the real user).

Some plans to make block handling more flexible are in T159889 and T110249.

DarkoS (talkcontribs)

While this article leaves impression that OAuth is secure, Wikipedia in English claims the opposite for both protocol version 1.0 and 2.0. So, is there a safe way to use it and avoid the risks?

CSteipp (WMF) (talkcontribs)

Hi @DarkoS, when implementing OAuth for MediaWiki, we made many deliberate choices to prevent known attacks, and encourage good practices by the developers who will be connecting their tools to the wiki via OAuth.

That said, how "secure" it is depends on what aspect you are looking at, and what threat models you're concerned with.

  • From the perspective of your server running the OAuth extension, the extension should not expose your server to any additional risk. The code has been well reviewed, and we haven't had any SQL/code injections through the extension yet. The extension is supported by the WMF, so any security updates will be announced and patched.
  • From the perspective of your users, OAuth has the advantage that it allows other tools to edit as them, without requiring the user to give them their password. The OAuth tokens have limited rights, and can be revoked. If your users are going to have tools edit on their behalf, using OAuth is significantly more secure than having the tool log in with the user's password.
  • It's entirely possible that another protocol-level attack against OAuth 1.0a will be discovered, allowing an attacker to authorize their Consumer without the user's knowledge, or convince the user they are authorizing a different Consumer. Again, this extension is supported by the WMF, so we would patch that as a security issue, if we were ever made aware that that was possible.
  • The claims on enwiki about phishing have some merit, but I would say it's just as easy for an attacker to redirect users to a site they control "to login for OAuth" as it is to redirect them to a fake copy of any wiki, and encourage the user to login. If you think that is a legitimate risk for your users, and the risk outweighs the benefits, then OAuth is not right for you.

Hope that helps!

FNDE (talkcontribs)

Hi there, I have a question about the OAuth session. When I close the browser window, the session cookie will be deleted (look at this PHP example). Is there any possibility to "renew" the login without going through the whole process (clicking on grant access)? Thank you very much!

BDavis (WMF) (talkcontribs)
FNDE (talkcontribs)

This is what I'm looking for, thank you! Is there a way to pass the authentication without a redirect? Maybe with cURL?

BDavis (WMF) (talkcontribs)

No, the user's browser is needed to interact with the OAuth server and get the request signed. You can however store the tokens that are returned from the handshake callback. They do not expire, but can be revoked by the user via Special:OAuthManageMyGrants. On your app side you will still need some way to re-associate the user and the credentials that you persist.
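BDavis's answer leaves the application with three things to get right: persist the access token and secret from the handshake callback, re-associate a returning user with them without a new grant, and cope with the user revoking the grant in Special:OAuthManageMyGrants. The block below is an added example (not code from the page) of a store that does that. Its assumptions are labelled in the code: an in-memory dict stands in for the database; users are keyed by the central user id (the `sub` claim the identify JWT carries); the application's own session cookie is an opaque random value kept only as a hash; and any mwoauth-* API error on a signed call is treated as "credential no longer usable", which is a design choice, since the thread above notes that code is reused for many conditions.

```python
"""Keep the access token and secret returned by the handshake callback and
re-associate a returning visitor with them without another grant.  Added
example, not code from the page.  Assumptions: an in-memory dict stands in
for the database; users are keyed by the central user id (the `sub` claim
of the identify JWT); the app's own session cookie is an opaque random
value stored only as a hash; any mwoauth-* API error means the credential
is no longer usable (a design choice, since the code is reused widely)."""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Credential:
    access_token: str
    access_secret: str


def _h(session_id: str) -> str:
    return hashlib.sha256(session_id.encode()).hexdigest()


class CredentialStore:
    def __init__(self) -> None:
        self._by_user = {}    # central user id -> Credential (tokens do not expire)
        self._sessions = {}   # sha256(session id) -> central user id

    def save(self, user_id: int, access_token: str, access_secret: str) -> None:
        """Called once, from the handshake callback."""
        self._by_user[user_id] = Credential(access_token, access_secret)

    def open_session(self, user_id: int) -> str:
        """Issue the cookie value the browser keeps; only its hash is stored,
        so a leaked table cannot be turned into live sessions."""
        session_id = secrets.token_urlsafe(32)
        self._sessions[_h(session_id)] = user_id
        return session_id

    def credential_for_session(self, session_id: str):
        """The re-association step: cookie -> user id -> stored tokens."""
        user_id = self._sessions.get(_h(session_id))
        return None if user_id is None else self._by_user.get(user_id)

    def revoke(self, user_id: int) -> None:
        """Drop the credential and every session bound to it."""
        self._by_user.pop(user_id, None)
        self._sessions = {h: u for h, u in self._sessions.items() if u != user_id}

    def on_api_error(self, session_id: str, error_code: str) -> bool:
        """The user may revoke the grant in Special:OAuthManageMyGrants at any
        time.  When a signed call then fails with an mwoauth-* code, forget the
        credential so the user is sent through the grant step again instead of
        retrying forever.  Returns True when a credential was dropped."""
        user_id = self._sessions.get(_h(session_id))
        if user_id is None or not error_code.startswith("mwoauth-"):
            return False
        self.revoke(user_id)
        return True


def walkthrough() -> dict:
    """Exercise the store end to end with constructed values."""
    store = CredentialStore()
    store.save(12345, "constructed-access-token", "constructed-access-secret")
    sid = store.open_session(12345)
    out = {"token_before": store.credential_for_session(sid).access_token,
           "unknown_session": store.credential_for_session("not-a-real-session"),
           "unrelated_error_dropped": store.on_api_error(sid, "constructed-other-error")}
    out["revocation_dropped"] = store.on_api_error(sid, "mwoauth-invalid-authorization")
    out["credential_after"] = store.credential_for_session(sid)
    out["second_report_dropped"] = store.on_api_error(sid, "mwoauth-invalid-authorization")
    return out
```

In a real deployment the token and secret columns should additionally be encrypted at rest with a key held outside the database, and the session cookie set with the Secure and HttpOnly flags; neither is shown here.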

Magnus Manske (talkcontribs)

So, how do I register my application? It seems like that's a thing that should be mentioned on the Help page...

Magnus Manske (talkcontribs)

Never mind, found it, and added to the Help page.

Deskana (WMF) (talkcontribs)

Hi Magnus,

Thanks for adding that link. It's possible I might make a help page for OAuth developers in the future which we can put that on, but for now I think it's helpful to have on the main help page.

Your application's already been approved. Let me know if I can help more.

This post was posted by Deskana (WMF), but signed as DGarry (WMF).

1.38.27.133 (talkcontribs)

OK, thanks.
