This tutorial describes how you can use OAuth instead of password-based login with Pywikibot on Wikimedia wikis.
OAuth allows your bot to use your primary account in a secure way, limited to whatever permissions you grant. The old way of having a separate bot account and primary account and using the latter only for actions which need extra permissions is not necessary (and not yet supported either); you can always use your primary account.
- You must use Pywikibot master (in a version no older than August 2015).
- You must install requests-oauthlib. You can do this e.g. by running pip install requests-oauthlib
Registering your bot with the wiki software
Log in on meta.wikimedia.org with the account you want to use with Pywikibot (e.g. the bot account), visit m:Special:OAuthConsumerRegistration/propose and fill out the following fields (you can ignore all other fields, and also the warning text at the top; it's meant for registrations which do not use the "for use only by" option):
- Application name: whatever helps you remember (needed in the future if you want to change or revoke the bot's access)
- Application description: it cannot be empty, but otherwise does not matter
- This consumer is for use only by <your username>: must be checked
- Contact email address: must be the same as your wiki email (will be visible to OAuth admins)
- Applicable grants: depends on what you use the bot for. You will probably want High-volume editing, Edit existing pages, Create, edit, and move pages, and maybe Upload new files, Upload, replace, and move files and Patrol changes to pages. If you are an administrator or other rights holder and want to allow your bot to use your permissions, you might also want to add Edit protected pages, Rollback changes to pages, Block and unblock users, View deleted files and pages, Delete pages, revisions, and log entries and Protect and unprotect pages. The other permissions are unlikely to be needed and granting some of them is a potential security risk. (Note: if your user does not have permission to e.g. delete pages, checking the box will not make your bot able to do so.)
- By submitting this application, you acknowledge that...: must be checked
After submitting the form, you'll get four authentication codes which you need to add to your Pywikibot configuration:

```python
# The same account name is used on every Wikimedia project family.
usernames['wikipedia']['*'] = \
    usernames['meta']['*'] = \
    usernames['commons']['*'] = \
    usernames['wikidata']['*'] = \
    usernames['wiktionary']['*'] = \
    usernames['wikibooks']['*'] = \
    usernames['wikinews']['*'] = \
    usernames['wikiquote']['*'] = \
    usernames['wikisource']['*'] = \
    usernames['wikiversity']['*'] = \
    usernames['wikivoyage']['*'] = u'ExampleUser'

# Replace the four placeholder strings with the codes from the registration form.
authenticate['*.wikipedia.org'] = \
    authenticate['*.wikimedia.org'] = \
    authenticate['*.wikidata.org'] = \
    authenticate['*.wiktionary.org'] = \
    authenticate['*.wikibooks.org'] = \
    authenticate['*.wikinews.org'] = \
    authenticate['*.wikiquote.org'] = \
    authenticate['*.wikisource.org'] = \
    authenticate['*.wikiversity.org'] = \
    authenticate['*.wikivoyage.org'] = \
    authenticate['*.mediawiki.org'] = \
    ('consumer_token', 'consumer_secret', 'access_token', 'access_secret')
```
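The four codes act as credentials for your account, so the configuration is worth checking before the first run. The following is an added example, not part of the original tutorial or of Pywikibot: it parses the configuration text with ast without executing it, checks that every authenticate entry is a 4-tuple with the template placeholders replaced, and reports whether the file is accessible to other local users. The function names and the sample text are assumptions made for this illustration.

```python
import ast
import os
import stat

# Placeholder strings used in the tutorial's template; they must be replaced.
PLACEHOLDERS = {'consumer_token', 'consumer_secret', 'access_token', 'access_secret'}

def audit_authenticate(source):
    """Return problems found in authenticate[...] entries (text is parsed, never run)."""
    problems, seen = [], 0
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        # A chained assignment (a = b = value) has several targets and one value.
        hosts = [str(t.slice.value) for t in node.targets
                 if isinstance(t, ast.Subscript) and isinstance(t.slice, ast.Constant)
                 and isinstance(t.value, ast.Name) and t.value.id == 'authenticate']
        if not hosts:
            continue
        seen += len(hosts)
        label = ', '.join(hosts)
        try:
            creds = ast.literal_eval(node.value)
        except (ValueError, TypeError):
            problems.append(label + ': value is not a literal tuple')
            continue
        if not (isinstance(creds, tuple) and len(creds) == 4
                and all(isinstance(c, str) and c for c in creds)):
            problems.append(label + ': expected 4 non-empty strings')
        elif PLACEHOLDERS & set(creds):
            problems.append(label + ': template placeholder left in place')
    if not seen:
        problems.append('no authenticate[...] entry found')
    return problems

def accessible_to_others(path):
    """True if group or other users have any permission on the file (POSIX modes)."""
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))

# Constructed sample: the template copied without filling in the real codes.
SAMPLE = ("authenticate['*.wikipedia.org'] = authenticate['*.wikimedia.org'] = "
          "('consumer_token', 'consumer_secret', 'access_token', 'access_secret')\n")

if __name__ == '__main__':
    for problem in audit_authenticate(SAMPLE):
        print(problem)
```

Pass the text of your own configuration file to audit_authenticate and its path to accessible_to_others; an empty list and False mean both checks passed.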
Using the bot
You can use the bot in the usual way, except that logout.py will not be working. These are not needed: as long as the configuration is in place, the bot will always be logged in.
If you want to revoke the bot's access to your account, you can do so at m:Special:OAuthConsumerRegistration/list.