Help talk:OAuth/Flow

Vanished user Xorisdtbdfgonugyfs (talkcontribs)

Is it possible to totally disable that ability, so that it will not be enabled for some reason by accident?

Dnaber (talkcontribs)

My application would like to know the usernames of Wikipedia users, so that people don't have to sign up for yet another service. It wouldn't actually run any action on Wikipedia. Does it make sense to use OAuth for that, or is there a better alternative?

Deskana (WMF) (talkcontribs)

Hi Dnaber,

You can retrieve a user's username using the API. The query you can use for this is: https://en.wikipedia.org/w/api.php?format=json&action=query&meta=userinfo

That said, I suspect what you're actually asking me is "Can my website somehow use OAuth as an authentication method, so that users can sign in using their Wikipedia credentials?". The answer to that is that you can, but you shouldn't. If it's being used for authentication, the OAuth protocol is susceptible to man-in-the-middle attacks. The use of HTTPS mitigates that somewhat, but the vulnerability is still theoretically there. We'd highly recommend not using OAuth for authentication.

We're exploring the possibility of making Wikimedia wikis an OpenID provider which would allow you to use Wikimedia credentials for authorisation. We don't know if or when we'll start working on that, though.

Please let me know if you need any more information.

This post was posted by Deskana (WMF), but signed as DGarry (WMF).

This post was hidden by Tgr (WMF) (history)
Tgr (WMF) (talkcontribs)

The above answer is now outdated. You can send an OAuth-authorized request to Special:OAuth/identify which will return user identity in a JWT (signed JSON token). As long as you properly validate the signature, this is safe and does not suffer from the vulnerability mentioned above.
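Added example (not part of the thread and not MediaWiki's own code): one way to validate the JWT that the reply above says Special:OAuth/identify returns. It assumes the token is HS256-signed with the consumer secret and carries iss, aud, iat, exp and nonce claims, with the nonce echoing the one sent in the request; the function names, the sample token and all values are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(signing_input, secret):
    # Assumption: HS256 keyed with the consumer secret.
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def make_token(claims, secret, alg="HS256"):
    """Build a constructed sample token standing in for the wiki's response."""
    head = b64e(json.dumps({"typ": "JWT", "alg": alg}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{b64e(sign(head + '.' + body, secret))}"

def validate_identify_jwt(token, consumer_key, consumer_secret, issuer, nonce,
                          now=None, leeway=10):
    """Return the verified claims, or raise ValueError."""
    now = time.time() if now is None else now
    head, body, sig = token.split(".")  # ValueError unless exactly three parts
    header = json.loads(b64d(head))
    # Pin the algorithm; never let the token choose it (rejects alg=none).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected JWT algorithm")
    # Check the MAC over the exact bytes received, in constant time,
    # before reading anything from the payload.
    if not hmac.compare_digest(sign(head + "." + body, consumer_secret), b64d(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64d(body))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != consumer_key:
        raise ValueError("audience mismatch: token issued to another consumer")
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now + leeway:
        raise ValueError("issued-at missing or in the future")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] < now - leeway:
        raise ValueError("expired")
    if not hmac.compare_digest(str(claims.get("nonce")).encode(), nonce.encode()):
        raise ValueError("nonce mismatch: response does not belong to this request")
    return claims

if __name__ == "__main__":
    t0 = 1_700_000_000  # all values below are constructed
    sample = {"iss": "https://wiki.example", "aud": "ck", "iat": t0,
              "exp": t0 + 100, "nonce": "n-123", "username": "ExampleUser"}
    tok = make_token(sample, "s3cret")
    print(validate_identify_jwt(tok, "ck", "s3cret", "https://wiki.example", "n-123", now=t0))
```

Only the username taken from the returned claims should be trusted; any rejection means the login attempt is discarded rather than retried with relaxed checks.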

User login or registration with OAuth

Tribly (talkcontribs)

I would like to use OAuth to help people log in or register on my wiki with sites such as Facebook, Twitter, Google, Microsoft etc. How do I go about that?

Tgr (WMF) (talkcontribs)
White Gold AJ Gaspar (talkcontribs)
BDavis (WMF) (talkcontribs)

How can I start to translate this?

Drashtikaushik (talkcontribs)
BDavis (WMF) (talkcontribs)
Tgr (WMF) (talkcontribs)

Or if you want to translate this wiki page, just click on the small "Translate this page" link on top.

Drashtikaushik (talkcontribs)
Tgr (WMF) (talkcontribs)

The Gujarati community and/or the proposer of T158564 can probably better answer that.

I can't allow OAuth on my account

Summary by Mojackjutaily

It's been answered

Mojackjutaily (talkcontribs)

Hi, I tried using flickr2commons but it says "You haven't authorized this application yet!" and when I go here, this message appears: "Sorry, something went wrong connecting this application. Go back and try to connect your account again, or contact the application author.

OAuth token not found, E004"

But Special:OAuthManageMyGrants shows that I have allowed OAuth Uploader on all projects. What seems to be the problem? Thank you.

Tgr (WMF) (talkcontribs)

You should report this to the flickr2commons author. At a guess the tool is having problems with the cache backend it uses.

Tgr (WMF) (talkcontribs)

FWIW I can sort of reproduce, although in my case the error is Error retrieving token: mwoauthdatastore-request-token-not-found

Mojackjutaily (talkcontribs)

Thank you, I don't know what happened but it's working now.

Simon Villeneuve (talkcontribs)

Hi,

I plan to show how to use mix'n'match to a group of newbies and I want to know if there are restrictions for using OAuth for new accounts (like "only autoconfirmed shall pass").

Iluvatar (talkcontribs)

There are no restrictions for users (see that — new acc, no edits, no flags), but developers of tools might add restrictions in their own source code. Sorry for my English.

Tgr (WMF) (talkcontribs)

There might be unintentional limitations coming from the fact that requests through that tool all use the same IP. So if something has an IP-level rate limit for non-autoconfirmed accounts (and several things do, e.g. 8 edits per minute), that will apply. Although for an IRL presentation with everyone using the same internet connection, such limitations would apply to non-OAuth actions as well.

Simon Villeneuve (talkcontribs)
AndreaDileva (talkcontribs)

I would like to know how to set my preferences. I looked in my history before and I'm blocked, or I think I am, because another IP is sharing my address, and I have been thinking someone is using my IP address and email account to do things. I don't even know if this website is going to help me. Can anyone give me advice?

AndreaDileva (talkcontribs)

I don't even know how to read your comment, I'm sorry, I'm learning how to use this site.

Tgr (WMF) (talkcontribs)

Expected oauth_callback_confirmed

KermitLiu (talkcontribs)

I received the consumer key and secret key from the wiki.

I have configured the consumer key and secret key in Phabricator,

and the callback URL in the wiki.

But Phabricator gives me an exception:

Unhandled Exception (“Exception”)

Expected ‘oauth_callback_confirmed’ to be ‘true’!

Could you give me some help?

Tgr (WMF) (talkcontribs)

At a wild guess, poor error handling in your client library, which receives an error and tries to verify it as if it would be a valid token (in which case indeed it should have an oauth_callback_confirmed field).

KermitLiu (talkcontribs)

MediaWiki is my wiki provider and Phabricator is my consumer.

I tried my wiki with the demo directory of https://github.com/wikimedia/mediawiki-oauthclient-php as my consumer, with success.

I added a print command, and the returned parameters were: key, secret, oauth_callback_confirmed.

But with Phabricator as the consumer, Phabricator gives me an exception.

So, is the wiki wrong, or is Phabricator wrong?

KermitLiu (talkcontribs)
Tgr (WMF) (talkcontribs)

We use the same setup for Wikimedia's Phabricator so it can't be that wrong. Again, my best guess is that I think you are getting an error (which can be caused by a lot of things, wrong token configuration, out-of-sync clock, cache problems...) and Phabricator does not show the error because it does not recognize it is an error. willProcessTokenRequestResponse seems to do the right thing so maybe your wiki is returning a fatal error. Check your logs to see if that's the case.

@MModell (WMF) might be able to provide more insight.

KermitLiu (talkcontribs)

Thank you very much, I will try.

MModell (WMF) (talkcontribs)

What URL do you have set for the callback?

You need to specify the callback URL like this:

https://your.phabricator.url/auth/login/mediawiki:/

Monkelese15 (talkcontribs)

Croptool keeps giving me an error message, unable to authorize it. How do I fix it?

Tgr (WMF) (talkcontribs)

Please copy the exact error message.
