Topic on Help talk:OAuth

Dnaber (talkcontribs)

My application would like to know the usernames of Wikipedia users, so that people don't have to sign up for yet another service. It wouldn't actually run any action on Wikipedia. Does it make sense to use OAuth for that, or is there a better alternative?

Deskana (WMF) (talkcontribs)

Hi Dnaber,

You can retrieve a user's username using the API. The query you can use for this is: https://en.wikipedia.org/w/api.php?format=json&action=query&meta=userinfo

That said, I suspect what you're actually asking me is "Can my website somehow use OAuth as an authentication method, so that users can sign in using their Wikipedia credentials?". The answer to that is that you can, but you shouldn't. If it's being used for authentication, the OAuth protocol is susceptible to man-in-the-middle attacks. The use of HTTPS mitigates that somewhat, but the vulnerability is still theoretically there. We'd highly recommend not using OAuth for authentication.

We're exploring the possibility of making Wikimedia wikis an OpenID provider which would allow you to use Wikimedia credentials for authorisation. We don't know if or when we'll start working on that, though.

Please let me know if you need any more information.

This post was posted by Deskana (WMF), but signed as DGarry (WMF).

This post was hidden by Tgr (WMF) (history)
Tgr (WMF) (talkcontribs)

The above answer is now outdated. You can send an OAuth-authorized request to Special:OAuth/identify which will return user identity in a JWT (signed JSON token). As long as you properly validate the signature, this is safe and does not suffer from the vulnerability mentioned above.