This came up in T255344: Openrefine: problems logging in, and has come up before in T150582: Support two-factor authentication in AutoWikiBrowser.
We should document the best practices for user login across the different types of applications and login flows when the user has 2FA enabled on their account.
In some cases OAuth can be used, but where the code is open source and distributed as an application, the OAuth consumer secret cannot be kept secret. Owner-only OAuth consumers may work, but they raise the barrier to entry.
BotPasswords generally work as a catch-all solution.
The API's action=clientlogin does accept OATHToken as a parameter (the Mobile Apps use this, at least), but should we be encouraging this pattern? In an open source application it is a bit saner, since what the app does with the password and the token can be inspected, but what about non-open-source apps?
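The two API login paths mentioned above, a BotPasswords credential through action=login and the account password through action=clientlogin with the OATHAuth TOTP request answered via OATHToken, as an added worked example. This is not code from the task or from OpenRefine, AutoWikiBrowser or the mobile apps. The api.php transport is an injected `post` callable so it runs offline: FakeMediaWikiApi is a constructed stand-in whose response shapes follow the MediaWiki API (status UI with a TOTPAuthenticationRequest, then logincontinue=1), while its user names, passwords, login token and the TOTP secret (the RFC 6238 test key) are made up.

```python
"""MediaWiki login flows for an account with 2FA (OATHAuth TOTP) enabled.
Added example, not project code. `post` is injected so it runs offline;
FakeMediaWikiApi is a constructed stand-in, not a real server."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test key "12345678901234567890" in base32 (OATHAuth secrets are base32).
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, now=None, step=30, digits=6):
    """RFC 6238 TOTP (SHA-1, 30 s): the six-digit code sent as OATHToken."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(time.time() if now is None else now) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def get_login_token(post):
    r = post({"action": "query", "meta": "tokens", "type": "login", "format": "json"})
    return r["query"]["tokens"]["logintoken"]


def login_with_bot_password(post, bot_name, bot_password):
    """action=login with a BotPasswords credential ("User@botname"); the task
    notes this works as a catch-all: no OATH step is involved."""
    r = post({"action": "login", "lgname": bot_name, "lgpassword": bot_password,
              "lgtoken": get_login_token(post), "format": "json"})
    return r["login"]["result"]


def clientlogin_with_2fa(post, username, password, get_oath_token):
    """action=clientlogin with the account password. On a 2FA account the first
    reply is status UI with a TOTPAuthenticationRequest, answered with
    logincontinue=1 and OATHToken."""
    common = {"action": "clientlogin", "logintoken": get_login_token(post), "format": "json"}
    r = post({**common, "username": username, "password": password,
              "loginreturnurl": "http://localhost/"})["clientlogin"]
    needs_totp = any(q["id"] == "TOTPAuthenticationRequest" for q in r.get("requests", []))
    if r["status"] == "UI" and needs_totp:
        r = post({**common, "logincontinue": "1", "OATHToken": get_oath_token()})["clientlogin"]
    return r["status"]  # PASS, FAIL, or a further UI step not handled here


class FakeMediaWikiApi:
    """Constructed offline stand-in for api.php; made-up users and tokens."""

    def __init__(self, user, password, secret_b32, bot_passwords, clock=time.time):
        self.user, self.password, self.secret = user, password, secret_b32
        self.bot_passwords = bot_passwords  # {"User@botname": "bot password"}
        self.clock = clock
        self.login_token = "3f1c9e2a7b8d4c6e0f1a2b3c4d5e6f70+\\"
        self.awaiting_totp = False

    def post(self, p):
        if p.get("action") == "query" and p.get("meta") == "tokens":
            return {"query": {"tokens": {"logintoken": self.login_token}}}
        if p.get("lgtoken", p.get("logintoken")) != self.login_token:
            return {"error": {"code": "badtoken", "info": "Invalid CSRF token."}}
        if p["action"] == "login":
            ok = self.bot_passwords.get(p["lgname"]) == p["lgpassword"]
            return {"login": {"result": "Success" if ok else "Failed"}}
        if p["action"] == "clientlogin" and p.get("logincontinue"):
            if self.awaiting_totp and p.get("OATHToken") == totp(self.secret, self.clock()):
                self.awaiting_totp = False
                return {"clientlogin": {"status": "PASS", "username": self.user}}
            return {"clientlogin": {"status": "FAIL", "messagecode": "oathauth-login-failed"}}
        if p["action"] == "clientlogin":
            if p.get("username") == self.user and p.get("password") == self.password:
                self.awaiting_totp = True
                return {"clientlogin": {"status": "UI", "messagecode": "oathauth-auth-ui",
                                        "requests": [{"id": "TOTPAuthenticationRequest",
                                                      "fields": {"OATHToken": {"type": "string"}}}]}}
            return {"clientlogin": {"status": "FAIL", "messagecode": "wrongpassword"}}
        raise ValueError("unsupported request: %r" % p)


def demo(now=59):
    """Both flows against the fake at a fixed clock (RFC 6238 vector time 59)."""
    api = FakeMediaWikiApi("Example user", "correct horse battery staple",
                           RFC6238_TEST_SECRET, {"Example user@mybot": "bot-secret-1"},
                           clock=lambda: now)
    return {
        "botpassword": login_with_bot_password(api.post, "Example user@mybot", "bot-secret-1"),
        "clientlogin": clientlogin_with_2fa(api.post, "Example user", "correct horse battery staple",
                                            lambda: totp(RFC6238_TEST_SECRET, now)),
        "clientlogin_bad_totp": clientlogin_with_2fa(api.post, "Example user",
                                                     "correct horse battery staple", lambda: "000000"),
    }
```

The point of contrast is where the second factor lives: with a bot password the client never sees or handles a TOTP code, whereas the clientlogin path means the application must be trusted with both the account password and the current OATHToken, which is what makes the pattern uncomfortable for closed-source apps.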
Some example cases:
- Websites like Tools (i.e. ones that use MediaWiki-extensions-OAuth)
- Self hosted Websites (like OpenRefine)
- Open source applications (like AutoWikiBrowser)
- Mobile apps (like the Android and iOS Mobile apps)