Page MenuHomePhabricator
Create Task
Maniphest T103958

Users should be able to make API requests against some central wikis (e.g. commons, wikidata) as if logged-in, even if they never visited that wiki
Open, Needs TriagePublic
Actions

Description

Some wikis serve as "backend", and gadgets make write API requests against them without sending the user there. E.g. one might edit an infobox with WE-Framework which makes a Wikidata edit in the background. There are similar use cases for Commons file uploads. We should make sure this works even if the user never visited that wiki before (and thus has no local user account there and/or is not logged in).

Related Objects

Event Timeline

Tgr created this task.Jun 26 2015, 3:21 AM
Tgr raised the priority of this task from to Needs Triage.
Tgr updated the task description. (Show Details)
Tgr added a project: MediaWiki-extensions-CentralAuth.
Tgr subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 26 2015, 3:21 AM
Legoktm subscribed.Jun 26 2015, 3:23 AM

Isn't this what the centralauthtoken is for?

Tgr added a comment.Jun 26 2015, 3:29 AM

The status quo is that when you first log in (even if you autologin, ie. visit a wiki where you were not logged in while having a valid global session), CentralAuth creates accounts and logs you in on all English wikis and all multilingual wikis (including Commons and Wikidata). This is considered a bug (T18864). There is a security argument that autologin should not happen at all (T21161). The same account creation does not seem to happen on registration itself, so if a user registers on enwiki and never goes to any other site, they won't have Commons/Wikidata accounts.

We can use $wgCentralAuthAutoCreateWikis to make sure accounts on wikis always exist, but this does not really help as CORS API request will still fail (? I think so but haven't tested) because the user does not have a session cookie for the second-level domain belonging to that site.

Glaisher subscribed.Jun 26 2015, 12:26 PM
hoo subscribed.Jun 26 2015, 3:21 PM
Tgr added a comment.Jun 26 2015, 7:43 PM
In T103958#1403592, @Legoktm wrote:

Isn't this what the centralauthtoken is for?

Huh, forgot about that completely. Does it autocreate the user if needed? It seems like it would. If that's the case then the only thing needed is to make sure people can find out about it easier and maybe provide a JS library to make it less annoying to gadget writers, something along the lines of mw.Api.postWithToken. (And maybe not change it after every request? That seems a bit awkward.)

Restricted Application added a subscriber: Steinsplitter. · View Herald TranscriptJun 26 2015, 7:43 PM
Legoktm added a comment.Jun 26 2015, 7:44 PM

Yes, it does autocreate if necessary.

Tgr added a comment.Jun 26 2015, 11:58 PM

I wonder if anything became of Brion's proxying suggestion? From a client standpoint it seems much more convenient.

Tgr added a comment.Jun 27 2015, 12:26 AM

Added some documentation to https://www.mediawiki.org/wiki/Extension:CentralAuth/API

JanZerebecki subscribed.Jun 30 2015, 9:51 PM
Tgr added a comment.Jul 1 2015, 10:42 PM
In T103958#1405892, @Tgr wrote:

the only thing needed is to make sure people can find out about it easier and maybe provide a JS library to make it less annoying to gadget writers, something along the lines of mw.Api.postWithToken.

T66636 would probably fulfull that role.

Nemo_bis subscribed.Jul 18 2015, 6:51 PM

The distinction between this report and T104932 seems quite thin.

Tgr added a comment.Jul 18 2015, 9:36 PM
In T103958#1462404, @Nemo_bis wrote:

The distinction between this report and T104932 seems quite thin.

This is about API requests, that one is about Special:OAuth.

Tgr renamed this task from Users should be able to make requests against some central wikis (e.g. commons, wikidata) as if logged-in, even if they never visited that wiki to Users should be able to make API requests against some central wikis (e.g. commons, wikidata) as if logged-in, even if they never visited that wiki.Jul 18 2015, 9:36 PM
Tgr set Security to None.
TBurmeister subscribed.Dec 5 2025, 6:29 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptDec 5 2025, 6:29 PM
Tgr moved this task from Inbox, needs triage to Not planned (Patches welcome!) on the MediaWiki-Platform-Team board.Dec 8 2025, 3:12 PM
Tgr mentioned this in T149672: OAuth: don't abort if the username does not exist on project.Dec 8 2025, 4:01 PM

See also T149672: OAuth: don't abort if the username does not exist on project which is the same issue for OAuth.

OWresch-WMF moved this task from Not planned (Patches welcome!) to Not planned / Patches welcome on the MediaWiki-Platform-Team board.Tue, Jan 20, 11:25 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits