AuthManager is generally going to complicate non-interactive authentication. We need to provide a method for legacy bots to be able to work without needing to prompt the operator for second-factors or the like.
- OAuth owner-only consumers (T87395). Disadvantage is that it requires every bot to be updated to use OAuth rather than action=login. It also requires the OAuth extension to be installed.
- "Bot passwords" (not terribly different from Google's application passwords) via action=login. Disadvantage is that it's yet-another thing.
- Somehow do T110276 in a way that action=login is backwards-compatible as long as stuff like 2-factor isn't enabled. Disadvantage is that it's impossible to guarantee the "as long as" conditions won't be changed in the future.
Current thinking is that we'll do both #1 (recommended) and #2 (easy for end users to implement).