Privileged accounts (from sysop onwards) are now given the possibility to enable two-factor authentication for their accounts. Please add support so that sysops and/or other accounts with elevated access that have decided to enable this security feature are able to continue using AWB.
|Open||None||T169397 [AutoWikiBrowser] Authentication/Login tickets|
|Open||None||T150582 Support two-factor authentication in AutoWikiBrowser|
I don't think this task is valid. AWB should use either https://en.wikipedia.org/wiki/Special:BotPasswords or OAuth. And probably at least be able to tell a user that he cannot log in using 2FA and direct him to bot passwords.
Yes, AWB should probably also support OAuth, but I think it can also support this. Do we have a task for that?
It's of course up to the developers of AWB to decide which support should be added to the tool. To me it does not look harebrained or misbegotten to add support for 2FA with a prompt-for-token window in the process of logging in, if that can be achieved of course.
The API supports everything AuthManager supports via action=clientlogin. Using action=login for anything except BotPasswords is deprecated, and AWB should use OAuth instead of BotPasswords for non-interactive login.
Just a reminder that AWB is used on other projects besides the WMF ones. So if OAuth is enabled, the application will still need to function without it on other projects. That could be why it wasn't done.
No, it's why Krenair said. Unless we share said key between Developers... Which is a pain, considering the code is in public code repos
And then any third party developers... would need to modify AWB to use a different OAuth...
Bot Passwords would be the way forward, and/or supporting action=clientlogin instead, which can allow 2FA to work.
Better documentation is needed big-time; I went looking for info on this a few days ago and didn't find anything relevant until I finally stumbled across Special:BotPasswords itself (though now that I think about it, I probably should have checked Meta and MW.org instead of just en.WP).
If you have enabled 2FA, then you could create a bot password (Special:BotPasswords) and log in with those details. That way you can log in without needing 2FA. (BotPasswords is IP restricted)
This came up at WikiConf North America today. I think there's been a bit of misunderstanding of this ticket. There's no need for OAuth support in AWB (nor does it make sense). Instead, AWB needs to switch to action=clientlogin, which will return a response prompting for 2FA if necessary, which the user should provide to complete the login process.
Support for owner-only OAuth does make sense, it's basically a different type of password that is more secure and does not require 2FA. It's not user-friendly though and you are probably better off with bot passwords (which do not require any code change, other than maybe explaining to the user how to use them).
action=clientlogin requires the app to implement an open-ended dialog system which is not really specified anywhere. It's a nontrivial amount of work, and I'm not sure it is worth the effort, nor that it is good security practice to train users to put their password and 2FA into random desktop apps they have downloaded from the internet.
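What client-side handling of the action=clientlogin responses discussed in this thread could look like, as an added example (not AWB code and not written by any participant here). The sample responses are constructed and the field name OATHToken in them is an assumption; the status values and the logincontinue/logintoken parameters are those of the MediaWiki API.

```python
# Added example: drive the next step from a parsed action=clientlogin response.
# Sample responses below are constructed; field names in them are assumptions.

def next_login_step(response):
    """Map one clientlogin JSON response to (action, detail)."""
    result = response.get("clientlogin", {})
    status = result.get("status")
    if status == "PASS":
        return "done", result.get("username")
    if status in ("FAIL", "RESTART"):
        return status.lower(), result.get("message", "")
    if status == "REDIRECT":
        # Needs a browser round trip; a prompt-only client cannot finish it.
        return "unsupported", result.get("redirecttarget")
    if status == "UI":
        fields = {}
        for req in result.get("requests", []):
            for name, spec in req.get("fields", {}).items():
                fields[name] = {
                    "label": spec.get("label", name),
                    "optional": bool(spec.get("optional", False)),
                    # Mask input for passwords and anything flagged sensitive.
                    "mask": spec.get("type") == "password" or bool(spec.get("sensitive")),
                }
        return "prompt", fields
    return "fail", "unexpected status: %r" % (status,)


def continue_params(fields, answers, login_token):
    """Build the POST body that answers a UI step; reject missing or unknown fields."""
    unknown = set(answers) - set(fields)
    missing = [n for n, f in fields.items() if not f["optional"] and not answers.get(n)]
    if unknown or missing:
        raise ValueError("unknown=%s missing=%s" % (sorted(unknown), missing))
    body = {"action": "clientlogin", "format": "json",
            "logincontinue": "1", "logintoken": login_token}
    body.update(answers)
    return body


# Constructed response for an account with 2FA enabled, after the password step.
SAMPLE_UI = {"clientlogin": {"status": "UI", "message": "Enter your verification code.",
    "requests": [{"id": "TOTPAuthenticationRequest", "required": "required",
                  "fields": {"OATHToken": {"type": "string", "label": "Token"}}}]}}
SAMPLE_PASS = {"clientlogin": {"status": "PASS", "username": "ExampleSysop"}}

if __name__ == "__main__":
    action, fields = next_login_step(SAMPLE_UI)
    print(action, fields)
    print(sorted(continue_params(fields, {"OATHToken": "000000"}, "constructed-token")))
    print(next_login_step(SAMPLE_PASS))
```

The prompt is built from whatever fields the server asks for rather than from a hard-coded token box, and answers are sent only for fields the server requested.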