Support two-factor authentication in AutoWikiBrowser
Open, Normal, Public

Description

Privileged accounts (from sysop onwards) are now given the possibility to enable two-factor authentication for their accounts. Please add support so that sysops and/or other accounts with elevated access that have decided to enable this security feature are able to continue using AWB.

Restricted Application added a subscriber: Aklapper. Nov 12 2016, 5:47 PM

Note: If you create a BotPassword for yourself, you can use that to log on to AWB even if 2FA is normally enabled on your account.

TheDJ added a subscriber: TheDJ. Nov 13 2016, 10:31 AM

I don't think this task is valid. AWB should use either https://en.wikipedia.org/wiki/Special:BotPasswords or OAUTH. And probably at least be able to tell a user that he cannot login using 2FA and direct him at bot passwords.

I don't think this task is valid. AWB should use either https://en.wikipedia.org/wiki/Special:BotPasswords or OAUTH. And probably at least be able to tell a user that he cannot login using 2FA and direct him at bot passwords.

Yes, AWB should probably also support OAUTH, but I think it can also support this. Do we have a task for that?

It's of course up to the developers of AWB to decide which support should be added to the tool. To me it does not look harebrained or misbegotten to add support for 2fa with a prompt-for-token window when in the process of logging in, if that can be achieved of course.

Regards.

Reedy added a subscriber: Reedy. Nov 14 2016, 4:33 PM

I don't think this task is valid. AWB should use either https://en.wikipedia.org/wiki/Special:BotPasswords or OAUTH. And probably at least be able to tell a user that he cannot login using 2FA and direct him at bot passwords.

Yes, AWB should probably also support OAUTH, but I think it can also support this. Do we have a task for that?

It's of course up to the developers of AWB to decide which support should be added to the tool. To me it does not look harebrained or misbegotten to add support for 2fa with a prompt-for-token window when in the process of logging in, if that can be achieved of course.

Regards.

I don't think the API supports 2FA yet

Reedy added a comment. Nov 14 2016, 4:34 PM

I don't think this task is valid. AWB should use either https://en.wikipedia.org/wiki/Special:BotPasswords or OAUTH. And probably at least be able to tell a user that he cannot login using 2FA and direct him at bot passwords.

Probably just need some improved error handling and messages to this extent

Anomie added a subscriber: Anomie. Nov 14 2016, 5:52 PM

I don't think the API supports 2FA yet

The API supports everything AuthManager supports via action=clientlogin. Using action=login for anything except BotPasswords is deprecated, and AWB should use OAuth instead of BotPasswords for non-interactive login.
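
The two-step `action=clientlogin` flow mentioned in the comment above, as an added example that is not part of the original thread or of AWB's code. The function names and sample responses are constructed for illustration, and the second-factor field name `OATHToken` is an assumption about how the wiki's 2FA extension names its field.

```python
# Added example: decide a desktop client's next step from an action=clientlogin reply.
# Sample responses are constructed, not captured from a real wiki.
SAMPLE_UI = {"clientlogin": {
    "status": "UI", "message": "Enter your verification code",
    "requests": [{"id": "ExampleSecondFactorRequest",  # constructed id
                  "fields": {"OATHToken": {"type": "string", "label": "Token"}}}]}}
SAMPLE_PASS = {"clientlogin": {"status": "PASS", "username": "ExampleSysop"}}
SAMPLE_REDIRECT = {"clientlogin": {"status": "REDIRECT",
                                   "redirecttarget": "https://idp.example/"}}


def next_step(response, token_field="OATHToken"):
    """Return (action, detail); token_field is an assumed field name."""
    body = response.get("clientlogin", {})
    status = body.get("status")
    if status == "PASS":
        return ("done", body.get("username"))
    if status == "FAIL":
        return ("failed", body.get("message", "login failed"))
    if status == "RESTART":
        # Login session was lost: fetch a fresh login token and start again.
        return ("restart", body.get("message", ""))
    if status == "UI":
        fields = {}
        for req in body.get("requests", []):
            fields.update(req.get("fields", {}))
        if token_field in fields:
            # The wiki wants a second factor: prompt the user for the code.
            return ("prompt_token", token_field)
        return ("unsupported", "fields requested: " + ", ".join(sorted(fields)))
    # REDIRECT (or anything unknown) needs a browser; tell the user to create
    # a bot password at Special:BotPasswords instead of failing silently.
    return ("unsupported", "use Special:BotPasswords for this account")


def continue_params(login_token, code, token_field="OATHToken"):
    """POST parameters for the follow-up request that carries the 2FA code."""
    return {"action": "clientlogin", "format": "json", "logincontinue": "1",
            "logintoken": login_token, token_field: code}


if __name__ == "__main__":
    for sample in (SAMPLE_UI, SAMPLE_PASS, SAMPLE_REDIRECT):
        print(next_step(sample))
```
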

Reedy added a comment. Nov 14 2016, 7:50 PM

I seem to recall there being reasons we couldn't use oauth before

the need for a client-side secret?

Reedy added a comment. Nov 16 2016, 1:45 PM

the need for a client-side secret?

That sounds familiar, yup.

So, we need to encourage people to use BotPasswords (improve documentation etc), and look at moving action=login to action=clientlogin in the near future too

Just a reminder that AWB is used on other projects besides the WMF ones. So if OAuth is enabled, the application will still need to function without it on other projects. That could be why it wasn't done.

Reedy added a comment. Nov 16 2016, 5:41 PM

Just a reminder that AWB is used on other projects besides the WMF ones. So if OAuth is enabled, the application will still need to function without it on other projects. That could be why it wasn't done.

No, it's why Krenair said. Unless we share said key between Developers... Which is a pain, considering the code is in public code repos

And then any third party developers... would need to modify AWB to use a different OAuth...

No point

Bot Passwords would be the way forward, and/or supporting action=clientlogin instead which can allow 2FA to work

So, we need to encourage people to use BotPasswords (improve documentation etc)

Better documentation is needed big-time; I went looking for info on this a few days ago and didn't find anything relevant until I finally stumbled across Special:BotPasswords itself (though now that I think about it, I probably should have checked Meta and MW.org instead of just en.WP).

Tgr added a subscriber: Tgr. Nov 17 2016, 12:37 AM

the need for a client-side secret?

Use an owner-only OAuth consumer and handle all OAuth data (consumer key, consumer secret, access token, access secret) as user credentials.

the need for a client-side secret?

Use an owner-only OAuth consumer and handle all OAuth data (consumer key, consumer secret, access token, access secret) as user credentials.

I wonder if this causes too high of a barrier to entry for most users?

MarcoAurelio renamed this task from Support two-factor authentication to Support two-factor authentication in AutoWikiBrowser. Nov 17 2016, 11:10 AM
Stryn added a subscriber: Stryn. Dec 2 2016, 3:33 PM
Mbch331 added a subscriber: Mbch331. Jan 8 2017, 8:39 AM

If you have enabled 2FA, then you could create a bot password (Special:BotPasswords) and log in with those details. That way you can log in without needing 2FA. (BotPasswords is IP restricted)

Headbomb triaged this task as Normal priority. Mar 18 2017, 11:18 PM