Add OAuth support to MediaWiki
Closed, Resolved (Public)


Based on the following discussions:


this is a request to add OAuth support to MediaWiki. This implementation should provide at a minimum (technical perspective):

  1. An easy way to keep track of edits made by a particular OAuth service
  2. As a start, only simple write access, not all the other actions as they are exposed by the API.
  3. It should be 100% transparent who the editor was who made the edit
  4. A way for admins to block all edits from a specific tool as easily as they can currently block or revert all edits from a specific user
  5. Not possible to take dangerous admin-only actions (e.g. editing interface messages)

Community perspective:

  1. Policies on what kind of OAuth services to accept.
  2. Policies on whether the OAuth service should be open source.
  3. Policies on when to revoke an OAuth service's access to the Wikipedia websites.
  4. Wikimedia's privacy policy and Creative Commons license always apply to edits made through an OAuth service.

Please add your comments if I have missed important aspects.

Version: unspecified
Severity: enhancement
See Also:



Event Timeline

bzimport raised the priority of this task from to High. Nov 21 2014, 11:50 PM
bzimport set Reference to bz30348.

Is this an addition to core, or is it going to be an extension?

I would imagine as an extension, like OpenID.

Considering how deeply this would have to integrate with MW (annotating the fact that an OAuth system was used to create a rev) I think OAuth support is going to have to be part of core if we're going to do it right.

That's probably better off anyways. Everything will be a lot better if bots and whatnot can just use OAuth as a standard to talk to most MW wikis out there.

My initial thought was also to make it part of core.

Fair enough. The authn/authz system needs a lot of love anyway.

"Simple" OAuth token setup for API authentication may be doable as an extension, depending on how hard it is to plug things in appropriately.

Fine-grained permissions would probably need some explicit API support, and might need some general rethinks (e.g. can I give an app permission to read pages and upload files on my behalf, but not to block, unblock, delete pages, etc.?).

I would prefer this be an extension. Adding hook points into the right places allows us to replace oauth with whatever comes in the future as well.

I have written a proposal to implement OAuth2 and it's available here:

tim.starling wrote:

content hidden as private in Bugzilla

revert properties changed by spammer

Lack of OAuth means we can't have things like a web version of Huggle, proper support for web tools or any web application other than MediaWiki realistically usable in our infrastructure. This definitely isn't a low priority.

I see. Thanks for correcting!

Assigning this to Chris as he's currently leading work on OAuth support.

Can this be marked RESOLVED/FIXED with it in an experimental state but deployed on some wikis, or should we wait for a tarball release or something?

Resolving as fixed due to the OAuth extension reaching the stage where it's usable.