Page MenuHomePhabricator
Create Task
Maniphest T395459

Use OAuth rather than password-based login for Wikimedia mobile apps
Open, HighPublic
Actions

Description

OAuth 2 makes it possible to have mobile apps authenticate without login (there was no secure way to do this with OAuth 1 so in the past requests like T179519: Implementing OAuth in Wikimedia Commons Android app have been rejected). Having the apps use that rather than password-based login would have several advantages:

  • They would be able to use a mechanism that's guaranteed to be stable, rather than adapting to changes in the interactive authentication flow. That would reduce maintenance burden on both app maintainers and authentication system maintainers.
  • There would be no need to enter the password on the app so there would be no way to steal it that way (e.g. on a rooted phone taken over by a malicious app).
  • OAuth provides a granular permission model, so even if some malicious app on the phone could access OAuth credentials, the abuse potential would be very limited.

This would require some work on both sides, but not that much, I think:

  • Apps would have to implement OAuth 2, but there are tons of libraries to help with that. They would have to rely on a web view for the OAuth authorization dialog, and the user would have to log in in the web view at that point - not great for UX and security, but doesn't take any effort to implement. In the long term, maybe it can be avoided by some kind of challenge-response thing.
  • In the OAuth extension, we'd want to add some sort of "internal app" where the scopes etc. can be changed without having to register a new app ID / secret, as those would have to be hardcoded in the app. And maybe suppress change tags.

Related Objects
Search...

Event Timeline

Tgr created this task.May 28 2025, 2:41 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptMay 28 2025, 2:41 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Tgr added a subscriber: HCoplin-WMF.May 28 2025, 2:41 PM

@HCoplin-WMF FYI

Pppery subscribed.May 28 2025, 5:48 PM
JTweed-WMF edited projects, added MediaWiki-Platform-Team (Roadmap); removed MediaWiki-Platform-Team.Jun 2 2025, 2:21 PM
Seddon triaged this task as Low priority.Jun 3 2025, 4:21 PM
Seddon moved this task from Needs Triage to Product Backlog on the Wikipedia-Android-App-Backlog board.
Ladsgroup subscribed.Jun 4 2025, 4:57 PM
Seddon moved this task from Needs Triage to Product Backlog on the Wikipedia-iOS-App-Backlog board.Jun 6 2025, 4:40 PM
Dbrant added a parent task: T396400: [Epic] Improvements to Authentication workflows.Jun 17 2025, 4:13 PM
Dbrant added a subtask: T398441: Allow callback URL to be custom app deeplink.Jul 2 2025, 1:20 PM
Tgr mentioned this in T364829: Update Wikimedia apps to use central login domain.Jul 5 2025, 10:54 AM
Tgr closed subtask T398441: Allow callback URL to be custom app deeplink as Resolved.Jul 13 2025, 10:26 AM
Tgr added a comment.Jul 27 2025, 2:03 PM

Related: T255370: Document best practices for user login for different types of applications if using 2FA

Tgr mentioned this in T399654: Ensure Mobile Apps are supported with 2FA changes.Jul 31 2025, 5:38 PM
Abbe98 subscribed.Aug 26 2025, 3:05 PM
TuukkaH subscribed.Aug 29 2025, 4:41 PM

Users who are not using 2FA may get scary emails when the Wikimedia apps try but fail to re-login in the background using the previously entered password.

The email contains a link to a page with the following content: "Unlike e.g. password reset emails, there is no way for someone to send you a code without knowing your password. If that someone wasn't you, that means your password was somehow stolen or guessed. You should change it as soon as possible, and consider setting up two-factor authentication if available." https://www.mediawiki.org/wiki/Help:Extension:EmailAuth

TBurmeister subscribed.Nov 18 2025, 3:50 PM
Nylki subscribed.Dec 12 2025, 8:14 AM
Tgr added subtasks: T413286: Support display=popup and preserve authentication flow query parameters for password reset form, T96158: Add a "not X? log in with a different username" bit to the authorize form, T413134: Logout API doesn't work with OAuth, T208443: User cannot log in with OAuth on a wiki before visiting that wiki directly, T149672: OAuth: don't abort if the username does not exist on project, T412214: Ensure a good experience for apps which want to use OAuth credentials for a long time (refresh token grace period), T323867: Clarify use of non-confidential OAuth 2.0 clients.Dec 19 2025, 9:50 PM
Tgr added a project: Epic.

We might also want to include some of the subtasks of T75062: OAuth permission screen (authorization dialog) needs redesign for better usability and comprehension - at least T412207: OAuth popup has a cluttered footer (should have fewer links) and T412197: Test screen reader accessibility of OAuth authorization dialog I think.

And maybe T234674: Delete OAuth 2.0 access tokens on password change to preserve the current behavior when the user gets logged out of the app on password reset / password change.

Tgr added a subtask: T413288: Allow managing OAuth apps programmatically.Dec 19 2025, 9:57 PM
matmarex subscribed.Dec 19 2025, 11:04 PM
OWresch-WMF edited projects, added MediaWiki-Platform-Team; removed MediaWiki-Platform-Team (Roadmap).Jan 16 2026, 1:55 PM
JTweed-WMF edited projects, added MediaWiki-Platform-Team (Kanban Board); removed MediaWiki-Platform-Team.Feb 9 2026, 4:00 PM
JTweed-WMF moved this task from Essential Work to OKR Work on the MediaWiki-Platform-Team (Kanban Board) board.
Tgr removed a subtask: T96158: Add a "not X? log in with a different username" bit to the authorize form.Feb 9 2026, 9:17 PM
Tgr added a subtask: T323855: OAuth 2.0 non-confidential clients cannot use refresh tokens without client secret.Feb 18 2026, 10:10 PM
OWresch-WMF assigned this task to ArielGlenn.Mar 16 2026, 2:37 PM
OWresch-WMF raised the priority of this task from Low to High.
OWresch-WMF moved this task from OKR Work to Next on the MediaWiki-Platform-Team (Kanban Board) board.
Nylki added a comment.EditedMar 20 2026, 6:00 PM

Iny my opinion T412542: Rethink protocol support for OAuth apps should be added to the subtasks. Non-WMF mobile apps have to use the registration-form at https://meta.wikimedia.org/wiki/Special:OAuthConsumerRegistration/propose to use OAuth2. But that registration form doesn't allow custom uri-schemes currently, which are required for OAuth to work with mobile apps.

JTweed-WMF created subtask T423608: Ensure OAuth flows don’t trigger new user onboarding.Thu, Apr 16, 2:40 PM
JTweed-WMF created subtask T423609: Allow skipping OAuth permissions dialog for first party clients.
matmarex changed the status of subtask T208443: User cannot log in with OAuth on a wiki before visiting that wiki directly from Open to Stalled.Thu, Apr 16, 7:53 PM
Johannnes89 subscribed.Fri, Apr 17, 7:04 AM
matmarex closed subtask T323855: OAuth 2.0 non-confidential clients cannot use refresh tokens without client secret as Resolved.Tue, Apr 21, 9:15 PM
matmarex closed subtask T323867: Clarify use of non-confidential OAuth 2.0 clients as Resolved.Wed, Apr 22, 12:33 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits