On Thu, May 27, 2010 at 6:13 PM, Robb Shecter <r...@weblaws.org> wrote:
> Here's the last post I could find on the subject:
>
>> For my part, I'm firmly against joining the "provider but not
>> consumer" camp.  It's of no benefit to anyone . . .
>

Not totally sure who wrote that. It may have been a while ago though.
Some context would be good.

> I just thought of a great benefit, however.  Consider this true
> scenario:  I want to write a MediaWiki API client for editors;
> something like the Wordpress Dashboard.  Really give editors a modern
> web experience.  I'd want to do this as a Rails app:  I could build it
> quickly and find lots of collaborators via GitHub.
>
> But there's one problem: people would need to log in to Wikipedia
> *through my app*.  They'd have to enter their username and password to
> my app, which would turn around and authenticate via the MediaWiki API.
>  Policy-wise, this isn't a good thing; that is, giving people the
> message that it's ok to type in your credentials to something other
> than Wikipedia sites.
>
> And I believe that this is why no such app exists.  And further, why
> the only similar apps that have been made were fat clients, and e.g.
> Windows only.  Because then, the credentials stay on the user's
> computer.
>

This really calls for OAuth support.

As a warning, it is very likely your application will be blocked if
you store user credentials in your third party app. OAuth support was
originally brought up about a year ago because of a third party app
that did this.

> But imagine:  If Wikipedia was an OpenID Provider, or provided OAuth,
> then my Rails app would be the OpenID Consumer.  It'd send people to
> Wikipedia to log in, and they'd bounce back and begin using the Rails
> app.  My app would never see any private information.
>
> I believe this would encourage a new wave of 3rd party app
> development; everything from big ambitious projects (like my editor
> dashboard) to small focussed apps (say, a simple web app just for
> editing one's talk page).
>

OAuth and OpenID as both a provider and a consumer were discussed at
the Berlin developer's workshop, and everyone seemed to agree that all
three were a good idea. OAuth and OpenID can and should be worked
separately. I was planning on working on all three. I don't have time
to tackle this right now. If you want to submit patches for OAuth, I'm
sure you'll get some good feedback, and will get inclusion if done
properly. You may want to do an RFC beforehand.

Consumer support for OpenID is likely going to be more difficult, and
will happen much later than OAuth or OpenID as a provider. Neither
OAuth nor OpenID is likely to get dedicated developer time in the
immediate future.

Respectfully,

Ryan Lane

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
