Last modified: 2014-11-19 03:59:17 UTC
MediaWiki currently provides only an "authorize" endpoint, but this means that users have to confirm the application again and again. By providing an "authenticate" endpoint, users could just "sign in" and get immediately redirected back, without having to confirm anything, if all permissions are still the same and the user has not revoked the application. See the Twitter documentation for more information: https://dev.twitter.com/docs/api/1/get/oauth/authenticate
Is anyone from the OAuth extension at Wikimania 2014? I am here; we could discuss this in person.
I think Brad and Aaron are both there. I'm not. I forgot to comment on this one, but I'm solidly maybe on this. Silent redirects make me a little nervous since they've been used, along with other vulnerabilities, to silently exploit the other vulnerability. Requiring a user click makes another vulnerability much harder to exploit, but I can definitely see the use in several scenarios. At the least, I've been thinking about setting up an alternate endpoint for Consumers that are only meant for login, and the text would say something more like "Login to XXX" instead of asking for authorization.
(In reply to Chris Steipp from comment #2)
> I forgot to comment on this one, but I'm solidly maybe on this. Silent
> redirects make me a little nervous since they've been used, along with other
> vulnerabilities, to silently exploit the other vulnerability. Requiring a
> user click makes another vulnerability much harder to exploit.. but I can
> definitely see the use in several scenarios.

The use of this in conjunction with other vulnerabilities doesn't make it inherently dangerous. When OAuth is only being used for login to a connected application I don't see where the danger lies. When the OAuth authorization includes some elevated privileges then I can see the worry; however, couldn't the authenticate endpoint provide a session without any access beyond the granting of a login? The reason I ask is because we are using OAuth for Phabricator login and it's really not at all convenient or user friendly to ask for authorization each time.
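The decision logic the thread is arguing about, as an added example that is not part of the bug report and not code from MediaWiki or its OAuth extension. It models the existing "authorize" endpoint (always prompt) beside a proposed "authenticate" endpoint that skips the prompt only when the user's earlier approval is still present, not revoked, and covers exactly the grants the consumer now asks for. It also carries the caveat raised in comments 2 and 3 as an option: by default it auto-redirects only for consumers whose grants are login-only. The consumer records, approval store, grant names (including the login-only grant called "basic") and the `login_only_only` flag are all constructed for this illustration and do not reflect the extension's real schema or API.

```python
"""Added example: when may an OAuth "authenticate" endpoint skip the
confirmation page?  All records and grant names below are constructed
for illustration; they are not MediaWiki's OAuth extension code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Consumer:
    key: str
    name: str
    grants: frozenset  # grants the consumer is currently registered with


@dataclass
class Approval:
    grants: frozenset  # grants the user approved at the time
    revoked: bool = False


# Assumed name for the identity-only grant set: enough to log in, nothing more.
LOGIN_ONLY = frozenset({"basic"})

# Constructed sample state (not real data).
CONSUMERS = {
    "phab": Consumer("phab", "Phabricator login", frozenset({"basic"})),
    "bot": Consumer("bot", "EditBot", frozenset({"basic", "editpage"})),
    # Registered grants were widened after alice approved only "basic".
    "tool": Consumer("tool", "Gadget", frozenset({"basic", "editpage"})),
}
APPROVALS = {
    ("alice", "phab"): Approval(frozenset({"basic"})),
    ("alice", "bot"): Approval(frozenset({"basic", "editpage"})),
    ("alice", "tool"): Approval(frozenset({"basic"})),
    ("bob", "phab"): Approval(frozenset({"basic"}), revoked=True),
}


def authorize(user: str, consumer_key: str) -> str:
    """The existing endpoint: the user always sees the confirmation page."""
    assert consumer_key in CONSUMERS
    return "prompt"


def authenticate(user: str, consumer_key: str, login_only_only: bool = True) -> str:
    """Proposed endpoint: return "redirect" (send the user straight back to the
    consumer) only when nothing about the earlier approval has changed.

    login_only_only is the caveat from the thread: when True, consumers that
    hold grants beyond plain login still get a click-through, so a silent
    redirect can never hand out elevated access.
    """
    consumer = CONSUMERS[consumer_key]
    approval = APPROVALS.get((user, consumer_key))

    if approval is None or approval.revoked:
        return "prompt"  # never approved, or the user withdrew it
    if approval.grants != consumer.grants:
        return "prompt"  # grants changed since approval; re-confirm explicitly
    if login_only_only and not consumer.grants <= LOGIN_ONLY:
        return "prompt"  # elevated grants: keep the human click in the loop
    return "redirect"


if __name__ == "__main__":
    for user, key in [("alice", "phab"), ("bob", "phab"), ("alice", "bot"),
                      ("alice", "tool"), ("carol", "phab")]:
        print(user, key, authorize(user, key), authenticate(user, key),
              authenticate(user, key, login_only_only=False))
```

With the default setting, only alice's login-only approval of "phab" yields a redirect; bob's revoked approval, carol's missing approval and the "tool" consumer whose registered grants outgrew the approval all fall back to the prompt. Turning `login_only_only` off lets "bot" redirect too, which is the case comment 2 was uneasy about.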