Last modified: 2014-11-19 03:59:17 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in, and apart from displaying bug reports and their history, links might be broken. See T71232, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 69232 - Provide "authenticate" endpoint for regular users
Status: UNCONFIRMED
Product: MediaWiki extensions
Classification: Unclassified
Component: OAuth (Other open bugs)
Version: unspecified
Hardware: All All
Importance: Normal normal
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Depends on:
Blocks:
Reported: 2014-08-07 12:05 UTC by Mitar
Modified: 2014-11-19 03:59 UTC
CC: 4 users
See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---



Description Mitar 2014-08-07 12:05:45 UTC
MediaWiki currently provides only an "authorize" endpoint, but this means that users have to confirm the application again and again. By providing an "authenticate" endpoint, users could just "sign in" and get immediately redirected back, without having to confirm anything, if all permissions are still the same and the user has not revoked the application.

See Twitter documentation for more information: https://dev.twitter.com/docs/api/1/get/oauth/authenticate
Comment 1 Mitar 2014-08-08 10:01:30 UTC
Is anyone from OAuth extension at Wikimania 2014? I am here, we could discuss this in person here.
Comment 2 Chris Steipp 2014-08-08 17:07:09 UTC
I think Brad and Aaron are both there. I'm not.

I forgot to comment on this one, but I'm solidly maybe on this. Silent redirects make me a little nervous since they've been used, along with other vulnerabilities, to silently exploit the other vulnerability. Requiring a user click makes another vulnerability much harder to exploit, but I can definitely see the use in several scenarios.

At the least, I've been thinking about setting up an alternate endpoint for Consumers that are only meant for login, and the text would say something more like "Login to XXX" instead of asking for authorization.
Comment 3 Mukunda Modell 2014-11-19 03:59:17 UTC
(In reply to Chris Steipp from comment #2)

> I forgot to comment on this one, but I'm solidly maybe on this. Silent
> redirects make me a little nervous since they've been used, along with other
> vulnerabilities, to silently exploit the other vulnerability. Requiring a
> user click makes another vulnerability much harder to exploit.. but I can
> definitely see the use in several scenarios.

The use of this in conjunction with other vulnerabilities doesn't make it inherently dangerous. When OAuth is only being used for login to a connected application, I don't see where the danger lies. When the OAuth authorization includes some elevated privileges, then I can see the worry; however, couldn't the authenticate endpoint provide a session without any access beyond the granting of a login?

The reason I ask is because we are using OAuth for Phabricator login, and it's really not at all convenient or user-friendly to ask for authorization each time.
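The decision logic the report and comments 2 and 3 describe, as an added example that is not code from the MediaWiki OAuth extension: "authorize" always prompts, while "authenticate" redirects silently only when a prior, unrevoked authorization already covers everything the consumer now asks for, and a `login_only` variant hands back a session carrying the identity grant alone, as comment 3 suggests. The data model, the grant names (`basic`, `editpage`), the consumers and users, and the rule that the callback must equal the one registered for the consumer (a silent redirect to an unregistered URL would be an open redirect, which is the kind of chaining comment 2 worries about) are assumptions made for illustration.

```python
"""Added example: authorize vs. authenticate decision logic for an OAuth
provider.  Not MediaWiki/OAuth extension code; names and data are assumed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

IDENTITY_GRANT = "basic"  # assumed name of the identity-only grant


@dataclass(frozen=True)
class Consumer:
    key: str
    callback: str              # callback registered when the consumer was approved
    grants: FrozenSet[str]     # grants the consumer currently asks for


@dataclass
class Authorization:
    grants: FrozenSet[str]     # what the user confirmed on the "authorize" page
    revoked: bool = False


@dataclass(frozen=True)
class Decision:
    action: str                # "redirect", "prompt" or "reject"
    reason: str
    grants: FrozenSet[str] = frozenset()
    redirect_to: Optional[str] = None


# Constructed sample data: two consumers and the authorizations three users hold.
CONSUMERS: Dict[str, Consumer] = {
    "wikibot": Consumer("wikibot", "https://bot.example/cb",
                        frozenset({"basic", "editpage"})),
    "phab": Consumer("phab", "https://phab.example/auth/login",
                     frozenset({"basic"})),
}
AUTHORIZATIONS: Dict[str, Dict[str, Authorization]] = {
    "alice": {"wikibot": Authorization(frozenset({"basic", "editpage"})),
              "phab": Authorization(frozenset({"basic"}))},
    "bob": {"wikibot": Authorization(frozenset({"basic", "editpage"}), revoked=True)},
    "carol": {},
}


def authorize(user: str, consumer: Consumer, callback: str) -> Decision:
    """The existing endpoint: always shows the confirmation page."""
    if callback != consumer.callback:
        return Decision("reject", "callback does not match registered callback")
    return Decision("prompt", "authorize always requires a click", consumer.grants)


def authenticate(user: str, consumer: Consumer, callback: str,
                 login_only: bool = False) -> Decision:
    """The proposed endpoint: redirect without a click only when nothing changed.

    login_only models the login-only variant from comments 2 and 3: the issued
    session carries the identity grant only, whatever else the consumer holds.
    """
    # Never redirect silently to a URL that is not the registered callback.
    if callback != consumer.callback:
        return Decision("reject", "callback does not match registered callback")

    wanted = frozenset({IDENTITY_GRANT}) if login_only else consumer.grants
    existing = AUTHORIZATIONS.get(user, {}).get(consumer.key)

    if existing is None:
        return Decision("prompt", "no prior authorization", wanted)
    if existing.revoked:
        return Decision("prompt", "user revoked this consumer", wanted)
    if not wanted <= existing.grants:
        missing = sorted(wanted - existing.grants)
        return Decision("prompt", f"consumer now asks for more: {missing}", wanted)

    # Same (or fewer) grants as last confirmed and not revoked: the report's
    # conditions for skipping the confirmation page all hold.
    return Decision("redirect", "prior authorization covers the request",
                    wanted, consumer.callback)


if __name__ == "__main__":
    cb = CONSUMERS["wikibot"].callback
    print(authenticate("alice", CONSUMERS["wikibot"], cb))
    print(authenticate("alice", CONSUMERS["wikibot"], cb, login_only=True))
    print(authenticate("bob", CONSUMERS["wikibot"], cb))
    print(authenticate("alice", CONSUMERS["wikibot"], "https://evil.example/cb"))
```

The subset test is what makes the "permissions are still the same" condition safe in practice: a consumer that later asks for a grant the user never confirmed is pushed back to the prompt, so the silent path can never widen what the user agreed to.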
