Openstreetmap-website: Add Wikipedia authentication

Created on 1 Feb 2016  路  32Comments  路  Source: openstreetmap/openstreetmap-website

I think it should be great let the wikipedia folks use their account for OpenStreetMap authentication

Most helpful comment

I could have sworn that was long since deployed!

I'll have to see if I can get a token to use in production now that, which might be fun because my meta account mysteriously lost it's confirmed status the other day...

All 32 comments

Do wikipedia actually offer an external authentication service?

I don't see them listed in the OmniAuth strategy list at https://github.com/intridea/omniauth/wiki/List-of-Strategies so I'm guessing they don't.

I have not added it to the OmniAuth wiki but am the author of https://github.com/timwaters/omniauth-mediawiki/ https://rubygems.org/gems/omniauth-mediawiki

@timwaters But does wikipedia have Extension:OAuth installed?

@tomhughes I believe so. You'd need to get the token via meta.wikimedia.org. You can specify just the project (en.wikipedia.org or commons.wikimedia.org) or all projects.

However the consumer application needs to be manually approved via the wikimedia admins - but you can still use it in development mode by the user who proposed the consumer.

https://en.wikipedia.org/wiki/Special:OAuthListConsumers lists all existing consumers.

You can find more information on https://www.mediawiki.org/wiki/OAuth/For_Developers ; cc @Stype, @tgr in case they have something to add.

The one thing I noticed is that most, if not all, of the existing consumers are wikipedia related so I'm not sure whether they accept a request from somebody wanting to use it for third party authentication.

@tomhughes, that is an unfortunate side effect, not the intent. I'd love to see more open-source projects use us for authentication / identity. If you have any issues getting setup, let me know.

I have asked on the wikimedia-labs channel or IRC and I have been told that OAuth has an "authenticationonly" feature that can be used for this purpose. See this example. More info on mediawiki.org Extension:OAuth#Identify the User (optional)

I'd agree with Tom - compared to other OAuth providers, it currently does not seem to be primarily aimed towards the "authentication only" route used by Omniauth - the manual approval also points towards that (but it is a reasonably new addition to the mediawiki suite, so it could be early days).

However, when applying for a new OAuth consumer, the rights can be set to just authentication. I'll ping some WMF folks on IRC and see what they think, I'd love it if it was set to become a new authentication option for more web applications!

(edits - clarity)

@timwaters I have just done that, see my comment above, but feel free to follow up :)

Tim Waters, 04/02/2016 19:06:

However, when applying for a new OAuth consumer, the rights can be set
to just authentication. I'll ping some WMF folks on IRC and see what
they think, I'd love it if it was set to become a new authentication
option for more web applications!

The current proposal is to make the authentication-only apps be
autoapproved.
https://meta.wikimedia.org/wiki/Talk:Requests_for_comment/OAuth_handover#Reduce_number_of_total_requests

Maps are already available on some WMF sites and might go to Wikipedia soon. We want to point users to osm.org for fixing data issues and therefore having an easy way for them to log in is getting more and more important. Please let us know if we can help make it happen.

We want to point users to osm.org for fixing data issues

This part doesn't depend on wikipedia authentication.

easy way for them to log in is getting more and more important. Please let us know if we can help make it happen.

Re-reading the comments above, this issue was stuck with the respective WMF policies as drafts.

The best way to make it happen would be for WM to be an OpenID provider, since OSM already supports OpenID.

Paul Norman, 17/06/2016 01:05:

Re-reading the comments above, this issue was stuck with the respective
WMF policies as drafts.

Why get stuck on a merely hypothetical chance of rejection? Unless you
have some moral objection against processes based on common sense,
please just apply and see whether the consumer is approved.

We also need to see the TOS/contract - some third-party identification providers (e.g. Twitter) have been rejected

Paul Norman, 17/06/2016 09:10:

We also need to see the TOS/contract

There is only https://meta.wikimedia.org/wiki/Terms_of_use

@nemobis I don't think a "hypothetical chance of rejection" is the issue, more that while the policy is in draft we can't know what criteria we need to meet or whether they might suddenly change in the final version such that we no longer qualified.

It doesn't look like I can even apply anyway - going to https://meta.wikimedia.org/wiki/Special:OAuthConsumerRegistration/propose which I think is where you're supposed to apply, tells me I'm not authorised to apply:

You do not have permission to propose new OAuth consumers, for the following reason:

The action you have requested is limited to users in one of the groups: Autoconfirmed users, Confirmed users.

No idea how I become "confirmed" in order to be able to apply.

Tom Hughes, 17/06/2016 09:23:

No idea how I become "confirmed" in order to be able to apply.

Did you login?

Yes (with my wikipedia account) because it insisted on my logging on when I tried to visit the page.

Tom Hughes, 17/06/2016 09:30:

Yes (with my wikipedia account) because it insisted on my logging on
when I tried to visit the page.

If you are TomH, you are supposed to be autoconfirmed already:
https://meta.wikimedia.org/w/index.php?title=Special%3ALog&user=TomH
https://meta.wikimedia.org/wiki/Meta:Autoconfirmed_users

Does https://meta.wikimedia.org/wiki/Special:Preferences say you are not
autoconfirmed?

No I'm TomH72. I can't see any mention of confirmation on my preferences page, though I may not be looking in the right place.

Autoconfirmed status is automatically added after a certain amount of edits/days registered, I've now made you confirmed explicitly.

Is there a potential for confusion since some Wikipedia accounts won't be able to be used for login since they don't have an email?

We don't care whether they have an email - don't know if wikimedia will. We will likely use the "authentication plus access to email" option and will ask for the email and use it as a default but if there isn't one we will just ask them to enter one.

I've just created a test consumer (access to my account only) and I'll see if I can get things going with that before applying for a live one.

Paul Norman, 17/06/2016 10:14:

some Wikipedia accounts won't be able to be used for login since they
don't have an email?

What makes you think so? Such a restriction would surprise me. I just
registered a test account without an email address and I was able to
authenticate in https://dashboard-testing.wikiedu.org without problems.

Any update/progress on this?

I think we're still waiting on legal clearance.

We now have a (positive) answer from the WMF, quote " and we don't believe there are any legal or TOS reasons why you couldn't use a Wikimedia account for OSM authentication. As the threads mention, we do use OAuth; if you can make it work technically we don't believe there are any legal blockers. "

I could have sworn that was long since deployed!

I'll have to see if I can get a token to use in production now that, which might be fun because my meta account mysteriously lost it's confirmed status the other day...

@simonpoole @tomhughes this is great news! Thanks!

Was this page helpful?
0 / 5 - 0 ratings

Related issues

pnorman picture pnorman  路  5Comments

kgreenek picture kgreenek  路  6Comments

HarelM picture HarelM  路  7Comments

pangoSE picture pangoSE  路  7Comments

tyrasd picture tyrasd  路  5Comments