Is this an addition to core, or is it going to be an extension?

I would imagine as an extension, like OpenID.

Considering how deeply this would have to integrate with MW (annotating the fact that an OAuth system was used to create a rev) I think OAuth support is going to have to be part of core if we're going to do it right.

That's probably better off anyways. Everything will be a lot better if bots and whatnot can just use OAuth as a standard to talk to most MW wikis out there.

My initial thought was also to make it part of core.

Fair enough. The authn/authz system needs a lot of love anyway.

"Simple" OAuth token setup for API authentication may be doable as an extension, depending on how hard it is to plug things in appropriately.

Fine-grained permissions would probably need some explicit API support, and might need some general rethinks (eg can I give an app permission to read pages and upload files on my behalf, but not to block, unblock, delete pages, etc?).

I would prefer this be an extension. Adding hook points into the right places allows us to replace oauth with whatever comes in the future as well.

I have written a proposal to implement OAuth2 and it's available here: http://www.mediawiki.org/wiki/OAuth

tim.starling wrote:

content hidden as private in Bugzilla

revert properties changed by spammer

Lack of OAuth means we can't have things like a web version of huggle, proper support for web tools or any web application other than mediawiki realistically usable in our infrastructure. This definitely isn't a low priority.

I see. Thanks for correcting!

Assigning this to Chris as he's currently leading work on OAuth support.

Can this be marked RESOLVED/FIXED with https://www.mediawiki.org/wiki/Extension:OAuth in experimental state but deployed on some wikis, or should we wait for a tarball release or something?

Resolving as fixed due to the OAuth extension reaching the stage where it's usable.