Jump to content

Topic on Talk:OAuth/For Developers

Acess token for anonymous user

3
Diegodlh (talkcontribs)

Hi, all! I'm developing a tool that edits Wikidata. The client is public (i.e., not confidential), so I will be using PKCE.

Apart from security, one of the reasons why I'm using OAuth is because it sets a tag for the edits made with the tool, as discussed here. This is useful, because it'd let us track changes and identify bugs early.

The tool also allows making anonymous edits. This is possible by using the +\ CSRF token, but in order for these edits to be flagged with the app's tag, I guess I should send an access token in the Authorization header.

Would it be possible to get an access token from the access_token endpoint using grant_type=client_credentials? Given that this is a public client, would it be possible to get it using (PKCE's) code_verifier, instead of client_secret?

Thanks!!

Ragesoss (talkcontribs)
Tgr (WMF) (talkcontribs)

OAuth cannot be used for anonymous actions, as the user needs to approve the OAuth app before using it, and anonymous users are identified with their user address and a meaningful approval mechanism cannot be built on that. (There is a chance the handling of anonymous users will be rearchitected in the next year or so and that might affect the ability of the OAuth extension to cover anonymous actions, but not anytime soon.)

Reply to "Acess token for anonymous user"