
Provide options for users to choose which account they want to use when publishing information to Wikidata #166

Open
kunfang98927 opened this issue Nov 1, 2024 · 1 comment

kunfang98927 commented Nov 1, 2024

  1. Use UMIL's publish Wikidata account.
  2. Use the user's own Wikidata account.

For the account authentication, here is some information for reference.

What's the difference between the CSRF token and the OAuth access token when calling Wikidata API?

1. OAuth Access Token

  • The OAuth access token is a long-term token that grants your application permission to act on behalf of a user or account (like UMIL’s public account).
  • Once you have an OAuth access token, you no longer need the user’s username and password, nor do you need to manually retrieve a CSRF token.
  • OAuth tokens handle authentication and permissions. With an OAuth token, your API requests are inherently authorized without needing extra authentication steps.

2. CSRF Token

  • The CSRF token is a short-term, single-use token that’s primarily used to prevent unauthorized actions by malicious scripts or cross-site requests.
  • If you’re using a username and password directly (rather than OAuth), you must fetch a CSRF token each time you make an editing request to authenticate the specific action.

Key Difference

  • When using OAuth: The OAuth access token replaces both the username/password and the CSRF token, meaning you don’t need to retrieve a CSRF token for each request. The OAuth token itself serves as the authorization mechanism for any edits or data publishing.
  • When not using OAuth: If you’re relying on direct login with a username and password, the API requires a CSRF token for each action to confirm that it’s an authorized request.

Simplified Process with OAuth

With an OAuth access token:

  1. Obtain the OAuth access token once (or refresh it as needed).
  2. For each API request, include the OAuth access token in the Authorization header.

Here's what an API call looks like with OAuth (without needing a CSRF token):

import requests

# Values supplied by the caller (placeholders here): the OAuth access token
# obtained earlier and the JSON body describing the edit to publish.
access_token = "<OAuth access token>"
data_to_publish = {}

headers = {
    "Authorization": f"Bearer {access_token}",  # OAuth access token replaces CSRF requirement
    "Content-Type": "application/json",
}

response = requests.post(
    "https://www.wikidata.org/w/api.php?action=wbsetlabel&format=json&...other_parameters...",
    headers=headers,
    json=data_to_publish,
)

Summary

  • With OAuth: Just use the access token; no CSRF token needed.
  • Without OAuth: You need a CSRF token with each request when using username and password directly.

Switching to OAuth streamlines the process, eliminates the need for a CSRF token, and is considered more secure for automated, programmatic access.
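As an added example (not code from this issue or the project), here is one way to implement the account choice from the issue on top of the bearer-token call above: the caller picks the shared UMIL account or the user's own account, the selection fails closed when the chosen account has no token (so an edit is never silently published under the other account), and the request is assembled without sending it so it can be inspected or tested. The names `PublishAccount`, `choose_account`, `build_publish_request` and `redact_token` are assumptions of this example.

```python
"""Added example: select the publishing account and build the OAuth request.
Names and structure here are assumptions, not the project's own code."""
from dataclasses import dataclass
from typing import Optional

WIKIDATA_API = "https://www.wikidata.org/w/api.php"


@dataclass(frozen=True)
class PublishAccount:
    label: str          # which account the edit is attributed to
    access_token: str   # OAuth access token used as the Bearer credential


def choose_account(use_own_account: bool,
                   user_token: Optional[str],
                   shared_token: Optional[str]) -> PublishAccount:
    """Option 2 (user's own account) when requested, otherwise option 1
    (UMIL's shared publish account). Fails closed: a missing token raises
    instead of falling back to the other account."""
    if use_own_account:
        if not user_token:
            raise ValueError("own account selected but no OAuth token available")
        return PublishAccount("user", user_token)
    if not shared_token:
        raise ValueError("shared publish account token is not configured")
    return PublishAccount("umil-shared", shared_token)


def build_publish_request(account: PublishAccount, action: str,
                          params: dict, payload: dict) -> dict:
    """Return the keyword arguments for requests.post(): the OAuth token goes
    in the Authorization header, the action and format in the query string."""
    headers = {
        "Authorization": f"Bearer {account.access_token}",
        "Content-Type": "application/json",
    }
    query = {"action": action, "format": "json", **params}
    return {"url": WIKIDATA_API, "params": query,
            "headers": headers, "json": payload}


def redact_token(token: str, keep: int = 4) -> str:
    """Shorten a token for log lines so the full credential never lands in logs."""
    if len(token) <= keep:
        return "*" * len(token)
    return token[:keep] + "*" * (len(token) - keep)
```

To send the edit, unpack the returned dict into `requests.post(**req)`; log `redact_token(account.access_token)` rather than the header itself.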
