[Labs-l] Storing oauth tokens in a tool account

Maximilian Doerr maximilian.doerr at gmail.com
Fri Feb 3 03:00:51 UTC 2017


As long as the information isn't permanently stored, and the storage location is secure, you can go ahead and do that, BUT such storage must be disclosed to the user in a very visible manner, like a tool ToS, similar to what https://tools.wmflabs.org/iabot/ does for first-time use, that discloses what it stores, why it's being stored, and how long it's being stored for, so users can make an informed decision on whether or not to use your tool and if they are comfortable with that condition.

Cyberpower678
English Wikipedia Account Creation Team
English Wikipedia Administrator
Global User Renamer

-----Original Message-----
From: Labs-l [mailto:labs-l-bounces at lists.wikimedia.org] On Behalf Of Sam Wilson
Sent: Thursday, February 2, 2017 21:14
To: WMF-labs list <labs-l at lists.wikimedia.org>
Subject: [Labs-l] Storing oauth tokens in a tool account

Hello labradors (that's the collective noun, yes?),

I'm working on a tool http://tools.wmflabs.org/ia-upload/test/ that needs to do some time-consuming file processing before uploading the result to Commons. To do this, it saves users' oauth access tokens in local (non-web-accessible) files and then a separate CLI process comes along and uses the tokens to do the upload. Then the token is deleted.

I realise that it's probably not a very good idea to store people's credentials like this! Are there any guidelines about how to do this?
What is the best way? I don't really want to have to ask users to come back and do the upload (although, it could email them when their file is ready, if tokens shouldn't be stored at all).

Thanks,
Sam.
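
The spool-file pattern discussed in this thread, as an added Python example that is not code from either poster or from the ia-upload tool: the web side writes each token pair to an owner-only file, and the CLI worker reads it once and deletes it. The function names, the JSON layout and the one-hour `MAX_AGE` are assumptions made for illustration.

```python
import json
import os
import re
import secrets
import time

MAX_AGE = 3600  # assumed retention limit in seconds; the thread names no figure

def _path(spool, job_id):
    if not re.fullmatch(r"[0-9a-f]{32}", job_id):  # only ids generated below
        raise ValueError("bad job id")
    return os.path.join(spool, job_id + ".json")

def store_token(spool, token, secret, now=None):
    """Spool one user's token pair for the CLI worker; returns the job id."""
    os.makedirs(spool, exist_ok=True)
    os.chmod(spool, 0o700)  # owner-only, even if the directory already existed
    job_id = secrets.token_hex(16)
    # O_EXCL never reuses a file; mode 0o600 applies from the moment of creation.
    fd = os.open(_path(spool, job_id), os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({"token": token, "secret": secret,
                   "stored_at": time.time() if now is None else now}, fh)
    return job_id

def take_token(spool, job_id, now=None):
    """Return (token, secret) once, deleting the file; None if absent or expired."""
    path = _path(spool, job_id)
    try:
        with open(path) as fh:
            rec = json.load(fh)
    except FileNotFoundError:
        return None
    os.remove(path)  # removed before the upload runs, so a crash leaves no token
    now = time.time() if now is None else now
    if now - rec["stored_at"] > MAX_AGE:
        return None
    return rec["token"], rec["secret"]

def purge_expired(spool, now=None):
    """Sweep for jobs the worker never picked up; returns the number removed."""
    now = time.time() if now is None else now
    removed = 0
    for name in os.listdir(spool):
        path = os.path.join(spool, name)
        if now - os.stat(path).st_mtime > MAX_AGE:
            os.remove(path)
            removed += 1
    return removed
```

Deleting the file before the upload trades convenience for exposure: if the worker crashes mid-job the user has to authorize again, but no token is left on disk.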
