
Better support for callback URL updates
Open, Needs Triage, Public

Description

Currently, once an app is created, no changes can be applied to the callback URL. Therefore, if we need to update the URL's domain or route, there is no way to do it in the same app, so such an app has to be discarded and we have to start over.

It would be great if the OAuth extension could support:

  1. allow updating the callback URL through the update page like this, which currently neither displays nor updates the callback URL - this seems the most feasible and least breaking change.
  2. allow supporting more flexible wildcards, e.g. general RegEx - a simpler solution for making callback URL more

Reference: https://meta.wikimedia.org/wiki/Ask_a_question/Recent_questions#Ask_for_a_approval_for_a_Oauth_app

Event Timeline

We have T59631: OAuth developers should be able to change some of the parameters they registered an application with instead of having to submit a new application for updating the callback URL and other details before approval (mainly so that when reviewers point out mistakes, they can be fixed without having to register a new app).

After approval is a lot more tricky - the user has consented to the use of their account by an app, should we be able to automatically extend that consent to what's potentially a different app? Or maybe there should be some sort of reauthentication process, but that's not straightforward (we don't store the callback URL in user acceptance records currently) and does not seem much different from registering a new app, just a little more convenient.

I'm a little skeptical about how well people would be able to predict domain wildcards. For flexibility in the part after the domain name, we already have the callback prefix option.
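
The trade-off raised in the comments above (flexibility after the domain through a prefix, versus general wildcards), as an added example that is not part of the task or the OAuth extension's code. The helpers `prefix_ok` and `regex_ok`, the registered URL and the pattern are hypothetical, and all URLs are constructed.

```python
import re
from urllib.parse import urlsplit

REGISTERED = "https://tools.example.org/myapp"   # constructed registration
LOOSE = r"https://.*\.example\.org/.*"           # constructed "any subdomain" pattern


def prefix_ok(registered: str, requested: str) -> bool:
    """Prefix mode: origin must match exactly, only the path tail may vary."""
    try:
        reg, req = urlsplit(registered), urlsplit(requested)
        same_origin = (reg.scheme, reg.hostname, reg.port) == \
                      (req.scheme, req.hostname, req.port)
    except ValueError:  # malformed port or bracketed host
        return False
    if not same_origin or req.username or req.password:
        return False
    if ".." in req.path.split("/"):  # no climbing out of the prefix
        return False
    # Compare on a path-segment boundary so /myapp does not admit /myapp-other.
    base = reg.path if reg.path.endswith("/") else reg.path + "/"
    return req.path == reg.path or req.path.startswith(base)


def regex_ok(pattern: str, requested: str) -> bool:
    """General-regex mode: the result depends entirely on the pattern's author."""
    return re.fullmatch(pattern, requested) is not None


def compare(urls):
    """Return (url, prefix verdict, regex verdict) for each candidate."""
    return [(u, prefix_ok(REGISTERED, u), regex_ok(LOOSE, u)) for u in urls]


if __name__ == "__main__":
    candidates = [  # constructed callback URLs
        "https://tools.example.org/myapp/callback",
        "https://tools.example.org/myapp-other/cb",
        "https://other.example/x.example.org/cb",
    ]
    for url, by_prefix, by_regex in compare(candidates):
        print(f"{url:45} prefix={by_prefix!s:5} regex={by_regex}")
```

The third URL is on a different host, yet the pattern accepts it because `.*` also matches `/`; the component-wise prefix check rejects it.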