The description of the authonlyprivate grant says Authentication only with access to real name and email address. When real names are disabled (via $wgHiddenPrefs) the grant description should not mention them.
|Open||None||T90925 General authentication improvements for MediaWiki|
|Open||None||T86869 Support a nice sso experience with MediaWiki's OAuth|
|Open||Tgr||T75062 OAuth permission screen needs redesign for better usability and comprehension|
|Open||Tgr||T91825 Improve text of OAuth authorization dialog|
|Open||None||T151516 Improve OAuth grant messages|
|Open||None||T151515 authonlyprivate OAuth grant should not mention real name when the wiki does not allow them|
This wording has been brought up as a concern by a user regarding the InternetArchiveBot's Management Interface. At least on the German-language Wikipedia, unless I'm mistaken there is no way to set a real name in the preferences, hence no real name can be revealed. Nevertheless, this raises questions especially for users who do not understand what kind of mechanism OAuth is.
The grant text is generated (among other things) by MWGrants::grantName() and there is no easy way to modify that, so probably the least painful approach is to use a hook such as MessageCache::get to show a different message when real names are disabled. (The message used is grant-mwoauth-authonlyprivate.)
We have commissioned a Wikimedia login plugin for Discourse (via OAuth) T215052: Add MediaWiki login support to Discourse that is almost ready to be deployed on Wikimedia Space. The plugin does not attempt to read real name, but the authorization pop-up mentions real name. In addition to it being misleading, we have reason to believe this could be triggering for some users (many probably won't recall that they never provided a real name to Wikimedia).
Can this text be tweaked?
Thanks @Lucas_Werkmeister_WMDE for the merge! With that the user-facing text is fixed.
I wrote to translators-l to give a heads-up about the new messages.
What is left (for another time) is fixing the grant name in the consumer registration form for developers, and maybe storing whether the grant included real names (see gerrit comments for details - that seems like a lot of work though and it's probably not important enough to merit it).