
authonlyprivate OAuth grant should not mention real name when the wiki does not allow them
Closed, Resolved (Public)

Description

The description of the authonlyprivate grant says "Authentication only with access to real name and email address". When real names are disabled (via $wgHiddenPrefs), the grant description should not mention them.

Event Timeline

A similar text is shown in the authorization dialog as well.

This wording has been brought up as a concern by a user regarding the InternetArchiveBot's Management Interface. At least on the German-language Wikipedia, unless I'm mistaken there is no way to set a real name in the preferences, hence no real name can be revealed. Nevertheless, this raises questions especially for users who do not understand what kind of mechanism OAuth is.

@Tgr Could you quickly outline how this could be fixed? (E.g. where to place the check and how to check) Thanks!

The grant text is generated (among other things) by MWGrants::grantName() and there is no easy way to modify that, so probably the least painful approach is to use a hook such as MessageCache::get (https://www.mediawiki.org/wiki/Manual:Hooks/MessageCache::get) to show a different message when real names are disabled. (The message used is grant-mwoauth-authonlyprivate.)
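A sketch of the hook-based approach suggested in the comment above, as an added example (not the change that was later merged, and not code from the OAuth extension). It assumes placement in LocalSettings.php; the replacement message key grant-mwoauth-authonlyprivate-norealname is hypothetical and needs its own message text.

```php
<?php
// Added example for LocalSettings.php; not the OAuth extension's own code.
// Maps the stock grant message to a replacement that omits "real name".
// The replacement key is hypothetical: its text must be defined separately,
// e.g. on the wiki page MediaWiki:Grant-mwoauth-authonlyprivate-norealname.
$noRealNameOverrides = [
	'grant-mwoauth-authonlyprivate' => 'grant-mwoauth-authonlyprivate-norealname',
];

$wgHooks['MessageCache::get'][] = static function ( &$lckey ) use ( $noRealNameOverrides ) {
	global $wgHiddenPrefs;

	// Real names are in use on this wiki: keep the stock wording.
	if ( !in_array( 'realname', $wgHiddenPrefs, true ) ) {
		return true;
	}

	// Real names are hidden: swap the key so the consent text does not
	// claim access to data the wiki never collects.
	$lckey = $noRealNameOverrides[$lckey] ?? $lckey;
	return true;
};
```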

We have commissioned a Wikimedia login plugin for Discourse (via OAuth; T215052: Add MediaWiki login support to Discourse) that is almost ready to be deployed on Wikimedia Space. The plugin does not attempt to read real name, but the authorization pop-up mentions real name. In addition to it being misleading, we have reason to believe this could be triggering for some users (many probably won't recall that they never provided a real name to Wikimedia).


Can this text be tweaked?

Change 536788 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/extensions/OAuth@master] Avoid mentioning real names on wikis which do not use it

https://gerrit.wikimedia.org/r/536788

Change 536788 merged by jenkins-bot:
[mediawiki/extensions/OAuth@master] Avoid mentioning real names on wikis which do not use it

https://gerrit.wikimedia.org/r/536788

Thanks @Lucas_Werkmeister_WMDE for the merge! With that the user-facing text is fixed.

I wrote to translators-l to give a heads-up about the new messages.

What is left (for another time) is fixing the grant name in the consumer registration form for developers, and maybe storing whether the grant included real names (see gerrit comments for details - that seems like a lot of work though and it's probably not important enough to merit it).

matmarex subscribed.

This looks fixed enough to me with the changes made in 2019.

The non-fixed part is that the form at https://meta.wikimedia.org/wiki/Special:OAuthConsumerRegistration/propose/oauth1a still says "User identity verification only with access to real name and email address, no ability to read pages or act on a user's behalf.", which is confusing since it doesn't actually give access to real names. Developers are more likely to understand that that part is bogus than users, but still not ideal.