
Update Phabricator OAuth scopes in documentation
Open, Low, Public

Description

Repeating some of what I put into the code review of https://github.com/python-social-auth/social-core/pull/169
I suspect that the default OAuth scope is actually scope.always. Check out https://secure.phabricator.com/D15621 , which removed previous scopes offline_access and whoami as no longer needed, but added a new one.
Phabricator has no published defined scopes, as noted at https://github.com/ofbeaton/oauth2-phabricator#managing-scopes , and "This section has not been written yet." on https://secure.phabricator.com/book/phabcontrib/article/using_oauthserver/ .
If true, this deserves special mention as Phabricator is very odd in that regard; not many other OAuth providers have no scopes at all.
If we do figure out the scopes, maybe there is a documentation task to be done ... :P
But as I mentioned above, it looks like the scope scope.always exists, and I wouldn't be surprised if the myriad other scopes in Phabricator also work via OAuth.
A bit more investigation needed (however the GCI task criteria have been met, and so it is approved).

Event Timeline

divadsn created this task. Jan 22 2018, 8:40 AM
Restricted Application added a subscriber: Aklapper. · Jan 22 2018, 8:40 AM
divadsn added a comment. Edited Jan 22 2018, 8:51 AM

Looking at the current source of Phabricator on GitHub, the "required" scope for user.whoami is referring to self::SCOPE_ALWAYS, therefore the docs for https://github.com/ofbeaton/oauth2-phabricator should be updated to list that scope.

Same applies to the PR made by me for python-social-auth: https://github.com/python-social-auth/social-core/pull/169

divadsn triaged this task as Low priority. Jan 22 2018, 8:53 AM

Is this about some local change specific to Wikimedia's instance of Phabricator, or does this apply to any Phabricator in general (which would make this an upstream issue)?

divadsn added a comment. Edited Jan 22 2018, 4:07 PM

Is this about some local change specific to Wikimedia's instance of Phabricator, or does this apply to any Phabricator in general (which would make this an upstream issue)?

It applies to Phabricator in general, as the docs at Phabricator are incomplete here: https://secure.phabricator.com/book/phabcontrib/article/using_oauthserver/

I also noticed that they've disabled registration for new contributors, so I am forwarding the question to @jayvdb on how to update the docs at Phabricator.

Edit: The research will save the work for us later at Wikimedia :)

Restricted Application added a project: Upstream. · Feb 6 2018, 1:24 PM