Enable Google login in discourse-mediawiki.wmflabs.org
Closed, Declined | Public

Description

As per https://discourse-mediawiki.wmflabs.org/t/enabling-social-login/71

From the Discourse admin interface:

enable google oauth2 logins

Enable Google Oauth2 authentication. This is the method of authentication that Google currently supports. Requires key and secret.

google oauth2 client id

Client ID of your Google application.

google oauth2 client secret

Event Timeline

Qgil triaged this task as Medium priority.
Tgr subscribed.

The next step would be for someone from OIT to set up OpenID Connect. The callback URL is https://discourse-mediawiki.wmflabs.org/auth/google_oauth2/callback and there is a step-by-step tutorial here.

@bbogaert what would be the process to get this task triaged by OIT?

Hi @Tgr,

Adding me to this ticket is fine.

I can help set this up.

Can you let me know the values for:

  • Email address
    • <Google Group, needs to be one I (bbogaert@wikimedia.org) manage, but not necessarily a member>
  • Product name shown to users
  • Homepage URL (Optional)
    • https:// or http://
  • Product logo URL (Optional)
  • Privacy policy URL
    • Optional until you deploy your app
    • https:// or http://
  • Terms of service URL (Optional)

I'll fill this out, then I'll securely send you the Client OAuth Secret/ID, or by sneaker net.

Also, more than happy to schedule a meeting and complete this then. Should not take too long.

Thanks,
Byron

Thanks! The email should probably be @Qgil's or yours (I don't think it makes much difference in practice), the product name would be Wikimedia Developer Support, the homepage is https://discourse-mediawiki.wmflabs.org/ . We don't have a logo, privacy policy or ToS yet. For privacy policy, the footer links to the WMF policy which is probably a bad thing to do given we run on wmflabs.org and can't provide most of those privacy guarantees for now. Filed {T187125}. The task for the ToS is T184373: Discourse-MediaWiki instance needs Terms of Use.

Hi @Tgr,

I have set this up and can send the secrets. Should I send via PGP or give you a USB in person, or something else? If I'm sending by PGP, can you email your fingerprint?

Thanks,
Byron

(Why/what is "Email address" needed for? If it has some non-decorational functionality then having one personal email sounds like a single point of failure.)

@Aklapper,

I set the email address to the Google Group discourse-oauth@wikimedia.org, which I am a Manager of. Who should be a member and receive emails here if they are sent?

Thanks,
Byron

Hi @Tgr,

Let us know if the "secrets" worked.

Thanks,
Byron

Enabled, tested, works fine. Thanks @bbogaert!
Disabled for now pending {T187125} (or someone deciding we shouldn't care).

Tgr added a subtask: Restricted Task. (Mar 25 2018, 6:17 AM)
elappen-WMF closed subtask Restricted Task as Resolved. (Jul 17 2019, 10:41 PM)

Is there anything left to do in this task? Asking as all other mentioned tasks or blockers have been resolved.

I think this is technically done; if we wanted to use Google login we could. discourse-mediawiki uses SUL login now, in SSO mode (it was used as the test platform for enabling that configuration on Space). SSO mode does not allow for alternative login methods. We can revisit that decision later; anyway, as you say, there's nothing left to do here.

I'll mark as Declined only to reflect the current situation.