Support browser-based API clients with OAuth 2.0 client IDs
Open, Needs Triage, Public

Description

"As a Developer, I want to deploy my API client as a client-side browser-based app, because the Web is a great way to deliver open, cross-platform, multi-device apps."

We want to support browser-based JavaScript applications that use the API. The main issue is that, if the client needs to have an API key, a user can use browser features to extract the API key and use it elsewhere.

There are a number of ways to manage this; we'll need to decide on which ways we can.

There are probably two main classes of Web apps we'd talk about: MediaWiki gadgets (run in the context of the main Web UI), and external Web apps.

https://www.oauth.com/oauth2-servers/single-page-apps/ covers a lot of the issues with this kind of app.