In T244473 I wanted to look at how big a task this was - i.e. how many existing consumers would need to be changed. I realised that we expose some information about the OAuth consumers on index.php special pages, but not via api.php and not via the database replicas.
I therefore propose we partially expose oauth_registered_consumer:
- oarc_id
- oarc_consumer_key - I think this is an identifier of the consumer e.g. part of the URL in https://meta.wikimedia.org/w/index.php?title=Special:OAuthListConsumers/view/fa88fc9efa0e08429863160d038f70a9 ?
- oarc_name
- oarc_user_id
- oarc_version
- oarc_callback_url
- oarc_callback_is_prefix
- oarc_description
- oarc_owner_only - don't know if this is already exposed?
- oarc_wiki - don't know if this is already exposed?
- oarc_grants - don't know if this is already exposed?
- oarc_registration
- oarc_stage
- oarc_stage_timestamp
- oarc_deleted
- oarc_oauth_version
- oarc_oauth2_allowed_grants - don't know if this is already exposed?
- oarc_oauth2_is_confidential - commented as "OAuth2 flag indicating if consumer can be trusted with keeping secrets" in schema/OAuth.sql - don't know if this is already exposed?
but not:
- oarc_email
- oarc_email_authenticated - tied to the above, possibly fine to do but probably not useful
- oarc_developer_agreement - don't remember what this is
- oarc_secret_key
- oarc_rsa_key
- oarc_restrictions - I think this contains IP addresses, and with owner-only consumers and things... if this isn't already exposed we probably should think twice before exposing it. Would not be helpful for my use case anyway.
And all of this only on the basis that oarc_deleted=0.
Note it's possible some of this isn't already exposed somewhere. I have not dived deep into the OAuth extension codebase.
I made a patch for this but have been told they will require the WMF security team to sign off.
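
The allowlist proposed above, sketched as an added example (not part of the original task, the patch, or the OAuth extension's code). It uses an in-memory SQLite stand-in; the view name, the untyped columns and the sample rows are assumptions made for illustration. The audit checks that no withheld column and no deleted row is visible through the view.

```python
import sqlite3

# Columns the proposal exposes, and the ones it withholds (both lists from the task).
EXPOSED = ["oarc_id", "oarc_consumer_key", "oarc_name", "oarc_user_id", "oarc_version",
           "oarc_callback_url", "oarc_callback_is_prefix", "oarc_description",
           "oarc_owner_only", "oarc_wiki", "oarc_grants", "oarc_registration",
           "oarc_stage", "oarc_stage_timestamp", "oarc_deleted", "oarc_oauth_version",
           "oarc_oauth2_allowed_grants", "oarc_oauth2_is_confidential"]
WITHHELD = ["oarc_email", "oarc_email_authenticated", "oarc_developer_agreement",
            "oarc_secret_key", "oarc_rsa_key", "oarc_restrictions"]
VIEW = "oauth_registered_consumer_public"  # hypothetical view name


def build_db():
    """In-memory stand-in for the table; columns are left untyped (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE oauth_registered_consumer (%s)" % ", ".join(EXPOSED + WITHHELD))
    # Allowlist view: names every exposed column explicitly (never SELECT *), so a
    # column added to the table later stays hidden until someone reviews it.
    db.execute("CREATE VIEW %s AS SELECT %s FROM oauth_registered_consumer "
               "WHERE oarc_deleted = 0" % (VIEW, ", ".join(EXPOSED)))
    return db


def insert_consumer(db, **values):
    """Insert one constructed row; unspecified columns are NULL."""
    cols = list(values)
    db.execute("INSERT INTO oauth_registered_consumer (%s) VALUES (%s)"
               % (", ".join(cols), ", ".join("?" * len(cols))), [values[c] for c in cols])


def view_columns(db):
    """Column names visible through the view, in view order."""
    return [row[1] for row in db.execute("PRAGMA table_info(%s)" % VIEW)]


def audit(db):
    """Return (withheld columns that leak through the view, deleted rows visible)."""
    leaked = sorted(set(view_columns(db)) & set(WITHHELD))
    deleted_visible = db.execute(
        "SELECT COUNT(*) FROM %s WHERE oarc_deleted != 0" % VIEW).fetchone()[0]
    return leaked, deleted_visible
```

A check like `audit()` can run as a regression test whenever the view definition or the table schema changes.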