
Define "Manage apps" flow
Closed, Resolved (Public)

Description

The app management flow allows users to view their clients, disable a client, and reset a client's secret in the API Portal.

Status: Gathering feedback

Requirements for app management flow

User stories: epic 4, stories 3, 5, and 8

  • List my apps (nice to have: display client ID in list)
  • Display app details (name, description, client ID, return URL, rate limit)
  • Provide an option to reset a client secret
  • Provide an option to disable an app
Prototype

Screen Shot 2020-05-15 at 1.38.38 PM.png
Screen Shot 2020-05-18 at 11.39.23 AM.png
Screen Shot 2020-05-15 at 2.05.06 PM.png
Screen Shot 2020-05-15 at 2.05.13 PM.png
Terminology

app
“App” is synonymous with “client”.

client ID
A value created when registering a client in the API Portal. A user can access the client ID for their client when logged in to the API Portal.

client secret
A value created when registering an app in the API Portal. A client secret is shown to the user once on creation and can only be accessed again by resetting it.

access token
A value generated in one of two ways:

  • Created by the API Portal when registering a client authorized to act on behalf of a single user (the user creating the client). In this case, the access token has identical rights, roles, and permissions to that user.
  • Created by an OAuth Extension API request to /oauth/access_token as part of a user-authorization flow.

rate limit
A rate limit is applied to a client based on client ID. Rate limits can differ between clients, so a user should be able to see the rate limit for each of their clients when logged in to the API Portal.
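The requirements and terminology above describe how a client ID, a client secret, a disabled app and a per-client rate limit are expected to behave. The following Python model is an added example, not the API Portal's or MediaWiki's own code: it assumes a hypothetical in-memory `AppRegistry` in which the owner is a plain username, the client secret is kept only as a SHA-256 hash (adequate because the secret is a high-entropy random token, not a user-chosen password), and the rate limit is counted as requests per fixed one-hour window. Every management action is scoped to the owning user, the secret is returned exactly once at creation and again only by a reset that invalidates the old value, and a disabled client fails both authentication and rate-limit checks.

```python
"""Hypothetical in-memory model of the "Manage apps" flow (added example,
not the API Portal's own code): register, list, show details, reset the
client secret, disable the app, and enforce a per-client-ID rate limit."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

WINDOW_SECONDS = 3600  # assumption: the rate limit is counted per one-hour window


def _hash_secret(secret: str) -> str:
    # A plain SHA-256 is enough here: the secret is a 256-bit random token,
    # so there is no dictionary to attack. A user-chosen password would need a slow KDF.
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class App:
    client_id: str
    owner: str
    name: str
    description: str
    return_url: str
    rate_limit: int    # requests allowed per window
    secret_hash: str   # only the hash is stored; the secret itself is shown once
    enabled: bool = True


class AppRegistry:
    def __init__(self):
        self._apps = {}    # client_id -> App
        self._counts = {}  # (client_id, window index) -> requests seen

    def register(self, owner, name, description, return_url, rate_limit):
        """Create a client and return (client_id, secret).
        The secret is returned exactly once and never stored in the clear."""
        client_id = secrets.token_hex(16)
        secret = secrets.token_urlsafe(32)
        self._apps[client_id] = App(client_id, owner, name, description,
                                    return_url, rate_limit, _hash_secret(secret))
        return client_id, secret

    def _owned(self, owner, client_id):
        """Scope every management action to the owner. A non-owner gets the same
        error whether the client does not exist or belongs to someone else."""
        app = self._apps.get(client_id)
        if app is None or app.owner != owner:
            raise PermissionError("no such client for this user")
        return app

    def list_apps(self, owner):
        return [a.client_id for a in self._apps.values() if a.owner == owner]

    def details(self, owner, client_id):
        app = self._owned(owner, client_id)
        # The secret hash is deliberately not part of the details view.
        return {"name": app.name, "description": app.description,
                "client_id": app.client_id, "return_url": app.return_url,
                "rate_limit": app.rate_limit, "enabled": app.enabled}

    def reset_secret(self, owner, client_id):
        """Rotate the secret: the old value stops working immediately and the
        new one is, again, returned only once."""
        app = self._owned(owner, client_id)
        new_secret = secrets.token_urlsafe(32)
        app.secret_hash = _hash_secret(new_secret)
        return new_secret

    def disable(self, owner, client_id):
        self._owned(owner, client_id).enabled = False

    def authenticate(self, client_id, secret):
        app = self._apps.get(client_id)
        if app is None or not app.enabled:
            return False
        # Constant-time comparison of the hashes avoids a timing side channel.
        return hmac.compare_digest(app.secret_hash, _hash_secret(secret))

    def allow_request(self, client_id, now):
        """Fixed-window rate limit keyed by client ID (requests per WINDOW_SECONDS)."""
        app = self._apps.get(client_id)
        if app is None or not app.enabled:
            return False
        key = (client_id, int(now // WINDOW_SECONDS))
        seen = self._counts.get(key, 0)
        if seen >= app.rate_limit:
            return False
        self._counts[key] = seen + 1
        return True


if __name__ == "__main__":
    reg = AppRegistry()
    cid, sec = reg.register("alice", "Example bot", "reads pages",
                            "https://example.org/callback", 2)  # constructed sample input
    print("client ID:", cid, "secret (shown once):", sec)
    new = reg.reset_secret("alice", cid)
    print("old secret valid?", reg.authenticate(cid, sec),
          "new secret valid?", reg.authenticate(cid, new))
```

The owner check in `_owned` is what turns "list my apps" into a safe listing: a client ID is not a capability, so knowing another user's client ID must not let you read its details, reset its secret, or disable it.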

Questions
  • Should we include options to update the Public RSA key and allowed IP ranges as shown above?
    • No, these options aren't included in the Create app flow.
  • Meta doesn't currently offer the ability for non-admins to disable clients. (epic 4, user story 5)
References

Client management options on Meta:

Screen Shot 2020-04-08 at 2.14.13 PM.png

Related Objects

Status     Subtype   Assigned     Task
Resolved             eprodromou
Resolved             apaskulin
Resolved             apaskulin

Event Timeline

apaskulin triaged this task as Medium priority. Apr 9 2020, 4:22 PM
apaskulin renamed this task from Manage apps to Define "Manage apps" flow. Apr 17 2020, 10:50 PM

Should the Details page also list the "Return URL"?

From the Task Description, I'm not sure the part I bolded below regarding access tokens is correct:

Created by the API Portal when registering a client authorized to act on behalf of a single user (the user creating the client). In this case, the access token has identical rights, roles, and permissions to that user. An access token generated in this way is shown to the user once on creation and can only be accessed again by resetting it.

It looks to me like you can still create a single-user (bot) client with fewer grants than the associated user. For example, the user the bot client is acting as might have rights to edit the wiki, but you could still create a client with only read access. The resulting client would be able to read but not write. (Note: I did not actually try this, but I can if needed).

I suggest removing the bolded sentence.

apaskulin updated the task description.

Thanks, @BPirkle! I've added Return URL to the details view and removed the sentence about access token permissions.

apaskulin updated the task description.

Reviewed and approved by Evan during our 1:1