Page MenuHomePhabricator

Define "Manage apps" flow
Closed, ResolvedPublic

Description

The app management flow allow users to view, disable, and reset their clients in the API Portal.

Status: Gathering feedback

Requirements for app management flow

User stories: epic 4, stories 3, 5, and 8

  • List my apps (nice to have: display client ID in list)
  • Display app details (name, description, client ID, return URL, rate limit)
  • Provide an option to reset a client secret
  • Provide an option to disable an app
Prototype
Terminology

app
“App” is synonymous with “client”.

client ID
A value created when registering a client in the API Portal. A user can access the client ID for their client when logged in to the API Portal.

client secret
A value created when registering an app in the API Portal. A client secret is shown to the user once on creation and can only be accessed again by resetting it.

access token
A value generated in one of two ways:

  • Created by the API Portal when registering a client authorized to act on behalf of a single user (the user creating the client). In this case, the access token has identical rights, roles, and permissions to that user.
  • Created by an OAuth Extension API request /oauth/access_token as part of a user-authorization flow

rate limit
A rate limit is applied to a client based on client ID. Rate limits can differ between clients, so a user should be able to see the rate limit for each of their clients when logged in to the API Portal.

Questions
  • Should we include options to update the Public RSA key and allowed IP ranges as shown above?
    • No, these options aren't included in the Create app flow.
  • Meta doesn't currently offer the ability for non-admins to disable clients. (epic 4, user story 5)
References

Client management options on Meta:

Related Objects

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 9 2020, 12:54 AM
apaskulin updated the task description. (Show Details)Apr 9 2020, 1:09 AM
apaskulin triaged this task as Medium priority.Apr 9 2020, 4:22 PM
apaskulin renamed this task from Manage apps to Define "Manage apps" flow.Apr 17 2020, 10:50 PM
apaskulin updated the task description. (Show Details)Apr 28 2020, 9:07 PM
apaskulin updated the task description. (Show Details)Apr 29 2020, 11:03 PM
apaskulin updated the task description. (Show Details)May 12 2020, 9:17 PM
apaskulin updated the task description. (Show Details)May 15 2020, 9:07 PM
apaskulin updated the task description. (Show Details)May 15 2020, 9:10 PM
apaskulin updated the task description. (Show Details)May 15 2020, 9:12 PM
apaskulin added subscribers: eprodromou, BPirkle.

Pinging @eprodromou and @BPirkle for review :)

Should the Details page also list the "Return URL"?

From the Task Description, I'm not sure the part I bolded below regarding access tokens is correct:

Created by the API Portal when registering a client authorized to act on behalf of a single user (the user creating the client). In this case, the access token has identical rights, roles, and permissions to that user. An access token generated in this way is shown to the user once on creation and can only be accessed again by resetting it.

It looks to me like you can still create a single-user (bot) client with fewer grants than the associated user. For example, the user the bot client is acting as might have rights to edit the wiki, but you could still create a client with only read access. The resulting client would be able to read but not write. (Note: I did not actually try this, but I can if needed).

I suggest removing the bolded sentence.

apaskulin updated the task description. (Show Details)May 18 2020, 6:41 PM
apaskulin updated the task description. (Show Details)

Thanks, @BPirkle! I've added Return URL to the details view and removed the sentence about access token permissions.

apaskulin closed this task as Resolved.Jun 3 2020, 1:19 AM
apaskulin updated the task description. (Show Details)

Reviewed and approved by Evan during our 1:1