Page MenuHomePhabricator

Add API endpoint to propose a new OAuth consumer
Closed, ResolvedPublic

Description

Adds API support for proposing new OAuth consumers for wikis/apps that are not the OAuth central wiki.

  • API endpoint would only be enabled if $wgMWOAuthCentralWiki is false and $wgMWOAuthEnableProposeAPI is true.
  • API endpoint may support a subset of the parameters accepted by the web interface for proposing consumers. See T249781.

Event Timeline

@BPirkle Can you please comment on the parameters necessary for this API?

Assumptions:

  1. for purposes of this endpoint, we only care about creating OAuth2 clients. In other words, it is not possible to create an OAuth1 consumer via this endpoint
  1. this endpoint should support usages other than the API Portal, and therefore should accept fields that (to simplify signup for developers) do not appear on the API Portal OAuth client creation form.

Based in part on digging through the code an in part on https://gerrit.wikimedia.org/g/mediawiki/extensions/OAuth/+/45bff8f0b6ceb54588f76f5e88c2b9e89fef94c8/src/Control/ConsumerSubmitControl.php#78 , it looks like necessary fields are:

  • Name (required)
  • Description (required)
  • Version (optional, default to 1.0 if not supplied)
  • Owner-only client checkbox (required)
  • Callback URL (required for non-owner-only clients)
  • Confidential checkbox (required)
  • OAuth2 Grant Types (required, these are the flows: authorization_code, refresh_token, client_credentials)
  • Email (required)
  • Wiki (optional, default to *, meaning all wikis)
  • Grants (the specific grants to use, or either authonly or authonlyprivate if no specific grants are required)
  • Callback is prefix (optional, default to empty string)
  • Allowed IP ranges (optional, default to "0.0.0.0/0\n::/0")

Fields you may notice on the big metawiki form that do not appear here:

  • OAuth version: always OAuth 2, so no reason to offer this.
  • RSA Key: not applicable to OAuth 2
  • Grant Type: this does not correspond to a db field. Instead, it affects what is stored in the oarc_grants database field

I'm not sure what to do about the "Agreement" field. It is a required boolean field, stored in the database, but all it means is that the user agreed to our terms. I'm not sure if it is there for historical reasons - it appears to me were weren't collecting this at first, so maybe it was part of a migration - or if it is there for legal reasons.

  • Email (required)

Required but for no real reason. See T121330: OAuth consumer registration email address field seems pointless.

  • Callback is prefix (optional, default to empty string)

It's a boolean, it should default to false. MediaWiki forms are sloppy about types sometimes.

  • Allowed IP ranges (optional, default to "0.0.0.0/0\n::/0")

The business logic takes a JSON object describing restrictions (which currently only consist of the IP range but are supposed to be extensible), so that seems more suitable for the API.

I'm not sure what to do about the "Agreement" field. It is a required boolean field, stored in the database, but all it means is that the user agreed to our terms. I'm not sure if it is there for historical reasons - it appears to me were weren't collecting this at first, so maybe it was part of a migration - or if it is there for legal reasons.

Yeah, it's for legal reasons and when it was added (five years ago, maybe?) there were some vague ideas for doing something about the old consumers whose authors did not sign the agreement, but apparently no one really cared. The whole thing should just be removed, probably.

The MediaWiki interface displays mwoauthconsumerregistration-propose-text which OAuth admins use to communicate expectations. That should somehow be discoverable for the API users.