
OAuth2 docs seem confused/incomplete
Open, Low, Public

Description

From https://www.mediawiki.org/wiki/Topic:Vmwiwu073xo33eh5 (and a request on IRC)

Looking at https://www.mediawiki.org/wiki/OAuth/For_Developers#Authorization_2

When registering the application, you receive two pieces of credentials: the consumer token (a public ID for the application) and the secret token (sort of like a password).

Ask the user to authorize the application by sending them to oauth2/authorize under the wiki's REST endpoint (usually rest.php), with response_type=code and the client token (as client_id), and ideally also a request_url and state.

Where does the client token come from? Is it the "consumer token" mentioned above? If not, why is "client token" the only mention of "client token" in the documents?

Event Timeline

Looking at https://meta.wikimedia.org/wiki/Special:OAuthManageConsumers/approved "Consumer key" is then used...

"client token" isn't mentioned in i18n/en.json

@apaskulin I know that we've been working on harmonising these terms. Do you mind looking this over and changing to the right terminology?

I've made some quick updates to the page to help clarify things in relation to the terms used on Meta, and I've responded to the comment on the talk page. But I'd like to keep this task open considering that these inconsistencies need to be addressed across the docs and the interfaces in Meta. I'm hoping to get to work on this this year, but I'll hold off from assigning myself in case someone gets to it before I do.

Hey @apaskulin,
Please assign me this task, I would like to contribute to it under your mentorship.
Also let me know how to get this started and put this on-track.
Regards
Harsh