
Allow developers to disable their own OAuth clients
Open, Low, Public, Feature

Description

Background

Currently, a developer can request that their client be manually disabled by a Steward (Stewards have OAuth admin permissions) through a written request on the Steward_requests/Miscellaneous discussion page on Meta-Wiki.

This works via the Special:OAuthManageConsumers interface from the OAuth extension, which is an admin-only feature where one can disable anyone's client.

Per my comment at T234665#5655122, I think this should be done in Extension:OAuth, sharing a UI with OAuth 1.0.

While log-less deletion of applications may be undesirable, this task proposes that the creator/owner of an application can deactivate or disable their own client IDs.

To support the API Gateway, this feature should also be exposed via the MW REST API, so that developers can create and disable API Gateway clients from the same interface. This currently works via Special:AppManagement on https://api.wikimedia.org (implemented by the WikimediaApiPortalOAuth extension), which calls the OAuth REST API on Meta-Wiki to create clients, but currently offers no way to delete or disable a client after it is created.
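As an added illustration of the owner-only disable this task asks for (example code written for this page, not code from Extension:OAuth or WikimediaApiPortalOAuth), the model below shows the two things such an endpoint needs to get right: an authorization check so that only the developer who registered the client, or an OAuth admin, can disable it, and an audit record so the action is not log-less. The `Registry` class, `disable_client`, the actor names and the log format are assumptions for the illustration, not the extension's data model or REST API.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


class Forbidden(Exception):
    """Raised when the actor is neither the client owner nor an OAuth admin."""


@dataclass
class Client:
    client_id: str
    owner: str          # user who registered the client
    enabled: bool = True


@dataclass
class Registry:
    """Hypothetical client registry; not the OAuth extension's schema."""
    clients: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)
    admins: set = field(default_factory=set)

    def _log(self, action, client_id, actor, detail=""):
        # Every decision, including a denial, leaves an audit entry.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "client_id": client_id,
            "actor": actor,
            "detail": detail,
        })

    def register(self, client_id, owner):
        self.clients[client_id] = Client(client_id, owner)
        self._log("register", client_id, owner)
        return self.clients[client_id]

    def disable_client(self, client_id, actor, reason=""):
        """Disable a client; returns True if state changed, False if already disabled."""
        client = self.clients.get(client_id)
        if client is None:
            raise KeyError(client_id)
        # Least privilege: the owner may act on their own client; admins on any.
        if actor != client.owner and actor not in self.admins:
            self._log("disable_denied", client_id, actor, "not owner or admin")
            raise Forbidden(f"{actor} may not disable {client_id}")
        if not client.enabled:
            return False  # idempotent: a repeated disable is not an error
        client.enabled = False
        self._log("disable", client_id, actor, reason)
        return True

    def accepts_client(self, client_id):
        """What the token endpoint would check before issuing tokens for a client."""
        client = self.clients.get(client_id)
        return client is not None and client.enabled


if __name__ == "__main__":
    # Constructed sample data, not real client IDs.
    reg = Registry(admins={"steward1"})
    reg.register("app-123", owner="alice")
    try:
        reg.disable_client("app-123", actor="mallory")
    except Forbidden as e:
        print("denied:", e)
    print("owner disable:", reg.disable_client("app-123", actor="alice", reason="key rotated"))
    print("accepts client:", reg.accepts_client("app-123"))
    for entry in reg.audit_log:
        print(entry["action"], entry["client_id"], entry["actor"], entry["detail"])
```

The denial is logged as well as the successful disable, so a later review can see attempts against clients the actor did not own; the repeated-disable case returns False rather than raising, since a client that is already off is the state the caller wanted.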

Event Timeline

I don't have any technical objection to this task. If there are (or were) policy/social reasons why we didn't allow this in the first place on metawiki, I don't know what they are (or were).

I do note that (unless we also make corresponding changes to metawiki), this would introduce a precedent for OAuth client management features being available only on the API Portal. I don't object to that either, I just want to make sure we're doing that intentionally and with awareness.

Adding @Tgr in case he has relevant historical knowledge.

As API Gateway is nowadays owned by serviceops, adding the serviceops project tag to open API Gateway tasks tagged with the deprecated/archived "Platform Team Initiatives (API Gateway)" tag at https://phabricator.wikimedia.org/project/profile/4321/, as part of Phabricator Housekeeping.

jijiki moved this task from Incoming 🐫 to API Gateway 🥌 on the serviceops board.
Krinkle renamed this task from Allow a user to disable an OAuth client to Allow a user to disable an OAuth 2.0 client. Mar 3 2025, 8:49 PM
Krinkle renamed this task from Allow a user to disable an OAuth 2.0 client to Allow developers to disable their own OAuth 2.0 clients.
Krinkle updated the task description.

Merging a duplicate task and matching tags/columns:

@JTweed-WMF moved this task to Parking Lot on the MediaWiki-Platform-Team (Roadmap) board. 22 Jan 2025

When testing something on api.wikimedia.org I noticed that there is no way to disable a client after creating it. Neither from where I created it (https://api.wikimedia.org/wiki/Special:AppManagement), nor on the more general registry on Meta-Wiki that it extends (https://meta.wikimedia.org/wiki/Special:OAuthConsumerRegistration/list).

TBH I am not sure about the value of exposing everything via REST API, rather than just making the API portal a special page of the OAuth extension, with direct database access. It's a lot of extra work to get reduced functionality. There's a standard way to expose client revocation functionality, but we are not implementing that, and the chance of the API getting used outside the API Portal is slim. It feels like one of those "we weren't comfortable using MediaWiki so we built three extra layers of indirection around it" features.

bd808 renamed this task from Allow developers to disable their own OAuth 2.0 clients to Allow developers to disable their own OAuth clients. Oct 15 2025, 4:51 PM
bd808 changed the subtype of this task from "Task" to "Feature Request".