Improvements to Special:AppManagement
Closed, Resolved; Public

Description

Following feedback from user testing, change the following elements on Special:AppManagement:

  • Use “key” as the identifying label for OAuth 2.0 clients instead of “client”. After some user testing, I think that “client”, while technically correct, is a bit unclear and overly technical. Using “key” makes the interface friendlier and easier to understand and gives us a category within which to differentiate OAuth 2.0 clients and Personal API tokens.
    • Change title of special page (and navigation label) to “API keys”
    • Change relevant labels to “key”
  • Add text at the top of the page that introduces API keys and links to relevant docs.
  • Change the permissions radio selector to checkboxes. Instead of pre-combining the permissions into groups, let the user select each permission as a checkbox. This will support adding permissions in the future. The “Read” (basic) option should be pre-checked.
  • Add descriptive text to each field to help users understand each input.
  • Consolidate the “confidential” checkbox into the “type” selector: Words like “confidential” and “secure” have variable meaning based on experience and context. To make this as clear as possible while adhering to the existing policy, I’d like to change this from a confidential/non-confidential checkbox to focus on the type of app being created. To do this, I’d like to remove the “confidential” checkbox and add an option to the app type selector for “Mobile and desktop apps”. Checking this option will result in a client with the confidential flag set to false. This ensures that the policy is followed without having to make subtle distinctions between secret storage practices. This also reduces friction for users since it is more friendly and reduces confusion.

Screenshots


(red links due to local dev environment)

Event Timeline

Change 645537 had a related patch set uploaded (by Alex Paskulin; owner: Alex Paskulin):
[mediawiki/extensions/WikimediaApiPortalOAuth@master] ui: Improve user experience on special page

https://gerrit.wikimedia.org/r/645537

I’d like to remove the “confidential” checkbox and add an option to the app type selector for “Mobile and desktop apps”.

I'm curious about the distinction between traditional (server side) websites (which can maintain confidentiality) vs. single-page "web apps" (which cannot). Related links:

https://www.oauth.com/oauth2-servers/server-side-apps/
https://www.oauth.com/oauth2-servers/single-page-apps/
https://www.oauth.com/oauth2-servers/mobile-and-native-apps/

If I was creating a traditional website and was given a choice among "Web app", "Mobile or desktop app" and "Personal API Token", I'd be confused which to pick, as none of those would seem to apply.

If we don't want a "confidential" checkbox, I'd suggest choices of:

  • Traditional Website (or possibly "Web site"? Not sure if that properly contains a space or not...)
  • Mobile, Desktop, or Single-page Web app
  • Personal API token (for your use only)

If this has already been considered, then feel free to ignore this comment.

Thanks for this feedback, @BPirkle! I agree with the points you've made (and I've set the patch back to work-in-progress). I'd like to have "mobile/desktop/JavaScript app" and "other", but that's a bit awkward. I've also considered having a checkbox for "My app is a mobile/desktop/JavaScript app", but the flow of that turns out a bit weird in the form. What do you think of this wording for the three "type" options:

  • Server-side app (traditional websites and web server apps)
  • Client-side or installed app (mobile, desktop, and JavaScript apps)
  • Personal API token (for your use only)

I like those options. I'd consider using the term "Single-page" instead of "JavaScript" in the second option, because:

  1. almost every website, even traditional ones, uses JavaScript in some fashion
  2. some single-page apps are coded in other languages (e.g. TypeScript). (Although to be fair, these languages compile to JavaScript so the suggested wording isn't technically incorrect.)

However, I don't have strong feelings on that point and will be happy with whichever wording you choose.

Thanks, Bill! I've updated the patch.

Change 645537 merged by jenkins-bot:
[mediawiki/extensions/WikimediaApiPortalOAuth@master] ui: Improve user experience on special page

https://gerrit.wikimedia.org/r/645537

Verified in production