Page MenuHomePhabricator
Create Task
Maniphest T269491

Improvements to Special:AppManagement
Closed, ResolvedPublic
Actions

Description

Following feedback from user testing, change the following elements on Special:AppManagement:

  • Use “key” as the identifying label for OAuth 2.0 clients instead of “client”. After some user testing, I think that “client”, while technically correct, is a bit unclear and overly technical. Using “key” makes the interface friendlier and easier to understand and gives us a category within which to differentiate OAuth 2.0 clients and Personal API tokens.
    • Change title of special page (and navigation label) to “API keys”
    • Change relevant labels to “key”
  • Add text at the top of the page that introduces API keys and links to relevant docs.
  • Change the permissions radio selector to check boxes. Instead of pre-combining the permissions into groups, let the user select each permission as a checkbox. This will support adding permissions in the future. The “Read” (basic) option should be pre-checked.
  • Add descriptive text to each field to help users understand each input.
  • Consolidate the “confidential” checkbox into the “type” selector: Words like “confidential” and “secure” have variable meaning based on experience and context. To make this as clear as possible while adhering to the existing policy, I’d like to change this from a confidential/non-confidential checkbox to focus on the type of app being created. To do this, I’d like to remove the “confidential” checkbox and add an option to the app type selector for “Mobile and desktop apps”. Checking this option will result in a client with the confidential flag set to false. This ensures that the policy is followed without having to make subtle distinctions between secret storage practices. This also reduces friction for users since it is more friendly and reduces confusion.

Screenshots

Screen Shot 2020-12-04 at 7.02.40 PM.png (1×1 px, 218 KB)

Screen Shot 2020-12-04 at 6.58.43 PM.png (552×2 px, 125 KB)
(red links due to local dev environment)

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
ui: Improve user experience on special pagemediawiki/extensions/WikimediaApiPortalOAuthmaster+62 -43
Customize query in gerrit

Event Timeline

apaskulin created this task.Dec 5 2020, 3:04 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 5 2020, 3:04 AM
gerritbot added a comment.Dec 5 2020, 3:52 PM

Change 645537 had a related patch set uploaded (by Alex Paskulin; owner: Alex Paskulin):
[mediawiki/extensions/WikimediaApiPortalOAuth@master] ui: Improve user experience on special page

https://gerrit.wikimedia.org/r/645537

gerritbot added a project: Patch-For-Review.Dec 5 2020, 3:52 PM
apaskulin updated the task description. (Show Details)Dec 5 2020, 3:52 PM
BPirkle subscribed.Dec 9 2020, 2:51 AM

I’d like to remove the “confidential” checkbox and add an option to the app type selector for “Mobile and desktop apps”.

I'm curious about the distinction between traditional (server side) websites (which can maintain confidentiality) vs. single-page "web apps" (which cannot). Related links:

https://www.oauth.com/oauth2-servers/server-side-apps/
https://www.oauth.com/oauth2-servers/single-page-apps/
https://www.oauth.com/oauth2-servers/mobile-and-native-apps/

If I was creating a traditional website and was given a choice among "Web app", "Mobile or desktop app" and "Personal API Token", I'd be confused which to pick, as none of those would seem to apply.

If we don't want a "confidential" checkbox, I'd suggest choices of:

  • Traditional Website (or possibly "Web site"? Not sure if that properly contains a space or not...)
  • Mobile, Desktop, or Single-page Web app
  • Personal API token (for your use only)

If this has already been considered, then feel free to ignore this comment.

apaskulin added a comment.Dec 9 2020, 5:55 PM

Thanks for this feedback, @BPirkle! I agree with the points you've made (and I've set the patch back to work-in-progress). I'd like to have "mobile/desktop/JavaScript app" and "other", but that's a bit awkward. I've also considered having a checkbox for "My app is a mobile/desktop/JavaScript app", but the flow of that turns out a bit weird in the form. What do you think of this wording for the three "type" options:

  • Server-side app (traditional websites and web server apps)
  • Client-side or installed app (mobile, desktop, and JavaScript apps)
  • Personal API token (for your use only)
BPirkle added a comment.Dec 9 2020, 6:55 PM

I like those options. I'd consider using the term "Single-page" instead of "JavaScript" in the second option, because:

  1. almost every website, even traditional ones, uses JavaScript in some fashion
  2. some single page apps are coded in other languages (ex. TypeScript). (Although to be fair, these languages compile to JavaScript so the suggested wording isn't technically incorrect.)

However, I don't have strong feelings on that point and will be happy with whichever wording you choose.

apaskulin added a comment.Dec 9 2020, 7:21 PM

Thanks, Bill! I've updated the patch.

gerritbot added a comment.Dec 14 2020, 11:05 PM

Change 645537 merged by jenkins-bot:
[mediawiki/extensions/WikimediaApiPortalOAuth@master] ui: Improve user experience on special page

https://gerrit.wikimedia.org/r/645537

Maintenance_bot removed a project: Patch-For-Review.Dec 14 2020, 11:11 PM
ReleaseTaggerBot added a project: MW-1.36-notes (1.36.0-wmf.22; 2020-12-15).Dec 15 2020, 12:02 AM
apaskulin closed this task as Resolved.Dec 18 2020, 2:59 AM

Verified in production

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits