
Display API key permissions in details view
Open, Medium, Public

Description

Context

In the API Portal, when viewing API key details, display the permissions allowed for the key. These are the scopes in the API response.

Here's an example of the data returned to the API Portal from the OAuth server:

"scopes": [
  "basic",
  "editpage",
  "editmycssjs",
  "editmyoptions",
  "createeditmovepage",
  "viewmywatchlist",
  "editmywatchlist"
]

If the API Portal displayed only API keys created via the Portal, the Portal could simply add the same fields used in the create-key form:

Screen Shot 2021-12-03 at 10.45.11 AM.png (109×217 px, 8 KB)

However, because the Portal displays all OAuth 2.0 clients (created via the Portal or via Meta-Wiki), the Portal needs to be able to display all possible scopes a client could have. The complete list of scopes can be found on Special:ListGrants. One of the main reasons the Portal offers only a limited set from this list is because it can be hard to understand what each grant allows, especially just looking at the name.

Here are my assumptions:

  • If a user is viewing an API key on the Portal, it is more likely that they created that key via the Portal than via Meta
  • If a user has created API keys via Meta, they are already familiar with the complexity of selecting from the full grant list.

Here are the objectives I see for this task:

  • Provide a clear, simplified experience for users who have created their API keys via the Portal
  • Provide accurate information for users who have created their API keys via Meta-Wiki

Recommendation:
If an API key only has scopes offered by the Portal (basic, createeditmovepage, editprotected), display the message from the WikimediaApiPortalOAuth extension. If the key has other scopes, display the message from MediaWiki core and link to Special:ListGrants, similar to the form on Meta.

Cleaner solution:
De-duplicate messages between WikimediaApiPortalOAuth extension and MediaWiki Core. I think we could do this as long as we could change the message for the basic grant from "Basic rights" to "Read pages", although I don't know if there will be objections to that since the basic grant includes other rights besides just reading pages.

User Story

As an API Portal developer,
I want to view what permissions I'm granted
So that I can expect what operations I'm authorized to take

Acceptance Criteria
  • Given I am on the API Key page, when I select "View Details" I expect to view my permissions (Below the client ID)

image.png (1×1 px, 165 KB)

  • When viewing an API key with permissions other than basic, createeditmovepage, and editprotected, the key details view displays the grant name from MediaWiki core and links to Special:ListGrants:

Screen Shot 2021-12-07 at 12.38.48 PM.png (96×214 px, 7 KB)
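
The rule in the recommendation and acceptance criteria above, as an added example (not code from the API Portal, the WikimediaApiPortalOAuth extension, or MediaWiki core). The function name, return shape, and `SAMPLE_CORE_LABELS` map are hypothetical; only the scope names and the "Read pages", "Create and edit pages", "Edit protected pages" and "Basic rights" labels come from this task.

```javascript
// Added example: not code from the API Portal or MediaWiki.
// Scopes the Portal's create-key form offers, with the Portal's simplified wording.
const PORTAL_LABELS = {
  basic: 'Read pages',
  createeditmovepage: 'Create and edit pages',
  editprotected: 'Edit protected pages',
};

// Constructed stand-in for MediaWiki core grant messages. Only "Basic rights"
// comes from the task; the other value is a placeholder, not real message text.
const SAMPLE_CORE_LABELS = {
  basic: 'Basic rights',
  editpage: '[core message for editpage]',
};

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Decide, for the key as a whole, which message set the details view uses.
function describeKeyScopes(scopes, coreLabels) {
  const unique = [...new Set(Array.isArray(scopes) ? scopes : [])];
  // Assumption: a key with no scopes gets the core view and the ListGrants link.
  const portalOnly = unique.length > 0 && unique.every((s) => has(PORTAL_LABELS, s));
  const labels = unique.map((scope) => {
    if (portalOnly) return { scope, label: PORTAL_LABELS[scope] };
    // Never hide a grant the key holds: if no message is known for the scope,
    // show the raw scope name instead of dropping it from the view.
    return { scope, label: has(coreLabels, scope) ? coreLabels[scope] : scope };
  });
  return { source: portalOnly ? 'portal' : 'core', linkToListGrants: !portalOnly, labels };
}

// Scopes from the sample OAuth response in the task description.
const SAMPLE_SCOPES = [
  'basic', 'editpage', 'editmycssjs', 'editmyoptions',
  'createeditmovepage', 'viewmywatchlist', 'editmywatchlist',
];
```

For a key that mixes Portal and non-Portal scopes, every label comes from the core set, so `basic` is shown as "Basic rights" rather than "Read pages".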

Event Timeline

apaskulin triaged this task as Medium priority. Jan 11 2021, 11:38 PM
apaskulin moved this task from Backlog to New features on the API-Portal board.

Assumed this data is being provided by the meta OAuth extension API

@apaskulin For keys created in the API portal, are the following permissions granted for all keys?

  • Read pages
  • Create and edit pages
  • Edit protected pages

@sdkim No, keys created in the API Portal all have "Read pages", but they may or may not have one or both of the other two.

Whoever takes on this task, let me know what you think about the two approaches to this I outlined in the task ("recommendation" and "cleaner solution"). I'd love some feedback on what you think would be the best approach.