Description
When creating a client key in the API Portal's form (https://api.wikimedia.org/wiki/Special:AppManagement), the redirect_uri field is required when the Server-Side App radio button is selected. It can be confusing to have to provide a redirect_uri when there are cases where it would not be used (e.g. the App authentication flow for a non-user-facing application such as an API).
We should find a way to make clear that the redirect_uri is optional in such cases.
Related Objects
- Mentioned In
  - T300570: Split out OAuth v1 and v2 forms
- Mentioned Here
  - T266355: Clarify validation for redirect URI
Event Timeline
I notice that the OAuth extension, at least as it exists on my local dev, requires the redirect_uri (which it calls the OAuth "callback" URL) even for OAuth2 clients that request only the "Client credentials" grant.
I did not dig into the code to see whether this requirement is enforced at the form only, or if the underlying libraries require it.
I also notice we have this error in the RequestClient handler in the OAuth extension code:
"callback_url is required for non-owner-only clients"
The related validation code is at the bottom of OAuth/src/Rest/Handler/RequestClient.php.
So regardless of what we do with the form, the API Portal couldn't currently create a non-owner-only client without supplying a callback (aka redirect_uri). We'd need to make changes to the OAuth extension to allow that (if we decided to, and if the OAuth2 libraries would allow it).
I don't recall our specific discussions around this field when creating the API Portal. There probably were some, and we might be able to find them. I know that we made some tradeoffs on flexibility vs. simplicity, and sometimes leaned toward simplicity on the theory that anyone who wanted to do something more complicated than the API Portal would allow could do it on metawiki.
In this case, though, they couldn't because even metawiki doesn't allow it.
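As an added illustration of the behaviour the task asks for (this is example code, not code from the OAuth extension or the API Portal), the following Python validator requires a redirect URI only for clients whose requested grant types actually redirect the user agent, and treats owner-only clients and client-credentials-only clients as exempt. The grant-type names, the `ClientRegistration` shape, and the loopback exemption are assumptions made for this example; the one thing it keeps from the extension's behaviour is the rule that a supplied redirect URI is always validated strictly, since the server later matches the authorization request's redirect_uri against it.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Grant types whose flow sends the user agent back to the client, so a
# registered redirect URI is meaningful. Names are constructed for this
# example; the real extension may label grants differently.
REDIRECT_GRANTS = {"authorization_code", "implicit"}
KNOWN_GRANTS = REDIRECT_GRANTS | {"client_credentials", "refresh_token"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


@dataclass
class ClientRegistration:
    """A client registration request as a form might submit it (constructed)."""
    name: str
    grant_types: set
    redirect_uris: list = field(default_factory=list)
    owner_only: bool = False


def validate_redirect_uri(uri: str) -> list:
    """Return the problems with one redirect URI (empty list means acceptable)."""
    errors = []
    parts = urlsplit(uri)
    if not parts.netloc or parts.hostname is None:
        errors.append(f"{uri}: must be an absolute URI with a host")
        return errors
    if parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS:
        pass  # plain http is tolerated only for loopback (native/dev clients)
    elif parts.scheme != "https":
        errors.append(f"{uri}: scheme must be https")
    if "#" in uri:
        errors.append(f"{uri}: must not contain a fragment")
    if "*" in uri:
        errors.append(f"{uri}: wildcards are not allowed; register exact URIs")
    return errors


def validate_registration(reg: ClientRegistration) -> list:
    """Return all validation errors for a registration (empty list means accept)."""
    errors = []
    unknown = reg.grant_types - KNOWN_GRANTS
    if unknown:
        errors.append(f"unknown grant type(s): {sorted(unknown)}")
    # Require a redirect URI only when some requested grant actually redirects
    # and the client is not owner-only; owner-only clients never run an
    # authorization flow, which is the case the extension's error message
    # already distinguishes.
    needs_redirect = bool(reg.grant_types & REDIRECT_GRANTS) and not reg.owner_only
    if needs_redirect and not reg.redirect_uris:
        errors.append("redirect_uri is required for clients using a redirect-based grant")
    # Whatever the grant, any URI that is supplied is checked strictly, because
    # the server will later compare the request's redirect_uri against it exactly.
    for uri in reg.redirect_uris:
        errors.extend(validate_redirect_uri(uri))
    return errors


if __name__ == "__main__":
    api_client = ClientRegistration("batch-importer", {"client_credentials"})
    web_app = ClientRegistration("web-app", {"authorization_code"})
    print(validate_registration(api_client))  # []
    print(validate_registration(web_app))     # redirect_uri required
```

The split into two functions mirrors the two questions the comment above raises: whether a redirect URI is required at all (a policy decision tied to grant type and owner-only status), and whether a given URI is acceptable (a property of the URI itself, checked regardless of why it was supplied).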