The MediaWiki REST API supports multiple security mechanisms, but they are not documented in the OpenAPI description (OAD) and are not available in the sandbox. Tokens and credentials currently accepted or expected by MediaWiki REST APIs include CSRF tokens, OAuth 1.0, OAuth 2.0, owner-only JWTs and MediaWiki session cookies, among others. Most of these are accepted across all endpoints, but some are required in specific cases: for example, edit endpoints require a CSRF token while still accepting requests from anonymous editors. Clarifying these cases will make it easier for developers to engage with our APIs by making clear what is accepted and what is required across our suite of endpoints.
The aim of this task is to add MediaWiki REST API security information to the OAD.
In an OpenAPI description, security information is collected in the following objects:
- Security schemes object (`securitySchemes`, a map of security scheme objects), inside the components object at the top level of the description - describes every security scheme the API supports (for example an `apiKey` scheme carried in a cookie, an `http` bearer scheme, or an `oauth2` scheme with its flows and scopes).
- Security requirement object, inside the operation object or at the top level of the description - names the subset of declared schemes that can be used for a specific operation or for the entire API. The `security` list is a list of alternatives (any one entry satisfies the requirement), an operation-level list overrides the top-level one, and an empty requirement object `{}` in the list means the operation may also be called without any credentials, which is how "CSRF required, but anonymous allowed" can be expressed.
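The following is an added example, not code from MediaWiki or from this task. It builds a constructed OAD fragment with the three kinds of scheme named above (session cookie, OAuth 2.0, owner-only JWT), shows an edit operation whose requirement list overrides the top-level default while still permitting anonymous callers, and lints the description so that every requirement references a declared scheme and only declares scopes the scheme actually defines. Scheme names, the cookie name, the OAuth URLs and the scope names are assumptions for illustration; the CSRF token is documented on the request body because an OpenAPI 3.0 `apiKey` scheme can only live in a query parameter, header or cookie, not in a JSON body.

```python
"""Added example (not MediaWiki's own code): lint the security objects of an
OpenAPI 3.0 description and resolve the requirements that apply to one
operation. The OAD fragment below is constructed; its scheme names, cookie
name, OAuth URLs and scope names are assumptions."""

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Constructed OAD fragment (names and URLs are assumptions, not MediaWiki's real values).
OAD = {
    "openapi": "3.0.0",
    "info": {"title": "Constructed MediaWiki REST API fragment", "version": "1.0"},
    "components": {
        "securitySchemes": {
            # Session cookie: an apiKey scheme carried in a cookie (cookie name assumed).
            "sessionCookie": {"type": "apiKey", "in": "cookie", "name": "example_session"},
            # OAuth 2.0 bearer tokens (flow URLs and scope names assumed).
            "oauth2": {
                "type": "oauth2",
                "flows": {
                    "authorizationCode": {
                        "authorizationUrl": "https://example.org/w/rest.php/oauth2/authorize",
                        "tokenUrl": "https://example.org/w/rest.php/oauth2/access_token",
                        "scopes": {"basic": "Read public data", "editpage": "Edit existing pages"},
                    }
                },
            },
            # Owner-only JWT sent in an Authorization: Bearer header.
            "ownerOnlyJwt": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"},
        }
    },
    # Default for every operation: any one of these alternatives, or anonymous ({}).
    "security": [{}, {"sessionCookie": []}, {"oauth2": ["basic"]}, {"ownerOnlyJwt": []}],
    "paths": {
        # No operation-level 'security': inherits the top-level list.
        "/v1/page/{title}": {"get": {"summary": "Read a page"}},
        "/v1/page": {
            "post": {
                "summary": "Create a page",
                # Editing needs a write scope under OAuth 2.0 but still allows anonymous callers.
                "security": [{}, {"sessionCookie": []}, {"oauth2": ["editpage"]}, {"ownerOnlyJwt": []}],
                # A CSRF token in the JSON body cannot be a securityScheme in OpenAPI 3.0
                # (apiKey is limited to query/header/cookie), so it is documented on the body.
                "requestBody": {"content": {"application/json": {"schema": {
                    "type": "object",
                    "required": ["token"],
                    "properties": {"token": {"type": "string", "description": "CSRF token (assumed field name)"}},
                }}}},
            }
        },
    },
}


def iter_operations(oad):
    """Yield (path, method, operation object) for every operation in the description."""
    for path, item in oad.get("paths", {}).items():
        for method in HTTP_METHODS:
            if method in item:
                yield path, method, item[method]


def effective_security(oad, path, method):
    """Resolve the requirement list that applies to one operation: an operation-level
    'security' key overrides the top-level list (an explicit [] removes all requirements);
    an absent key inherits the top-level list."""
    op = oad["paths"][path][method]
    if "security" in op:
        return op["security"]
    return oad.get("security", [])


def allows_anonymous(requirements):
    """True when an empty requirement object {} is among the alternatives."""
    return any(req == {} for req in requirements)


def check_requirements(oad):
    """Return (location, message) pairs for requirement objects that name an undeclared
    scheme, list a scope an oauth2 scheme does not declare, or attach scopes to a scheme
    type that takes none (only oauth2 and openIdConnect may list scopes)."""
    schemes = oad.get("components", {}).get("securitySchemes", {})
    locations = [("top-level", oad.get("security", []))]
    locations += [(f"{m.upper()} {p}", op["security"])
                  for p, m, op in iter_operations(oad) if "security" in op]
    problems = []
    for where, reqs in locations:
        for req in reqs:
            for name, scopes in req.items():
                scheme = schemes.get(name)
                if scheme is None:
                    problems.append((where, f"requirement references undeclared scheme '{name}'"))
                    continue
                if scheme["type"] == "oauth2":
                    declared = set()
                    for flow in scheme.get("flows", {}).values():
                        declared |= set(flow.get("scopes", {}))
                    for scope in scopes:
                        if scope not in declared:
                            problems.append((where, f"scope '{scope}' not declared by scheme '{name}'"))
                elif scheme["type"] != "openIdConnect" and scopes:
                    problems.append((where, f"scheme '{name}' of type {scheme['type']} takes no scopes"))
    return problems


if __name__ == "__main__":
    for path, method, _ in iter_operations(OAD):
        reqs = effective_security(OAD, path, method)
        print(f"{method.upper()} {path}: {reqs} (anonymous allowed: {allows_anonymous(reqs)})")
    print("problems:", check_requirements(OAD))
```

Running the module prints the resolved requirement list for each operation and an empty problem list for the constructed fragment; pointing `check_requirements` at a real OAD (loaded from JSON) is a cheap CI check that the requirement objects added under T423553 stay consistent with the schemes added under T423552.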
Scope
- T423552: [SPIKE] Add security scheme information to MediaWiki REST API description
- T423553: Add security requirement information to MediaWiki REST API description
Extra resources
- OpenAPI Specification 3.0.0: security scheme and security requirement
- OpenAPI description example: security schemes and security requirement