
OAuth developers should be able to change what grants their application asks for instead of having to submit a new application
Open, Medium, Public

Description

Right now, if an OAuth consumer wishes to add or remove grants that their application needs, they have to go through the approvals process again as a separate application. Consumers should have a way to update the grants for their application without essentially having to create it as a new application.

See also: T59631: OAuth developers should be able to change some of the parameters they registered an application with instead of having to submit a new application, T142274: Changing grants for owner-only permissions should be easier

Details

Reference
bz60380

Event Timeline

bzimport raised the priority of this task to Medium. Nov 22 2014, 2:58 AM
bzimport set Reference to bz60380.
bzimport added a subscriber: Unknown Object (MLST).

I just want to note here that if we allow people to update the grants on their OAuth consumer, we'll need to give all users who have approved that consumer on their account a reconfirmation dialogue, so that they're aware that the consumer's granted rights have changed and that it applies to their account.

Can we actually trigger a reconfirmation dialog in that situation, and will client applications know how to handle it? Or would we just revoke the auth token and let the client treat it as a revocation?

When the end user authorizes the consumer, it saves the list of grants that the end user actually authorized. So it *should* work that the consumer would continue to be granted only the old set of permissions until it sends the end user through the authorization page again and the end user re-authorizes.

(In reply to comment #3)

When the end user authorizes the consumer, it saves the list of grants that the end user actually authorized. So it *should* work that the consumer would continue to be granted only the old set of permissions until it sends the end user through the authorization page again and the end user re-authorizes.

On a personal level this is the workflow that I'd like the most, but I can certainly see arguments for trying to force it.

When an application asks for different grants than the ones it was approved for, it should most definitely go through the approvals process again. Otherwise I can register an application that asks for basic rights and claims to do something simple, then start asking for sensitive grants like viewdeleted or editinterface, and hope that some users don't notice and click through.

I take it this task is about the ability to change grants and get those changes approved, instead of having to register a new application. Which means we would have to store both the approved state and the pending state.

Tgr renamed this task from OAuth consumers should be able to update the grants for their application without having to go through the approvals process again to OAuth developers should be able to change what grants their application asks for instead of having to submit a new application. Jun 23 2015, 1:41 AM
Tgr updated the task description.
Tgr set Security to None.

We already store the set of rights that a user approved on their authorization, in case we ever wanted to do this. So correct, the work would be on the consumer, tracking the current rights and a requested set of new rights.
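A small model of the acceptance-record behaviour described in this comment and in comment #3, added here as an illustration and not the OAuth extension's own code (class names, function names and grant labels are constructed): a consumer carries an approved grant set and a pending one, each user acceptance stores exactly the grants that user authorized, and a request can only use grants that are both approved for the consumer and accepted by the user, so a later grant change never widens access until the user re-authorizes.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed model of the data the thread describes; not the
# MediaWiki OAuth extension's real schema or API.

@dataclass
class Consumer:
    name: str
    approved_grants: frozenset           # grants the approvals process accepted
    pending_grants: Optional[frozenset] = None  # requested, not yet approved

@dataclass
class Acceptance:
    user: str
    consumer: str
    grants: frozenset                    # exactly what this user authorized

def request_grant_change(consumer: Consumer, new_grants: Iterable[str]) -> Consumer:
    """Developer asks for a different grant set; stored as pending only."""
    consumer.pending_grants = frozenset(new_grants)
    return consumer

def approve_pending(consumer: Consumer) -> Consumer:
    """Approvals step: pending becomes approved. Acceptance records are untouched."""
    if consumer.pending_grants is not None:
        consumer.approved_grants = consumer.pending_grants
        consumer.pending_grants = None
    return consumer

def effective_grants(acc: Acceptance, consumer: Consumer) -> frozenset:
    """Grants a request may use: approved for the consumer AND authorized by
    this user. The pending set never counts, and a grant the consumer dropped
    disappears even if the user once authorized it."""
    return acc.grants & consumer.approved_grants

def needs_reauthorization(acc: Acceptance, consumer: Consumer) -> bool:
    """True when the approved set includes grants this user never authorized,
    i.e. the user must be sent through the authorization page again."""
    return not consumer.approved_grants <= acc.grants

def reauthorize(acc: Acceptance, consumer: Consumer) -> Acceptance:
    """User re-authorizes: a fresh acceptance record for the approved set."""
    return Acceptance(acc.user, acc.consumer, consumer.approved_grants)
```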

Changing the callback URL is the most common reason to re-approve an app, so it might be good to address that as the primary case, and see if this can be fit into the same model?

Hm, should this be prioritized more? It is 8 years now.

@Mitar: Please feel free to work on this so it becomes more of a priority. :) Age of a ticket does not influence relevance or urgency. Thanks!

This comment was removed by Mitar.

The extension is not actively developed, so prioritization largely means finding someone to spend free time on it. Not very likely for something as complex as this task.

The monster patch in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OAuth/+/316302 tries to address part of this (changing things before the grant is approved), but a single huge patch was an unwise approach to getting things changed in an extension that's not under active maintenance, so it would have to be reworked into something more granular.

As for changing approved consumers, seems to me like a lot of work for something that's not very different from the current workflow of just registering a new consumer. Maybe we could have a "create a new version of this consumer" link instead, which would pre-fill the form.

I was interested in this primarily for my own self-approved app used only by me. There it should be trivial to just change grants.

But yea, afterwards I figured out that I can just create a new app with the same name, just a different version, which seems a pretty OK workaround. So maybe it should be clearer in the text somewhere that you can reuse the same name, just use different versions.

I was interested in this primarily for my own self-approved app used only by me. There it should be trivial to just change grants.

That's T142274: Changing grants for owner-only permissions should be easier. Implementing it isn't entirely trivial though. The management UI has no concept of changing a consumer currently. That would have to be added, with appropriate permission management, plus automatic update of the consumer acceptance record.

Thanks for linking to that task.