
OAuth consumers should be automatically approved
Open, Low, Public

Description

OAuth consumer registrations should not be blocked by a human approval process. I've been waiting on approval for a consumer for over a week now and I've had similar problems in the past. This is disruptive to my development work and (I'm pretty sure) not necessary.

Expected behavior:

OAuth registration requires no approval (like Twitter, for example)

Actual behavior:

New OAuth consumer registrations take weeks or more to be approved.


Version: unspecified
Severity: normal

Details

Reference
bz65750

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 3:22 AM
bzimport set Reference to bz65750.
bzimport added a subscriber: Unknown Object (MLST).
Halfak created this task.May 25 2014, 9:53 PM

I'm not sure what the rationale for having a manual approval process is/was.

The Wikimedia stewards are generally very responsive... so I have a feeling that stewards may not yet be in charge of approvals? Or perhaps the queue isn't visible enough.

The slow approval process definitely sounds like there's a bug somewhere, though.

We made the decision to have the approval process at first because we weren't sure how it was going to be used, and what way we would need to extend the protocol (for example, Twitter still requires an approval process to use xAuth). We certainly discussed not having approvals in the future. Or having the application send a notification to the admins.

We can certainly add a feature flag for whether applications should be approved or not (Patches welcome. Adding features is something I do in my spare time, which I haven't had any of in a while). I'd like to finish turning the process over to the stewards and make sure that's what they want before flipping the switch though.

Sitic added a subscriber: Sitic.Mar 5 2015, 7:57 PM
bd808 triaged this task as Medium priority.Mar 6 2015, 1:37 AM
bd808 added a subscriber: bd808.
bd808 lowered the priority of this task from Medium to Low.Mar 6 2015, 10:38 PM
bd808 moved this task from Backlog to Consumer wants on the MediaWiki-extensions-OAuth board.
Tgr added a subscriber: Tgr.Jun 23 2015, 7:00 AM

> Or having the application send a notification to the admins.

That's T61772.

Tgr added a comment.Oct 28 2015, 11:41 PM

Maybe we should have a feature flag that maps grants to approval required/not required. E.g. we probably don't want to require approval for authentication only apps, and maybe not for simple editing/uploading either. We probably want approval for access to private data and for admin-level stuff.

Restricted Application added a subscriber: Aklapper.Oct 28 2015, 11:41 PM
Luke081515 closed this task as Declined.Feb 2 2016, 12:23 AM
Luke081515 added a subscriber: Luke081515.

Declined per T124354. There is no consensus for this change yet. Please reopen the task if consensus reached.

Luke081515 reopened this task as Open.Feb 2 2016, 12:45 AM

@dpatrick what do you think?

We discussed this in the weekly Security Team meeting. We came to no consensus. We discussed a few alternatives:

  • automatic approval;
  • automatic approval for a "general" class of applications, with an interstitial message indicating that the app in question has not been approved/reviewed; additional manual approval for an "approved" class of applications, which an OAuth admin has reviewed; and
  • a beta feature which, when enabled, allows access to unreviewed OAuth apps.

We discussed some of the problems with the current review process -- that there are few community members who are interested in participating, that there is no way to ensure that the consumer is not modified after the review has been completed/there is no subsequent review to ensure an OAuth app is still behaving safely, etc.

For the time being, @Bawolff and I will keep an eye on the queue and work on approving requests. Additionally, we'd like to figure out some way to have notifications of the appearance of new requests, and could use some help on that.

Hi @dpatrick. Thanks for the update. Could you post some of the arguments against approving OAuth consumers by default? It seems that the only arguments discussed in your posts call attention to how the current review process does not serve many of the needs we hoped it might.

I note that, since this task was filed, the process for approvals seems to have moved to the Stewards at https://meta.wikimedia.org/wiki/Steward_requests/Miscellaneous. We also now have owner-only consumers which are automatically approved.

> Hi @dpatrick. Thanks for the update. Could you post some of the arguments against approving OAuth consumers by default? It seems that the only arguments discussed in your posts call attention to how the current review process does not serve many of the needs we hoped it might.

The most compelling concerns (imho) were in regards to OAuth being used as part of a phishing attack.

> I note that, since this task was filed, the process for approvals seems to have moved to the Stewards at https://meta.wikimedia.org/wiki/Steward_requests/Miscellaneous. We also now have owner-only consumers which are automatically approved.

The app registration page indicates that there is no standard procedure for approving OAuth consumers and references the RfC. My understanding, based on the talk page on the RfC, was that stewards weren't actively reviewing app proposals. However, having just looked at rejected requests and mwoauthconsumer log, I see that @MarcoAurelio, @Ajraddatz and others have been active in reviewing proposals. So I may have been incorrect in that assumption.

Is my understanding of the state of the hand-off process incorrect?

> Hi @dpatrick. Thanks for the update. Could you post some of the arguments against approving OAuth consumers by default? It seems that the only arguments discussed in your posts call attention to how the current review process does not serve many of the needs we hoped it might.

Hi @Halfak. In line with what Gergő described on the talk page and in the RfC, I'm interpreting that there needs to be some party responsible for verifying that OAuth apps:

  • Adhere to our privacy policy, since those apps function to increase the area of privacy concern beyond code that we create and (ostensibly) audit; and
  • Behave in ways that do not abuse any advanced rights granted them (e.g., Upload new files, Block and unblock users, Send email to other users, etc.).

I think it's okay to auto approve "Authentication only, no API access" registrations (T67750#1764333), in addition to owner-only consumers (T67750#2455206).

> I note that, since this task was filed, the process for approvals seems to have moved to the Stewards at https://meta.wikimedia.org/wiki/Steward_requests/Miscellaneous. We also now have owner-only consumers which are automatically approved.

> The app registration page indicates that there is no standard procedure for approving OAuth consumers and references the RfC. My understanding, based on the talk page on the RfC, was that stewards weren't actively reviewing app proposals. However, having just looked at rejected requests and mwoauthconsumer log, I see that @MarcoAurelio, @Ajraddatz and others have been active in reviewing proposals. So I may have been incorrect in that assumption.
> Is my understanding of the state of the hand-off process incorrect?

I just know that the stewards have been approving consumers, as you saw, and that the requests seem to be happening on that page. I haven't seen anything where anyone formally said that the hand-off happened, though.

I set up the mediawiki message directing people to SRM. Stewards have the technical ability to approve OAuth consumers, but have been hesitant to do so and the full "hand-over" still has not happened. But we are helping to approve some requests from trusted sources to reduce the backlog.

Halfak set Security to None.Jul 15 2016, 7:26 PM
Halfak removed a subscriber: Halfak.

@dpatrick, OK. Looks like this is *won't fix*, so I'm unsub'd.

Aklapper removed dpatrick as the assignee of this task.Feb 19 2018, 11:21 AM
Jdlrobson added a subscriber: Jdlrobson.

Could we reboot this discussion, at least to allow auto-confirmation of read-only access of private content? I ran into this problem during the hackathon - wanting to set up an OAuth account. My use case is for local development purposes - I would like to be able to query production APIs to access content such as watchlist and preferences in read-only mode.

You should be able to use an owner-only consumer for that.

Also, the owner of a (non-owner-only) consumer can use it while it's in the "proposed" state, intended for development and debugging.