OAuth consumer registrations should not be blocked by a human approval process. I've been waiting on approval for a consumer for over a week now and I've had similar problems in the past. This is disruptive to my development work and (I'm pretty sure) not necessary.
Expected behavior:
OAuth registration requires no approval (like Twitter, for example)
Actual behavior:
New OAuth consumer registrations take weeks or more to be approved.
Version: unspecified
Severity: normal
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Open | None | T103587 Improve OAuth application approval workflow | |||
| Open | None | T67750 OAuth consumers should be automatically approved |
I'm not sure what the rationale for having a manual approval process is/was.
The Wikimedia stewards are generally very responsive... so I have a feeling that stewards may not yet be in charge of approvals? Or perhaps the queue isn't visible enough.
The slow approval process definitely sounds like there's a bug somewhere, though.
We made the decision to have the approval process at first because we weren't sure how it was going to be used, and what way we would need to extend the protocol (for example, Twitter still requires an approval process to us xAuth). We certainly discussed not having approvals in the future. Or having the application send a notification to the admins.
We can certainly add a feature flag for it the applications should be approved or not (Patches welcome. Adding features is something I do in my spare time, which I haven't had any of in a while). I'd like to finish turning the process over to the stewards and make sure that's what they want before flipping the switch though.
Maybe we should have a feature flag that maps grants to approval required/not required. E.g. we probably don't want to require approval for authentication only apps, and maybe not for simple editing/uploading either. We probably want approval for access to private data and for admin-level stuff.
Declined per T124354. There is no consensus for this change yet. Please reopen the task if consensus reached.
We discussed this in the weekly Security Team meeting. We came to no consensus. We discussed a few alternatives:
We discussed some of the the problems with the current review process -- that there are few community members who are interested in participating, that there is no way to ensure that the consumer is not modified after the review has been completed/there is no subsequent review to ensure an OAuth app is still behaving safely, etc.
For the time being, @Bawolff and I will keep and eye on the queue and work on approving requests. Additionally, we'd like to figure out some way to have notifications of the appearance of new requests, and could use some help on that.
Hi @dpatrick. Thanks for the update. Could you post some of the arguments against approving OAuth consumers by default? It seems that the only arguments discussed in your posts are call attention to how the current review process does not serve many of the needs we hoped it might.
I note that, since this task was filed, the process for approvals seems to have moved to the Stewards at https://meta.wikimedia.org/wiki/Steward_requests/Miscellaneous. We also now have owner-only consumers which are automatically approved.
The most compelling concerns (imho) were in regards to oauth being used as part of a phising attack.
The app registration page indicates that there is no standard procedure for approving OAuth consumers and references the RfC. My understanding, based on the talk page on the RfC, was that stewards weren't actively reviewing app proposals. However, having just looked at rejected requests and mwoauthconsumer log, I see that @MarcoAurelio, @Ajraddatz and others have been active in reviewing proposals. So I may have been incorrect in that assumption.
Is my understanding of the state of the hand-off process incorrect?
Hi @Halfak. In line with what Gergõ described on the talk page and in the RfC, I'm interpreting that there needs to be some party responsible for verifying that OAuth apps:
I think it's okay to auto approve "Authentication only, no API access" registrations (T67750#1764333), in addition to owner-only consumers (T67750#2455206).
I just know that the stewards have been approving consumers, as you saw, and that the requests seem to be happening on that page. I haven't seen anything where anyone formally said that the hand-off happened, though.
I set up the mediawiki message directing people to SRM. Stewards have the technical ability to approve OAuth customers, but have been hesitant to do so and the full "hand-over" still has not happened. But we are helping to approve some requests from trusted sources to reduce the backlog.
Could we reboot this discussion, at least to allow auto-confirmation of read-only access of private content? I ran into this problem during the hackathon - wanting to setup an oauth account. My use case is for local development purposes - I would like to be able to query production APIs to access content such as watchlist and preferences in read-only mode.
You should be able to use an owner-only consumer for that.
Also, the owner of a (non-owner-only) consumer can use it while it's in the "proposed" state, intended for development and debugging.