Allow for "authentication-only" consumers

Description

Allow for "authentication-only" consumers

  • Add new grants "authonly" and "authonlyprivate", with no rights (but the latter has special significance for Special:OAuth/identify).
  • 'UserIsEveryoneAllowed' hook function can no longer assume hidden grants are allowed to everyone. To preserve optimization when OAuth isn't being used for a request, it now returns different values depending on the status of OAuth headers.
  • MWOAuthConsumerAcceptanceSubmitControl was assuming that "hidden" grants should always be granted, even if the consumer doesn't request them. Don't do that.
  • New UI on Special:OAuthConsumerRegistration/propose
  • Hide link to "manage" on Special:OAuthManageMyGrants when no rights can be managed.
  • New endpoint Special:OAuth/authenticate, which works exactly like /authorize except that it might not actually prompt the user.
  • We want to support "authonlyprivate" for getting the user's real name and email without having API access, which pretty much means it has to be included in the JWT. As a bonus, also include it there if the consumer has a grant giving viewmyprivateinfo.

Bug: T88757
Change-Id: I9acff6a23c578209ba49fb1c01579cca85cc8a25

Details