Allow for "authentication-only" consumers
- Add new grants "authonly" and "authonlyprivate", with no rights (but the latter has special significance for Special:OAuth/identify).
- 'UserIsEveryoneAllowed' hook function can no longer assume hidden grants are allowed to everyone. To preserve optimization when OAuth isn't being used for a request, it now returns different values depending on the status of OAuth headers.
- MWOAuthConsumerAcceptanceSubmitControl was assuming that "hidden" grants should always be granted, even if the consumer doesn't request them. Don't do that.
- New UI on Special:OAuthConsumerRegistration/propose
- Hide link to "manage" on Special:OAuthManageMyGrants when no rights can be managed.
- New endpoint Special:OAuth/authenticate, which works exactly like /authorize except that it might not actually prompt the user.
- We want to support "authonlyprivate" for getting the user's real name and email without having API access, which pretty much means it has to be included in the JWT. As a bonus, also include it there if the consumer has a grant giving viewmyprivateinfo.