==== Context
In the API Portal, when viewing API key details, display the permissions allowed for the key. These are the `scopes` in the API response.
Here's an example of the data returned to the API Portal from the OAuth server:
```
"scopes": [
"basic",
"editpage",
"editmycssjs",
"editmyoptions",
"createeditmovepage",
"viewmywatchlist",
"editmywatchlist"
]
```
If the API Portal displayed only API keys created via the Portal, the Portal could simply add the same fields used in the create-key form:
{F34823094}
However, because the Portal displays all OAuth 2.0 clients (created via the Portal or via Meta-Wiki), the Portal needs to be able to display all possible scopes a client could have. The complete list of scopes can be found on [Special:ListGrants](https://meta.wikimedia.org/wiki/Special:ListGrants). One of the main reasons the Portal offers only a limited set from this list is because it can be hard to understand what each grant allows, especially just looking at the name.
Here are my assumptions:
* If a user is viewing an API key on the Portal, it is more likely that they created that key via the Portal than via Meta
* If a user has created API keys via Meta, they are already familiar with the complexity of selecting from the full grant list.
Here are the objectives I see for this task:
* Provide a clear, simplified experience for users who have created their API keys via the Portal
* Provide accurate information for users who have created their API keys via Meta-Wiki
Recommendation:
If an API key only has scopes offered by the Portal (basic, createeditmovepage, editprotected), display the [message from the WikimediaApiPortalOAuth extension](https://github.com/wikimedia/mediawiki-extensions-WikimediaApiPortalOAuth/blob/master/i18n/en.json#L28-L30). If the key has other scopes, display the [message from MediaWiki core](https://gerrit.wikimedia.org/g/mediawiki/core/+/39ebbb075d850c07af114b65973368249ffb117e/languages/i18n/en.json#1366) and link to Special:ListGrants, similar to the [form on Meta](https://meta.wikimedia.org/wiki/Special:OAuthConsumerRegistration/propose).
Cleaner solution:
De-duplicate messages between WikimediaApiPortalOAuth extension and MediaWiki Core. I think we could do this as long as we could change the message for the basic grant from "Basic rights" to "Read pages", although I don't know if there will be objections to that since the basic grant includes other rights besides just reading pages.
==== User Story
> As an API Portal developer,
> I want to view what permissions I'm granted
> So that I can expect what operations I'm authorized to take
==== Acceptance Criteria
[ ] Given I am on the API Key page, when I select "View Details" I expect to view my permissions (Below the client ID)
{F34855976}