Auth systems/OAuth/Tasks

Outstanding Development tasks

~~flow for existing authorization key - Chris~~
~~MWOAuthUtils::getLocalUser, MWOAuthUtils::getCentralUser~~ - Aaron
~~Make sure empty token secrets don't work - https://gerrit.wikimedia.org/r/#/c/74643/~~

~~(blocker) default rights for grants - Brad - https://gerrit.wikimedia.org/r/#/c/76553/~~
~~(blocker) enforce 'oob' - Chris - (https://gerrit.wikimedia.org/r/#/c/74934/)~~
~~(blocker) api integration (https://gerrit.wikimedia.org/r/#/c/73977/) - Brad~~
~~Tooltips to explain grants better (JS?) - (https://gerrit.wikimedia.org/r/#/c/75994/) Aaron or Brad~~
(blocker) Give HMAC(token,$wgSecretSomething) to clients and checks against that rather than the raw token in the DB (make sure consumer management page handles this too via a separate action) - Aaron, Chris review on 7/25 (https://gerrit.wikimedia.org/r/#/c/75259/)

Week of July 29
- ~~(blocker) hooks to trigger CentralAuth autocreate for account for handshakes on non-central wikis - Chris or Brad?~~ [using global ids instead]
- ~~(blocker) change tagging hook handlers~~

~~(blocker) CentralAuth implement hooks to abort OAuth calls for non-global users - https://gerrit.wikimedia.org/r/#/c/77082/~~
~~Clean up /tests directory - Chris - https://gerrit.wikimedia.org/r/#/c/79298/~~
~~global to require HTTPS for handshake? - (https://gerrit.wikimedia.org/r/#/c/75490/)~~

(low) use htmlform in Special:MWOauth
(low priority) A special page to allow verification codes to be passed to mobile/bot consumers with no webserver (something like https://developers.google.com/accounts/images/OauthUX_nocallback.png)
~~(low priority) Allow Consumer owner to grant access for their user account, when application is in stage 'proposed'~~

Consumer Approval process:
- Who should have rights to do these?
- Who should have the rights to disable a mis-behaving consumer? (Stewards?)
Training for Consumer developers
- ~~Hong Kong training?~~
- Office hours?