Auth systems/OAuth/Tasks
Outstanding Development tasks
Core
- Raw Requests - https://gerrit.wikimedia.org/r/#/c/70747/
Extension
- Week of July 15
- flow for existing authorization key - Chris
- MWOAuthUtils::getLocalUser, MWOAuthUtils::getCentralUser - Aaron
- Make sure empty token secrets don't work - https://gerrit.wikimedia.org/r/#/c/74643/
- Week of July 22
- (blocker) default rights for grants - Brad - https://gerrit.wikimedia.org/r/#/c/76553/
- (blocker) enforce 'oob' - Chris - (https://gerrit.wikimedia.org/r/#/c/74934/)
- (blocker) api integration (https://gerrit.wikimedia.org/r/#/c/73977/) - Brad
- Tooltips to explain grants better (JS?) - (https://gerrit.wikimedia.org/r/#/c/75994/) Aaron or Brad
- (blocker) Give HMAC(token,$wgSecretSomething) to clients and check against that rather than the raw token in the DB (make sure consumer management page handles this too via a separate action) - Aaron, Chris review on 7/25 (https://gerrit.wikimedia.org/r/#/c/75259/)
- Week of July 29
- (blocker) hooks to trigger CentralAuth autocreate for account for handshakes on non-central wikis - Chris or Brad? [using global ids instead]
- (blocker) change tagging hook handlers
- (blocker) CentralAuth implement hooks to abort OAuth calls for non-global users - https://gerrit.wikimedia.org/r/#/c/77082/
- Clean up /tests directory - Chris - https://gerrit.wikimedia.org/r/#/c/79298/
- global to require HTTPS for handshake? - (https://gerrit.wikimedia.org/r/#/c/75490/)
- Future
- let consumers opt out of secret keys and only use RSA keys
- (low) use htmlform in Special:MWOauth
- (low priority) A special page to allow verification codes to be passed to mobile/bot consumers with no webserver (something like https://developers.google.com/accounts/images/OauthUX_nocallback.png)
- (low priority) Allow Consumer owner to grant access for their user account, when application is in stage 'proposed'
Outstanding Deployment tasks
- Deploy to beta - Week of July 22
- Deploy to test2, mediawiki.org - Week of August 19th
- Deploy to all - late August
Outstanding Process decisions / work
- Consumer Approval process:
- Who should have rights to do these?
- Who should have the rights to disable a mis-behaving consumer? (Stewards?)
- Training for Consumer developers
- Hong Kong training?
- Office hours?