Platform Engineering Team/API Value Stream/API Demo Sept 02, 2021

Notes/Q&A

 * How does an Auth strategy impact our authentication flows that were demoed?
 * We do have a sense that the way we are hosting our api web services that they have gone and leveraged some data from api1 to api2.
 * [NN] Different methods of authentication result in challenges because not all clients can use OAuth
 * [BP] from a production standpoint we have a split mind on authentication.
 * MediaWiki has the capabilities to authenticate through OAuth
 * Legacy system
 * [CC] not sure if it is an implementation issue or issue more generally with OAuth
 * [BP] +1 problem isn't OAuth itself
 * Having the right code and right endpoints in order to complete an interaction
 * [NN] existing tickets log these issues
 * https://phabricator.wikimedia.org/T275571
 * [BP] if we see you are a valid person
 * Authentication vs authorization
 * MediaWiki core is the authorization server that determines what capabilities we already have
 * [SK] from the perspective of is it more upstream or downstream, there are definite end-user issues because of the inconsistencies of the user authentication methods
 * Dependency on what security decides auth should be
 * Right now we are straddling across Cloud Services and Kubernetes
 * How are we doing it right now?
 * Initially chose Oauth without ensuring everyone was
 * What is WMCS doing now?
 * Use bot passwords: Manual:Bot passwords - MediaWiki
 * How does Auth impact Rate limiting and other capabilities
 * You have the keys and so you have a certain amount of assurances to create a hash that contains the rate limiting information
 * API key = client identity that gets generated by OAuth right now
 * [CC] There would be a lot of wins for us to create our own authentication component that is not tied to core MediaWiki
 * Maintain a suite of extensions for auth called Pluggable Auth that let you connect to MediaWiki from multiple different authenticators
 * [BP] https://meta.wikimedia.org/wiki/User:BPirkle_(WMF)/Stuff/MediaWiki_Framework_Thoughts
 * Key vs token
 * Key identifies the application
 * Using client secret to validate
 * Tokens - are access tokens that have longer lives
 * Can we look at solving for authentication at the user persona