Auth systems/OAuth/Tasks

Core

 * Raw Requests - https://gerrit.wikimedia.org/r/#/c/70747/

Extension

 * Week of July 15
 * flow for existing authorization key - Chris
 * MWOAuthUtils::getLocalUser, MWOAuthUtils::getCentralUser - Aaron
 * Make sure empty token secrets don't work - https://gerrit.wikimedia.org/r/#/c/74643/


 * Week of July 22
 * (blocker) default rights for grants - Brad?
 * (blocker) enforce 'oob' - Chris
 * (blocker) api integration (https://gerrit.wikimedia.org/r/#/c/73977/) - Brad
 * Tooltips to explain grants better (JS?) - Aaron or Brad
 * (blocker) Give HMAC(token,$wgSecretSomething) to clients and checks against that rather than the raw token in the DB (make sure consumer management page handles this too via a separate action) - Aaron, Chris review on 7/25


 * Week of July 29
 * (blocker) hooks to trigger CentralAuth autocreate for account for handshakes on non-central wikis - Chris or Brad?
 * Clean up /tests directory - Chris
 * global to require HTTPS for handshake?


 * Future
 * let consumers opt out of secret keys and only use RSA keys
 * (low) use htmlform in Special:MWOauth
 * (low priority) A special page to allow verification codes to be passed to mobile/bot consumers with no webserver (something like https://developers.google.com/accounts/images/OauthUX_nocallback.png)
 * (low priority) Allow Consumer owner to grant access for their user account, when application is in stage 'proposed'

Outstanding Deployment tasks

 * Deploy to beta - Week of July 22
 * Deploy to test2, mediawiki.org - Week of July 29
 * Deploy to all - sometime in August (schedule around Wikimania)

Outstanding Process decisions / work

 * Consumer Approval process:
 * Who should have rights to do these?
 * Who should have the rights to disable a mis-behaving consumer? (Stewards?)
 * Training for Consumer developers
 * Hong Kong training?
 * Office hours?