User:APaskulin (WMF)/OAuth 2.0 notes

Current OAuth 2.0 flow
Wikimedia wikis use the MediaWiki OAuth extension, which supports OAuth 1.0a and 2.0. Meta is configured as the central OAuth wiki for Wikimedia wikis.

Step 1: Meta wiki form
Developers can register for three types of Wikimedia OAuth 2.0 consumers at m:Special:OAuthConsumerRegistration/propose on Meta:
 * User authorization (Consumer can be authorized by a user to act on their behalf in specific ways)
   * Required information:
     * Callback URL
     * Grant types
 * User identity verification only (Either with or without access to real name and email address. No ability to read pages or act on a user’s behalf. No API access.)
 * Owner-only consumers (Authorized to act on behalf of a single user, such as a bot account.)

Step 2: Manual review (user authorization consumers only)
User authorization consumers require manual review. Developers requesting a new consumer can post a request to Steward_requests/Miscellaneous on Meta. These requests can be approved by users with the mwoauthmanageconsumer right. For Wikimedia, this right is associated with these groups:
 * OAuth admins group
 * Staff group
 * Stewards group

Key management
Once registered, developers can perform these actions via m:Special:OAuthConsumerRegistration/list on Meta:
 * Update the Allowed IP ranges for the key
 * Reset the secret key to a new value
 * Update the public RSA key

User authorization flow

Step 1: Ask the user to authorize the app
Registering for a user authorization consumer gets you a “client application key” and a “client application secret”. You can use these credentials to ask users to authorize your app for the permissions you specified when you registered.

To ask a user to authorize the app, send the user to the Meta authorization server at:

The server displays the authorization dialog and gives the user the option to approve or deny. If the user approves, the authorization server redirects them back to your app with the authorization code in a query parameter.

Step 2: Get an access token
Use your authorization code to get an access token.

Returns an access token and a refresh token.

Step 3: Call the API on behalf of an authorized user
Include the access token to call the API on behalf of an authorized user.

User identity verification flow
Returns username, groups, status, etc.
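The three steps of the user authorization flow above, plus the identity verification (profile) call, as an added example; this is not code from the notes or from the OAuth extension. The endpoint paths are assumed from the Extension:OAuth REST documentation linked below, not taken from this page, and should be checked against it. HTTP is injected as a callable so the whole flow runs offline against constructed fake responses; the example also shows the `state` check that binds the callback to the session that started the flow.

```python
"""Added example: MediaWiki OAuth 2.0 authorization-code flow, run offline."""
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed endpoint paths (Extension:OAuth REST docs; not stated in these notes).
META_BASE = "https://meta.wikimedia.org/w/rest.php/oauth2"
AUTHORIZE_URL = META_BASE + "/authorize"
TOKEN_URL = META_BASE + "/access_token"
PROFILE_URL = META_BASE + "/resource/profile"


def new_state() -> str:
    """Unguessable per-request value stored in the user's session before step 1."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Step 1: URL the user is sent to; the wiki shows the approve/deny dialog."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the code from the redirect back to the app.

    The callback is rejected unless `state` equals the value saved for this
    session; without that check an attacker can make a victim's session
    redeem a code the attacker obtained (login CSRF / code injection).
    """
    qs = parse_qs(urlsplit(callback_url).query)
    if "error" in qs:
        raise PermissionError(f"authorization denied: {qs['error'][0]}")
    state = qs.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback not bound to this session")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def exchange_code(http_post, code, client_id, client_secret, redirect_uri) -> dict:
    """Step 2: redeem the one-time code for access and refresh tokens.

    `http_post(url, form_fields) -> (status, body)` is the injected transport.
    The client secret is sent only in this server-to-server request.
    """
    fields = {"grant_type": "authorization_code", "code": code,
              "client_id": client_id, "client_secret": client_secret,
              "redirect_uri": redirect_uri}
    status, body = http_post(TOKEN_URL, fields)
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}: {body}")
    tokens = json.loads(body)
    if tokens.get("token_type", "").lower() != "bearer" or "access_token" not in tokens:
        raise RuntimeError("unexpected token response")
    return tokens


def call_api(http_get, url: str, access_token: str) -> dict:
    """Step 3 / identity verification: present the token as a Bearer header."""
    status, body = http_get(url, {"Authorization": f"Bearer {access_token}"})
    if status == 401:
        raise PermissionError("token rejected (expired or revoked); refresh it")
    if status != 200:
        raise RuntimeError(f"API returned {status}")
    return json.loads(body)


def run_demo() -> dict:
    """Drive every step against constructed in-memory fakes; returns the profile."""
    client_id, client_secret = "example-key", "example-secret"   # constructed
    redirect_uri = "https://app.example/callback"                # constructed
    state = new_state()
    build_authorize_url(client_id, redirect_uri, state)  # user would open this
    # Constructed redirect the wiki would issue after the user clicks approve.
    code = parse_callback(f"{redirect_uri}?code=CODE123&state={state}", state)

    def fake_post(url, fields):  # constructed token endpoint
        ok = fields["code"] == "CODE123" and fields["client_secret"] == client_secret
        body = {"token_type": "Bearer", "access_token": "AT", "refresh_token": "RT"}
        return (200, json.dumps(body)) if ok else (400, "{}")

    def fake_get(url, headers):  # constructed profile endpoint
        if headers.get("Authorization") != "Bearer AT":
            return 401, ""
        return 200, json.dumps({"username": "Example", "groups": ["*", "user"]})

    tokens = exchange_code(fake_post, code, client_id, client_secret, redirect_uri)
    return call_api(fake_get, PROFILE_URL, tokens["access_token"])


if __name__ == "__main__":
    print(run_demo())
```

An owner-only consumer skips steps 1 and 2, since registration already hands out the access token; `call_api` is then the only part of the flow it needs.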

Owner-only consumer flow
Registering for this type of consumer gets you a “client application key”, “client application secret”, and “access token”.

Dev portal prototype API key flow
https://lcij4a.axshare.com/#id=uwqv8b&p=my_account_key_manage
 * Single-step create a key via form
 * View key
 * Delete key
 * See historical usage data (# of calls per key per day)
 * Developer can receive notifications if their keys are blocked, limits reached, etc.

OAuth 2.0 documentation

 * https://www.mediawiki.org/wiki/Extension:OAuth#OAuth_2.0_REST_endpoints
 * https://www.mediawiki.org/wiki/OAuth/For_Developers#OAuth_2
 * https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/OAuth/+/master/src/Rest/Handler

OAuth 1.0(a) documentation

 * https://www.mediawiki.org/wiki/OAuth/For_Developers#OAuth_1.0a
 * https://docs.google.com/presentation/d/1537HnwSaSzH-b8hINcz48SNhT8ElAUPC39to0_O1iNA/edit#slide=id.g15105b408d_0_287
 * https://tools.wmflabs.org/oauth-hello-world/index.php
 * https://www.mediawiki.org/wiki/Manual:Pywikibot/OAuth/Wikimedia

Outside references

 * https://developers.google.com/identity/protocols/OAuth2
 * https://oauth.net/code/python/
 * https://tools.ietf.org/html/rfc6749#section-4.1
 * https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/
 * https://www.oauth.com/oauth2-servers/authorization/the-authorization-request/
 * https://aaronparecki.com/oauth-2-simplified/
 * https://oauth.net/2/