Core Platform Team/Initiative/OAuth2/Epics, User Stories, and Requirements

Epic 1 - Add OAuth2 support to MediaWiki for use by web-based clients
Personas:

 * Server: wiki that is used as an OAuth identity provider
 * Admin: administrator of a wiki used as an OAuth identity provider
 * Client: client web application that uses a wiki as the OAuth identity provider
 * User: user of a client web application requesting authentication

Non-functional requirements:

 * OAuth 1.0 and OAuth 2.0 must be able to coexist
 * Implementation in an extension: OAuth2
 * Code must be extensible to support API-based clients in Epic 2
 * The MediaWiki code should not depend upon a particular client in any way
 * Possibly test with Wikimedia-hosted Discourse instance
 * Security review of all new code
 * Implement on top of new MediaWiki REST API support, if possible
 * Use existing library, if possible
   * https://github.com/thephpleague/oauth2-server (needs security review)

Epic 2 - Add OAuth 2.0 support to MediaWiki REST API
In Phabricator: https://phabricator.wikimedia.org/T234665

In this stage, we will use OAuth 2.0 as the primary authorization mechanism for the MediaWiki REST API.

Note: "client ID" is another word for "API key".

Personas:

 * Developer - a software developer who uses the MediaWiki REST API on their own behalf or on behalf of users
 * User - a person who reads, contributes to, curates or administrates a MediaWiki

OAuth 2.0 support for the Action API and Core REST API would follow the implementation of Epic 2, since Epic 2 will provide a SessionProvider. In future epics, other APIs supported inside the organization would also support OAuth 2.0 authorization.