Auth systems/OAuth/Tasks

Core

 * Raw Requests - https://gerrit.wikimedia.org/r/#/c/70747/

Extension

 * Week of July 15
   * flow for existing authorization key - Chris
   * MWOAuthUtils::getLocalUser, MWOAuthUtils::getCentralUser - Aaron
   * Make sure empty token secrets don't work - https://gerrit.wikimedia.org/r/#/c/74643/


 * Week of July 22
   * (blocker) default rights for grants - Brad - https://gerrit.wikimedia.org/r/#/c/76553/
   * (blocker) enforce 'oob' - Chris - (https://gerrit.wikimedia.org/r/#/c/74934/)
   * (blocker) api integration (https://gerrit.wikimedia.org/r/#/c/73977/) - Brad
   * Tooltips to explain grants better (JS?) - (https://gerrit.wikimedia.org/r/#/c/75994/) Aaron or Brad
   * (blocker) Give HMAC(token,$wgSecretSomething) to clients and check against that rather than the raw token in the DB (make sure the consumer management page handles this too via a separate action) - Aaron, Chris review on 7/25 (https://gerrit.wikimedia.org/r/#/c/75259/)


 * Week of July 29
   * (blocker) hooks to trigger CentralAuth account autocreation for handshakes on non-central wikis - Chris or Brad? [using global ids instead]
   * (blocker) change tagging hook handlers
   * (blocker) CentralAuth implement hooks to abort OAuth calls for non-global users
   * Clean up /tests directory - Chris
   * global to require HTTPS for handshake? - (https://gerrit.wikimedia.org/r/#/c/75490/)


 * Future
   * let consumers opt out of secret keys and only use RSA keys
   * (low) use htmlform in Special:MWOauth
   * (low priority) A special page to allow verification codes to be passed to mobile/bot consumers with no webserver (something like https://developers.google.com/accounts/images/OauthUX_nocallback.png)
   * (low priority) Allow Consumer owner to grant access for their user account, when application is in stage 'proposed'

Outstanding Deployment tasks

 * Deploy to beta - Week of July 22
 * Deploy to test2, mediawiki.org - Week of August 19th
 * Deploy to all - late August

Outstanding Process decisions / work

 * Consumer Approval process:
   * Who should have rights to do these?
   * Who should have the rights to disable a misbehaving consumer? (Stewards?)
 * Training for Consumer developers
   * Hong Kong training?
   * Office hours?