Auth systems/OAuth/Tasks

Core

 * Raw Requests - https://gerrit.wikimedia.org/r/#/c/70747/

Extensions

 * API integration (https://gerrit.wikimedia.org/r/#/c/73977/) - Brad
 * flow for existing authorization key - Chris
 * MWOAuthUtils::getLocalUser, MWOAuthUtils::getCentralUser - Aaron
 * enforce 'oob' - Chris
 * Tooltips - Aaron
 * Make sure empty token secrets don't work - https://gerrit.wikimedia.org/r/#/c/74643/
 * Give HMAC(token, $wgSecretSomething) to clients and check against that rather than the raw token in the DB (make sure the consumer management page handles this too via a separate action)
 * Tooltips to explain grants better (JS?)
 * Clean up /tests directory
 * fix getGrantsHtml redundancy (use Utils class)
 * use htmlform in Special:MWOauth
 * global to require HTTPS for handshake?
 * hooks to trigger CentralAuth autocreate for account for handshakes on non-central wikis
 * default rights for grants
 * (low priority) A special page to allow verification codes to be passed to mobile/bot consumers with no webserver (something like https://developers.google.com/accounts/images/OauthUX_nocallback.png)
 * (low priority) Allow Consumer owner to grant access for their user account, when application is in stage 'proposed'

Outstanding Deployment tasks

 * Deploy to labs
 * Deploy to beta
 * Deploy to production

Outstanding Process decisions / work

 * Consumer Approval process:
   * Who should have rights to do these?
   * Who should have the rights to disable a misbehaving consumer? (Stewards?)
 * Training for Consumer developers
   * Hong Kong training?
   * Office hours?