Core Platform Team/Initiative/OAuth2/Epics, User Stories, and Requirements

Epic 1 - Add OAuth2 support to MediaWiki for use by web-based clients
Personas:

 * Server: wiki that is used as an OAuth identity provider
 * Admin: administrator of a wiki used as an OAuth identity provider
 * Client: client web application that uses a wiki as the OAuth identity provider
 * User: user of a client web application requesting authentication

Non-functional requirements:

 * OAuth 1.0 and OAuth 2.0 must be able to coexist
 * Implementation in an extension: OAuth2
 * Code must be extensible to support API-based clients in Epic 2
 * The MediaWiki code should not depend upon a particular client in any way
 * Possibly test with Wikimedia-hosted Discourse instance
 * Security review of all new code
 * Implement on top of new MediaWiki REST API support, if possible
 * Use existing library, if possible
    * https://github.com/thephpleague/oauth2-server (needs security review)

Epic 2 - Add OAuth 2.0 support to MediaWiki REST API
In Phabricator: https://phabricator.wikimedia.org/T234665

In this stage, we will use OAuth 2.0 as the primary authorization mechanism for the MediaWiki REST API.

Note: "client ID" is another word for "API key".

Personas:

 * Developer - a software developer who uses the MediaWiki REST API on their own behalf or on behalf of users
 * User - a person who reads, contributes to, curates or administers a MediaWiki

Epic 3 - Add OAuth 2.0 as an optional authz method for Action API
In the future, we will enable using OAuth 2.0 in the Action API.

Epic 4 - Add OAuth 2.0 as an optional authz method for RESTBase
In the future, we will enable using OAuth 2.0 in the RESTBase API.

In future epics, other APIs supported inside the organization would also support OAuth 2.0 authorization.