Core Platform Team/Initiative/OAuth2/Epics, User Stories, and Requirements


 * Epic 1 - Add OAuth2 support to MediaWiki for use by web-based clients
   * Admin adds a new OAuth 2.0 client to a MediaWiki instance
     * Admin generates a client ID and secret to provide to the client
       * Can initially be a script, but could provide a self-service interface in the future
     * Admin configures a redirect URI of the form https://DISCOURSE_HOST/auth/oauth2_basic/callback
     * Admin provides the authorization URL and token URL to the client
   * Admin removes an existing OAuth 2.0 client from a MediaWiki instance
     * Information for the given client ID is deleted
   * Client application requests an authorization token using the authorization URL
   * Client application requests a token using the token URL
   * Client application requests user information, providing an authorization token
     * Returns user ID and username
     * Optionally returns name and email
   * Admin configures the user-based authorization whitelist (“Do you authorize Discourse to use your account?”)
   * User is able to click on a button in Discourse and log in when not logged in
     * User, if not whitelisted, gets the authorization permission dialog
   * User is able to click on a button in Discourse and be logged in when already logged in
   * User is able to click on a button and log out
     * Admin configures logout behavior
   * OAuth 2.0 code passes security review
   * Implement OAuth 2.0 configuration variables in MediaWiki
   * Implement authorization workflow for Discourse
   * Test with Wikimedia-hosted Discourse instance
   * Security review of OAuth 2.0 code
   * Non-functional requirements:
     * OAuth 1.0 and OAuth 2.0 must be able to coexist in the codebase
     * OAuth 2.0 scopes must be defined (id, read, write, admin, ...)
 * Epic 2 - Add OAuth2 support to MediaWiki for use by API-based clients
   * Implement internal classes for using OAuth 2.0 tokens in API calls
   * Add OAuth 2.0 as an optional authorization method for a first API (probably the REST API)
   * Add OAuth 2.0 as an optional authorization method for the Action API
   * Add OAuth 2.0 as an optional authorization method for RESTBase
   * Interface for requesting, managing, and deleting API keys
   * Interface for users to list and delete tokens
   * Clear all OAuth 2.0 tokens when the password changes
   * Clear all OAuth 2.0 tokens on request
   * Security review
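The user stories in Epic 1 (client registration, authorization URL, token URL, user-info request, whitelist) and the token-revocation story in Epic 2 can be checked against a small in-memory model of the server side. This is an added illustration, not code from the MediaWiki OAuth extension; it assumes the whitelist is keyed by user ID, that the secret is verified by hash comparison, and that name and email are released only with the `read` scope.

```python
import hashlib
import hmac
import secrets
import time

SCOPES = {"id", "read", "write", "admin"}  # scopes listed in the non-functional requirements
class OAuth2Server:
    def __init__(self):
        self.clients, self.codes, self.tokens, self.whitelist = {}, {}, {}, set()
    def add_client(self, redirect_uri):
        """Admin story: generate a client ID and secret; only a hash of the secret is stored."""
        cid, secret = secrets.token_hex(8), secrets.token_urlsafe(32)
        self.clients[cid] = {"redirect_uri": redirect_uri,
                             "secret_hash": hashlib.sha256(secret.encode()).hexdigest()}
        return cid, secret
    def authorize(self, cid, redirect_uri, scope, user, consented):
        """Authorization URL: return a one-time code, or None if the consent dialog must be shown first."""
        client = self.clients.get(cid)
        if client is None or redirect_uri != client["redirect_uri"]:  # exact match, never a prefix match
            raise ValueError("invalid_client")
        if not set(scope.split()) <= SCOPES:
            raise ValueError("invalid_scope")
        if user["id"] not in self.whitelist and not consented:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client": cid, "user": user, "scope": scope, "exp": time.time() + 60}
        return code
    def token(self, cid, secret, code, redirect_uri):
        """Token URL: the client proves its secret and trades the code (single use) for a bearer token."""
        client, grant = self.clients.get(cid), self.codes.pop(code, None)
        if (client is None or grant is None or grant["client"] != cid or grant["exp"] < time.time()
                or redirect_uri != client["redirect_uri"]
                or not hmac.compare_digest(hashlib.sha256(secret.encode()).hexdigest(), client["secret_hash"])):
            raise ValueError("invalid_grant")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"client": cid, "user": grant["user"], "scope": grant["scope"].split()}
        return tok
    def userinfo(self, tok):
        """User-info request: id and username always; name and email only with 'read' (an assumption)."""
        t = self.tokens.get(tok)
        if t is None:
            raise ValueError("invalid_token")
        info = {"id": t["user"]["id"], "username": t["user"]["username"]}
        if "read" in t["scope"]:
            info.update(name=t["user"]["name"], email=t["user"]["email"])
        return info
    def on_password_change(self, user_id):
        """Epic 2 story: clear every OAuth 2.0 token of a user whose password changed."""
        self.tokens = {t: v for t, v in self.tokens.items() if v["user"]["id"] != user_id}
```

The checks a reviewer would look for are all visible here: exact redirect-URI comparison, single-use codes bound to the client that requested them, constant-time secret comparison, and revocation on password change.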