Requests for comment/OAuth app guidelines

The following request for comments is closed. Closing for sheer inactivity for over a year. Feel free to reopen if that changes. Effeietsanders (talk) 06:49, 2 September 2018 (UTC)[reply]


Background

edit

OAuth is a standard way of sharing authorization between a website and external applications, by which a user can tell the website that an external application is allowed to perform certain actions in the user's name. Wikimedia sites have implemented this standard in late 2013, but due to very limited resources, there never was much attention given to the administration of these applications, which is now done by a random group of developers on a very ad hoc basis. This is bad for OAuth admins who have to come up with guidelines on the spot, bad for transparency, and especially bad for developers who tend to find out the hard way when they have done something inadvisable.

Proposal

edit

I wrote a draft guideline for OAuth app development and review: OAuth app guidelines. I would appreciate comments. If there is support, I will mark the page as a guideline and over time work the relevant parts into the OAuth management UI as well (tracked in T159789).

This is mostly the codification of established practice (or so I'd hope). Most of it is taken from a related earlier discussion, Requests_for_comment/OAuth_handover#Draft_approval_policy.

A note on terminology: I am trying to get rid of the OAuth specification's term for applications ("consumer") as it is obscure even for most developers. I wanted to avoid "tool" which gives the wrong idea (command line tool, Tool labs or the like - OAuth can be useful for those, but also for things like browser plugins, mobile apps or third-party websites using Wikipedia for authentication). "Application" is in general a good choice but it felt very confusing when talking about the registration process (am I talking about the software that wants to use OAuth or the form that needs to be submitted with the description of what the software is for?). That leaves "app", which I am no huge fan of, but it is pretty standard for other sites which allow OAuth (e.g. "Facebook apps", Google's "connected apps & sites").

Comments

edit

Pinging OAuth admins: @Aaron Schulz, Anomie, BDavis (WMF), DPatrick (WMF), Deskana (WMF), Eloquence, EpochFail, Hoo man, Magnus Manske, Reedy, Ruslik0, and YuviPanda: --Tgr (WMF) (talk) 10:14, 15 May 2017 (UTC) (Also @Bawolff:) --Tgr (WMF) (talk) 10:16, 19 May 2017 (UTC)[reply]

Some comments:
  • Ideally the responsibility would be officially assumed by the community rather than continuing to be handled by "a random group of developers" plus a few Stewards, even with these guidelines.
  • I wish someone could come up with a better solution than "it must be owner-only" for things like mobile apps, because that effectively means "the end user has to figure out how to register an owner-only app".
Anomie (talk) 12:26, 15 May 2017 (UTC)[reply]
@Anomie: I don't think we can get rid of the requirement for separate application secret for every instance of the mobile app. I have some thoughts on how it could be handled in a more user-friendly way at T165219. --Tgr (WMF) (talk) 12:44, 15 May 2017 (UTC)[reply]