Page MenuHomePhabricator

Add "under development" stage before "proposed" stage for OAuth consumers
Open, LowPublic

Description

The OAuth extension allows a developer to propose a consumer, then use the proposed consumer on their own account for testing purposes before it is approved. This has led to a lot of "test consumer, do not approve" applications building up in the queue for consumer applications.

We should break these off into their own separate section so that it's clearer how many consumer requests are actually waiting.

New consumers should be created in an "under development" stage and the developer should have to move them manually into the "proposed" stage.

This would also make it simpler to allow changing the grants before the request is approved (T62380: OAuth developers should be able to change what grants their application asks for instead of having to submit a new application).

Event Timeline

bzimport raised the priority of this task from to Low.Nov 22 2014, 2:24 AM
bzimport set Reference to bz58937.
bzimport added a subscriber: Unknown Object (MLST).
Deskana renamed this task from Add 'Queue of test consumer requests' to OAuth to Add 'Queue of test/experimental consumer requests' to OAuth.Mar 6 2015, 10:33 PM
Deskana moved this task from Backlog to Consumer wants on the MediaWiki-extensions-OAuth board.
Deskana set Security to None.

Shouldn't we instead define a test status in which the application shows up in a different queue, then the owner can request approval to put it in the normal queue, then it can be approved? (That's T96157 if I understand the intent behind that ticket correctly.) It seems pointless to duplicate applications.

Or maybe having a separate test app would be useful for testing updates to an already approved app? (In that case, wouldn't it be better to just automatically add a different test key/mode for each app?)

In T60937#1391002, @Tgr wrote:

Shouldn't we instead define a test status in which the application shows up in a different queue, then the owner can request approval to put it in the normal queue, then it can be approved? (That's T96157 if I understand the intent behind that ticket correctly.) It seems pointless to duplicate applications.

This sounds like a sane way to go. If we have "Beta" (or "Test" or "Dev") as a stage that can be optionally set on the application form, and then allow on the management form to transition the app to "ready for review" (or something like that), I think that would address both this and T96157.

I think I also added a task about marking apps as "Personal user" or "Bot only"-- where the user who's making the request is the only intended consumer (so users can store the tokens instead of a username/password on their bot servers). That could be implemented in a similar way, so it might be good to start in this direction.

I think I also added a task about marking apps as "Personal user" or "Bot only"

Yes, T87395.

Tgr renamed this task from Add 'Queue of test/experimental consumer requests' to OAuth to Add "under development" stage before "proposed" stage for OAuth consumers.Dec 23 2015, 11:31 PM
Tgr updated the task description. (Show Details)

Change 316302 had a related patch set uploaded (by Gergő Tisza):
[WIP] Add development stage, refactor approval workflow

https://gerrit.wikimedia.org/r/316302