Requests for Comment/OAuth policy

OAuth is a tool for granting an application/website access to the API in your name, with limited permissions, of course. Additionally, in MediaWiki, it can also be used as a way to identify users.

This RfC attempts to establish a policy for non-owner-only consumers, meaning OAuth consumers that can be used by people other than their creator. Currently, we have no such thing, meaning it is pretty much up to whoever wants to do these, which in practice is no-one as the potential reviewer has no idea what to look for. OrangeStar (talk) 19:31, 4 May 2023 (UTC)

Proposal 1: Handling of OAuth consumer reviews
Site reliability engineers in the MediaWiki team are in charge of OAuth consumer reviews. OrangeStar (talk) 19:31, 4 May 2023 (UTC)

Support

 * 1)  This is the current status quo. While Wikimedia has a dedicated group in charge of these, I figured we don't need such a thing here. Anyone wanting to volunteer in this may be interested in joining SRE. OrangeStar (talk) 19:31, 4 May 2023 (UTC)

Proposal 2: Consumer permissions
Consumers must strive to only request the least amount of permissions required to perform their function. OrangeStar (talk) 19:31, 4 May 2023 (UTC)

Support

 * 1)  This is just good security hygiene. For example, it doesn't make sense for a consumer like the one used to verify users in Discord to request stuff like access to CheckUser and Oversight permissions, or for a mass-edit tool to request access to the DataDump permissions. OrangeStar (talk) 19:31, 4 May 2023 (UTC)

Proposal 3: Consumer scope
The consumer must be for a tool directly related to Miraheze. Usage of the consumer for non-Miraheze purposes is forbidden and is grounds for its revocation. OrangeStar (talk) 19:31, 4 May 2023 (UTC)

Support

 * 1)  No fun allowed. This is for stuff like trying to use the consumer as an SSO system (which you can do technically), which has nothing to do with either Miraheze or a Miraheze wiki. OrangeStar (talk) 19:31, 4 May 2023 (UTC)