Page MenuHomePhabricator

Better support for callback URL updates
Open, Needs TriagePublic

Description

Currently, if an app is created, no changes can be applied to the callback URL. Therefore, if we need to update the URL's domain or route, there is no way to do it in the same app, so such app has to be discarded and start over.

It would be great if the OAuth extension can support

  1. allow updating callback URL through the update page like this, which currently doesn't either display nor updating callback URL - this seem most feasible and least breaking changes.
  2. allow supporting more flexible wildcard e.g. general RegEx - a simpler solution for making callback URL more

Reference: https://meta.wikimedia.org/wiki/Ask_a_question/Recent_questions#Ask_for_a_approval_for_a_Oauth_app

Event Timeline

We have T59631: OAuth developers should be able to change some of the parameters they registered an application with instead of having to submit a new application for updating the callback URL and other details before approval (mainly so that when reviewers point out mistakes, they can be fixed without having to register a new app).

After approval is a lot more tricky - the user has consented to the use of their account by an app, should we be able to automatically extend that consent to what's potentially a different app? Or maybe there should be some sort of reauthentication process, but that's not straightforward (we don't store the callback URL in user acceptance records currently) and does not seem much different from registering a new app, just a little more convenient.

I'm a little skeptical about how well people would be able to predict domain wildcards. For flexibility in the part after the domain name, we already have the callback prefix option.