OAuth

classic Classic list List threaded Threaded
14 messages Options
Reply | Threaded
Open this post in threaded view
|

OAuth

Chris Steipp
As mentioned earlier this week, we deployed an initial version of the OAuth
extension to the test wikis yesterday. I wanted to follow up with a few
more details about the extension that we deployed (although if you're just
curious about OAuth in general, I recommend starting at oauth.net, or
https://www.mediawiki.org/wiki/Auth_systems/OAuth):

* Use it: https://www.mediawiki.org/wiki/Extension:OAuth#Using_OAuth should
get you started towards using OAuth in your application.

* Demo: Anomie setup a excellent initial app (I think counts as our first
official, approved consumer) here
https://tools.wmflabs.org/oauth-hello-world/. Feel free to try it out, so
you can get a feel for the user experience as a user!

* Timeline: We're hoping to get some use this week, and deploy to the rest
of the WMF wikis next week if we don't encounter any issues.

* Bugs: Please open bugzilla tickets for any issues you find, or
enhancement requests--
https://bugzilla.wikimedia.org/enter_bug.cgi?product=MediaWiki%20extensions&component=OAuth


And some other details for the curious:

* Yes, you can use this on your own wiki right now! It's meant to be used
in a single or shared environment, so the defaults will work on a
standalone wiki. Input and patches are welcome, if you have any issues
setting this up on your own wiki.

* TLS: Since a few of you seem to care about https... The extension
currently implements OAuth 1.0a, which is designed to be used without https
(except to deliver the shared secret to the app owner, when the app is
registered). So calls to the API don't need to use https.

* Logging: All edits are tagged with the consumer's id (CID), so you can
see when OAuth was used to contribute an edit.

Enjoy!
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OAuth

Dan Andreescu
This is highly anticipated on my part and awesome.  I will integrate it
into wikimetrics asap.

Dan


On Tue, Aug 20, 2013 at 9:15 PM, Chris Steipp <[hidden email]> wrote:

> As mentioned earlier this week, we deployed an initial version of the OAuth
> extension to the test wikis yesterday. I wanted to follow up with a few
> more details about the extension that we deployed (although if you're just
> curious about OAuth in general, I recommend starting at oauth.net, or
> https://www.mediawiki.org/wiki/Auth_systems/OAuth):
>
> * Use it: https://www.mediawiki.org/wiki/Extension:OAuth#Using_OAuthshould
> get you started towards using OAuth in your application.
>
> * Demo: Anomie setup a excellent initial app (I think counts as our first
> official, approved consumer) here
> https://tools.wmflabs.org/oauth-hello-world/. Feel free to try it out, so
> you can get a feel for the user experience as a user!
>
> * Timeline: We're hoping to get some use this week, and deploy to the rest
> of the WMF wikis next week if we don't encounter any issues.
>
> * Bugs: Please open bugzilla tickets for any issues you find, or
> enhancement requests--
>
> https://bugzilla.wikimedia.org/enter_bug.cgi?product=MediaWiki%20extensions&component=OAuth
>
>
> And some other details for the curious:
>
> * Yes, you can use this on your own wiki right now! It's meant to be used
> in a single or shared environment, so the defaults will work on a
> standalone wiki. Input and patches are welcome, if you have any issues
> setting this up on your own wiki.
>
> * TLS: Since a few of you seem to care about https... The extension
> currently implements OAuth 1.0a, which is designed to be used without https
> (except to deliver the shared secret to the app owner, when the app is
> registered). So calls to the API don't need to use https.
>
> * Logging: All edits are tagged with the consumer's id (CID), so you can
> see when OAuth was used to contribute an edit.
>
> Enjoy!
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OAuth

Nicolas Vervelle-4
In reply to this post by Chris Steipp
Hi,

I'm completely new to OAuth, so bear with me if my questions are basic or I
missed a point ;-)
It seems interesting, but seems very oriented for web applications, not so
much for desktop applications.

I'm interested in developing this for WPCleaner [1], which is a desktop
application.
Is the callback URL required ? If so, which one should you use for a
desktop application ?

Has anyone implemented the connection to WMF wikis using OAuth under Java ?

For this to work, you request client tokens (including secret key) for the
client : do this tokens need to be kept privately ?
I'm wondering, because keeping secrets for an open source desktop
application is not easy.

Nico

[1] http://en.wikipedia.org/wiki/Wikipedia:WPCleaner



On Wed, Aug 21, 2013 at 6:15 AM, Chris Steipp <[hidden email]> wrote:

> As mentioned earlier this week, we deployed an initial version of the OAuth
> extension to the test wikis yesterday. I wanted to follow up with a few
> more details about the extension that we deployed (although if you're just
> curious about OAuth in general, I recommend starting at oauth.net, or
> https://www.mediawiki.org/wiki/Auth_systems/OAuth):
>
> * Use it: https://www.mediawiki.org/wiki/Extension:OAuth#Using_OAuthshould
> get you started towards using OAuth in your application.
>
> * Demo: Anomie setup a excellent initial app (I think counts as our first
> official, approved consumer) here
> https://tools.wmflabs.org/oauth-hello-world/. Feel free to try it out, so
> you can get a feel for the user experience as a user!
>
> * Timeline: We're hoping to get some use this week, and deploy to the rest
> of the WMF wikis next week if we don't encounter any issues.
>
> * Bugs: Please open bugzilla tickets for any issues you find, or
> enhancement requests--
>
> https://bugzilla.wikimedia.org/enter_bug.cgi?product=MediaWiki%20extensions&component=OAuth
>
>
> And some other details for the curious:
>
> * Yes, you can use this on your own wiki right now! It's meant to be used
> in a single or shared environment, so the defaults will work on a
> standalone wiki. Input and patches are welcome, if you have any issues
> setting this up on your own wiki.
>
> * TLS: Since a few of you seem to care about https... The extension
> currently implements OAuth 1.0a, which is designed to be used without https
> (except to deliver the shared secret to the app owner, when the app is
> registered). So calls to the API don't need to use https.
>
> * Logging: All edits are tagged with the consumer's id (CID), so you can
> see when OAuth was used to contribute an edit.
>
> Enjoy!
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OAuth

Petr Onderka
In reply to this post by Chris Steipp
Shouldn't Special:MWOAuth with no other parameters do something better than
just returning an error?

Also, how is normal user supposed to learn about
Special:MWOAuthManageMyGrants?
I would expect this to be available from Preferences, but I didn't find
anything there.

Petr Onderka
[[en:User:Svick]]


On Wed, Aug 21, 2013 at 6:15 AM, Chris Steipp <[hidden email]> wrote:

> As mentioned earlier this week, we deployed an initial version of the OAuth
> extension to the test wikis yesterday. I wanted to follow up with a few
> more details about the extension that we deployed (although if you're just
> curious about OAuth in general, I recommend starting at oauth.net, or
> https://www.mediawiki.org/wiki/Auth_systems/OAuth):
>
> * Use it: https://www.mediawiki.org/wiki/Extension:OAuth#Using_OAuthshould
> get you started towards using OAuth in your application.
>
> * Demo: Anomie setup a excellent initial app (I think counts as our first
> official, approved consumer) here
> https://tools.wmflabs.org/oauth-hello-world/. Feel free to try it out, so
> you can get a feel for the user experience as a user!
>
> * Timeline: We're hoping to get some use this week, and deploy to the rest
> of the WMF wikis next week if we don't encounter any issues.
>
> * Bugs: Please open bugzilla tickets for any issues you find, or
> enhancement requests--
>
> https://bugzilla.wikimedia.org/enter_bug.cgi?product=MediaWiki%20extensions&component=OAuth
>
>
> And some other details for the curious:
>
> * Yes, you can use this on your own wiki right now! It's meant to be used
> in a single or shared environment, so the defaults will work on a
> standalone wiki. Input and patches are welcome, if you have any issues
> setting this up on your own wiki.
>
> * TLS: Since a few of you seem to care about https... The extension
> currently implements OAuth 1.0a, which is designed to be used without https
> (except to deliver the shared secret to the app owner, when the app is
> registered). So calls to the API don't need to use https.
>
> * Logging: All edits are tagged with the consumer's id (CID), so you can
> see when OAuth was used to contribute an edit.
>
> Enjoy!
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OAuth

Alex Monk
On Wed, Aug 21, 2013 at 1:00 PM, Petr Onderka <[hidden email]> wrote:

> Also, how is normal user supposed to learn about
> Special:MWOAuthManageMyGrants?
> I would expect this to be available from Preferences, but I didn't find
> anything there.


There's a link to it on the first page of preferences. Under basic
information, it's labelled "OAuth consumer access".
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OAuth

Tyler Romeo
In reply to this post by Nicolas Vervelle-4
On Wed, Aug 21, 2013 at 5:05 AM, Nicolas Vervelle <[hidden email]>wrote:

> I'm completely new to OAuth, so bear with me if my questions are basic or I
> missed a point ;-)
> It seems interesting, but seems very oriented for web applications, not so
> much for desktop applications.
>

I cannot speak for MediaWiki's implementation of OAuth, but the OAuth spec
does provide different authentication methods so that desktop applications
can be used. It's just a matter of whether MW has it.

*-- *
*Tyler Romeo*
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | [hidden email]
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OAuth

Chris Steipp
In reply to this post by Nicolas Vervelle-4
On Wed, Aug 21, 2013 at 2:05 AM, Nicolas Vervelle <[hidden email]>wrote:

> Hi,
>
> I'm completely new to OAuth, so bear with me if my questions are basic or I
> missed a point ;-)
> It seems interesting, but seems very oriented for web applications, not so
> much for desktop applications.
>

This is true, for exactly the reason you were asking about-- the secret key
needs to be kept private, which is impossible when you distribute the
application to other users. OAuth 2 has a framework for dealing with this,
but it makes controlling consumers nearly impossible. So we wanted to start
with OAuth 1 while everyone gets familiar with the concepts, and we see
which use cases actually get used. We may extend the framework to allow
situations like this in the future.

The best workaround now is probably to have each user register their copy
of your desktop application as its own consumer. It's a little ugly having
to give your user instructions on cutting and pasting tokens and keys
around, but it can work (in the early days of Salesforce, several OAuth
apps were configured this way).


>
> I'm interested in developing this for WPCleaner [1], which is a desktop
> application.
> Is the callback URL required ? If so, which one should you use for a
> desktop application ?
>

For bots too, I'd like to have the extension implement something like
https://developers.google.com/accounts/images/OauthUX_nocallback.png directly
in the extension, but that wasn't something we were able to finish before
this release.


>
> Has anyone implemented the connection to WMF wikis using OAuth under Java ?
>

No, not yet.


>
> For this to work, you request client tokens (including secret key) for the
> client : do this tokens need to be kept privately ?
> I'm wondering, because keeping secrets for an open source desktop
> application is not easy.
>
> Nico
>
> [1] http://en.wikipedia.org/wiki/Wikipedia:WPCleaner
>
>
>
> On Wed, Aug 21, 2013 at 6:15 AM, Chris Steipp <[hidden email]>
> wrote:
>
> > As mentioned earlier this week, we deployed an initial version of the
> OAuth
> > extension to the test wikis yesterday. I wanted to follow up with a few
> > more details about the extension that we deployed (although if you're
> just
> > curious about OAuth in general, I recommend starting at oauth.net, or
> > https://www.mediawiki.org/wiki/Auth_systems/OAuth):
> >
> > * Use it:
> https://www.mediawiki.org/wiki/Extension:OAuth#Using_OAuthshould
> > get you started towards using OAuth in your application.
> >
> > * Demo: Anomie setup a excellent initial app (I think counts as our first
> > official, approved consumer) here
> > https://tools.wmflabs.org/oauth-hello-world/. Feel free to try it out,
> so
> > you can get a feel for the user experience as a user!
> >
> > * Timeline: We're hoping to get some use this week, and deploy to the
> rest
> > of the WMF wikis next week if we don't encounter any issues.
> >
> > * Bugs: Please open bugzilla tickets for any issues you find, or
> > enhancement requests--
> >
> >
> https://bugzilla.wikimedia.org/enter_bug.cgi?product=MediaWiki%20extensions&component=OAuth
> >
> >
> > And some other details for the curious:
> >
> > * Yes, you can use this on your own wiki right now! It's meant to be used
> > in a single or shared environment, so the defaults will work on a
> > standalone wiki. Input and patches are welcome, if you have any issues
> > setting this up on your own wiki.
> >
> > * TLS: Since a few of you seem to care about https... The extension
> > currently implements OAuth 1.0a, which is designed to be used without
> https
> > (except to deliver the shared secret to the app owner, when the app is
> > registered). So calls to the API don't need to use https.
> >
> > * Logging: All edits are tagged with the consumer's id (CID), so you can
> > see when OAuth was used to contribute an edit.
> >
> > Enjoy!
> > _______________________________________________
> > Wikitech-l mailing list
> > [hidden email]
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OAuth

Brad Jorsch (Anomie)
In reply to this post by Nicolas Vervelle-4
On Wed, Aug 21, 2013 at 5:05 AM, Nicolas Vervelle <[hidden email]>wrote:

> I'm completely new to OAuth, so bear with me if my questions are basic or
> I missed a point ;-)
>

You have some good questions here.


> I'm interested in developing this for WPCleaner [1], which is a desktop
> application.
> Is the callback URL required ? If so, which one should you use for a
> desktop application ?
>

A callback URL is required.

In general with OAuth, a desktop or mobile app has to direct the user to a
web browser in some manner to go to the site, log in, and authorize the
application.

If you embed a web browser control right in your application, you can
probably watch for it to be directed to your specific callback URL, remove
the web browser control, and proceed to process the response. On the other
hand, and end user shouldn't necessary trust a web browser control to not
be sniffing their password as they log into the site to authorize (but on
the gripping hand, the desktop app might sniff the keystrokes even with an
external browser, so...))

If you open an external browser, chances are you can't catch the callback
URL, so your options are limited to basically having a web page somewhere
that just displays the necessary verification token for the user to copy
back into your application. Perhaps we should allow for the callback URL to
be left empty, in which case the OAuth extension would do just this.

For that matter, it's possible the app is unable to open a browser at all.
In that case, the app could always just display the URL (possibly using a
shortener), instruct the user to visit that from a full-featured computer,
and then enter the verification code as mentioned in the above paragraph.

Has anyone implemented the connection to WMF wikis using OAuth under Java ?
>

I don't think the MediaWiki OAuth extension does anything particularly
unusual, so you should be able to start with any other Java implementation
of an OAuth 1.0a client.

For this to work, you request client tokens (including secret key) for the
> client : do this tokens need to be kept privately ?
> I'm wondering, because keeping secrets for an open source desktop
> application is not easy.
>

That is a good point. I hope someone will correct me if I'm wrong, but I
can't think of any way to prevent a determined attacker from extracting the
keys from a desktop or mobile app (open or closed source) and impersonating
it. Which means that there's no way for MediaWiki to know that the app is
really who it says it is, meaning that the OAuth CID tags for such apps
aren't any more reliable than the existing method of including something
like "([[WP:TW|TW]])" in the edit summary. On the other hand, this in
itself shouldn't compromise end-user security, because the malicious app
would still have to steal the access token from the legitimate app's
storage on the end user's computer.

As far as I can tell from looking around, no one really has a solution for
this. There are reports that Twitter blocks the consumer key if it finds it
has been compromised, which is widely criticized. On the opposite end, it
seems Google just lets such apps use "anonymous" for the consumer secret,
and presumably doesn't try to positively identify the consumer at all.


--
Brad Jorsch (Anomie)
Software Engineer
Wikimedia Foundation
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OAuth

Nicolas Vervelle-4
In reply to this post by Chris Steipp
On Wed, Aug 21, 2013 at 5:04 PM, Chris Steipp <[hidden email]> wrote:

> On Wed, Aug 21, 2013 at 2:05 AM, Nicolas Vervelle <[hidden email]
> >wrote:
>
> > Hi,
> >
> > I'm completely new to OAuth, so bear with me if my questions are basic
> or I
> > missed a point ;-)
> > It seems interesting, but seems very oriented for web applications, not
> so
> > much for desktop applications.
> >
>
> This is true, for exactly the reason you were asking about-- the secret key
> needs to be kept private, which is impossible when you distribute the
> application to other users. OAuth 2 has a framework for dealing with this,
> but it makes controlling consumers nearly impossible. So we wanted to start
> with OAuth 1 while everyone gets familiar with the concepts, and we see
> which use cases actually get used. We may extend the framework to allow
> situations like this in the future.
>
> The best workaround now is probably to have each user register their copy
> of your desktop application as its own consumer. It's a little ugly having
> to give your user instructions on cutting and pasting tokens and keys
> around, but it can work (in the early days of Salesforce, several OAuth
> apps were configured this way).
>

Seems very complex for users, so I won't go that way for WPCleaner.
Is it possible to use only one client, with the secret key included in the
distribution ?
(A user with enough determination will be able to extract it)
This would mean that there's not 100% certainty about the client being the
true one.
But, the attacker would only be able to impersonate the application, not
the user.



> >
> > I'm interested in developing this for WPCleaner [1], which is a desktop
> > application.
> > Is the callback URL required ? If so, which one should you use for a
> > desktop application ?
> >
>
> For bots too, I'd like to have the extension implement something like
> https://developers.google.com/accounts/images/OauthUX_nocallback.pngdirectly
> in the extension, but that wasn't something we were able to finish before
> this release.
>

Ok, so unless there's a mechanism to work without callback URL, there's no
way for a desktop application to work.
I something like that is implemented, I will look again at OAuth for
WPcleaner.

Nico
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OAuth

Brad Jorsch (Anomie)
On Fri, Aug 23, 2013 at 10:38 AM, Nicolas Vervelle <[hidden email]>wrote:

> On Wed, Aug 21, 2013 at 5:04 PM, Chris Steipp <[hidden email]>
> wrote:
>
> > For bots too, I'd like to have the extension implement something like
> >
> https://developers.google.com/accounts/images/OauthUX_nocallback.pngdirectly
> > in the extension, but that wasn't something we were able to finish before
> > this release.
>
> Ok, so unless there's a mechanism to work without callback URL, there's no
> way for a desktop application to work.
> I something like that is implemented, I will look again at OAuth for
> WPcleaner.
>

https://gerrit.wikimedia.org/r/#/c/80569/


--
Brad Jorsch (Anomie)
Software Engineer
Wikimedia Foundation
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OAuth

Petr Bena
I am just wondering if we really need so complicated names like

[[Special:MWOAuthManageMyGrants]]

Couldn't it be just [[Special:MWOAuthManage]]

or  [[Special:MWOAuthGrants]]



On Fri, Aug 23, 2013 at 5:52 PM, Brad Jorsch (Anomie)
<[hidden email]> wrote:

> On Fri, Aug 23, 2013 at 10:38 AM, Nicolas Vervelle <[hidden email]>wrote:
>
>> On Wed, Aug 21, 2013 at 5:04 PM, Chris Steipp <[hidden email]>
>> wrote:
>>
>> > For bots too, I'd like to have the extension implement something like
>> >
>> https://developers.google.com/accounts/images/OauthUX_nocallback.pngdirectly
>> > in the extension, but that wasn't something we were able to finish before
>> > this release.
>>
>> Ok, so unless there's a mechanism to work without callback URL, there's no
>> way for a desktop application to work.
>> I something like that is implemented, I will look again at OAuth for
>> WPcleaner.
>>
>
> https://gerrit.wikimedia.org/r/#/c/80569/
>
>
> --
> Brad Jorsch (Anomie)
> Software Engineer
> Wikimedia Foundation
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OAuth

Chris Steipp
In reply to this post by Nicolas Vervelle-4
On Fri, Aug 23, 2013 at 7:38 AM, Nicolas Vervelle <[hidden email]>wrote:

> > The best workaround now is probably to have each user register their copy
> > of your desktop application as its own consumer. It's a little ugly
> having
> > to give your user instructions on cutting and pasting tokens and keys
> > around, but it can work (in the early days of Salesforce, several OAuth
> > apps were configured this way).
> >
>
> Seems very complex for users, so I won't go that way for WPCleaner.
> Is it possible to use only one client, with the secret key included in the
> distribution ?
> (A user with enough determination will be able to extract it)
> This would mean that there's not 100% certainty about the client being the
> true one.
> But, the attacker would only be able to impersonate the application, not
> the user.


Unfortunately, no. This is one of the subtleties of OAuth 1. Since we don't
require HTTPS for getting the user token, or using a user token, it's
possible to impersonate a user by compromising the consumer's secret key if
the attacker has also been able to sniff traffic generated by that consumer
also.

It does sound like the current iteration of the extension may not be the
best fit. But it's good to know about these use cases, so we can set
priorities for future development.
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OAuth

Chris Steipp
In reply to this post by Petr Bena
On Fri, Aug 23, 2013 at 8:59 AM, Petr Bena <[hidden email]> wrote:

> I am just wondering if we really need so complicated names like
>
> [[Special:MWOAuthManageMyGrants]]
>
> Couldn't it be just [[Special:MWOAuthManage]]
>
> or  [[Special:MWOAuthGrants]]
>
>
I think it would make sense. Could you open an enhancement bug so we don't
loose track of it?
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OAuth

Helder .
Done:
https://bugzilla.wikimedia.org/show_bug.cgi?id=53322


On Fri, Aug 23, 2013 at 1:22 PM, Chris Steipp <[hidden email]> wrote:

> On Fri, Aug 23, 2013 at 8:59 AM, Petr Bena <[hidden email]> wrote:
>
> > I am just wondering if we really need so complicated names like
> >
> > [[Special:MWOAuthManageMyGrants]]
> >
> > Couldn't it be just [[Special:MWOAuthManage]]
> >
> > or  [[Special:MWOAuthGrants]]
> >
> >
> I think it would make sense. Could you open an enhancement bug so we don't
> loose track of it?
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l