Platform Engineering Team/API Value Stream/API Demo Sept 02, 2021

API DEMO 2021-09-02

Topic                   | Objectives                                                        | Presenter
Overview of API Process | A high level view of how and what the API team will produce       | Seve Kim
OAuth Flows             | The different OAuth flows that exist in the API Portal            | Nikki Nikkhoui

Notes/Q&A

  • How does an Auth strategy impact our authentication flows that were demoed?
    • We do have a sense that, given the way we are hosting our API web services, they have gone and leveraged some data from api1 to api2.
    • [NN] Different methods of authentication result in challenges because not all clients can use OAuth
    • [BP] from a production standpoint we have a split mind on authentication.
      • MediaWiki has the capabilities to authenticate through OAuth
      • Legacy system
    • [CC] not sure if it is an implementation issue or an issue more generally with OAuth
      • [BP] +1 problem isn't OAuth itself
      • Having the right code and right endpoints in order to complete an interaction
    • [NN] existing tickets log these issues
    • [BP] if we see you are a valid person
      • Authentication vs authorization
      • MediaWiki core is the authorization server that determines what capabilities we already have
    • [SK] from the perspective of is it more upstream or downstream, there are definite end-user issues because of the inconsistencies of the user authentication methods
      • Dependency on what security decides auth should be
    • Right now we are straddling across Cloud Services and Kubernetes
  • How are we doing it right now?
    • Initially chose OAuth without ensuring everyone was
  • What is WMCS doing now?
    • Use bot passwords: Manual:Bot passwords - MediaWiki
  • How does Auth impact Rate limiting and other capabilities
    • You have the keys and so you have a certain amount of assurances to create a hash that contains the rate limiting information
  • API key = client identity that gets generated by OAuth right now
  • [CC] There would be a lot of wins for us to create our own authentication component that is not tied to core MediaWiki
  • Key vs token
    • Key identifies the application
      • Using client secret to validate
    • Tokens - are access tokens that have longer lives
  • Can we look at solving for authentication at the user persona