Platform Engineering Team/API Value Stream/API Demo Sept 02, 2021
API DEMO 2021-09-02
Topic | Objectives | Presenter |
---|---|---|
Overview of API Process | A high-level view of how and what the API team will produce | Seve Kim |
OAuth Flows | Different OAuth Flows that exist in the API Portal | Nikki Nikkhoui |
Notes/Q&A
- How does an auth strategy impact the authentication flows that were demoed?
- We do have a sense that, in the way we are hosting our API web services, consumers have leveraged some data from api1 in api2.
- [NN] Different methods of authentication result in challenges because not all clients can use OAuth
- [BP] From a production standpoint we have a split mind on authentication.
- MediaWiki has the capability to authenticate through OAuth
- Legacy system
- [CC] Not sure if it is an implementation issue or an issue more generally with OAuth
- [BP] +1, the problem isn't OAuth itself
- Having the right code and right endpoints in order to complete an interaction
- [NN] existing tickets log these issues
- [BP] if we see you are a valid person
- Authentication vs authorization
- MediaWiki core is the authorization server that determines what capabilities we already have
- [SK] From the perspective of whether it is more upstream or downstream, there are definite end-user issues because of the inconsistencies of the user authentication methods
- Dependency on what security decides auth should be
- Right now we are straddling across Cloud Services and Kubernetes
- How are we doing it right now?
- Initially chose OAuth without ensuring everyone was
- What is WMCS doing now?
- Use bot passwords: Manual:Bot passwords - MediaWiki
- How does auth impact rate limiting and other capabilities?
- You have the keys and so you have a certain amount of assurances to create a hash that contains the rate limiting information
- API key = client identity, which is generated by OAuth right now
- [CC] There would be a lot of wins for us to create our own authentication component that is not tied to core MediaWiki
- Maintain a suite of extensions for auth called Pluggable Auth that lets you connect to MediaWiki from multiple different authenticators
- [BP] https://meta.wikimedia.org/wiki/User:BPirkle_(WMF)/Stuff/MediaWiki_Framework_Thoughts
- Key vs token
- Key identifies the application
- Using the client secret to validate
- Tokens - are access tokens that have longer lives
- Can we look at solving for authentication at the user persona?