Provide OAuth access to Conduit
Open, Needs TriagePublic
Actions

Assigned To

None

Authored By

	rjkaplan
	Feb 17 2015, 10:38 PM

Description

The problem

We have an internal website (let's call it error-viewer) for triaging errors in a particular service. We want to integrate this website with maniphest by adding the ability to associate a maniphest task with each error. We'd like this to be possible without ever having to leave error-viewer.

Specifically, each item in error-viewer should be in one of two states:

(1) Associated with a maniphest task, in which case the item should have some visual indication of whether the task is open or closed. Users should be able to mark a maniphest task as open/closed without ever leaving error-viewer.
(2) Not associated with a maniphest task, in which case the item should have a button that lets me create a maniphest task without leaving error-viewer.

When a task is created, opened or closed from error-viewer, the associated task in maniphest should show which user closed the task. It shouldn't say "Maniphest-bot closed this task" -- it should say "rjkaplan closed this task".

Considered solutions

Create tasks by sending an email to bugs@ourphabricatorinstance.com. This doesn't provide a way to update tasks or query their status from error-viewer.
Ask the user for their conduit API certificate and use the conduit API to make these requests. This is an annoyance for each new person to use our website (they have to find their certificate in the phabricator UI and give it to us). It's also less secure in all the ways that single-certificate based auth is less secure than OAuth. Won't go into that here.
Create an admin user "Conduit-API-bot" and use its conduit API certificate and the "actAsUser" feature in the conduit API to pretend to be whatever user is logged in. But the "actAsUser" functionality is deprecated (for good reason).
Use OAuth! This seems ideal (much easier to go through an OAuth flow than to find your certificate in the phabricator UI and give it to us - also feels less sketchy) but you can't create tasks through the OAuth API because ManiphestCreateTaskConduitAPIMethod::getRequiredScope resolves to ConduitAPIMethod::getRequiredScope which returns PhabricatorOAuthServerScope::SCOPE_NOT_ACCESSIBLE.

Revisions and Commits

rPHU libphutil
	D15628	rPHU22a0253e08fd Allow ConduitClient to use OAuth access tokens for authentication
rP Phabricator
	D15621	rP5dec03af323f Make OAuth scope handling more flexible
	D15620	rP8dfc7d4201fd Allow OAuth applications to be disabled instead of destroyed
	D15609	rP57f016b166de Convert OAuthServer to Transactions + EditEngine
	D15606	rP5f957807a725 Update OAuthServer for modern SearchEngine fields
	D15594	rPe55522cade3f Implement "auth.logout" Conduit API method
	D15593	rP60133b6fa5d5 Begin cleaning up OAuth scope handling
	D15592	rP694a8543d809 Modernize some OAuth Server code

Related Objects
Search...

Status	Assigned	Task
Open	None	T9303 Improve Phacility Onboarding/NUX
Resolved	epriestley	T7673 Make "Log Out" on Phacility instances behave in a way better aligned with user expectation
Open	None	T7303 Provide OAuth access to Conduit
Resolved	epriestley	T5873 Update Conduit for ApplicationTransactions, CustomFields and Edges
Resolved	epriestley	T9132 Build an ApplicationEditor abstraction
Resolved	epriestley	T5752 Navigation menus should work correctly on mobile by default
Resolved	chad	T8099 Mid-2015 Phabricator Redesign
Resolved	chad	T8338 Unable to re-arrange Maniphest tasks into 1st row when dragging (redesign branch)
Resolved	chad	T8339 Allow setting of icons in maniphest.status
Resolved	chad	T8341 Identify anywhere we didn't use icons where barColor was used
Resolved	chad	T8342 Design a new PHUIPagerView, allow setting to objects
Resolved	chad	T8549 Feedback on 2015 Redesign
Open	None	T9690 Remove calls to methods deprecated by newPage()
Resolved	None	T9871 Some PHUI form controls do not have identifiable "disabled" states
Duplicate	None	T9913 ApplicationEditor stacked comment actions can't be removed on mobile

Event Timeline

rjkaplan created this task.Feb 17 2015, 10:38 PM

rjkaplan raised the priority of this task from to Needs Triage.

rjkaplan updated the task description. (Show Details)

rjkaplan added a project: Maniphest.

rjkaplan updated the task description. (Show Details)

rjkaplan added a subscriber: rjkaplan.

This is probably at least partially blocked on T5873, which we should sort out before expanding API access.

angie added a project: Restricted Project.May 20 2015, 5:05 PM

epriestley mentioned this in T8835: Replacement for actAsUser in Conduit API.Jul 14 2015, 2:20 PM

epriestley mentioned this in T7304: Add CORS support to Conduit API.Sep 10 2015, 1:35 AM

angie added subscribers: angie, jhurwitz.Sep 10 2015, 4:51 PM

epriestley moved this task from Backlog to vNext on the Maniphest board.Dec 4 2015, 7:11 PM

epriestley renamed this task from Provide a way to create/edit tasks through the OAuth API to Provide OAuth access to Conduit.Dec 4 2015, 7:58 PM

epriestley edited projects, added Conduit; removed Maniphest.

epriestley moved this task from Backlog to Future on the Conduit board.Dec 8 2015, 10:50 PM

eadler added a project: Restricted Project.Jan 9 2016, 1:05 AM

eadler moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

igoldberg added a subscriber: igoldberg.Jan 27 2016, 10:02 AM

Any update here? As far as I can tell it's also impossible to use any of the differential API endpoints using OAuth .

Please see Planning. We update tasks when new information is available, we don't have a secret shadow tracker with lots of juicy secrets that we aren't sharing.

epriestley mentioned this in T5020: Phabricator as a login provider.Apr 3 2016, 1:29 PM

epriestley merged a task: T5020: Phabricator as a login provider.

epriestley added subscribers: edibiase, jithu.

Herald added a subscriber: eadler. · View Herald TranscriptApr 3 2016, 1:29 PM

epriestley added a parent task: T7673: Make "Log Out" on Phacility instances behave in a way better aligned with user expectation.Apr 3 2016, 1:31 PM

This is the only difficult blocker for T7673, a bad behavior which is annoying and sort of user-hostile, so I'd like to at least plan our way through it.

This is probably not difficult to implement, but seems somewhat difficult to design. In particular, I would like both users and administrators to have granular control over what third-party applications are permitted to do so that OAuth isn't a convenient button which gives away the keys to the kingdom.

Maybe the flow goes like this:

Permissions are granular: an exhaustive list of callable Conduit methods.
OAuth Applications (in the "host" Phabricator) have controls for configuring application access. You can set each method to "Allowed" or "Disallowed". If a method is disallowed, the application is never permitted to request access for it.
Users confirm that they want to allow access.

So an application that wants to do something needs to get permission from the administrator via the application, and permission from the user via scope workflow. That seems fairly reasonable, and better than the Facebook/GitHub/etc case because the administrator is usually not the application owner here so this is a meaningful check on application power, while they usually are in those cases so it's pointless for an application to restrict access.

One possible issue is that Conduit methods may not be granular enough. For example, providing access to project.edit allows a client to both create and update projects. T7673 will add some sort of auth.logout method -- do applications need separate permission to log out their own tokens/sessions vs log out all web sessions vs log out all sessions across all token types?

I can't really think of any use cases where this particularly matters and isn't reasonably navigable, though.

This does mean that administrative configuration of OAuth server applications will be a huge pain if they need a lot of permissions, but I think that's generally fine, and we could make the UI easier down the road.

epriestley added a revision: D15592: Modernize some OAuth Server code.Apr 3 2016, 2:27 PM

epriestley added a revision: D15593: Begin cleaning up OAuth scope handling.Apr 3 2016, 3:41 PM

epriestley added a revision: D15594: Implement "auth.logout" Conduit API method.Apr 3 2016, 4:13 PM

epriestley added a revision: D15606: Update OAuthServer for modern SearchEngine fields.Apr 4 2016, 2:15 PM

epriestley added a commit: rP694a8543d809: Modernize some OAuth Server code.Apr 4 2016, 4:11 PM

epriestley added a commit: rP60133b6fa5d5: Begin cleaning up OAuth scope handling.

epriestley added a commit: rPe55522cade3f: Implement "auth.logout" Conduit API method.

epriestley added a commit: rP5f957807a725: Update OAuthServer for modern SearchEngine fields.

epriestley added a revision: D15609: Convert OAuthServer to Transactions + EditEngine.Apr 4 2016, 6:05 PM

epriestley added a commit: rP57f016b166de: Convert OAuthServer to Transactions + EditEngine.Apr 5 2016, 8:55 AM

epriestley added a revision: D15620: Allow OAuth applications to be disabled instead of destroyed.Apr 5 2016, 5:15 PM

epriestley added a revision: D15621: Make OAuth scope handling more flexible.Apr 5 2016, 6:11 PM

epriestley added a commit: rP8dfc7d4201fd: Allow OAuth applications to be disabled instead of destroyed.Apr 5 2016, 8:22 PM

epriestley added a commit: rP5dec03af323f: Make OAuth scope handling more flexible.Apr 5 2016, 8:53 PM

epriestley added a revision: D15628: Allow ConduitClient to use OAuth access tokens for authentication.Apr 5 2016, 10:00 PM

epriestley added a commit: rPHU22a0253e08fd: Allow ConduitClient to use OAuth access tokens for authentication.Apr 5 2016, 10:19 PM

eadler moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Jul 4 2016, 9:15 PM

epriestley mentioned this in T11277: Provide a generic SSH public key store for users.Jul 6 2016, 2:42 PM

• ctrladel mentioned this in T11863: A way to set task creator and creation time using the api.Nov 15 2016, 3:43 AM

epriestley mentioned this in T11951: Make conduit more secure.Dec 5 2016, 6:43 PM

epriestley closed subtask T5873: Update Conduit for ApplicationTransactions, CustomFields and Edges as Resolved.Aug 25 2017, 2:29 PM

Herald added a subscriber: alexmv. · View Herald TranscriptAug 25 2017, 2:29 PM

epriestley mentioned this in T12984: Support issues don't have hovercards.Sep 14 2017, 5:46 PM

arend.danielek awarded a token.Apr 5 2018, 11:05 PM

arend.danielek added a subscriber: arend.danielek.

Are there any obvious ways to see scope requirements/availability today, even if it means spelunking into the source code?

Conduit API methods define a getRequiredScope() method, which tells you the scope they require.

Today, there are only actually two scopes, "always" and "never". These methods can "always" be called (any OAuth token is sufficient):

user.whoami
maniphest.status.search
maniphest.priority.search
conduit.query
conduit.getcapabilities
auth.logout

All other methods can never be called.

@epriestley any timing/plans for expanding? Would love to replace our older user token flows with an OAuth flow. We'd need a few other methods though:

maniphest.createtask
maniphest.edit
maniphest.search
project.search
user.search

Plans, yes. Timing is trickier. Currently, we only have one outstanding request for this feature (PHI760, which mostly wants project.search). So it's in queue somewhere, but currently beyond the forecasting horizon.

Even with OAuth, you still can't make AJAX requests to Conduit from client-side JavaScript, right? Is the idea that the backend code uses OAuth to talk to Conduit on a user's behalf?

Provide OAuth access to ConduitOpen, Needs TriagePublicActions