Liam --
Thank you for this. I know this wasn't an easy pivot to ask for, and I really appreciate it. It's only fair that we do something in return, so ..
- I'll help review the revised version of the proposal (feel free to poke me directly);
- We'll help to give you and Dan pointers (to the right people if needed) re: the use of OAuth, existing libraries, etc.
- If we get underway, we'll help think through options for a long term hosting strategy with you (in Labs or beyond).
I'm overall very supportive of the aims of the project -- I think a truly specialized tool for GLAMs would go a long way to attract them to our movement. To start with, here are a few notes & pointers:
1) I checked with our product team if they see any blockers for GWT to use OAuth. Dan Garry, who PM'd the initial OAuth implementation, didn't. These especially relevant permissions are already available:
- uploadfile, which supports only uploading new files
- uploadeditmovefile, which supports uploading, editing and moving files
- highvolume, which allows making a large number of requests in a short timeframe
2) There are a number of existing libraries and implementations of MW OAuth that may serve as good examples. In Python we have http://pythonhosted.org/mwoauth/ , and Magnus' tools are also a great place to look.
3) Please note that the OAuth implementation is designed for _web_ use; it won't work yet for downloadable applications. (In short, a different security model applies when you're distributing code to the end user, and that requires a bit more work on our end and a later version of the protocol.) The overall OAuth experience should be reasonable; we're working through the set of issues tracked in https://phabricator.wikimedia.org/T86869 to make it really solid.
We _will_ help you with this if you encounter issues as you go.
Erik