Chris has an epic in the mw-core backlog tracking OAuth fixes that we could focus on instead of SOA Auth.
https://phabricator.wikimedia.org/T86869
There are a few things that are compelling about considering a shift of focus to this for me: * We already have a list of things to work on! * Erik is *really* interested in improving OAuth * We started this project and know that there are things we'd like to polish up * This has a more visible impact than core code cleanup * We can probably come up with metrics to go along with it
The down sides: * Authn/z will need work eventually * We need to keep working on SOA Auth RfC either way
Thoughts? I'd be happy to have a conference call with the current team and anyone else who is interested to discuss this if it seems like that would be more efficient.
Bryan