For those who run one of our 76(!) approved OAuth apps, or are using the OAuth extension on their own wiki...
We have a patch [1] from Mitar to allow OAuth apps to pass a configurable callback during the OAuth handshake. This will probably make a lot of app authors' lives easier, but can also open up a couple of avenues of abuse -- specifically, it's needed for covert redirect attacks [2]. If OAuth app authors choose loose callback requirements, which we can assume will happen if we make approvals automatic (bug 65750), and we ever allow public consumers (huggle was asking for that for a long time), then it would be possible for attackers to abuse our OAuth setup.
So far, I've been really conservative about how we use OAuth (there are two other features we would have to enable to make this attack likely). I'd like to hear others' thoughts about:
* Assuming we implement one or two of: dynamic callbacks, automatic approval of apps, or public consumers, but not all three, which are most desired?
* If we do implement all three, we can limit how the callback can differ from what is registered. I put some suggestions on the gerrit patch, but would that cause more confusion than help?
[1] - https://gerrit.wikimedia.org/r/153983
[2] - http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html
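One way to limit how a passed callback may differ from the registered one, as raised in the second question above. This is an added example in Python, not code from the OAuth extension or from the gerrit patch; the consumer URL tool.example.org is constructed. It pins scheme, host and port to the registered value and only lets the requested callback add path segments (at a segment boundary) or a query string, so a lookalike host, a different port, userinfo tricks or dot-segment traversal are all refused.

```python
"""Restrict a per-request OAuth callback to the consumer's registered one.

Constructed example: a consumer registered with REGISTERED may only vary
the callback by appending path segments or a query string; scheme, host,
port and the path prefix (at a segment boundary) must stay the same.
"""
from urllib.parse import urlsplit

REGISTERED = "https://tool.example.org/oauth/callback"  # constructed
OOB = "oob"  # OAuth 1.0a out-of-band marker; never treated as a URL


def _split(url):
    """Return (scheme, host, port, path segments), or None if unusable."""
    parts = urlsplit(url)
    # https only, a real host, no user@ prefix that could mislead a reviewer
    if parts.scheme != "https" or not parts.hostname or parts.username is not None:
        return None
    if parts.fragment:
        return None
    try:
        port = parts.port or 443
    except ValueError:  # non-numeric or out-of-range port
        return None
    segments = [s for s in parts.path.split("/") if s]
    # reject "." and ".." so the prefix check cannot be escaped
    if any(s in (".", "..") for s in segments):
        return None
    return parts.scheme, parts.hostname, port, segments


def callback_allowed(registered, requested):
    """True if `requested` is the registered callback or sits beneath it."""
    if registered == OOB or requested == OOB:
        return registered == requested
    reg = _split(registered)
    req = _split(requested)
    if reg is None or req is None:
        return False
    # scheme, host and port must be identical to the registered values
    if reg[:3] != req[:3]:
        return False
    # requested path must equal the registered path or extend it by whole
    # segments; "/oauth/callbackevil" does not match "/oauth/callback"
    return req[3][: len(reg[3])] == reg[3]
```

A registered callback with an empty path (just the origin) would allow any path on that host, which is exactly the kind of loose registration the thread warns about.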
On 27 August 2014 20:13, Chris Steipp csteipp@wikimedia.org wrote:
> - Assuming we implement one or two of: dynamic callbacks, automatic approval of apps, or public consumers, but not all three, which are most desired?
I would order them:

1. Public consumers. As I understand it, there's no way to work around this, other than having your program connect to your own endpoint which then connects to WMF servers.

2. Dynamic callbacks. These can be worked around (setting a cookie, for instance), but most libraries assume they can set/need to set the callback. Implementing this means more OAuth libs will work with less work.

3. Automatic approval - as long as approval is reasonably fast, I don't see why this is important. Testing can be done with the author's account, even if the consumer has not been approved yet. Maybe that needs to be mentioned more clearly -- it's possible people are not aware of it.
Merlijn
wikitech-l@lists.wikimedia.org