Currently, we don't have a flow that allows refreshing an owner-only OAuth 2.0 token. This isn't that big a deal since the token is set to effectively infinite expiration, but if we ever wanted to allow expiration, we'd need a way to refresh the token after the expiry time.
Description
Description
Related Objects
Related Objects
Event Timeline
Comment Actions
I think there's a strong argument to be made for NEVER having an expiration on owner-only tokens, btw. Since the user and the developer are the same person, they have a lot of other ways of disabling use of the token, such as disabling the key, or... just not running their code.
Comment Actions
The code could be ran by someone else. The token basically acts like a password; if the password is stolen, there must be a way to invalidate it. Disabling the key works, as long as whatever system consumes the token does check whether the key is valid. But the parent task talks about "APIs implemented in NodeJS or another system, which depend on the JavaScript Web Token (JWT) data to tell if a token is expired"; it doesn't make a lot of sense for such a system to not check with MediaWiki whether the token has been revoked, but do check whether the key has been disabled, so I assume it would do neither and just rely on the token as a cryptographic proof of authorization. In that case, infinite expiry does raise the exact same problem for owner-only tokens.
(Also, even if disabling the key would work, the developer would need to understand that that needs to be done and merely resetting the access token is not enough, which is not the case with the current UI.)
Comment Actions
I'll be bold and decline this. Not having to know what OAuth is / to use an OAuth library and explicit authorization flow, and being able to just authenticate by adding a static header is a very appealing feature of OAuth 2 owner-only consumers and I'd like to keep that. If this starts causing issues with non-MediaWiki services which do not verify MediaWiki-issued access tokens, we can revisit.