Make OAuth session persistent in Phabricator
Open, Low, Public, Feature

Description

See T136117: Make OAuth session persistent in CopyPatrol and https://www.mediawiki.org/wiki/OAuth/For_Developers#Avoid_repetitive_login_prompts. It would be awesome if Phabricator worked this way, taking a step out of logging in every time and making it feel more seamlessly integrated into SUL.

Event Timeline

Could you elaborate which steps you perform that require you to log in every time?
I'm not sure I understand what is requested here... :-/

Could you elaborate which steps you perform that require you to log in every time?
I'm not sure I understand what is requested here... :-/

  1. Be logged in on SUL
  2. Click log in button
  3. Click Login or register: MediaWiki button
  4. Have to re-allow Phabricator to access OAuth data

Aklapper changed the subtype of this task from "Task" to "Feature Request". Nov 3 2023, 10:52 AM

Current https://www.mediawiki.org/w/index.php?title=OAuth/For_Developers&oldid=6456529 says:

Applications which only need minimal privileges (have been registered as User identity verification only) can use /authenticate instead of /authorize in step 2. This works the same way, but the user will only see the authorisation dialog if they have not authorised this application before; otherwise the authorisation will silently succeed.

So this is "just" about replacing the URI in getAuthorizeTokenURI() at https://gitlab.wikimedia.org/repos/phabricator/extensions/-/blob/wmf/stable/src/oauth/PhutilMediaWikiAuthAdapter.php#L85-87 ?

Says User identity verification only above, that's the case only for phabricator-production Consumer version 1.2 listed on https://www.mediawiki.org/w/index.php?title=Special:OAuthListConsumers ; not for 1.1 and 1.0 listed. (I'm clueless how to find the used version and remove unused consumers there.)

Current https://www.mediawiki.org/w/index.php?title=OAuth/For_Developers&oldid=6456529 says:

Applications which only need minimal privileges (have been registered as User identity verification only) can use /authenticate instead of /authorize in step 2. This works the same way, but the user will only see the authorisation dialog if they have not authorised this application before; otherwise the authorisation will silently succeed.

So this is "just" about replacing the URI in getAuthorizeTokenURI() at https://gitlab.wikimedia.org/repos/phabricator/extensions/-/blob/wmf/stable/src/oauth/PhutilMediaWikiAuthAdapter.php#L85-87 ?

I tested it. If you click "log in with MediaWiki", it redirects to a URL https://www.mediawiki.org/w/index.php?title=Special%3AOAuth%2Fauthorize&oauth_token=5c419d9d28497dc21ec88d074626bd41&oauth_consumer_key=515956f268dcf5738beabe21154df11f

The consumer key 515956f268dcf5738beabe21154df11f corresponds to https://www.mediawiki.org/wiki/Special:OAuthListConsumers/515956f268dcf5738beabe21154df11f, which is version 1.3.1. The value 5c419d9d28497dc21ec88d074626bd41 is different for every request, and the specific URL there won't work because I already used it.

If I manually munge that URL to https://www.mediawiki.org/w/index.php?title=Special%3AOAuth%2Fauthenticate&oauth_token=5c419d9d28497dc21ec88d074626bd41&oauth_consumer_key=515956f268dcf5738beabe21154df11f then it automatically logs me in without an allow button, so yes, it's just what you said it was.

I'm clueless how to find the used version and remove unused consumers there.

You would have to ask one of the OAuth administrators on Meta. The active ones are @Tgr and @bd808

Yeah, that's the magic trick on the OAuth request side: using return $this->getWikiPageURI('Special:OAuth/authenticate'); as the redirect target.

Says User identity verification only above, that's the case only for phabricator-production Consumer version 1.2 listed on https://www.mediawiki.org/w/index.php?title=Special:OAuthListConsumers ; not for 1.1 and 1.0 listed. (I'm clueless how to find the used version and remove unused consumers there.)

https://meta.wikimedia.org/wiki/Special:OAuthListConsumers/view/515956f268dcf5738beabe21154df11f is the grant that is being actively used. This can be determined by examining the URL sent by Phabricator to www.mediawiki.org when attempting to authenticate via OAuth. The 515956f268dcf5738beabe21154df11f consumer key is present in that URL.

I have gone ahead and marked the 4 older grants listed at https://meta.wikimedia.org/wiki/Special:OAuthListConsumers?name=phabricator-production&stage=-1 as disabled.
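
The URL inspection described in this thread (reading the consumer key and the endpoint from the redirect, then switching /authorize to /authenticate) can be scripted. The following is an added example, not part of the task discussion or the Phabricator extension's code; the function names and the sample URL values are constructed, and support for the short `/wiki/` URL form is an assumption.

```python
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

PREFIX = "Special:OAuth/"

def _endpoint(parts, query):
    """Return 'authorize' or 'authenticate' from a Special:OAuth redirect."""
    title = dict(query).get("title")           # /w/index.php?title=... form
    if title is None and parts.path.startswith("/wiki/"):
        title = unquote(parts.path[len("/wiki/"):])   # assumed short form
    if not title or not title.startswith(PREFIX):
        raise ValueError("not a Special:OAuth redirect")
    endpoint = title[len(PREFIX):]
    if endpoint not in ("authorize", "authenticate"):
        raise ValueError("unexpected OAuth endpoint: " + endpoint)
    return endpoint

def inspect_redirect(url):
    """Report which consumer and which endpoint a login redirect uses."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query)
    endpoint = _endpoint(parts, query)
    return {
        "endpoint": endpoint,
        "consumer_key": dict(query).get("oauth_consumer_key"),
        # /authorize shows the approval dialog on every login
        "prompts_every_login": endpoint == "authorize",
    }

def to_authenticate(url, identity_only):
    """Rewrite an /authorize redirect to /authenticate, keeping other params."""
    if not identity_only:
        # The docs limit /authenticate to identity-verification-only consumers.
        raise ValueError("/authenticate requires an identity-only consumer")
    parts = urlsplit(url)
    query = parse_qsl(parts.query)
    _endpoint(parts, query)  # validates that this is an OAuth redirect
    target = PREFIX + "authenticate"
    if "title" in dict(query):
        query = [(k, target if k == "title" else v) for k, v in query]
        return urlunsplit(parts._replace(query=urlencode(query)))
    return urlunsplit(parts._replace(path="/wiki/" + target))

# Constructed sample; the token and key are placeholders, not real values.
SAMPLE = ("https://www.mediawiki.org/w/index.php?title=Special%3AOAuth%2Fauthorize"
          "&oauth_token=CONSTRUCTED_TOKEN&oauth_consumer_key=CONSTRUCTED_KEY")
```

The `consumer_key` returned by `inspect_redirect` is the value to look up on Special:OAuthListConsumers to confirm which consumer version is in use and whether it is registered as identity verification only.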