@hoo approved my new consumer, switching phabricator to use the new one now.

And that's done. I was able to log in with oauth after inputting the new oauth consumer keys.

@csteipp: I am relatively sure that this couldn't enable a major security breach since the oauth provider on mediawiki.org does not enable any api access, however, I may not fully understand the implications. Am I missing anything? Does this need to be treated as a potential security breach?

Hi @mmodell , I can't say that I understand the oAuth stuff deeply enough to be in the escalation path for this. I might be able to take ownership of the general "escalation path" issue (not just for oAuth, but generally as part of a decision tree that includes oAuth), but I would need the help of a lot of people to put us on an incremental path toward a reasonably robust solution. I seem to recall that there's a task about this already (possibly even assigned to me). Mukunda, do you anticipate that the escalation path problem for oAuth will likely be an urgent 24x7 problem in the near term?

@RobLa-WMF I don't think so. It was mainly a misunderstanding - I didn't realize I could re-generate the token without anyone's approval. (See my last edit to this task's description)

The only remaining issue is for csteipp to confirm that I haven't underestimated the severity of what I did. The old oauth token was disabled within a few minutes and I don't really think it is possible for the token to be used for seriously damaging purposes. Despite all that, I would appreciate someone checking my assumptions before I close this task.

Thanks for the explanation, @mmodell! I'm glad you got a little jumpy when you weren't sure if you'd opened up a big security hole; it's great knowing people are diligent about security concerns.

Just FYI, the "escalation path" issue from my earlier comment is T115852, which I'm suggesting we treat as an TechCom-RFC.

Glad this got resolved! @mmodell, feel free to call/text/hangout me in the future if you need me right away.

@csteipp: I am relatively sure that this couldn't enable a major security breach since the oauth provider on mediawiki.org does not enable any api access, however, I may not fully understand the implications. Am I missing anything? Does this need to be treated as a potential security breach?

Yeah, the risk if very low from this since all of the Consumers have had no grants-- so even if someone used it and phished users into approving it, they wouldn't be able to do anything as the user.

We should revoke the old key, 038ec949b263dc807b0079fd88538f37. I'll do that.

Oh, looks like you reset the secret. That's good enough.

And it would probably be good to reset the secret for e3da7a1b8fcd55b28316c9913e1688b7 that you posted on this ticket. Just so it's not available in Phab content.

If someone can MITM the connection between Phabricator and mediawiki.org, they could also forge identity assertions if they have that secret, so best to not leave it around anywhere it doesn't have to be.

@csteipp: Ok I'll reset the secret once again, it will definitely be safer to not have it stored somewhere that's easily exposed. And thank you for checking my assumptions.

I apologize for being careless and also for pinging a bunch of people on a sunday.

Probably no reason to.