Page MenuHomePhabricator

"Can only obtain a centralauthtoken when using CentralAuth sessions" during auto-creation
Open, Needs TriagePublic

Description

It seems that during auto-creation of a local account (for an existing global user), you can not use CentralAuth tokens.

See T119736#2451220:

2016-07-10 13:41:27 [V4JQhwpAEHwAAEgXGxgAAAAV] mw1144 commonswiki 1.28.0-wmf.9 exception ERROR: [V4JQhwpAEHwAAEgXGxgAAAAV] /w/api.php?action=query&format=json&origin=https%3A%2F%2Fpl%2Ewikipedia%2Eorg&centralauthtoken=REDACTED&meta=userinfo&uiprop=groups%7Crights   UsageException from line 1487 of /srv/mediawiki/php-1.28.0-wmf.9/includes/api/ApiBase.php: Can only obtain a centralauthtoken when using CentralAuth sessions {"exception_id":"V4JQhwpAEHwAAEgXGxgAAAAV"}
[Exception UsageException] (/srv/mediawiki/php-1.28.0-wmf.9/includes/api/ApiBase.php:1487) Can only obtain a centralauthtoken when using CentralAuth sessions
  #0 /srv/mediawiki/php-1.28.0-wmf.9/extensions/CentralAuth/includes/api/ApiCentralAuthToken.php(51): ApiBase->dieUsage(string, string)
  #1 /srv/mediawiki/php-1.28.0-wmf.9/includes/api/ApiMain.php(1406): ApiCentralAuthToken->execute()
  #2 /srv/mediawiki/php-1.28.0-wmf.9/includes/api/ApiMain.php(471): ApiMain->executeAction()
  #3 /srv/mediawiki/php-1.28.0-wmf.9/extensions/Echo/includes/ForeignWikiRequest.php(39): ApiMain->execute()
  #4 /srv/mediawiki/php-1.28.0-wmf.9/extensions/Echo/includes/ForeignWikiRequest.php(78): EchoForeignWikiRequest->getCentralAuthToken(User)
  #5 /srv/mediawiki/php-1.28.0-wmf.9/extensions/Echo/includes/ForeignWikiRequest.php(58): EchoForeignWikiRequest->getQueryParams(string)
  #6 /srv/mediawiki/php-1.28.0-wmf.9/extensions/Echo/includes/ForeignWikiRequest.php(25): EchoForeignWikiRequest->getRequestParams()
  #7 /srv/mediawiki/php-1.28.0-wmf.9/extensions/Echo/includes/NotifUser.php(710): EchoForeignWikiRequest->execute()
  #8 /srv/mediawiki/php-1.28.0-wmf.9/extensions/Echo/includes/NotifUser.php(741): MWEchoNotifUser->getForeignData()
  #9 /srv/mediawiki/php-1.28.0-wmf.9/extensions/Echo/includes/NotifUser.php(488): MWEchoNotifUser->getForeignCount(string)
  #10 /srv/mediawiki/php-1.28.0-wmf.9/extensions/Echo/Hooks.php(1147): MWEchoNotifUser->resetNotificationCount()
  #11 /srv/mediawiki/php-1.28.0-wmf.9/includes/Hooks.php(195): EchoHooks::onUserSaveSettings(User)
  #12 /srv/mediawiki/php-1.28.0-wmf.9/includes/user/User.php(3952): Hooks::run(string, array)
  #13 /srv/mediawiki/php-1.28.0-wmf.9/includes/auth/AuthManager.php(1678): User->saveSettings()
  #14 /srv/mediawiki/php-1.28.0-wmf.9/includes/Setup.php(861): MediaWiki\Auth\AuthManager->autoCreateUser(User, string, boolean)
  #15 /srv/mediawiki/php-1.28.0-wmf.9/includes/WebStart.php(137): include(string)
  #16 /srv/mediawiki/php-1.28.0-wmf.9/api.php(38): include(string)
  #17 /srv/mediawiki/w/api.php(3): include(string)
  #18 {main}

Echo has been changed in rECHOe63b8799a480: ForeignWikiRequest: Bail early for non-global users (also backported) to stop trying to use CentralAuth here, but I'm wondering if we want this to/it could work.

Event Timeline

Restricted Application added subscribers: Zppix, Aklapper. · View Herald TranscriptJul 12 2016, 4:44 PM

You also can't use API action=centralauthtoken when the user is authenticated using OAuth, which Echo trying to do seems to be what's behind T140006: With some accounts but not others, API throws badsession error on OAuth options update. Removing the requirement for a CentralAuthSession to be in use probably wouldn't fix that since the followup would just fail from having multiple top-priority SessionInfos, unless you're really good about isolating the recursive requests from any main-request state.

IMO FauxRequests to ApiMain are a bad idea in the first place, and all the more so when you're trying to do it before the local user is even set up completely.

jayvdb added a subscriber: jayvdb.Jul 13 2016, 12:25 AM
Tgr added a comment.Jul 18 2016, 6:05 PM

For OAuth this approach won't work in general as the client secret would be needed to sign the subrequest. What would be needed here is a way for a wiki to send a trusted request to another wiki in the same farm, kind of like sudo -u. Which is kind of scary security-wise. Also it's not clear how grants should be handled (when an OAuth consumer which does not have right X makes a request that does not need X on the target wiki but triggers a subrequest to another wiki which does need X).

You also can't use API action=centralauthtoken when the user is authenticated using OAuth, which Echo trying to do seems to be what's behind T140006: With some accounts but not others, API throws badsession error on OAuth options update.

The use of centralauthtoken in saveSettings is resolved, but we still use it if they query ApiEchoUnreadNotificationPages or ApiEchoNotifications (latter depending on parameters). This shouldn't impact random people doing non-Echo things, but I've filed it as T140963: ForeignWikiRequest and getFromForeign will fail if OAuth or bot passwords are in use.