Page MenuHomePhabricator
Create Task
Maniphest T140963

ForeignWikiRequest and getFromForeign will fail if OAuth or bot passwords are in use
Open, Needs TriagePublic
Actions

Description

If a request is being made via OAuth or bot passwords, then getFromForeign and ForeignWikiRequest (used by ApiEchoUnreadNotificationPages and ApiEchoNotifications (with 'wikis' parameter other than current)) will fail.

This shouldn't cause unexpected side effects IIUC, so for now it's just "sorry, that doesn't work". But it is a limitation that will affect Tool Labs, etc. tools people might want to write. This apparently caused T140006: With some accounts but not others, API throws badsession error on OAuth options update when the transition flags were still on.

See discussion at T140127: "Can only obtain a centralauthtoken when using CentralAuth sessions" during auto-creation.

Related Objects

Event Timeline

Mattflaschen-WMF created this task.Jul 21 2016, 12:17 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 21 2016, 12:17 AM
Mattflaschen-WMF mentioned this in T140127: "Can only obtain a centralauthtoken when using CentralAuth sessions" during auto-creation.EditedJul 21 2016, 12:17 AM

We also need to be careful to avoid (if at all possible) triggering this from hooks, etc. in the future, if it could cause side effects.

Mattflaschen-WMF updated the task description. (Show Details)Jul 21 2016, 12:19 AM
Mattflaschen-WMF updated the task description. (Show Details)
Tgr subscribed.Jul 21 2016, 12:47 AM

Also when using bot passwords.

Mattflaschen-WMF renamed this task from ForeignWikiRequest and getFromForeign will fail if OAuth is in use to ForeignWikiRequest and getFromForeign will fail if OAuth or bot passwords are in use.Jul 21 2016, 2:08 AM
Mattflaschen-WMF updated the task description. (Show Details)
In T140963#2482650, @Tgr wrote:

Also when using bot passwords.

Thanks, added.

Anomie subscribed.Jul 21 2016, 2:22 PM
Tgr added a comment.Jul 21 2016, 9:26 PM

The centralauthtoken API will record a token in the central session data and use that to authenticate requests. The only way to access the central session data is via the session ID (to be more specific the session cookie contains a key which addresses the local session data, and that data includes the address of the central session data), so it cannot be done on an OAuth request (or any other request with a nonstandard authentication mechanism such as bot passwords, centralauthtoken, or some other session provider in use on some third-party wiki).

The token could be stored under a key that's computed from the user name or ID in a deterministic fashion; then it could be set up regardless of how the current request was authenticated. Not sure what the security implications of that would be. (The handling of requests from different sessions belonging to the same user would also require some thought.)

Mattflaschen-WMF added a project: Collaboration-Team-Triage.Aug 2 2016, 1:45 AM
Aklapper edited projects, added Growth-Team; removed Collaboration-Team-Triage.Oct 12 2019, 4:13 AM
Aklapper removed subscribers: Anomie, Mattflaschen-WMF.Oct 16 2020, 5:01 PM
MBinder_WMF added a project: Growth-Team-Filtering.Apr 15 2021, 6:59 PM
Ivi104 subscribed.Jan 6 2024, 11:05 PM
Michael mentioned this in T367190: MediaWiki\Extension\Notifications\Api\ApiEchoUnreadNotificationPages::getUnreadNotificationPagesFromForeign: Unexpected API response from {wiki}.Tue, Jun 11, 2:51 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits