Page MenuHomePhabricator
Create Task
Maniphest T167813

Requests with an owner-only consumers results in a "Invalid signature" error
Closed, InvalidPublic
Actions

Description

I have an owner-only OAuth consumer. When I make a request to:
https://meta.wikimedia.org/wiki/Special:OAuth/identify
I get the following error:

An error occurred in the OAuth protocol: Invalid signature

Or if I make a request to:
https://meta.wikimedia.org//w/api.php?action=query&format=json&list=users&usprop=blockinfo%7Cgroups%7Ceditcount%7Cregistration%7Cemailable%7Cgender&ususers=DBarratt+(WMF)

I get the following error:

The authorization headers in your request are not valid: Invalid signature
See https://meta.wikimedia.org/w/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce> for notice of API deprecations and breaking changes.

I've tried this with mediawiki/oauthclient, Guzzle OAuth Subscriber, and Postman with the same result(s). I've also tried SHA1 and RSA signature methods. My only conclusion is that owner-only OAuth consumers do not work. :(

Related Objects

Event Timeline

dbarratt created this task.Jun 13 2017, 4:10 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 13 2017, 4:10 PM
dbarratt mentioned this in T167187: Epic ⚡️ : Implement DMCA and CP takedown report tools.Jun 13 2017, 4:14 PM
dbarratt updated the task description. (Show Details)Jun 13 2017, 4:18 PM
dbarratt added a subscriber: Tgr.Jun 13 2017, 4:27 PM
Reedy removed a project: MediaWiki-extensions-OAuthAuthentication.Jun 13 2017, 4:53 PM
Tgr added a comment.Jun 20 2017, 4:05 PM

When I make a request to:
https://meta.wikimedia.org/wiki/Special:OAuth/identify
I get the following error:
An error occurred in the OAuth protocol: Invalid signature

That's a known bug (T59500): you need to use https://meta.wikimedia.org/w/index.php?title=Special:OAuth/identify
(Maybe it didn't affect /identify in the past, only /initiate and such? I can't remember)

Other than that, works fine for me with a brand new consumer:

import jwt
import requests
requests_oauthlib import OAuth1

auth = OAuth1('consumer_key', 'consumer_secret', 'access_key', 'access_secret')

r=requests.get(url='https://meta.wikimedia.org/w/index.php', params={'title': 'Special:OAuth/identify'}, auth=auth)
jwt.decode(r.text, verify=False)
# {u'username': u'Tgr (WMF)', ...

requests.get(url='https://meta.wikimedia.org/w/api.php', params={'action': 'query', 'list': 'users', 'ususers': 'DBarratt (WMF)', 'usprop': 'blockinfo|groups|editcount|registration|emailable|gender', 'format': 'json'}, auth=auth).json()
# {u'batchcomplete': u'', u'query': {u'users': [{u'editcount': 6, u'name': u'DBarratt (WMF)', u'gender': u'unknown', u'userid': 16136791, u'groups': [u'*', u'user', u'autoconfirmed'], u'registration': u'2017-05-30T16:26:09Z', u'emailable': u''}]}}
Tgr added a comment.Jul 4 2017, 4:09 PM

Would you be able to provide step-by-step reproduction steps for the problem?

Tgr closed this task as Invalid.Oct 31 2017, 9:42 PM

Closing as non-reproducible.

Capt_Swing mentioned this in T247474: Unable to get edit token - invalid signature in authorization header.Mar 11 2020, 11:03 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits