Page MenuHomePhabricator

Korean OAuth redirects when using identify and won't accept signatures using the URL being redirected to
Closed, ResolvedPublic

Description

On the Korean Wikipedia, when attempting to run /identify using the URL https://ko.wikipedia.org/w/index.php?title=Special:OAuth/identify and a signature with said URL encoded, OAuth will redirect to https://ko.wikipedia.org/wiki/%ED%8A%B9%EC%88%98:MWO%EC%9D%B8%EC%A6%9D/identify and reject the signature.

When attempting to run /identify with the URL https://ko.wikipedia.org/wiki/%ED%8A%B9%EC%88%98:MWO%EC%9D%B8%EC%A6%9D/identify encoded into the signature, OAuth will still reject it, thus making OAuth unusable on kowiki.

Event Timeline

Restricted Application added subscribers: revi, Aklapper. · View Herald TranscriptMay 31 2018, 7:52 PM

The redirect is happening from SpecialPageFactory::executePath(). We could avoid it by either making "OAuth" the canonical local name for the special page in the alias file, or just override SpecialPage::getLocalName() in SpecialMWOAuth to return 'OAuth' when OAuth headers are present.

Change 436621 had a related patch set uploaded (by Anomie; owner: Anomie):
[mediawiki/extensions/OAuth@master] Avoid SpecialPageFactory redirect of Special:OAuth

https://gerrit.wikimedia.org/r/436621

Tgr added a comment.May 31 2018, 8:07 PM

Affected wikis are ar, arz, ko, lrc, ur (and maybe languages which have these in the fallback chain). We should probably send some notification.

Change 436621 merged by jenkins-bot:
[mediawiki/extensions/OAuth@master] Avoid SpecialPageFactory redirect of Special:OAuth

https://gerrit.wikimedia.org/r/436621

Tgr closed this task as Resolved.Jun 3 2018, 1:45 PM

Affected wikis are ar, arz, ko, lrc, ur (and maybe languages which have these in the fallback chain). We should probably send some notification.

I mass-messaged the affected Wikipedias with

== Change in OAuth behavior in your language ==
Hi,

the behavior of the [[mw:Extension:OAuth|OAuth extension]] in the ar, arz, ko, lrc, ur languages will change next week. OAuth is an extension used by external tools to get permission from editors to act in their name. Currently the page [[Special:OAuth]] will redirect to the translated version of the special page name;
 starting next week, when used by an external tool (that is, when the request has an Authorization: header), that won't happen anymore.

This makes the behavior of the extension more consistent and intuitive, but migh
t break current tools (which need to update the URL they use). If your language
community has Wikimedia tool developers, please notify them.

See [[phab:T196102]] for more information. Thanks! --[[m:User:Tgr (WMF)|Tgr (WMF)]] ([[m:User talk:Tgr (WMF)|talk]] ~~~~~

and sent an email to wikitech-l and cloud-announce. That should be enough communication.

Vvjjkkii renamed this task from Korean OAuth redirects when using identify and won't accept signatures using the URL being redirected to to 1vbaaaaaaa.Jul 1 2018, 1:06 AM
Vvjjkkii reopened this task as Open.
Vvjjkkii removed Anomie as the assignee of this task.
Vvjjkkii triaged this task as High priority.
Vvjjkkii updated the task description. (Show Details)
Vvjjkkii edited subscribers, added: Anomie; removed: gerritbot, Aklapper.
Cyberpower678 renamed this task from 1vbaaaaaaa to Korean OAuth redirects when using identify and won't accept signatures using the URL being redirected to.Jul 1 2018, 2:14 PM
Cyberpower678 closed this task as Resolved.
Cyberpower678 assigned this task to Anomie.
Cyberpower678 raised the priority of this task from High to Needs Triage.
Cyberpower678 updated the task description. (Show Details)
Cyberpower678 edited subscribers, added: Aklapper, GerritBot; removed: Anomie.