When you register on Phabricator using MediaWiki OAuth, it will prompt you for an email address, then send you through an email verification process, even though MediaWiki provides it with an already verified email address. That's a crappy user experience. (It's extra crappy when it happens during Phabricator's own OAuth process, such as in the case of a https://discuss-space.wmflabs.org login-registration, since during email verification Phabricator completely abandons the original action that caused it to prompt the user to register, so the Discourse registration process gets restarted.)
Description
Details
Title | Reference | Author | Source Branch | Dest Branch
---|---|---|---|---
Allow to change email address (from MediaWiki SUL) at account registration | repos/phabricator/phabricator!54 | aklapper | T230590customEmailAddress | wmf/stable
Preset MediaWiki SUL email address via OAuth at account registration | repos/phabricator/extensions!35 | aklapper | T230590accountRegEmail | wmf/stable
Status | Subtype | Assigned | Task
---|---|---|---
Stalled | Feature | Aklapper | T343647 Require WMF email address when registering Phab user account with a WMF SUL account
Resolved | Feature | Aklapper | T230590 Phabricator should reuse confirmed MediaWiki email during registration
Event Timeline
during email verification Phabricator completely abandons the original action that caused it to prompt the user to register, so the Discourse registration process gets restarted
To be a little clearer, this is how it should work:
1. user clicks on "register" in Discourse (discuss-space)
2. user is sent to Phab for OAuth authorization
3. user is not logged in, Phab shows "login" screen (i.e. mediawiki.org SUL login button)
4. user clicks button
5. user is sent to mediawiki.org for the OAuth authorization (for Phab app)
6. user accepts authorization dialog
7. Phab copies verified mediawiki.org email address
8. user is sent back to Phab
9. Phab shows its own OAuth authorization dialog (for Discourse app)
10. user accepts
11. user is sent back to Discourse and logged in
In actual reality, step 7 doesn't happen, and instead of step 9 Phab asks the user to provide an email address, then sends a verification email, then (after verification) doesn't send him anywhere.
Phab copies verified mediawiki.org email address
Does MediaWiki allow accessing a user's email address and/or OAuth allow passing the email address?
Consumers with either the mwoauth-authonlyprivate or the privateinfo grant can use the OAuth profile endpoint to get the email address. (Consumers with privateinfo can also just use the API, e.g. userinfo.)
@Tgr: Thanks for that info. Without it I would not have given this a try! <3
I tried locally (still had a MediaWiki 1.41.0-alpha (bb40716) from 18 July 2023 in parallel to local Phab) and for some reason I do not succeed:
- http://mediawiki.localhost/index.php?title=Special:Preferences shows that my MediaWiki user A123456 has an email address defined.
- Docs at https://www.mediawiki.org/wiki/OAuth/For_Developers say "the response will be a JWT (a signed JSON object) including [...] the email address if the application was registered with the right grant type)."
- My approved local OAuth consumer at http://mediawiki.localhost/index.php?title=Special:OAuthManageConsumers/bdece44fef1db16cb685da2910ec7f24 says:
  - OAuth protocol version: OAuth 1.0a
  - Allow consumer to specify a callback in requests and use "callback" URL above as a required prefix: Yes
  - Applicable grants: User identity verification only with access to real name and email address, no ability to read pages or act on a user's behalf.
  - Applicable project: *
Still, after $this->userinfo = $this->decodeAndVerifyJWT($body, $nonce); in https://gitlab.wikimedia.org/repos/phabricator/extensions/-/blob/wmf/stable/src/oauth/PhutilMediaWikiAuthAdapter.php?ref_type=heads#L120 , a json_encode($this->userinfo) shows that the email address of the MediaWiki user is not included in the data:
'{"userid":17,"username":"A123456","groups":["sysop","*","user","autoconfirmed"],"blocked":false,"editcount":0}' at [/var/www/html/wmfphab/deployment/libext/misc/src/oauth/PhutilMediaWikiAuthAdapter.php:122]
I can successfully register an account via MediaWiki OAuth in my local Phab and the username gets set as the default username in Phab's account registration form, so things generally work. I just do not get the email address of the MediaWiki user, for reasons I don't understand.
You need to confirm the email address (via the button at the bottom of Special:Preferences, or the email you get right after signup, or by using shell.php and doing something like MW::user('my-username')->confirmEmail()). Although you should still have an email field without that, it's just empty. And other data is missing too (the response should have fields like confirmed_email, registered, rights) so I assume this data is already somewhat post-processed?
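An added example (not the extension's code and not written by any commenter) of the decision this thread turns on: verify the identity JWT, then preset the email as already verified only when `confirmed_email` is true. It assumes, following MediaWiki's OAuth developer documentation, an HS256 token signed with the consumer secret that carries `iss`, `aud`, `nonce`, `iat` and `exp`; the function names and all sample values are made up for illustration.

```python
import base64, hashlib, hmac, json, time

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(secret: bytes, head: str, body: str) -> bytes:
    return hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign_sample(claims: dict, secret: bytes) -> str:
    """Build a constructed token standing in for the wiki's identify response."""
    head = _b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64url(_mac(secret, head, body))}"

def verify_identity(token, secret, issuer, consumer_key, nonce, now=None, leeway=30):
    """Return the claims only if signature, issuer, audience, nonce and time check out."""
    head, body, sig = token.split(".")
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    if not hmac.compare_digest(_mac(secret, head, body), _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer or claims.get("aud") != consumer_key:
        raise ValueError("wrong issuer or audience")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    if not claims.get("iat", 0) - leeway <= now <= claims.get("exp", 0) + leeway:
        raise ValueError("token outside validity window")
    return claims

def registration_email(claims: dict):
    """Return (address, verified); only a confirmed address may skip re-verification."""
    email = (claims.get("email") or "").strip()
    if not email:
        return None, False  # grant without private info, or no address set
    return email, claims.get("confirmed_email") is True

# Constructed sample values, not taken from any real wiki or consumer.
SECRET, ISSUER, KEY, NONCE = b"sample-secret", "http://mediawiki.localhost", "sample-key", "n-1"
BASE = {"iss": ISSUER, "aud": KEY, "nonce": NONCE, "iat": 1000, "exp": 1100,
        "username": "A123456"}
CONFIRMED = sign_sample({**BASE, "email": "a@example.org", "confirmed_email": True}, SECRET)
UNCONFIRMED = sign_sample({**BASE, "email": "a@example.org", "confirmed_email": False}, SECRET)
NO_EMAIL = sign_sample(BASE, SECRET)
```

A registration form would prefill the address in all cases where one is returned, but fall back to its own verification mail whenever the second element is `False`.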
aklapper opened https://gitlab.wikimedia.org/repos/phabricator/extensions/-/merge_requests/35
Preset MediaWiki SUL email address via OAuth at account registration
aklapper opened https://gitlab.wikimedia.org/repos/phabricator/phabricator/-/merge_requests/54
Allow to change email address (from MediaWiki SUL) at account registration
brennen merged https://gitlab.wikimedia.org/repos/phabricator/phabricator/-/merge_requests/54
Allow to change email address (from MediaWiki SUL) at account registration
brennen merged https://gitlab.wikimedia.org/repos/phabricator/extensions/-/merge_requests/35
Preset MediaWiki SUL email address via OAuth at account registration