Page MenuHomePhabricator
Create Task
Maniphest T234677

Support Free and Open Source software API clients with OAuth 2.0
Closed, ResolvedPublic
Actions

Description

"As a Developer, I want to release my API client software under a Free and Open Source software license, so that [I can empower users, follow my personal principles, and garner support from other software developers]."

(There are probably another hundred reasons someone wants to release software as FLOSS; I don't think that it's important to describe those. I'm happy to change the justification to "because I want to" if we get too hung up on the reasons.)

Our use of OAuth 2.0 client IDs needs to support FLOSS clients. They can't easily keep a client ID/client secret pair secret because the source code is available (although there are options, like providing the key at build time), so we need to have other mechanisms or flows that work.

This isn't a user story on https://www.mediawiki.org/wiki/Core_Platform_Team/Initiatives/OAuth2 , but an open question. I decided to make it a user story here so we can think of it as a problem to solve.

Related Objects
Search...

Event Timeline

eprodromou created this task.Oct 4 2019, 5:17 PM
eprodromou removed a subscriber: sbassett.Oct 4 2019, 6:53 PM
tstarling subscribed.Nov 12 2019, 6:14 AM

My interpretation of RFC 6749 is that the client_id is not secret, regardless of source code license. Section 2.2 says "The client identifier is not a secret; it is exposed to the resource owner and MUST NOT be used alone for client authentication." So I'm not sure if there is any special problem we need to solve here.

tstarling mentioned this in T234666: Use OAuth 2.0 With Client Developer's Authorization.Nov 12 2019, 6:22 AM
eprodromou updated the task description. (Show Details)Nov 20 2019, 5:43 PM
In T234677#5655125, @tstarling wrote:

My interpretation of RFC 6749 is that the client_id is not secret, regardless of source code license. Section 2.2 says "The client identifier is not a secret; it is exposed to the resource owner and MUST NOT be used alone for client authentication." So I'm not sure if there is any special problem we need to solve here.

Thanks for the note. I updated it to point out that the client ID/client secret pair needs to be kept secret, not the ID itself.

eprodromou added a comment.Nov 20 2019, 6:15 PM

I think the state of the art is to not provide a client secret for Open Source, native, or browser-based clients. https://aaronparecki.com/oauth-2-simplified/#creating-an-app

Chicocvenancio awarded a token.Jan 21 2020, 2:00 PM
CCicalese_WMF edited projects, added Core Platform Team Initiatives (MW REST API in PHP); removed Core Platform Team Initiatives (OAuth 2.0).Mar 18 2020, 9:48 PM
Aklapper removed EvanProdromou as the assignee of this task.May 25 2021, 8:39 PM
Aklapper added a subscriber: EvanProdromou.
LucasWerkmeister mentioned this in T323867: Clarify use of non-confidential OAuth 2.0 clients.Nov 27 2022, 12:38 PM
LucasWerkmeister subscribed.Nov 27 2022, 12:43 PM

My understanding is that this task is mostly done, because MediaWiki nominally supports non-confidential clients now: you can indicate at consumer registration time whether a client should be confidential or not, and non-confidential clients can get an access token and make authenticated requests based on only their client ID, without using the client secret.

That said, there’s at least one remaining issue with non-confidential clients (T323855: OAuth 2.0 non-confidential clients cannot use refresh tokens), and also, MediaWiki still generates a client secret for non-confidential clients (contrary to the “state of the art” mentioned above), which is confusing: I’m seeking some clarification in T323867: Clarify use of non-confidential OAuth 2.0 clients.

LucasWerkmeister mentioned this in T322944: Allow authenticated requests via OAuth to the Action API from any origin.Nov 27 2022, 12:55 PM
LucasWerkmeister added a project: MediaWiki-extensions-OAuth.
waldyrious awarded a token.Jun 4 2023, 6:15 PM
waldyrious subscribed.
TuukkaH subscribed.Jun 29 2023, 3:16 PM
Tgr closed this task as Resolved.Jul 1 2023, 11:30 PM
Tgr subscribed.

FWIW, FLOSS is a distraction here: if you include the client secret in your application and distribute your application to users, it's not a secret anymore. Not being FLOSS just makes it slightly harder to extract. So the task should really be about supporting clients which are under the control of the user (as opposed to a web application) - "public clients", as the OAuth 2 spec calls them.

As @LucasWerkmeister says this is done though, we follow RFC 7636 and require a PKCE challenge for public clients. Minor issues are probably better discussed in separate tasks.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL