
Client Developer uses OAuth 2.0 for authorization
Closed, Resolved, Public

Description

"As a Client Developer, I want to have a single API key that I use across all Wikimedia projects and language versions, so I have one relationship to manage with the organization."

Event Timeline

@hnowlan I don't believe there's anything you have to do for Envoy here. We're going to be using bearer tokens for OAuth 2.0 which come in as HTTP headers. As long as we're not doing something crazy like stripping all HTTP headers (!?!), this should just work.

eprodromou triaged this task as High priority. Jun 19 2020, 4:17 PM
eprodromou reassigned this task from eprodromou to hnowlan. Jul 23 2020, 3:05 PM

@hnowlan assigning to you since you're configuring Envoy. I don't think there's a lot of work here, but it's important that we make sure it works.

I don't think the user story matches with my work on the API gateway beyond the basics - staging testing has indicated that we're not mangling any headers specific to authorisation. What would constitute done for this task?

Naike reassigned this task from hnowlan to eprodromou. Aug 7 2020, 11:59 AM
nosmo@ocasey ~ $ curl -H "Authorization: Bearer BAD_TOKEN" https://api.wikimedia.org/core/v1/wikipedia/zh/foo/abc && echo
Jwt is not in the form of Header.Payload.Signature with two dots and 3 sections

This demonstrates that the headers are being passed properly and not mangled by envoy before being checked.

This isn't working for me.

Here's what I do:

Evans-MBP:~ eprodromou$ export TOKEN=`<wikimedia.token` # JWT is in this file
Evans-MBP:~ eprodromou$ curl -H "Authorization: Bearer $TOKEN" https://api.wikimedia.org/core/v1/wikipedia/en/search/page?q=pizza
{"httpCode":401,"httpReason":"Jwt issuer is not configured"}
Evans-MBP:~ eprodromou$ curl -H "Authorization: Bearer $TOKEN" https://en.wikipedia.org/w/rest.php/v1/search/page?q=pizza
# Lots of data

Where is wikimedia.token coming from in this case?

hnowlan claimed this task. Aug 26 2020, 2:18 PM
hnowlan moved this task from Ready to Doing on the Platform Team Workboards (Green) board.

Change 622794 had a related patch set uploaded (by Hnowlan; owner: Hnowlan):
[operations/deployment-charts@master] api-gateway: Make JWT issuer configurable.

https://gerrit.wikimedia.org/r/622794

Change 622799 had a related patch set uploaded (by Hnowlan; owner: Hnowlan):
[operations/deployment-charts@master] api-gateway: Make JWT issuer configurable.

https://gerrit.wikimedia.org/r/622799

Change 622794 merged by jenkins-bot:
[operations/deployment-charts@master] api-gateway: Make JWT issuer configurable.

https://gerrit.wikimedia.org/r/622794

Our OAuth2 tokens do not specify issuer. This isn't a violation of the standard but Envoy 1.15 insists on having this specified - there is a fix in Envoy 1.16. I think I can hack around this short-term, but until that's done we can't use MediaWiki's tokens with Envoy.

Change 625942 had a related patch set uploaded (by Hnowlan; owner: Hnowlan):
[operations/deployment-charts@master] api-proxy: Set password for ratelimit

https://gerrit.wikimedia.org/r/625942

Change 625942 merged by jenkins-bot:
[operations/deployment-charts@master] api-proxy: Set password for ratelimit

https://gerrit.wikimedia.org/r/625942

I'm still seeing an error here. If I check my token on jwt.io, it shows the "iss" property, but I still get {"httpCode":401,"httpReason":"Jwt issuer is not configured"}
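As an added illustration of the two gateway errors quoted in this thread (not code from the api-gateway chart or from Envoy itself): a Python model of a bearer-token check that, like Envoy's JWT filter, selects the verification key by the token's "iss" claim, so a token whose issuer is absent or does not match the configured one is rejected before its signature is ever examined. The issuer URL and the HMAC key are constructed assumptions; the real gateway verifies RSA signatures against the issuer's JWKS.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key and issuer table. The real gateway selects a JWKS by
# issuer and verifies RSA signatures; the issuer URL here is an assumption,
# not the value from the deployment chart.
ISSUER_KEYS = {"https://meta.wikimedia.org": b"constructed-demo-secret"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT for the demo (MediaWiki's OAuth server mints the real ones)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def check_bearer(token: str) -> dict:
    """Gateway-style checks in the filter's order: structure, issuer lookup, signature."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"httpCode": 401, "httpReason": "Jwt is not in the form of "
                "Header.Payload.Signature with two dots and 3 sections"}
    header, payload, sig = parts
    try:
        claims = json.loads(b64url_decode(payload))
        given_sig = b64url_decode(sig)
        if not isinstance(claims, dict):
            raise ValueError("payload is not a JSON object")
    except ValueError:
        return {"httpCode": 401, "httpReason": "Jwt payload or signature is not decodable"}
    # A missing "iss", or one absent from the provider table, fails the same way:
    # the filter has no provider (and so no key) to verify the token with.
    key = ISSUER_KEYS.get(claims.get("iss"))
    if key is None:
        return {"httpCode": 401, "httpReason": "Jwt issuer is not configured"}
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):
        return {"httpCode": 401, "httpReason": "Jwt verification fails"}
    return {"httpCode": 200, "issuer": claims["iss"], "sub": claims.get("sub")}
```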

Change 626342 had a related patch set uploaded (by Hnowlan; owner: Hnowlan):
[operations/deployment-charts@master] api-gateway: Fix isser to match one used by meta

https://gerrit.wikimedia.org/r/626342

Change 626342 merged by jenkins-bot:
[operations/deployment-charts@master] api-gateway: Fix isser to match one used by meta

https://gerrit.wikimedia.org/r/626342

Change 622799 abandoned by Hnowlan:
[operations/deployment-charts@master] api-gateway: Make JWT issuer configurable.

Reason:

https://gerrit.wikimedia.org/r/622799

Can this ticket be closed? JWTs from meta are now valid for use with the gateway.

eprodromou closed this task as Resolved.Sep 22 2020, 5:16 PM