Page MenuHomePhabricator
Create Task
Maniphest T235277

Client Developer uses OAuth 2.0 for authorization
Closed, ResolvedPublic
Actions

Description

"As a Client Developer, I want to have a single API key that I use across all Wikimedia projects and language versions, so I have one relationship to manage with the organization."

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
api-gateway: Make JWT issuer configurable.operations/deployment-chartsmaster+29 -15
api-gateway: Fix isser to match one used by metaoperations/deployment-chartsmaster+3 -3
api-proxy: Set password for ratelimitoperations/deployment-chartsmaster+5 -3
api-gateway: Make JWT issuer configurable.operations/deployment-chartsmaster+29 -15
Customize query in gerrit

Related Objects
Search...

Event Timeline

eprodromou created this task.Oct 11 2019, 3:17 PM
eprodromou edited projects, added Story, Platform Team Workboards (User Stories); removed Platform Team Workboards (Epics), Epic.Oct 11 2019, 3:19 PM
eprodromou removed a project: Platform Engineering.Oct 11 2019, 3:59 PM
eprodromou added a project: Core Platform Team Initiatives (API Gateway).Oct 11 2019, 4:03 PM
eprodromou edited parent tasks, added: T255030: Wikimedia API Gateway MVP; removed: T235271: Wikimedia public API domain.Jun 10 2020, 3:19 PM
eprodromou mentioned this in T246267: Client Developer uses OAuth 2.0 for authorization.Jun 10 2020, 3:29 PM
eprodromou added a subscriber: hnowlan.Jun 19 2020, 4:05 PM

@hnowlan I don't believe there's anything you have to do for Envoy here. We're going to be using bearer tokens for OAuth 2.0 which come in as HTTP headers. As long as we're not doing something crazy like stripping all HTTP headers (!?!), this should just work.

eprodromou triaged this task as High priority.Jun 19 2020, 4:17 PM
eprodromou reassigned this task from eprodromou to hnowlan.Jul 23 2020, 3:05 PM
eprodromou edited projects, added Platform Team Workboards (Green); removed Platform Team Workboards (User Stories).

@hnowlan assigning to you since you're configuring Envoy. I don't think there's a lot of work here, but it's important that we make sure it works.

eprodromou moved this task from Backlog to Doing on the Platform Team Workboards (Green) board.Jul 27 2020, 11:50 AM
WDoranWMF moved this task from Doing to User Story Review on the Platform Team Workboards (Green) board.Jul 30 2020, 1:46 PM
hnowlan added a comment.Jul 30 2020, 2:36 PM

I don't think the user story matches with my work on the API gateway beyond the basics - staging testing has indicated that we're not mangling any headers specific to authorisation. What would constitute done for this task?

WDoranWMF added a project: Platform Team Sprints Board (Sprint 0).Jul 31 2020, 12:21 PM
Naike edited projects, added Platform Team Sprints Board (Sprint 1); removed Platform Team Sprints Board (Sprint 0).Aug 7 2020, 10:30 AM
Naike reassigned this task from hnowlan to eprodromou.Aug 7 2020, 11:59 AM
hnowlan added a comment.Aug 14 2020, 4:00 PM
nosmo@ocasey ~ $ curl -H "Authorization: Bearer BAD_TOKEN" https://api.wikimedia.org/core/v1/wikipedia/zh/foo/abc && echo
Jwt is not in the form of Header.Payload.Signature with two dots and 3 sections

This demonstrates that the headers are being passed properly and not mangled by envoy before being checked.

eprodromou added a comment.Aug 20 2020, 7:53 PM

This isn't working for me.

Here's what I do:

Evans-MBP:~ eprodromou$ export TOKEN=`<wikimedia.token` # JWT is in this file
Evans-MBP:~ eprodromou$ curl -H "Authorization: Bearer $TOKEN" https://api.wikimedia.org/core/v1/wikipedia/en/search/page?q=pizza
{"httpCode":401,"httpReason":"Jwt issuer is not configured"}
Evans-MBP:~ eprodromou$ curl -H "Authorization: Bearer $TOKEN" https://en.wikipedia.org/w/rest.php/v1/search/page?q=pizza
# Lots of data
 Pchelolo moved this task from User Story Review to Ready on the Platform Team Workboards (Green) board.Aug 20 2020, 7:55 PM
hnowlan added a comment.Aug 26 2020, 10:01 AM
Where is wikimedia.token coming from in this case?
hnowlan claimed this task.Aug 26 2020, 2:18 PM
hnowlan moved this task from Ready to Doing on the Platform Team Workboards (Green) board.
gerritbot added a comment.Aug 27 2020, 11:15 AM
Change 622794 had a related patch set uploaded (by Hnowlan; owner: Hnowlan):

[operations/deployment-charts@master] api-gateway: Make JWT issuer configurable.



https://gerrit.wikimedia.org/r/622794
gerritbot added a project: Patch-For-Review.Aug 27 2020, 11:15 AM
gerritbot added a comment.Aug 27 2020, 11:58 AM
Change 622799 had a related patch set uploaded (by Hnowlan; owner: Hnowlan):

[operations/deployment-charts@master] api-gateway: Make JWT issuer configurable.



https://gerrit.wikimedia.org/r/622799
gerritbot added a comment.Aug 27 2020, 1:43 PM
Change 622794 merged by jenkins-bot:

[operations/deployment-charts@master] api-gateway: Make JWT issuer configurable.



https://gerrit.wikimedia.org/r/622794
hnowlan added a comment.Aug 27 2020, 2:49 PM
Our OAuth2 tokens do not specify issuer. This isn't a violation of the standard but Envoy 1.15 insists on having this specified - there is a fix in Envoy 1.16 . I think I can hack around this short-term, but until that's done we can't use Mediawiki's tokens with Envoy.
hnowlan moved this task from Doing to Blocked on the Platform Team Workboards (Green) board.Aug 27 2020, 3:49 PM
hnowlan mentioned this in T254910: Metrics and dashboards for API Gateway.Sep 7 2020, 3:01 PM
gerritbot added a comment.Sep 8 2020, 5:01 PM
Change 625942 had a related patch set uploaded (by Hnowlan; owner: Hnowlan):

[operations/deployment-charts@master] api-proxy: Set password for ratelimit



https://gerrit.wikimedia.org/r/625942
gerritbot added a comment.Sep 9 2020, 9:56 AM
Change 625942 merged by jenkins-bot:

[operations/deployment-charts@master] api-proxy: Set password for ratelimit



https://gerrit.wikimedia.org/r/625942
 Pchelolo closed subtask T261428: Add support for iss claim in OAuth2 access tokens as Resolved.Sep 9 2020, 7:33 PM
 eprodromou added a comment.Sep 10 2020, 12:54 AM
I'm still seeing an error here. If I check my token on jwt.io, it shows the "iss" property, but I still get {"httpCode":401,"httpReason":"Jwt issuer is not configured"}
gerritbot added a comment.Sep 10 2020, 9:28 AM
Change 626342 had a related patch set uploaded (by Hnowlan; owner: Hnowlan):

[operations/deployment-charts@master] api-gateway: Fix isser to match one used by meta



https://gerrit.wikimedia.org/r/626342
gerritbot added a comment.Sep 10 2020, 9:31 AM
Change 626342 merged by jenkins-bot:

[operations/deployment-charts@master] api-gateway: Fix isser to match one used by meta



https://gerrit.wikimedia.org/r/626342
 Pchelolo moved this task from Blocked to PM Sign-off on the Platform Team Workboards (Green) board.Sep 10 2020, 7:27 PM
 eprodromou moved this task from PM Sign-off to User Story Review on the Platform Team Workboards (Green) board.Sep 14 2020, 2:14 PM
 eprodromou moved this task from User Story Review to Documentation on the Platform Team Workboards (Green) board.Sep 16 2020, 1:45 PM
apaskulin moved this task from Documentation to Ready to Deploy on the Platform Team Workboards (Green) board.Sep 16 2020, 3:38 PM
gerritbot added a comment.Sep 18 2020, 4:32 PM
Change 622799 abandoned by Hnowlan:

[operations/deployment-charts@master] api-gateway: Make JWT issuer configurable.



Reason:



https://gerrit.wikimedia.org/r/622799
hnowlan added a comment.Sep 21 2020, 3:31 PM
Can this ticket be closed? JWTs from meta are now valid for use with the gateway.
 WDoranWMF moved this task from Ready to Deploy to PM Sign-off on the Platform Team Workboards (Green) board.Sep 22 2020, 5:15 PM
 eprodromou closed this task as Resolved.Sep 22 2020, 5:16 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits