
Exceptions from MWOAuthSessionProvider are not being thrown for the REST API
Closed, Duplicate | Public

Description

Errors from the SessionProvider are thrown very early in the process of initializing MediaWiki, before things like the Action API are ready to catch those exceptions and present them to the user in a standard manner.

For the Action API, MWOAuthSessionProvider returns a dummy "success" and uses the 'ApiBeforeMain' hook to throw the exception once api.php is ready to catch it. This works well to report OAuth errors to clients in the manner that they expect.

When support for the REST API was added in rEOAUb64cecda8588: Make OAuth work with the REST API, this was overlooked. The REST API winds up going ahead with the dummy "success" session because the exception never gets thrown.

Fixing this will likely require changes in both core (to add a hook or some equivalent mechanism) and to OAuth (to use it).

Alternatively, we could just have OAuth throw the exception when encountered during Setup.php via rest.php, but that will lead to the REST API serving MediaWiki's standard "uncaught exception" HTML page rather than a REST-API-formatted error response.

Steps to reproduce

  1. Have MediaWiki-extensions-OAuth set up on your wiki.
  2. Supply an invalid OAuth Authorization header for a request to the REST API.

Expected results

An error message indicating the OAuth authorization failed, in the style of other REST API errors from uncaught exceptions.

Actual results

The handler runs as it normally would for a request from an IP user with no user rights.
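
A minimal PHP model of the behaviour described in this task, added here as an illustration; it is not code from MediaWiki or the OAuth extension, and `ToySessionProvider`, `throwDeferred`, `handle` and the sample header values are hypothetical. It sends the same invalid header through an entry point that rethrows the deferred exception and through one that does not, showing the second one falling through to an anonymous session.

```php
<?php
// Toy model of the deferred-error pattern; every name here is hypothetical,
// none of it is MediaWiki or OAuth extension code.

class OAuthError extends Exception {}

class ToySessionProvider {
    public ?OAuthError $deferred = null;

    // Runs during setup, before any entry point can format an error.
    public function provideSession(array $headers): array {
        $auth = $headers['Authorization'] ?? '';
        if (strpos($auth, 'OAuth ') !== 0) {
            return ['user' => 'anonymous'];          // no OAuth attempted
        }
        if ($auth === 'OAuth valid-token') {         // constructed sample value
            return ['user' => 'alice'];
        }
        // Invalid OAuth: remember the error, hand back a dummy "success".
        $this->deferred = new OAuthError('invalid OAuth authorization');
        return ['user' => 'anonymous'];
    }

    // The hook the entry point must call once it can report errors.
    public function throwDeferred(): void {
        if ($this->deferred !== null) {
            throw $this->deferred;
        }
    }
}

function handle(string $entry, array $headers): string {
    $provider = new ToySessionProvider();
    $session = $provider->provideSession($headers);
    try {
        if ($entry === 'action') {
            $provider->throwDeferred();              // models 'ApiBeforeMain'
        }
        // 'rest' never rethrows, so the dummy session is used as-is.
        return "$entry: handler ran as {$session['user']}";
    } catch (OAuthError $e) {
        return "$entry: error response: {$e->getMessage()}";
    }
}

$bad = ['Authorization' => 'OAuth garbage'];         // constructed sample header
echo handle('action', $bad), "\n";
echo handle('rest', $bad), "\n";
```

A regression test for the eventual fix can assert the inverse of the `rest` line: a request carrying a malformed OAuth header must never reach a handler with an anonymous session.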