MW OAuth2 doesn't seem to work
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Mpaa
	Feb 3 2020, 11:21 PM

Description

Following docs as in:

https://www.mediawiki.org/wiki/OAuth/For_Developers#OAuth_2

for this consumer:

https://meta.wikimedia.org/wiki/Special:OAuthListConsumers/view/75e6d99d5fbb98606b81150f948cf695

I am sending:

https://meta.wikimedia.org/w/rest.php/oauth2/authorize?response_type=code&client_id=75e6d99d5fbb98606b81150f948cf695

and I am getting the following answer:

The authorization server encountered an unexpected condition that prevented it from fulfilling the request.

I have tested my code (based on python requests_oauthlib) vs. other OAuth2 sites and it works.

Comment:
Discussing on IRC, some doubts were raised on this part:
https://github.com/wikimedia/mediawiki-extensions-OAuth/blob/39182b03b05df4814e544516805c6382f651018d/includes/frontend/specialpages/SpecialMWOAuth.php#L104
https://github.com/wikimedia/mediawiki-extensions-OAuth/blob/39182b03b05df4814e544516805c6382f651018d/includes/frontend/specialpages/SpecialMWOAuth.php#L85

Details

	Project	Branch	Lines +/-	Subject
	mediawiki/extensions/OAuth	master	+78 -3	Fix 'infinity' expiry for OAuth 2 tokens

Customize query in gerrit

Event Timeline

Mpaa created this task.Feb 3 2020, 11:21 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 3 2020, 11:21 PM

Reedy added a project: Platform Engineering.Feb 3 2020, 11:22 PM

Mpaa added a subscriber: Chicocvenancio.Feb 3 2020, 11:23 PM

Chicocvenancio awarded a token.Feb 3 2020, 11:23 PM

Reedy updated the task description. (Show Details)Feb 3 2020, 11:36 PM

Looking at logstash for 75e6d99d5fbb98606b81150f948cf695 I only really see stuff hitting the special page, not the rest interface...

/srv/mediawiki/php-1.35.0-wmf.16/extensions/OAuth/includes/frontend/specialpages/SpecialMWOAuth.php:729
This endpoint is not allowed for OAuth version 1
#0 /srv/mediawiki/php-1.35.0-wmf.16/extensions/OAuth/includes/frontend/specialpages/SpecialMWOAuth.php(85): MediaWiki\Extensions\OAuth\SpecialMWOAuth->assertOAuthVersion(integer)
#1 /srv/mediawiki/php-1.35.0-wmf.16/includes/specialpage/SpecialPage.php(575): MediaWiki\Extensions\OAuth\SpecialMWOAuth->execute(string)
#2 /srv/mediawiki/php-1.35.0-wmf.16/includes/specialpage/SpecialPageFactory.php(611): SpecialPage->run(string)
#3 /srv/mediawiki/php-1.35.0-wmf.16/includes/MediaWiki.php(298): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#4 /srv/mediawiki/php-1.35.0-wmf.16/includes/MediaWiki.php(967): MediaWiki->performRequest()
#5 /srv/mediawiki/php-1.35.0-wmf.16/includes/MediaWiki.php(530): MediaWiki->main()
#6 /srv/mediawiki/php-1.35.0-wmf.16/index.php(46): MediaWiki->run()
#7 /srv/mediawiki/w/index.php(3): require(string)
#8 {main}

and

/srv/mediawiki/php-1.35.0-wmf.16/extensions/OAuth/includes/frontend/specialpages/SpecialMWOAuth.php:369
Sorry, something went wrong connecting this application.

<span class="plainlinks mw-mwoautherror-details">Unknown OAuth key, <a class="external" href="https://www.mediawiki.org/wiki/Help:OAuth/Errors#E006">E006</a></span>
#0 /srv/mediawiki/php-1.35.0-wmf.16/extensions/OAuth/includes/frontend/specialpages/SpecialMWOAuth.php(135): MediaWiki\Extensions\OAuth\SpecialMWOAuth->handleAuthorizationForm(NULL, boolean, boolean)
#1 /srv/mediawiki/php-1.35.0-wmf.16/includes/specialpage/SpecialPage.php(575): MediaWiki\Extensions\OAuth\SpecialMWOAuth->execute(string)
#2 /srv/mediawiki/php-1.35.0-wmf.16/includes/specialpage/SpecialPageFactory.php(611): SpecialPage->run(string)
#3 /srv/mediawiki/php-1.35.0-wmf.16/includes/MediaWiki.php(298): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#4 /srv/mediawiki/php-1.35.0-wmf.16/includes/MediaWiki.php(967): MediaWiki->performRequest()
#5 /srv/mediawiki/php-1.35.0-wmf.16/includes/MediaWiki.php(530): MediaWiki->main()
#6 /srv/mediawiki/php-1.35.0-wmf.16/index.php(46): MediaWiki->run()
#7 /srv/mediawiki/w/index.php(3): require(string)
#8 {main}

I suppose one issue here is that AuthenticationHandler::errorResponse should have some facility for differentiating user and server errors, and log the latter to the exception channel. Currently e.g. Rest\Handler\Authorize::execute has a catch block which just swallows any throwable without logging.

Change 570076 had a related patch set uploaded (by Anomie; owner: Anomie):
[mediawiki/extensions/OAuth@master] Fix 'infinity' expiry for OAuth 2 tokens

https://gerrit.wikimedia.org/r/570076

gerritbot added a project: Patch-For-Review.Feb 4 2020, 3:42 PM

Anomie claimed this task.Feb 4 2020, 3:42 PM

Anomie edited projects, added Platform Team Workboards (Clinic Duty Team); removed Platform Engineering.

Anomie moved this task from Inbox to Waiting for Review on the Platform Team Workboards (Clinic Duty Team) board.

In T244187#5846883, @Tgr wrote:

I suppose one issue here is that AuthenticationHandler::errorResponse should have some facility for differentiating user and server errors, and log the latter to the exception channel. Currently e.g. Rest\Handler\Authorize::execute has a catch block which just swallows any throwable without logging.

Submitted https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/OAuth/+/570080 to add some logging there.

apaskulin added a subscriber: apaskulin.Feb 4 2020, 10:23 PM

Change 570076 merged by jenkins-bot:
[mediawiki/extensions/OAuth@master] Fix 'infinity' expiry for OAuth 2 tokens

https://gerrit.wikimedia.org/r/570076

ReleaseTaggerBot added a project: MW-1.35-notes (1.35.0-wmf.19; 2020-02-11).Feb 8 2020, 12:01 AM

Fix should be deployed to Wikimedia sites with 1.35.0-wmf.19

It works, thanks.

@AMooney, I understand that this ticket is resolved. Should it be in the Done or Waiting for Deployment column instead of the Waiting for Review one?