Page MenuHomePhabricator

Can't use access token generated with owner-only consumer key with OAuth 2.0
Closed, ResolvedPublic


I'm unable to get the access token that I got when registering a new owner-only consumer key. Here are the steps I went through:

  1. Went to
  2. Added a name, set version to 1.0, set OAuth protocol version to 2.0
  3. Added a description
  4. Checked the box to make it a owner-only key.
  5. Left the contact email address as my email address
  6. Applicable project = *
  7. Add all grants
  8. Leave IP ranges at default
  9. No public RSA key
  10. Check the submission button
  11. On the following screen, copy application key, application secret, access token
  12. In a terminal, run "export TOKEN=<the access token from the screen>"
  13. In the same terminal, run "curl -v -H "Authorization: Bearer $TOKEN" ""

This resulted in an error. I can see that the correct token is being sent in the Authorization header. The response has a "Mediawiki-API-Error" with the value "mwoauth-invalid-authorization".

I tried it with another url,, and also had an authorization error.

When I pass the access token I received through the validator at, it parses the token correctly, but shows an "invalid date" error for the "exp" claim.

This is very likely user error, but I haven't yet made a successful OAuth 2.0-authenticated call to any of our APIs, so I thought I'd check that at least one other person can, first.

Event Timeline

@Anomie this is the ticket I created. Thanks for your help on IRC!

Change 570440 had a related patch set uploaded (by Anomie; owner: Anomie):
[mediawiki/extensions/OAuth@master] MWOAuthUtils: User master DB after writes

When the new owner-only consumer is created, oauth2_access_tokens.oaat_acceptance_id is being set to 0 instead of to the acceptance for the newly-created consumer. This seems to be due to replication.

As a workaround, if you go to Special:OAuthConsumerRegistration, manage the consumer in question, and check the "Reset the secret key to a new value" checkbox, the new token should function.

Change 570440 merged by jenkins-bot:
[mediawiki/extensions/OAuth@master] MWOAuthUtils: User master DB after writes

Anomie claimed this task.

The fix should be deployed to Wikimedia wikis with 1.35.0-wmf.19. Note that the fix applies to OAuth 2 consumer creation; the workaround in T244415#5854244 will need to be used for any consumers created before the fix is deployed.

@AMooney, I understand that this ticket is resolved. Should it be in the Done or Waiting for Deployment column instead of the Waiting for Review one?