Page MenuHomePhabricator
Create Task
Maniphest T245475

OAuth 2.0 consumer form is not consistent with implementation
Closed, ResolvedPublicBUG REPORT
Actions

Description

Steps to Reproduce:
Propose a new OAuth 2.0 consumer at https://meta.wikimedia.org/wiki/Special:OAuthConsumerRegistration/propose. A checkbox is visible: "Allow consumer to specify a callback in requests and use "callback" URL above as a required prefix."

Actual Results:
The checkbox has no effect. The callback URL must match exactly.

Expected Results:
The form should offer options consistent with what OAuth 2.0 consumers can actually do. Either the prefix functionality should be implemented, or the checkbox should be removed for cases where it doesn't apply.

Note that apparently the author of oauth2-server has rejected callback URL prefixes as being inconsistent with the OAuth 2.0 spec: https://github.com/thephpleague/oauth2-server/issues/1085. If WMF wants to override this behavior and support prefixes, the behavior of AbstractGrant::validateRedirectUri needs to be changed. Otherwise, the form needs to be fixed.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Hide "callback as prefix" checkbox for OAuth 2.0 consumersmediawiki/extensions/OAuthmaster+4 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

kamholz created this task.Feb 18 2020, 12:33 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 18 2020, 12:33 AM
Tgr mentioned this in T245232: can't use new OAuth2 consumer archiveleaf-test.Feb 18 2020, 1:01 AM
Tgr added a comment.Feb 18 2020, 4:28 AM

The RFC says

3.1.2.2.  Registration Requirements
   ...

   The authorization server SHOULD require the client to provide the
   complete redirection URI (the client MAY use the "state" request
   parameter to achieve per-request customization).  If requiring the
   registration of the complete redirection URI is not possible, the
   authorization server SHOULD require the registration of the URI
   scheme, authority, and path (allowing the client to dynamically vary
   only the query component of the redirection URI when requesting
   authorization).

   The authorization server MAY allow the client to register multiple
   redirection endpoints.

so it's a SHALL requirement. (See also the full 3.1.2 which is about the redirect URI.) Elsewhere the RFC mentions that these requirements are to prevent attacks taking advantage of unintentional open redirectors on the target site.

One option would be to split the callback URL into a domain part and a path part, and allow the developer to update the path part as needed. See also T241867: Better support for callback URL updates.

kamholz added a comment.Feb 18 2020, 4:34 AM

The easily fixable issue I had was that I had registered the callback URI as http://localhost:3000 but the library I was using was passing it to the server as http://localhost:3000/, which was enough to cause a mismatch. I registered a new consumer with the slash on the callback URI and it works now.

The more interesting question is how to save application state on the return from the authorization page. Assuming the state was part of a query string on http://localhost:3000/, I initially was going to pass in the whole URI with query string in redirect_uri, but that isn't possible with a strict match. It turns out you're supposed to use the state parameter to handle that, which I'm now doing.

kamholz added a comment.Feb 18 2020, 11:10 PM

Based on recent comments in the above-referenced GitHub issue for oauth2-server, it looks like current best practice is not to allow callback prefixes of any kind. That means it's just the OAuth consumer proposal form that needs to be updated.

CCicalese_WMF added a parent task: T234665: Add OAuth 2.0 support to MediaWiki REST API.Mar 18 2020, 10:09 PM
CCicalese_WMF edited projects, added Core Platform Team Initiatives (MW REST API in PHP); removed Core Platform Team Initiatives (OAuth 2.0).
Tgr mentioned this in T258854: Support multiple Callback URLs or regex pattern matching.Jul 25 2020, 11:32 AM
bd808 subscribed.Jan 26 2021, 6:41 PM

T264516: Documentation does not mention that OAuth2 does NOT support "use as prefix" option for callback URL

gerritbot added a comment.Aug 9 2021, 1:14 AM

Change 710701 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/OAuth@master] Hide \"callback as prefix\" checkbox for OAuth 2.0 consumers

https://gerrit.wikimedia.org/r/710701

gerritbot added a project: Patch-For-Review.Aug 9 2021, 1:14 AM
Zache mentioned this in T288453: Approve Oauth2 consumer registration.Aug 9 2021, 1:12 PM
gerritbot added a comment.Aug 18 2021, 8:12 PM

Change 710701 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] Hide \"callback as prefix\" checkbox for OAuth 2.0 consumers

https://gerrit.wikimedia.org/r/710701

ReleaseTaggerBot added a project: MW-1.37-notes (1.37.0-wmf.20; 2021-08-23).Aug 18 2021, 10:00 PM
Maintenance_bot removed a project: Patch-For-Review.Aug 18 2021, 10:10 PM
Base subscribed.Aug 20 2021, 9:14 PM
Tgr mentioned this in T299737: Warn users during OAuth 2 app creation when they provide a callback URL that's just the domain.Jan 21 2022, 2:29 AM
Tgr closed this task as Resolved.Jul 12 2022, 7:38 PM
Tgr claimed this task.

I don't think there's anything else to do here.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits