Page MenuHomePhabricator
Create Task
Maniphest T245477

OAuth server should provide clear and useful feedback about client errors
Open, Needs TriagePublic
Actions

Description

Whenever client code does something wrong, we should strive towards providing feedback that makes identifying and fixing that error as easy as possible. That means 1) obtaining as much information about the error as possible, 2) returning that error in a form useful to the client, 3) logging the error (helpful for debugging legacy unmaintained clients).

Related:

Related Objects
Search...

Event Timeline

Tgr created this task.Feb 18 2020, 1:12 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 18 2020, 1:12 AM
Tgr added a subtask: T106066: Don't show "Nonce already used" error on memcache failure.Feb 18 2020, 1:13 AM
Tgr moved this task from Backlog to Consumer wants on the MediaWiki-extensions-OAuth board.
Tgr added subtasks: T156187: Do not require oob when "callback is prefix" checkbox is unset, T59501: Special:OAuth: Output error message of OAuthException in JSON output, T245050: OAuth extension should display clear error messages when the wrong protocol version is used.
Tgr added a project: Platform Team Initiatives (OAuth 2.0).EditedFeb 18 2020, 1:37 AM

The OAuth 1 and 2 libraries are especially pain points in this regard because they don't really return useful information. E.g. when OAuth 2 request verification fails, we show Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method) but of course those should all be different errors, and those examples aren't exhaustive (the same error is shown for an incorrect redirect URI, for example).

At least the OAuth 2 library uses exceptions, so internally we can log the stack trace which should tell which of the three happened.

CCicalese_WMF added a parent task: T234665: Add OAuth 2.0 support to MediaWiki REST API.Mar 18 2020, 10:07 PM
CCicalese_WMF edited projects, added Platform Team Initiatives (MW REST API in PHP); removed Platform Team Initiatives (OAuth 2.0).
Tgr updated the task description. (Show Details)Jul 21 2020, 6:05 AM
Tgr mentioned this in T286769: OAuth extension reporting "Error: An error occurred in the OAuth protocol: Invalid consumer key" even if the consumer key is valid.Jul 28 2021, 4:00 PM
Tgr mentioned this in T264516: Documentation does not mention that OAuth2 does NOT support "use as prefix" option for callback URL.Aug 9 2021, 1:03 AM
Tgr mentioned this in T297888: OAuth v2 client request form ignores default grant type values.Dec 16 2021, 6:49 PM
Ed6767 mentioned this in T298478: Make OAuth2 errors less ambiguous.Jan 3 2022, 2:16 PM
Ed6767 subscribed.
Krinkle closed subtask T106066: Don't show "Nonce already used" error on memcache failure as Resolved.Aug 23 2022, 1:56 PM
Aklapper added a project: MediaWiki-REST-API.Oct 17 2023, 8:02 AM

Adding missing MediaWiki-REST-API code project tag as Platform Team Initiatives (MW REST API in PHP) team tag is archived and its parent Platform Engineering team does not exist anymore

Tgr mentioned this in T348206: Improve logging, monitoring and test coverage for MediaWiki Platform team authentication extensions.Oct 23 2023, 3:09 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL