Page MenuHomePhabricator

OAuth server should provide clear and useful feedback about client errors
Open, Needs TriagePublic


Whenever client code does something wrong, we should strive towards providing feedback that makes identifying and fixing that error as easy as possible. That means 1) obtaining as much information about the error as possible, 2) returning that error in a form useful to the client, 3) logging the error (helpful for debugging legacy unmaintained clients).


Event Timeline

The OAuth 1 and 2 libraries are especially pain points in this regard because they don't really return useful information. E.g. when OAuth 2 request verification fails, we show Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method) but of course those should all be different errors, and those examples aren't exhaustive (the same error is shown for an incorrect redirect URI, for example).

At least the OAuth 2 library uses exceptions, so internally we can log the stack trace which should tell which of the three happened.

Adding missing MediaWiki-REST-API code project tag as Core Platform Team Initiatives (MW REST API in PHP) team tag is archived and its parent Platform Engineering team does not exist anymore