
OAuth2 docs seem confused/incomplete
Open, Low, Public

Description

From https://www.mediawiki.org/wiki/Topic:Vmwiwu073xo33eh5 (and a request on IRC)

Looking at https://www.mediawiki.org/wiki/OAuth/For_Developers#Authorization_2

When registering the application, you receive two pieces of credentials: the consumer token (a public ID for the application) and the secret token (sort of like a password).

Ask the user to authorize the application by sending them to oauth2/authorize under the wiki's REST endpoint (usually rest.php), with response_type=code and the client token (as client_id), and ideally also a request_url and state.

Where does the client token come from? Is it the "consumer token" mentioned above? If not, why is "client token" the only mention of "client token" in the documents?

Event Timeline

Looking at https://meta.wikimedia.org/wiki/Special:OAuthManageConsumers/approved "Consumer key" is then used...

"client token" isn't mentioned in i18n/en.json

@apaskulin I know that we've been working on harmonising these terms. Do you mind looking this over and changing to the right terminology?

I've made some quick updates to the page to help clarify things in relation to the terms used on Meta, and I've responded to the comment on the talk page. But I'd like to keep this task open considering that these inconsistencies need to be addressed across the docs and the interfaces in Meta. I'm hoping to get to work on this this year, but I'll hold off from assigning myself in case someone gets to it before I do.

Hey @apaskulin,
Please assign me this task, I would like to contribute to it under you mentorship.
Also let me know how to get this started and put this on-track.
Regards
Harsh

Ask the user to authorize the application by sending them to oauth2/authorize under the wiki's REST endpoint (usually rest.php), with response_type=code and the client token (as client_id), and ideally also a request_url and state.

I’ll just quickly mention here that I’ve now removed the request_url from the docs, since I assume it was a mistake. The parameter you can specify is redirect_uri; however, MediaWiki requires it to be exactly the same URL as what you already specified in the consumer request (where AFAICT it’s not optional either), so I don’t really see the point in including the redirect_uri to be honest. (It’s part of the standard, and on some other sites it makes more sense, but if you’re specifically targeting MediaWiki then I think you can just ignore the redirect_url in both authorization steps.)
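The authorization step discussed in this task, assembled as an added example that is neither the reporter's nor MediaWiki's own code: it builds the rest.php/oauth2/authorize URL with response_type=code, client_id, the registered redirect_uri and a state value, and validates the callback. The wiki URL, client_id and redirect URI are constructed placeholders, and it assumes the client keeps the state value in the user's session between the two steps.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholder values (added example, not MediaWiki code).
# A real client_id is the "consumer key" issued at registration.
WIKI_REST = "https://example.org/w/rest.php"
CLIENT_ID = "0123456789abcdef0123456789abcdef"
REGISTERED_REDIRECT = "https://client.example/oauth/callback"


def new_state() -> str:
    """Unguessable per-request value the client keeps in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state: str, redirect_uri: str = REGISTERED_REDIRECT) -> str:
    """Return the rest.php/oauth2/authorize URL the user is sent to.

    MediaWiki only accepts the redirect_uri registered with the consumer,
    so a mismatch is caught here rather than as an error on the wiki side.
    """
    if redirect_uri != REGISTERED_REDIRECT:
        raise ValueError("redirect_uri must exactly match the registered URL")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{WIKI_REST}/oauth2/authorize?{urlencode(params)}"


def extract_code(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back to the client and return the code.

    The callback is rejected when state is absent or differs from the value
    stored for this session (CSRF / code-injection check) or when the wiki
    reported an error instead of issuing a code.
    """
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this callback")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code
```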