Page MenuHomePhabricator
Create Task
Maniphest T256766

Disallow public access to OAuth client ID management API
Closed, ResolvedPublic
Actions

Description

To support the API Portal, the OAuth extension will include a set of REST endpoint that allow the Portal to create, list, and reset secrets for OAuth clients. The purpose of this task is to address the issue of access to these endpoint from the public internet.

To do:

  • Discuss whether it is an issue that these endpoints are exposed to the public internet
  • Investigate ways to address this issue
  • Prioritize the implementation effort in relation to the API Portal implementation plan
  • Implement the solution

Background:

The OAuth extension, as configured on meta.wikimedia.org, requires that a user be logged in with a valid Wikimedia account to use the endpoints.

Related Objects
Search...

Event Timeline

eprodromou created this task.Jun 30 2020, 3:15 PM
Restricted Application removed a project: Patch-For-Review. · View Herald TranscriptJun 30 2020, 3:15 PM
apaskulin reassigned this task from apaskulin to BPirkle.Jun 30 2020, 3:37 PM
apaskulin updated the task description. (Show Details)
apaskulin subscribed.
apaskulin updated the task description. (Show Details)Jun 30 2020, 3:48 PM
BPirkle added a comment.Jun 30 2020, 6:38 PM

I do not believe this an actual security concern from a technical/code perspective. However, it may be a concern from a policy/legal perspective.

The endpoints do appropriate session checks, so exposing them publicly doesn't allow anyone to do things they would not otherwise be allowed to do. However, it does potentially allow someone to create a client without viewing/acknowledging the Application Policy (which says, among other things, that we can turn off your client if we feel like it). I don't know how strongly we feel about that.

eprodromou added subscribers: CCicalese_WMF, Pchelolo.Sep 4 2020, 9:14 PM

So, I heard from @Pchelolo that the API Portal key management interface calls the API directly from the browser? @BPirkle @CCicalese_WMF can you confirm?

If that's the case, then we can close this; we can't make the API private if it's called from the public.

I think it's probably necessary to be more careful about the API if it's public, though.

BPirkle added a comment.Sep 7 2020, 5:50 PM
In T256766#6437281, @eprodromou wrote:

So, I heard from @Pchelolo that the API Portal key management interface calls the API directly from the browser? @BPirkle @CCicalese_WMF can you confirm?

Confirmed, with the caveat that I'm not sure about current status, so I'm not sure whether to say "calls" or "will call".

My understanding as of a couple of weeks ago was that the initial implementation did not call the API directly from the browser, but this led to various significant unhappiness in the implementation. So we are planning to refactor such that the browser will make these calls directly. This will require some javascript development. I'm not sure who has been/will be tasked with that, or if any of that work has been started/completed.

Pchelolo added a comment.Sep 8 2020, 12:13 AM

Yes, it will be called directly from the browser.

The initial implementation exposed a proxy on api.wikimedia.org with the exact same interface as on meta.wikimedia.org which just forwarded the calls to meta on the backend. That was done to avoid CORS and made absolutely no sense from any perspective, so the proxy has been removed. I'm working on supporting authenticated CORS for the API on meta.

eprodromou closed this task as Resolved.Oct 8 2020, 10:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL