
Security Readiness Review For Adding Private Claims To OAuth Extension
Closed, Resolved (Public)

Description

Project Information

Description of the tool/project:
The new changes to the OAuth extension implement support for adding private claims to a JSON Web Token (JWT).

The implementation is based on enhancements to the oauth2-server library that we're using.

Description of how the tool will be used at WMF:
The new changes will be used by the OAuthRateLimiter extension to add rate limit claims to the JWT.
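To make the reviewed change concrete, the following is an added example (not code from the OAuth extension, the oauth2-server library, or the OAuthRateLimiter extension) of what "adding a private claim to a JWT" means and what the consumer of such a token has to check before acting on the claim. It uses HS256 with a constructed key so that it runs offline; the claim name `ratelimit`, the issuer string and the `DEMO_KEY` are assumptions for illustration, not the extension's actual values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; the real OAuth server signs with its own key material.
DEMO_KEY = b"constructed-demo-key-not-for-production"
DEMO_ISSUER = "https://example.invalid/oauth"  # assumed issuer value


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, private_claims: dict, ttl: int = 3600, now=None) -> str:
    """Build a signed JWT whose payload carries the registered claims plus
    caller-supplied private claims (here: a rate-limit descriptor)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": DEMO_ISSUER, "sub": subject, "iat": now, "exp": now + ttl}
    # Private claims are merged in, but must never shadow a registered claim:
    # letting a caller overwrite "sub" or "exp" would turn a rate-limit hint
    # into an identity or lifetime override.
    for name, value in private_claims.items():
        if name in payload:
            raise ValueError(f"private claim {name!r} would overwrite a registered claim")
        payload[name] = value
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_token(key: bytes, token: str, now=None) -> dict:
    """Verify algorithm, signature and expiry before returning the payload.
    Private claims are only meaningful once the signature has been checked."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # do not let the token choose the algorithm
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(parts[1]))
    if now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def rate_limit_from_token(key: bytes, token: str, now=None):
    """What a rate-limiting consumer would do: verify first, then read the private claim."""
    return verify_token(key, token, now).get("ratelimit")


if __name__ == "__main__":
    tok = issue_token(DEMO_KEY, "user:42", {"ratelimit": {"requests_per_minute": 60}}, now=1_600_000_000)
    print(rate_limit_from_token(DEMO_KEY, tok, now=1_600_000_000))
```

The consumer side is the point of the example: the rate-limit claim is just data inside the token, so the extension that enforces the limit has to verify the signature (and reject any token whose header names a different algorithm) before trusting it, and the issuer has to refuse private claims that would collide with registered ones.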

Dependencies

Working test environment
The test environment instructions from T257930 can be used to test these changes.

Post-deployment
Platform Engineering will own these new changes.

Event Timeline

Clarakosi moved this task from Backlog to Blocked on the Platform Team Workboards (Green) board.
sbassett moved this task from Incoming to Back Orders on the secscrum board. Aug 20 2020, 4:10 PM
sbassett triaged this task as Medium priority. Aug 20 2020, 4:14 PM
Jcross moved this task from Back Orders to In Progress on the secscrum board. Aug 27 2020, 4:49 PM
Jcross assigned this task to Reedy. Aug 27 2020, 4:54 PM
Reedy closed this task as Resolved. Aug 27 2020, 9:34 PM
Reedy moved this task from In Progress to Our Part Is Done on the secscrum board.

Like T260587 (Security Readiness Review For Wikimedia/oauth2-server), this is good to go.

And obviously, when the vendor-related follow-up is done for the oauth2-server fork (going back to the canonical), changes may be required to this patch (and/or MediaWiki-extensions-OAuth generally) and should be made in a timely fashion to allow us to follow upstream again for maintenance and security fixes.