Security Readiness Review For Adding Private Claims To OAuth Extension
Closed, ResolvedPublic
Actions

Description

Project Information

Name of tool/project: OAuth extension
Project home page: https://www.mediawiki.org/wiki/Extension:OAuth
Name of team requesting review: Platform Engineering
Primary contact: @Pchelolo @Clarakosi
Target date for deployment: August 31st
Link to code repository / patchset: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OAuth/+/610335

Description of the tool/project:
The new changes to the OAuth extension implement support for adding private claims to a JSON Web Token (JWT).

The implementation is based on enhancements to the oauth2-server library that we're using.

Description of how the tool will be used at WMF:
The new changes will be used by the OAuthRateLimiter extension to add rate limit claims to the JWT.

Dependencies

Wikimedia/oauth2-server

Working test environment
Test environment instructions from T257930 can be used to test these changes

Post-deployment
Platform Engineering will own these new changes

Related Objects
Search...

Status	Assigned	Task
Resolved	• eprodromou	T235270 Wikimedia API Gateway
Resolved	• eprodromou	T255030 Wikimedia API Gateway MVP
Resolved	• Pchelolo	T246271 Administrator defines rate limit classes
Resolved	None	T257607 Develop OAuthRateLimiter extension
Resolved	Reedy	T257930 Security Readiness Review For OAuthRateLimiter
Resolved	Reedy	T260588 Security Readiness Review For Adding Private Claims To OAuth Extension

Event Timeline

• Clarakosi created this task.Aug 17 2020, 6:12 PM

• Clarakosi moved this task from Backlog to Blocked on the Platform Team Workboards (Green) board.

sbassett moved this task from Incoming to Back Orders on the secscrum board.Aug 20 2020, 4:10 PM

sbassett triaged this task as Medium priority.Aug 20 2020, 4:14 PM

Naike edited projects, added Platform Team Sprints Board (Sprint 2); removed Platform Team Sprints Board (Sprint 1).Aug 21 2020, 1:17 PM

• Jcross moved this task from Back Orders to In Progress on the secscrum board.Aug 27 2020, 4:49 PM

• Jcross assigned this task to Reedy.Aug 27 2020, 4:54 PM

Like T260587: Security Readiness Review For Wikimedia/oauth2-server this is good to go.

And obviously when the vendor related followup is done for the oath fork (going back to the canonical), changes may be required to this patch (and/or MediaWiki-extensions-OAuth generally) and should be made in a timely fashion to allow us to follow upstream again for maintenance and security fixes.

Security Readiness Review For Adding Private Claims To OAuth ExtensionClosed, ResolvedPublicActions

Description

Related ObjectsSearch...

Event Timeline

Security Readiness Review For Adding Private Claims To OAuth Extension
Closed, ResolvedPublic
Actions

Related Objects
Search...