Page MenuHomePhabricator

Add support for iss claim in OAuth2 access tokens
Closed, ResolvedPublic

Description

MediaWiki should be setting an issuer claim on the access token JWT it emits - this is generally useful, conforms the protocol and is generally good. Unfortunately, the oauth2-server library we are using does not support it.

Plan:

Event Timeline

Pchelolo created this task.Aug 27 2020, 4:19 PM
Pchelolo moved this task from Backlog to Doing on the Platform Team Workboards (Green) board.
Pchelolo renamed this task from Add support for its claim in OAuth2 access tokens to Add support for iss claim in OAuth2 access tokens.Aug 27 2020, 4:26 PM

Strawman implementation of the library support https://github.com/wikimedia/oauth2-server/pull/1

Pchelolo claimed this task.Aug 31 2020, 2:56 PM
Pchelolo added a subscriber: Clarakosi.

I guess I'll do the whole thing myself and will ask @Clarakosi to test my code

Change 623430 had a related patch set uploaded (by Ppchelko; owner: Ppchelko):
[mediawiki/vendor@master] Update oauth2-server dependency

https://gerrit.wikimedia.org/r/623430

Change 623434 had a related patch set uploaded (by Ppchelko; owner: Ppchelko):
[mediawiki/extensions/OAuth@master] Emit iss claims for oauth2 access token.

https://gerrit.wikimedia.org/r/623434

Change 623430 merged by jenkins-bot:
[mediawiki/vendor@master] Update oauth2-server dependency

https://gerrit.wikimedia.org/r/623430

Change 623434 merged by jenkins-bot:
[mediawiki/extensions/OAuth@master] Emit iss claims for oauth2 access token.

https://gerrit.wikimedia.org/r/623434

Pchelolo updated the task description. (Show Details)Sep 3 2020, 1:43 PM
Pchelolo closed this task as Resolved.Sep 9 2020, 7:33 PM
Pchelolo moved this task from Ready to Deploy to Done on the Platform Team Workboards (Green) board.

Ok, fixes were deployed on meta. I have made a consumer, got a token, decoded a token and tadadadam:

"iss": "https://meta.wikimedia.org",