Page MenuHomePhabricator
Create Task
Maniphest T261428

Add support for iss claim in OAuth2 access tokens
Closed, ResolvedPublic
Actions

Description

MediaWiki should be setting an issuer claim on the access token JWT it emits - this is generally useful, conforms the protocol and is generally good. Unfortunately, the oauth2-server library we are using does not support it.

Plan:

Details

SubjectRepoBranchLines +/-
Emit `iss` claims for oauth2 access token.mediawiki/extensions/OAuthmaster+60 -12
Update oauth2-server dependencymediawiki/vendormaster+52 -4
Customize query in gerrit

Related Objects
Search...

Event Timeline

Pchelolo created this task.Aug 27 2020, 4:19 PM
Pchelolo moved this task from Backlog to Doing on the Platform Team Workboards (Green) board.
Pchelolo renamed this task from Add support for its claim in OAuth2 access tokens to Add support for iss claim in OAuth2 access tokens.Aug 27 2020, 4:26 PM
Pchelolo removed projects: Platform Team Sprints Board (Sprint 1), Story.
Pchelolo added a comment.Aug 27 2020, 6:20 PM

Strawman implementation of the library support https://github.com/wikimedia/oauth2-server/pull/1

Pchelolo claimed this task.Aug 31 2020, 2:56 PM
Pchelolo added a subscriber: Clarakosi.

I guess I'll do the whole thing myself and will ask @Clarakosi to test my code

gerritbot added a comment.Aug 31 2020, 5:24 PM

Change 623430 had a related patch set uploaded (by Ppchelko; owner: Ppchelko):
[mediawiki/vendor@master] Update oauth2-server dependency

https://gerrit.wikimedia.org/r/623430

gerritbot added a project: Patch-For-Review.Aug 31 2020, 5:24 PM
gerritbot added a comment.Aug 31 2020, 6:01 PM

Change 623434 had a related patch set uploaded (by Ppchelko; owner: Ppchelko):
[mediawiki/extensions/OAuth@master] Emit iss claims for oauth2 access token.

https://gerrit.wikimedia.org/r/623434

Pchelolo updated the task description. (Show Details)Aug 31 2020, 8:45 PM
Pchelolo moved this task from Doing to Waiting for Review on the Platform Team Workboards (Green) board.
Pchelolo mentioned this in T261462: Migrate OAuth extension back from wikimedia/oauth2-server fork to upstream.
Pchelolo moved this task from Waiting for Review to Ready to Deploy on the Platform Team Workboards (Green) board.Sep 2 2020, 3:48 PM
gerritbot added a comment.Sep 2 2020, 4:07 PM

Change 623430 merged by jenkins-bot:
[mediawiki/vendor@master] Update oauth2-server dependency

https://gerrit.wikimedia.org/r/623430

gerritbot added a comment.Sep 2 2020, 4:07 PM

Change 623434 merged by jenkins-bot:
[mediawiki/extensions/OAuth@master] Emit iss claims for oauth2 access token.

https://gerrit.wikimedia.org/r/623434

ReleaseTaggerBot added a project: MW-1.36-notes (1.36.0-wmf.8; 2020-09-08).Sep 2 2020, 5:01 PM
Pchelolo updated the task description. (Show Details)Sep 3 2020, 1:43 PM
WDoranWMF removed a subtask: T261986: Upload WMF fork of oauth2-server to packagist and vendor it.Sep 4 2020, 2:09 PM
WDoranWMF added a subtask: T261986: Upload WMF fork of oauth2-server to packagist and vendor it.
Pchelolo closed subtask T261986: Upload WMF fork of oauth2-server to packagist and vendor it as Resolved.Sep 9 2020, 2:09 PM
Pchelolo closed this task as Resolved.Sep 9 2020, 7:33 PM
Pchelolo moved this task from Ready to Deploy to Done on the Platform Team Workboards (Green) board.

Ok, fixes were deployed on meta. I have made a consumer, got a token, decoded a token and tadadadam:

"iss": "https://meta.wikimedia.org",
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL