Page MenuHomePhabricator
Create Task
Maniphest T261462

Migrate OAuth extension back from wikimedia/oauth2-server fork to upstream
Open, Stalled, Needs TriagePublic
Actions

Description

In 2020, we in the Core Platform Team forked the thephpleague/oauth2-server package as wikimedia/oauth2-server to incorporate changes while waiting for upstream. They don't seem likely to necessarily include these changes (and one has been declined already), so we need to decide on a longer term solution.

Relevant PR:

See also: T255034: Wikimedia API Gateway Long-term Use

Related Objects

Event Timeline

Pchelolo created this task.Aug 27 2020, 9:28 PM
Restricted Application added a project: Upstream. · View Herald TranscriptAug 27 2020, 9:28 PM
Pchelolo changed the task status from Open to Stalled.Aug 27 2020, 9:29 PM
Pchelolo added a project: Platform Team Workboards (Green).
Pchelolo moved this task from Backlog to Blocked on the Platform Team Workboards (Green) board.
Pchelolo moved this task from Backlog to Patch proposed upstream on the Upstream board.
Pchelolo removed a project: Phabricator (Upstream).
Pchelolo removed a project: Epic.
Pchelolo mentioned this in T260587: Security Readiness Review For Wikimedia/oauth2-server.
Pchelolo merged a task: T257604: Upstream private claims support to oauth2-server.Aug 27 2020, 10:46 PM
Pchelolo added a comment.Aug 31 2020, 8:47 PM

WE would now require https://github.com/thephpleague/oauth2-server/pull/1138 as well. See T261428 for details.

WDoranWMF edited parent tasks, added: T255032: Wikimedia API Gateway Public Launch; removed: T255030: Wikimedia API Gateway MVP.Sep 2 2020, 9:01 PM
WDoranWMF moved this task from Blocked to Backlog on the Platform Team Workboards (Green) board.
eprodromou edited parent tasks, added: T255034: Wikimedia API Gateway Long-term Use; removed: T255032: Wikimedia API Gateway Public Launch.Oct 8 2020, 10:27 PM
Reedy subscribed.Dec 5 2020, 11:39 PM
In T261462#6425151, @Pchelolo wrote:

WE would now require https://github.com/thephpleague/oauth2-server/pull/1138 as well. See T261428 for details.

Which got declined.

https://github.com/thephpleague/oauth2-server/pull/1122 has had no movement...

Then there's also been some more releases, which our fork doesn't (currently) implement)
https://github.com/thephpleague/oauth2-server/releases/tag/8.2.0
https://github.com/thephpleague/oauth2-server/releases/tag/8.2.1
https://github.com/thephpleague/oauth2-server/releases/tag/8.2.2
https://github.com/thephpleague/oauth2-server/releases/tag/8.2.3

Reedy added a comment.Dec 20 2020, 6:59 PM

See also T270595: Update league/oauth2-server fork, and update in MW Vendor...

https://github.com/thephpleague/oauth2-server/releases/tag/8.2.4 is out now too

Still no apparent progress on the upstream... This is going to become a maintenance burden, and at some point the risk assigned may need to be increased

Aklapper added a project: Technical-Debt.Jun 17 2021, 9:27 AM
Aklapper removed a subscriber: eprodromou.

wWhile https://github.com/thephpleague/oauth2-server/releases continues to progress and divert from our fork...

Reedy mentioned this in T288268: Update league/oauth2-server fork (>= 8.3.2), and update in MW Vendor.Aug 5 2021, 4:49 PM
Reedy added a comment.Aug 5 2021, 5:46 PM

As they're not going to accept our patches... Is there any way we can use OOPS-y type practices to create a sub library (or similar) and do our changes, overrides etc in there, rather than having to patch the code itself?

Or similar, if they won't add our features, see if they can add hooks/similar for us (if they don't exist already?) to do ours

Reedy updated the task description. (Show Details)Aug 5 2021, 5:50 PM
Reedy updated the task description. (Show Details)
Reedy added a comment.Aug 5 2021, 5:53 PM

https://github.com/thephpleague/oauth2-server/pull/1122 still looks like it could still get accepted, eventually... And is the more complex work.

https://github.com/thephpleague/oauth2-server/pull/1138 is not going to be

Reedy mentioned this in T314344: PHP Fatal error: Trait "League\OAuth2\Server\Entities\Traits\ClaimEntityTrait" not found in ClaimEntity.php on line 8.Aug 2 2022, 10:26 AM
Reedy mentioned this in T318480: OAuth test failure on REL1_39.Sep 25 2022, 12:14 AM
Reedy mentioned this in T319685: Work out if we can use non forked league/oauth2-server in REL1_XX branches.Oct 6 2022, 4:15 PM
tstarling subscribed.Oct 18 2022, 5:42 AM

The other option is to fully fork it. Change the name, update the readme, register it in packagist.

Tgr mentioned this in T321160: Lcobucci\JWT\Signer\InvalidKeyProvided: Key cannot be empty.Jan 26 2023, 7:21 PM
Tgr subscribed.EditedMar 18 2023, 5:28 AM
In T261462#8323690, @tstarling wrote:

The other option is to fully fork it. Change the name, update the readme, register it in packagist.

+1, even as a temporary solution that would be an improvement IMO. The current situation is confusing, this is the only mediawiki/vendor package that uses commit pinning, the syntax for which isn't really intuitive - that just caused an outage (T321160).

In T261462#7264366, @Reedy wrote:

https://github.com/thephpleague/oauth2-server/pull/1138 is not going to be

There is apparently an OAuth-specific JWT spec now, which matches envoy's expectations. I left a comment in #1137.

(Also, as pointed out in that discussion, we could just override the behavior in a subclass.)

Aklapper renamed this task from Migrate away from wikimedia/oauth2-server fork to upstream to [API Gateway] Migrate away from wikimedia/oauth2-server fork to upstream.Apr 1 2024, 8:10 AM
Aklapper removed a subscriber: Pchelolo.
Aklapper added a project: serviceops.Apr 1 2024, 8:14 AM

As API Gateway is nowadays owned by serviceops, adding the serviceops project tag to open API Gateway tasks tagged with the deprecated/archived "Platform Team Initiatives (API Gateway)" tag at https://phabricator.wikimedia.org/project/profile/4321/, as part of Phabricator Housekeeping.

Tgr added a project: MediaWiki-extensions-OAuth.Apr 1 2024, 6:02 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptApr 1 2024, 6:02 PM
larissagaulia moved this task from Inbox, needs triage to Within 2 Qs on the MediaWiki-Platform-Team board.Apr 15 2024, 3:20 PM
Krinkle renamed this task from [API Gateway] Migrate away from wikimedia/oauth2-server fork to upstream to Migrate OAuth extension back from wikimedia/oauth2-server fork to upstream.Apr 15 2024, 3:24 PM
Krinkle removed projects: Platform Team Workboards (Green), Core Platform Team Initiatives (API Gateway).
Krinkle updated the task description. (Show Details)
Krinkle removed a parent task: T255034: Wikimedia API Gateway Long-term Use.
Krinkle updated the task description. (Show Details)
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits