
API Portal login doesn't automatically log in to Meta
Open, High, Public

Description

Expected behavior

Navigating to https://api.wikimedia.beta.wmflabs.org/wiki/Special:AppManagement always shows existing clients and allows you to create clients

Observed behavior

If you are not already logged in to Beta-Meta, the Beta API Portal app management page appears blank, not showing existing clients, and gives an error when trying to create clients. If you go to Beta-Meta and log in, then come back to the Beta Portal, the app management page works as expected.

Background

For the cross-wiki functionality to operate, you need to be logged in on both API portal and on metawiki, but because it's not in the auto-login list, you can end up being logged out of meta and logged in on API portal. In an attempt to address this, we've added API Portal to $wgCentralAuthAutoLoginWikis and allowed read of CentralAuth special pages on api portal, but neither resolved the issue.

Steps to reproduce

  1. Make sure you are logged out of https://meta.wikimedia.beta.wmflabs.org/wiki/Main_Page
  2. Visit https://api.wikimedia.beta.wmflabs.org/wiki/Special:AppManagement
  3. See that no existing clients are visible and that you are unable to create a new client (requires permissions)
  4. Go and log in to https://meta.wikimedia.beta.wmflabs.org/wiki/Main_Page
  5. Return to https://api.wikimedia.beta.wmflabs.org/wiki/Special:AppManagement and see that the page now works as expected

Console warning

"Access to XMLHttpRequest at 'https://meta.wikimedia.beta.wmflabs.org/w/rest.php/oauth2/client?limit=5&oauth_version=2&sort=%7B%22property%22%3A%22registration%22%2C%22direction%22%3A%22DESC%22%7D' from origin 'https://api.wikimedia.beta.wmflabs.org' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute."

To do

  • Determine whether this issue is specific to the API Portal or not. (Based on some testing with production Meta and Wikipedia, my guess is that it's not.)
  • Determine if a fix is possible and how to implement
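The rule quoted in the console warning, as an added example (not part of the task and not MediaWiki's code): `corsCheck` follows the Fetch standard's CORS check for a response, and `credentialedCorsHeaders` is a hypothetical allowlist-based server policy shown beside the wildcard response. The function names and the allowlist are assumptions; the portal origin is the one from the warning.

```javascript
'use strict';

// Browser side: the Fetch standard's "CORS check" applied to response headers.
// credentialsMode is 'include' when XMLHttpRequest.withCredentials is true.
function corsCheck(requestOrigin, credentialsMode, headers) {
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    return { ok: false, reason: 'no Access-Control-Allow-Origin' };
  }
  const withCreds = credentialsMode === 'include';
  // A wildcard is only acceptable when no cookies are sent.
  if (!withCreds && allowOrigin === '*') return { ok: true, reason: 'wildcard, no credentials' };
  if (allowOrigin !== requestOrigin) {
    const reason = allowOrigin === '*' ? 'wildcard with credentials' : 'origin mismatch';
    return { ok: false, reason };
  }
  if (!withCreds) return { ok: true, reason: 'origin match' };
  if (headers['access-control-allow-credentials'] === 'true') {
    return { ok: true, reason: 'origin match, credentials allowed' };
  }
  return { ok: false, reason: 'Access-Control-Allow-Credentials is not true' };
}

// Server side (hypothetical policy): echo the origin only when it is on an
// explicit allowlist, never reflect arbitrary origins for credentialed requests.
function credentialedCorsHeaders(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.has(requestOrigin)) return {}; // no CORS headers: browser blocks
  return {
    'access-control-allow-origin': requestOrigin,
    'access-control-allow-credentials': 'true',
    'vary': 'Origin', // caches must not reuse the response for another origin
  };
}

const PORTAL = 'https://api.wikimedia.beta.wmflabs.org'; // origin from the warning
const ALLOWED = new Set([PORTAL]);                       // constructed allowlist
const OTHER = 'https://other.example';                   // constructed origin

function demo() {
  return {
    wildcard: corsCheck(PORTAL, 'include', { 'access-control-allow-origin': '*' }),
    allowlisted: corsCheck(PORTAL, 'include', credentialedCorsHeaders(PORTAL, ALLOWED)),
    unlisted: corsCheck(OTHER, 'include', credentialedCorsHeaders(OTHER, ALLOWED)),
  };
}

console.log(demo());
```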

Event Timeline

apaskulin created this task. Mon, Oct 5, 4:06 PM

I've noticed that if I go to beta meta, which logs me in to beta meta, and then revisit beta API Portal, I then see my clients.

Cindy and I are thinking that this is likely an issue with Central Auth and cookies. @Pchelolo would you be willing to help troubleshoot?

As far as I can tell, the steps to reproduce are:

  1. Create an OAuth 2.0 client on the beta API Portal or on beta meta
  2. Make sure you are logged out of beta meta
  3. Log in to API Portal beta and go to Special:AppManagement
  4. See that your client isn't displayed
  5. Go back to beta meta and log in
  6. Go back to the beta portal and see that your client is now displayed

It would be helpful if, when this happens, you could open a browser developer console and see what's going on with requests and if there are any errors, and post it here.

Need to add the portal to $wgCentralAuthAutoLoginWikis

apaskulin renamed this task from Clients don't always load to Add API Portal to $wgCentralAuthAutoLoginWikis. Mon, Oct 5, 7:26 PM
apaskulin assigned this task to CCicalese_WMF.
apaskulin triaged this task as High priority.
apaskulin updated the task description.

Change 632322 had a related patch set uploaded (by Cicalese; owner: Cicalese):
[operations/mediawiki-config@master] Add API Portal to $wgCentralAuthAutoLoginWikis - beta

https://gerrit.wikimedia.org/r/632322

Change 632323 had a related patch set uploaded (by Cicalese; owner: Cicalese):
[operations/mediawiki-config@master] Add API Portal to $wgCentralAuthAutoLoginWikis - prod

https://gerrit.wikimedia.org/r/632323

Change 632322 merged by jenkins-bot:
[operations/mediawiki-config@master] Add API Portal to $wgCentralAuthAutoLoginWikis - beta

https://gerrit.wikimedia.org/r/632322

Additionally, we need to unblock subpages of Special:CentralAutoLogin/, in particular Special:CentralAutoLogin/start

Change 632484 had a related patch set uploaded (by Ppchelko; owner: Ppchelko):
[operations/mediawiki-config@master] Allow read of CentralAuth special pages on api portal

https://gerrit.wikimedia.org/r/632484

Change 632484 merged by jenkins-bot:
[operations/mediawiki-config@master] Allow read of CentralAuth special pages on api portal

https://gerrit.wikimedia.org/r/632484

Mentioned in SAL (#wikimedia-operations) [2020-10-06T18:12:28Z] <ppchelko@deploy1001> Synchronized wmf-config/InitialiseSettings.php: gerrit:632484 T264637 (duration: 00m 58s)

Change 632323 merged by jenkins-bot:
[operations/mediawiki-config@master] Add API Portal to $wgCentralAuthAutoLoginWikis - prod

https://gerrit.wikimedia.org/r/632323

Mentioned in SAL (#wikimedia-operations) [2020-10-06T18:15:44Z] <ppchelko@deploy1001> Synchronized wmf-config/InitialiseSettings.php: gerrit:632323 T264637 (duration: 00m 58s)

apaskulin renamed this task from Add API Portal to $wgCentralAuthAutoLoginWikis to API Portal login doesn't automatically log in to Meta. Wed, Oct 7, 4:29 PM
Pchelolo removed Pchelolo as the assignee of this task. Sun, Oct 18, 11:41 PM
apaskulin updated the task description. Tue, Oct 20, 3:03 PM