
OAuth 2.0 refresh tokens expire after 1 minute
Closed, Resolved · Public · 1 Estimated Story Points

Description

To do: Set $wgOAuth2RefreshTokenTTL in the OAuth extension on production Meta-Wiki to 365 days

Background

By default, the $wgOAuth2RefreshTokenTTL is only one minute. This hasn't been a problem previously, because our access tokens were effectively infinite (see T265075).

Since we've brought the access token expiry down to human scale (hours, not billions of years), we need the refresh token to work, too.

When the refresh token expires, the user will have to go through authorisation again. So the refresh token lifetime should be set to how long we want a user to be able to go without logging in again.

Our Web interface lets you set a "remember me" cookie "for up to 365 days", so that is probably a good default here. We can adjust as needed in the future.
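To make the reasoning above concrete, here is a small model of access-token and refresh-token lifetimes. It is an added example, not code from the MediaWiki OAuth extension: the access-token lifetime (4 hours) and the token-rotation behaviour are assumptions, while the two refresh TTLs (60 seconds and 365 days) are the values discussed in this task. It shows that a refresh TTL shorter than the access-token lifetime can never be used, because by the time a client needs to refresh, the refresh token is already gone.

```python
"""Model of OAuth 2.0 access/refresh token lifetimes (added example, not the
MediaWiki OAuth extension's code). It demonstrates why a refresh-token TTL
shorter than the access-token lifetime makes the refresh grant useless."""

from dataclasses import dataclass

# Constructed lifetimes for the two configurations compared in the task.
ACCESS_TOKEN_TTL = 4 * 3600          # assumed: access tokens live 4 hours
REFRESH_TTL_DEFAULT = 60             # the one-minute default named in the task
REFRESH_TTL_PROPOSED = 365 * 86400   # 365 days, as proposed in the task


@dataclass(frozen=True)
class TokenPair:
    issued_at: int        # unix seconds at which both tokens were issued
    access_ttl: int       # seconds the access token is valid
    refresh_ttl: int      # seconds the refresh token is valid

    def access_valid(self, now: int) -> bool:
        return now < self.issued_at + self.access_ttl

    def refresh_valid(self, now: int) -> bool:
        return now < self.issued_at + self.refresh_ttl


def refresh(pair: TokenPair, now: int):
    """Server-side check for a refresh_token grant.

    Returns a freshly issued TokenPair, or None when the refresh token has
    expired and the user must authorise again. Rotation (new refresh token
    issued on every refresh) is an assumption of this model."""
    if not pair.refresh_valid(now):
        return None
    return TokenPair(now, pair.access_ttl, pair.refresh_ttl)


def client_session(refresh_ttl: int, idle_seconds: int,
                   access_ttl: int = ACCESS_TOKEN_TTL) -> str:
    """Simulate a client that authorises at t=0, is idle for `idle_seconds`,
    then needs a valid access token. Returns one of:
      'access-still-valid'     - no refresh needed
      'refreshed'              - refresh grant succeeded
      'reauthorisation-needed' - refresh token expired, user must authorise again
    """
    pair = TokenPair(issued_at=0, access_ttl=access_ttl, refresh_ttl=refresh_ttl)
    now = idle_seconds
    if pair.access_valid(now):
        return "access-still-valid"
    return "refreshed" if refresh(pair, now) is not None else "reauthorisation-needed"


def refresh_ttl_is_useful(refresh_ttl: int,
                          access_ttl: int = ACCESS_TOKEN_TTL) -> bool:
    """Invariant: a refresh token is only ever presented after the access token
    has expired, so it must outlive the access token to be of any use."""
    return refresh_ttl > access_ttl


if __name__ == "__main__":
    five_hours = 5 * 3600
    for ttl, label in ((REFRESH_TTL_DEFAULT, "60s"), (REFRESH_TTL_PROPOSED, "365d")):
        print(f"refresh TTL {label}: after 5h idle -> {client_session(ttl, five_hours)}"
              f" (useful: {refresh_ttl_is_useful(ttl)})")
```

With the one-minute default, any client that comes back after its access token has expired is forced through the authorisation flow again; with a 365-day refresh TTL the refresh grant succeeds until a year of inactivity has passed, which is the "remember me" horizon the description settles on.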

Event Timeline

Restricted Application added a subscriber: Aklapper. · Dec 1 2020, 6:02 PM
apaskulin triaged this task as High priority. · Dec 3 2020, 9:51 PM
apaskulin updated the task description.

Change 645308 had a related patch set uploaded (by Vlad.shapik; owner: Vlad.shapik):
[operations/mediawiki-config@master] CommonSettings: OAuth 2.0 refresh tokens expire after 1 minute

https://gerrit.wikimedia.org/r/645308

Change 646682 had a related patch set uploaded (by Vlad.shapik; owner: Vlad.shapik):
[operations/mediawiki-config@master] Merge branch 'master' of ssh://gerrit.wikimedia.org:29418/operations/mediawiki-config into T269152-oauth-2-0-refresh-tokens-expire-after-1-minute Change-Id: I5b09898062babb919245973f7a77b2e51b76e684

https://gerrit.wikimedia.org/r/646682

Change 646682 abandoned by Vlad.shapik:
[operations/mediawiki-config@master] Merge branch 'master' of ssh://gerrit.wikimedia.org:29418/operations/mediawiki-config into T269152-oauth-2-0-refresh-tokens-expire-after-1-minute Change-Id: I5b09898062babb919245973f7a77b2e51b76e684

Reason:

https://gerrit.wikimedia.org/r/646682

Vlad.shapik set the point value for this task to 1. · Dec 9 2020, 6:35 PM

Change 645308 merged by jenkins-bot:
[operations/mediawiki-config@master] CommonSettings: OAuth 2.0 refresh tokens expire after 1 minute

https://gerrit.wikimedia.org/r/645308

apaskulin closed this task as Resolved. · Dec 10 2020, 4:39 PM

The refresh token's expiration period isn't explicitly returned by the OAuth API, but I've verified that the refresh token is valid after >1 minute. Thanks, Vlad and Cindy!