Page MenuHomePhabricator
Create Task
Maniphest T269152

OAuth 2.0 refresh tokens expire after 1 minute
Closed, ResolvedPublic1 Estimated Story Points
Actions

Description

To do: Set $wgOAuth2RefreshTokenTTL in the OAuth extension on production Meta-Wiki to 365 days

Background

By default, the $wgOAuth2RefreshTokenTTL is only one minute. This hasn't been a problem previously, because our access tokens were effectively infinite (see T265075).

Since we've brought the access token expiry down to human scale (hours, not billions of years), we need the refresh token to work, too.

When the refresh token expires, the user will have to go through authorisation again. So, we should choose a refresh time to be how long we want a user to go without logging in again.

Our Web interface lets you set a "remember me" cookie "for up to 365 days", so that is probably a good default here. We can adjust as needed in the future.

Details

ProjectBranchLines +/-Subject
operations/mediawiki-configmaster+1 -0CommonSettings: OAuth 2.0 refresh tokens expire after 1 minute
Customize query in gerrit

Related Objects

Event Timeline

eprodromou created this task.Dec 1 2020, 6:02 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 1 2020, 6:02 PM
eprodromou added a project: MediaWiki-extensions-OAuth.Dec 1 2020, 6:02 PM
apaskulin triaged this task as High priority.Dec 3 2020, 9:51 PM
apaskulin added a project: Platform Team Workboards (S&F Workboard).
apaskulin moved this task from Backlog to Current sprint Backlog on the Platform Team Workboards (S&F Workboard) board.
apaskulin updated the task description. (Show Details)
Vlad.shapik claimed this task.Dec 4 2020, 9:28 AM
Vlad.shapik moved this task from Current sprint Backlog to In Progress/Doing on the Platform Team Workboards (S&F Workboard) board.
gerritbot added a comment.Dec 4 2020, 10:06 AM

Change 645308 had a related patch set uploaded (by Vlad.shapik; owner: Vlad.shapik):
[operations/mediawiki-config@master] CommonSettings: OAuth 2.0 refresh tokens expire after 1 minute

https://gerrit.wikimedia.org/r/645308

gerritbot added a project: Patch-For-Review.Dec 4 2020, 10:06 AM
Vlad.shapik moved this task from In Progress/Doing to In Progress/In Review on the Platform Team Workboards (S&F Workboard) board.Dec 4 2020, 10:14 AM
gerritbot added a comment.Dec 7 2020, 2:23 PM

Change 646682 had a related patch set uploaded (by Vlad.shapik; owner: Vlad.shapik):
[operations/mediawiki-config@master] Merge branch 'master' of ssh://gerrit.wikimedia.org:29418/operations/mediawiki-config into T269152-oauth-2-0-refresh-tokens-expire-after-1-minute Change-Id: I5b09898062babb919245973f7a77b2e51b76e684

https://gerrit.wikimedia.org/r/646682

gerritbot added a comment.Dec 7 2020, 2:24 PM

Change 646682 abandoned by Vlad.shapik:
[operations/mediawiki-config@master] Merge branch 'master' of ssh://gerrit.wikimedia.org:29418/operations/mediawiki-config into T269152-oauth-2-0-refresh-tokens-expire-after-1-minute Change-Id: I5b09898062babb919245973f7a77b2e51b76e684

Reason:

https://gerrit.wikimedia.org/r/646682

Vlad.shapik set the point value for this task to 1.Dec 9 2020, 6:35 PM
gerritbot added a comment.Dec 10 2020, 3:51 PM

Change 645308 merged by jenkins-bot:
[operations/mediawiki-config@master] CommonSettings: OAuth 2.0 refresh tokens expire after 1 minute

https://gerrit.wikimedia.org/r/645308

Vlad.shapik moved this task from In Progress/In Review to PM Sign Off on the Platform Team Workboards (S&F Workboard) board.Dec 10 2020, 3:51 PM
apaskulin closed this task as Resolved.Dec 10 2020, 4:39 PM
apaskulin moved this task from PM Sign Off to Done on the Platform Team Workboards (S&F Workboard) board.

The refresh token's expiration period isn't explicitly returned by the OAuth API, but I've verified that the refresh token is valid after >1 minute. Thanks, Vlad and Cindy!

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL