Page MenuHomePhabricator
Create Task
Maniphest T272665

REST API returns invalid access tokens
Closed, ResolvedPublic
Actions

Description

Observed behavior

When creating an owner-only client via the API Portal, the resulting access token is invalid. In addition to the error, these tokens are clearly not in JWT format. This also happens when resetting an access token via the API Portal. When doing the same operation via Meta, the token is a standard JWT and works correctly. This leads me to believe that this is an issue with the OAuth extension /oauth2/client and /oauth2/client/{client_key}/reset_secret endpoints. This is not an issue with client secrets, just with access tokens for owner-only clients. Access tokens obtained via other OAuth flows work as expected.

$ curl -H "Authorization: Bearer 80_character_access_token" https://api.wikimedia.org/core/v1/wikipedia/en/page/Earth/bare

{"httpCode":401,"httpReason":"Jwt is not in the form of Header.Payload.Signature with two dots and 3 sections"}

Expected behavior

Access tokens are valid JWTs and are accepted by the API Gateway.

$ curl -H "Authorization: Bearer 1000_character_access_token" https://api.wikimedia.org/core/v1/wikipedia/en/page/Earth/bare

{"id":9228,"key":"Earth","title":"Earth","latest":{"id":989047607,"timestamp":"2020-11-16T19:26:33Z"},"content_model":"wikitext","license":{"url":"//creativecommons.org/licenses/by-sa/3.0/","title":"Creative Commons Attribution-Share Alike 3.0"},"html_url":"https://en.wikipedia.org/w/rest.php/v1/page/Earth/html"}

Details

SubjectRepoBranchLines +/-
Return a JWT rather than an identifiermediawiki/extensions/OAuthmaster+100 -2
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 StalledNoneT268288 Launch API Portal
 ResolvedBPirkleT272665 REST API returns invalid access tokens

Event Timeline

apaskulin created this task.Jan 22 2021, 2:44 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 22 2021, 2:44 AM
apaskulin triaged this task as High priority.Jan 22 2021, 2:45 AM
apaskulin moved this task from Backlog to Tech debt on the API-Portal board.
apaskulin updated the task description. (Show Details)
apaskulin mentioned this in T268257: End-to-end testing for API Gateway, API Portal, and OAuth.Jan 22 2021, 2:51 AM
apaskulin renamed this task from Access tokens for owner-only clients failing to REST API returns invalid access tokens.Jan 22 2021, 3:03 AM
apaskulin edited projects, added MediaWiki-extensions-OAuth; removed MediaWiki-extensions-WikimediaApiPortalOAuth.
apaskulin updated the task description. (Show Details)
apaskulin updated the task description. (Show Details)Jan 22 2021, 3:23 AM
apaskulin added a comment.Jan 22 2021, 4:44 PM
This comment was removed by apaskulin.
apaskulin mentioned this in T268288: Launch API Portal.Jan 22 2021, 5:26 PM
Aklapper added a subtask: T268288: Launch API Portal.Jan 22 2021, 9:59 PM
Aklapper removed a subtask: T268288: Launch API Portal.
Aklapper added a parent task: T268288: Launch API Portal.
apaskulin added a project: Platform Team Workboards (Clinic Duty Team).Jan 22 2021, 10:25 PM

Hi Clinic Duty friends, would it be possible for you to take a look at this? This issue is currently blocking the API Portal.

BPirkle claimed this task.Jan 25 2021, 5:29 PM
apaskulin updated the task description. (Show Details)Jan 25 2021, 5:32 PM
BPirkle added a comment.Jan 25 2021, 9:24 PM

Behavior confirmed locally. Created an owner-only client via the special page in my local wiki gives a JWT. Creating one via the endpoint gives the shorter token.

For reference, here's the curl command I used to invoke the create endpoint locally:

curl -H "Accept: application/json" --cookie "<my local cookie values>" -X POST -F name=T272665-309 -F description=foo -F email=<my email address> -F is_confidential=1 -F grant_types=client_credentials -F scopes=basic -F callback_url=http://default.web.mw.localhost:8080/mediawiki/ -F owner_only=true http://default.web.mw.localhost:8080/mediawiki/rest.php/oauth2/client
gerritbot added a comment.Jan 26 2021, 1:27 AM

Change 658472 had a related patch set uploaded (by BPirkle; owner: BPirkle):
[mediawiki/extensions/OAuth@master] Return a JWT rather than an identifier

https://gerrit.wikimedia.org/r/658472

gerritbot added a project: Patch-For-Review.Jan 26 2021, 1:27 AM
AMooney moved this task from Inbox to Doing(WIP:5) on the Platform Team Workboards (Clinic Duty Team) board.Jan 26 2021, 6:16 PM
gerritbot added a comment.Jan 27 2021, 2:48 AM

Change 658472 merged by jenkins-bot:
[mediawiki/extensions/OAuth@master] Return a JWT rather than an identifier

https://gerrit.wikimedia.org/r/658472

ReleaseTaggerBot added a project: MW-1.36-notes (1.36.0-wmf.29; 2021-02-02).Jan 27 2021, 3:00 AM
Maintenance_bot removed a project: Patch-For-Review.Jan 27 2021, 3:10 AM
BPirkle closed this task as Resolved.Jan 27 2021, 2:18 PM
BPirkle moved this task from Doing(WIP:5) to Done on the Platform Team Workboards (Clinic Duty Team) board.
apaskulin added a comment.Jan 27 2021, 8:05 PM

Verified on beta. Thanks, Bill!

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits