Page MenuHomePhabricator

REST API returns invalid access tokens
Closed, ResolvedPublic


Observed behavior

When creating an owner-only client via the API Portal, the resulting access token is invalid. In addition to the error, these tokens are clearly not in JWT format. This also happens when resetting an access token via the API Portal. When doing the same operation via Meta, the token is a standard JWT and works correctly. This leads me to believe that this is an issue with the OAuth extension /oauth2/client and /oauth2/client/{client_key}/reset_secret endpoints. This is not an issue with client secrets, just with access tokens for owner-only clients. Access tokens obtained via other OAuth flows work as expected.

$ curl -H "Authorization: Bearer 80_character_access_token"

{"httpCode":401,"httpReason":"Jwt is not in the form of Header.Payload.Signature with two dots and 3 sections"}

Expected behavior

Access tokens are valid JWTs and are accepted by the API Gateway.

$ curl -H "Authorization: Bearer 1000_character_access_token"

{"id":9228,"key":"Earth","title":"Earth","latest":{"id":989047607,"timestamp":"2020-11-16T19:26:33Z"},"content_model":"wikitext","license":{"url":"//","title":"Creative Commons Attribution-Share Alike 3.0"},"html_url":""}

Event Timeline

apaskulin moved this task from Backlog to Tech debt on the API-Portal board.
apaskulin updated the task description. (Show Details)
apaskulin renamed this task from Access tokens for owner-only clients failing to REST API returns invalid access tokens.Jan 22 2021, 3:03 AM
apaskulin updated the task description. (Show Details)
This comment was removed by apaskulin.

Hi Clinic Duty friends, would it be possible for you to take a look at this? This issue is currently blocking the API Portal.

Behavior confirmed locally. Created an owner-only client via the special page in my local wiki gives a JWT. Creating one via the endpoint gives the shorter token.

For reference, here's the curl command I used to invoke the create endpoint locally:

curl -H "Accept: application/json" --cookie "<my local cookie values>" -X POST -F name=T272665-309 -F description=foo -F email=<my email address> -F is_confidential=1 -F grant_types=client_credentials -F scopes=basic -F callback_url= -F owner_only=true

Change 658472 had a related patch set uploaded (by BPirkle; owner: BPirkle):
[mediawiki/extensions/OAuth@master] Return a JWT rather than an identifier

Change 658472 merged by jenkins-bot:
[mediawiki/extensions/OAuth@master] Return a JWT rather than an identifier

Verified on beta. Thanks, Bill!