
Warn users during OAuth 2 app creation when they provide a callback URL that's just the domain
Closed, ResolvedPublic

Description

OAuth 2.0 requires an exact callback URL to be registered. Users sometimes put in something like https://mysite.com and we tend to reject those with a message like "OAuth 2.0 grants only work with exact callback URLs. This grant is unlikely to work." That's not a great use of everyone's time (and in some rare cases maybe the user did want that to be an exact URL); it would be better to show a warning up ahead.

Whenever the "OAuth callback URL" field of the OAuth consumer creation form is filled with an URL that has no path, query or fragment component, and the protocol is OAuth 2.0, we should show a warning saying something like "OAuth 2.0 grants only work with exact callback URLs. Are you sure you want to use this URL?" The "Redirect URI" field in WikimediaApiPortalOAuth should have similar treatment.

See also:

Event Timeline

Unrelated, but also a good place to tell people they must use https for (non-test) OAuth 2 apps.

It would also be nice to catch obviously wrong callback URLs. E.g. sometimes people use a wikimedia.org URL (confuse the callback URL with the OAuth endpoint).

Another frequent validation problem is people e.g. doing Outreachy tasks who are probably trying to set up the tool locally, but register it with the live URL instead (e.g.). We should probably warn if the domain is not localhost or a list of known "mirror" domains like wmftest.net, it matches an existing consumer URL, but the consumer name does not match.

Change 910805 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/OAuth@master] Check callback URL for common mistakes

https://gerrit.wikimedia.org/r/910805

Change 910805 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] Check callback URL for common mistakes

https://gerrit.wikimedia.org/r/910805

Unrelated, but also a good place to tell people they must use https for (non-test) OAuth 2 apps.

The “non-test” part seems to have gotten lost between planning and implementation, because now it’s no longer possible to register http://localhost:somePort/ OAuth 2 clients at all, as far as I can tell.

I had hoped to create a non-confidential client that I could use for several examples for my API library, demonstrating how to use OAuth in a simple web app, which users could try out locally. With http://localhost callback URLs prohibited, I don’t see how I can achieve that. (Using https://localhost or https://example.com or anything else, and requiring users to manually edit the URL back to http://localhost, would theoretically work, but be extremely user-unfriendly.)

It's not just useful for testing purposes. For applications like OpenRefine, which normally run on the user's machine directly and are not meant to be hosted, it is important that the callback can be a localhost URL, therefore using HTTP. OpenRefine itself runs as a locally hosted web app (typically at http://localhost:3333/).

Although we don't have immediate plans to migrate out of password login to OAuth 2 soon, this problem would be a blocker for us if we were to do it (which we likely should!)

There are a couple of variants of localhost which should likely be accepted without HTTPS (addresses in the 127.0.0.0/8 range, the IPv6 variant ::1, maybe others I am not aware of? Worth checking!)
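The checks discussed in the task description and in the comments above (warn when an OAuth 2.0 callback is just a bare domain, flag callbacks that point at the provider's own wikimedia.org domain, require https except for loopback hosts such as localhost, 127.0.0.0/8 and ::1) can be combined into one validator. The code below is an added illustration written for this page, not code from the OAuth extension or from either Gerrit change; the function names, the error/warning split, the wikimedia.org domain check and the sample URLs are all assumptions or constructed inputs.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Hostnames that are accepted over plain http (assumption: names that the
# thread explicitly mentions; IP-literal loopback addresses are detected
# separately via ipaddress so 127.0.0.0/8 and ::1 are covered too).
LOOPBACK_NAMES = {"localhost"}

# Assumption: the OAuth provider's own domain. A callback pointing here is
# almost certainly the OAuth endpoint copied into the wrong field.
PROVIDER_DOMAIN = "wikimedia.org"


def is_loopback_host(host):
    """True for 'localhost' and for any IPv4/IPv6 loopback literal."""
    if not host:
        return False
    host = host.lower()
    if host in LOOPBACK_NAMES:
        return True
    try:
        # urlsplit().hostname already strips the [] around IPv6 literals.
        return ip_address(host).is_loopback
    except ValueError:
        return False


def check_callback_url(url, oauth_version):
    """Validate a consumer callback URL.

    Returns {"errors": [...], "warnings": [...]}: errors should block
    registration, warnings should be shown to the user before submitting.
    """
    errors, warnings = [], []
    try:
        parts = urlsplit(url)
    except ValueError:
        return {"errors": ["Callback URL is not parseable."], "warnings": []}

    if parts.scheme not in ("http", "https") or not parts.hostname:
        return {"errors": ["Callback URL must be an absolute http(s) URL."],
                "warnings": []}

    host = parts.hostname

    # Plain http is only acceptable for loopback targets (local testing or
    # locally hosted apps such as OpenRefine); everything else needs TLS.
    if parts.scheme == "http" and not is_loopback_host(host):
        errors.append("https is required unless the callback is a loopback address.")

    # A URL with no path (or only "/"), no query and no fragment is "just the
    # domain"; OAuth 2.0 requires an exact match, so this is usually a mistake.
    bare_domain = parts.path in ("", "/") and not parts.query and not parts.fragment
    if oauth_version == 2 and bare_domain:
        warnings.append("OAuth 2.0 grants only work with exact callback URLs. "
                        "Are you sure you want to use this URL?")

    # Callback on the provider's own domain: likely confused with the endpoint.
    if host == PROVIDER_DOMAIN or host.endswith("." + PROVIDER_DOMAIN):
        warnings.append("This looks like the OAuth provider's own domain; the callback "
                        "URL must point at your application, not at the OAuth endpoint.")

    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample inputs mirroring the cases raised in the thread.
    for sample in ("https://mysite.com",
                   "https://mysite.com/oauth/callback",
                   "http://mysite.com/oauth/callback",
                   "http://localhost:3333/",
                   "http://[::1]:8080/callback",
                   "https://www.wikimedia.org/some/path"):
        print(sample, "->", check_callback_url(sample, 2))
```

The split into errors and warnings is the point the task makes: a bare-domain callback is not wrong in every case, so the user gets a question rather than a rejection, while a non-loopback http callback is rejected outright.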

I uploaded a Gerrit change to allow localhost URLs here: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OAuth/+/919035 – not sure if it should be attached to this task or a separate one.

Since this task hasn’t been closed yet, I guess we might as well attach the change here.

Change 919035 had a related patch set uploaded (by Lucas Werkmeister; author: Lucas Werkmeister):

[mediawiki/extensions/OAuth@master] Allow http://localhost callback URL

https://gerrit.wikimedia.org/r/919035

Change 919035 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] Allow http://localhost callback URL

https://gerrit.wikimedia.org/r/919035

Change 919168 had a related patch set uploaded (by BryanDavis; author: Lucas Werkmeister):

[mediawiki/extensions/OAuth@wmf/1.41.0-wmf.8] Allow http://localhost callback URL

https://gerrit.wikimedia.org/r/919168

Change 919168 merged by jenkins-bot:

[mediawiki/extensions/OAuth@wmf/1.41.0-wmf.8] Allow http://localhost callback URL

https://gerrit.wikimedia.org/r/919168

Mentioned in SAL (#wikimedia-operations) [2023-05-11T20:12:48Z] <thcipriani@deploy1002> Started scap: Backport for [[gerrit:919168|Allow http://localhost callback URL (T299737)]]

Mentioned in SAL (#wikimedia-operations) [2023-05-11T20:14:23Z] <thcipriani@deploy1002> bd808 and thcipriani: Backport for [[gerrit:919168|Allow http://localhost callback URL (T299737)]] synced to the testservers: mwdebug1001.eqiad.wmnet, mwdebug2002.codfw.wmnet, mwdebug2001.codfw.wmnet, mwdebug1002.eqiad.wmnet

Mentioned in SAL (#wikimedia-operations) [2023-05-11T20:22:25Z] <thcipriani@deploy1002> Finished scap: Backport for [[gerrit:919168|Allow http://localhost callback URL (T299737)]] (duration: 09m 37s)