Page MenuHomePhabricator
Create Task
Maniphest T319685

Work out if we can use non forked league/oauth2-server in REL1_XX branches
Open, Needs TriagePublic
Actions

Description

It's a source of problems and pain points...

Can we use the non forked version of league/oauth2-server in release branches, or have we got code inside the OAuth extension that depends on it?

https://doc.wikimedia.org/cover-extensions/OAuth/ is very low, so I wouldn't like to just use "do the tests pass" as the benchmark...

See also:

Details

SubjectRepoBranchLines +/-
Don't use fork of league/oauth2-servermediawiki/extensions/OAuthREL1_39+1 -7
Customize query in gerrit

Related Objects

Event Timeline

Reedy created this task.Oct 6 2022, 4:15 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 6 2022, 4:15 PM
sbassett subscribed.Oct 6 2022, 4:16 PM
Reedy added a comment.Oct 6 2022, 4:31 PM

I don't think the changes to the OAuth extensions were too big, so shouldn't be too hard to dig out the commits...

Reedy added projects: MW-1.38-release, MW-1.39-release.Oct 6 2022, 4:35 PM
Reedy added a comment.Oct 6 2022, 4:47 PM
In T319685#8292153, @Reedy wrote:

I don't think the changes to the OAuth extensions were too big, so shouldn't be too hard to dig out the commits...

rEOAU5cae17e0f8ca: Add private claims via new OAuthClaimStoreGetClaims hook and rEOAU0425da62f86f: Emit `iss` claims for oauth2 access token. are the two commits..

And they seem to have tests...

gerritbot added a comment.Oct 6 2022, 4:47 PM

Change 839570 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OAuth@REL1_39] Don't use fork of league/oauth2-server

https://gerrit.wikimedia.org/r/839570

gerritbot added a project: Patch-For-Review.Oct 6 2022, 4:47 PM
Reedy added a comment.Oct 6 2022, 4:54 PM

17:50:01 Error: Interface 'League\OAuth2\Server\Repositories\ClaimRepositoryInterface' not found

Not going to be easy :/

tstarling subscribed.Oct 7 2022, 4:27 PM
Reedy moved this task from Blocker to Not a blocker on the MW-1.39-release board.Oct 10 2022, 11:37 PM
tstarling added a comment.EditedOct 11 2022, 6:32 AM
In T319685#8292221, @Reedy wrote:

17:50:01 Error: Interface 'League\OAuth2\Server\Repositories\ClaimRepositoryInterface' not found

That's upstream PR #1122, which has been stalled since October 2020.

The other one, #1138, was rejected upstream as you noted on T261462.

HouseBlaster moved this task from Unsorted to Needs research on the Technical-Debt board.Dec 3 2022, 7:46 PM
Tgr mentioned this in T321160: Lcobucci\JWT\Signer\InvalidKeyProvided: Key cannot be empty.Jan 26 2023, 7:21 PM
Tgr subscribed.Mar 19 2023, 7:07 AM

I would decline this. I don't think the release branches are better served by running a different version of the library than the one in production. That will just make it harder to diagnose issues and easier to accidentally break them.

Pppery edited projects, added Patch-Needs-Improvement; removed Patch-For-Review.Apr 9 2023, 7:52 PM
Reedy moved this task from Blocker to Not a blocker on the MW-1.38-release board.Jun 20 2023, 4:26 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL