Page MenuHomePhabricator
Create Task
Maniphest T321591

Configure OAuth 2.0 token expiry to something reasonable
Closed, DeclinedPublic
Actions

Description

Currently we set expiry for new JWT tokens with an expiry field of 1000 years from date of creation. We should probably have a conversation about having this as something lower and setting this as a configuration option. This came up in T244423 around questions of validity of tokens themselves - this is no longer a concern as we set a valid expiry, but it is still a somewhat unreasonable and potentially dangerous value.

Related Objects

Event Timeline

hnowlan created this task.Oct 25 2022, 4:07 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 25 2022, 4:07 PM
VirginiaPoundstone moved this task from Incoming to Backlog on the API Platform board.Nov 14 2022, 9:24 AM
VirginiaPoundstone moved this task from Backlog to Incoming on the API Platform board.
VirginiaPoundstone moved this task from Incoming to Must do now on the API Platform board.Nov 29 2022, 8:17 PM
VirginiaPoundstone moved this task from Must do now to Needs Grooming on the API Platform board.Feb 16 2023, 11:15 PM
JArguello-WMF moved this task from Needs Grooming to Incoming on the API Platform board.Feb 21 2023, 7:06 PM
JArguello-WMF moved this task from Incoming to Needs Grooming on the API Platform board.Apr 18 2023, 4:17 PM
JArguello-WMF moved this task from Needs Grooming to Incoming on the API Platform board.
VirginiaPoundstone moved this task from Incoming to API Gateway Roadmap on the API Platform board.Apr 26 2023, 1:19 PM
VirginiaPoundstone edited projects, added API Platform (API Gateway Roadmap); removed API Platform.
VirginiaPoundstone added a project: Platform Team Workboards (Platform Engineering Reliability).
acooper subscribed.Jun 20 2023, 12:37 PM
Tgr subscribed.Jul 2 2023, 5:27 AM

This is about owner-only tokens, right? (And about access tokens?) Non-owner-only access tokens expire after $wgOAuth2GrantExpirationInterval which is 1 hour by default and 4 hours on Wikimedia servers.

mykhal subscribed.May 6 2024, 6:40 PM
mykhal added a comment.May 6 2024, 7:08 PM

(Right, when i dug into my test token generated at Special:OAuthConsumerRegistration/propose/oauth2, I was surprised it contains an exp value corresponding to today's date in year 3024, instead of value nearer to claimed 30 days from now. It would be good if the value was meaningful.)

Tgr closed this task as Declined.Dec 18 2025, 10:47 AM

I'll close this in favor of T412214: Ensure a good experience for apps which want to use OAuth credentials for a long time (refresh token grace period) as we don't want to break the use case of running an app for a very long time without requiring the user going through the authorization dialog, and ATM we don't really have a mechanism for that other than forever-valid access tokens.

Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptDec 18 2025, 10:47 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits