Page MenuHomePhabricator
Create Task
Maniphest T323855

OAuth 2.0 non-confidential clients cannot use refresh tokens without client secret
Open, Needs TriagePublic
Actions

Description

MediaWiki-extensions-OAuth supports non-confidential clients, which can get an access token based on only their client ID. However, those clients can’t refresh the access tokens with only their client ID – they get a refresh token, but trying to use it will yield an authentication error. Since the access token has the same TTL as for confidential clients (14400 seconds), non-confidential clients only have two options to make authenticated requests beyond that TTL: ship the client secret together with the client ID (making it not secret), or repeat the authorization flow every four hours.

This is a limitation inherited from the underlying league/oauth2-server package, where you can see the difference between auth code and refresh token handlers:

AuthCodeGrant.php
// Only validate the client if it is confidential
if ($client->isConfidential()) {
    $this->validateClient($request);
}
RefreshTokenGrant.php
// Validate request
$client = $this->validateClient($request);

It’s tracked upstream as issue #1073, but I thought it would be useful to have a task on Phabricator too. (Note that Extension:OAuth and mediawiki/vendor.git currently use a custom “9.0.0-alpha” version of the library, so even if the library implements this feature, switching to that release version might not be trivial depending on how much it diverges from the version we currently use.)

Related Objects

Event Timeline

LucasWerkmeister created this task.Nov 26 2022, 9:43 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 26 2022, 9:43 PM
LucasWerkmeister added a comment.Nov 26 2022, 9:55 PM

Although MediaWiki still generates a secret key for non-confidential OAuth 2.0 consumers (idk why), and if you use that secret key, you can still successfully use the refresh token.

On the one hand, that means you’re using the non-confidential client exactly like a confidential one, which seems kind of pointless.

But on the other hand… I guess you could just treat the client secret of a non-confidential client as another piece of public information, and publish it together with the client ID?

Reedy moved this task from Backlog to Reported Upstream on the Upstream board.Nov 26 2022, 10:29 PM
LucasWerkmeister mentioned this in T323867: Clarify use of non-confidential OAuth 2.0 clients.Nov 27 2022, 12:38 PM
LucasWerkmeister mentioned this in T234677: Support Free and Open Source software API clients with OAuth 2.0.Nov 27 2022, 12:43 PM
Tgr subscribed.Jul 2 2023, 8:54 PM

There's some discussion here - the behavior of using refresh tokens with public clients is not super well-defined in the spec, but it's reasonable to expect the refresh_token grant to work without the (known to be insecure) client authentication in the case of public clients. But it's not something we'd want to fork upstream over, since clients can just use the client secret and everything will work fine, so this seems like a non-issue to me (other than maybe clarifying the documentation).

Iluvatar subscribed.Oct 21 2024, 6:46 PM
LucasWerkmeister added a comment.Feb 20 2025, 11:33 PM

It’s tracked upstream as issue #1073

Apparently this was fixed upstream in #1420, which is included in the 9.2.0 release that was published last Saturday, so at some point we’ll hopefully get that fix pulled into mediawiki/vendor. (Though we’ll need to test it first, of course, which I haven’t done in the slightest so far.)

Addshore subscribed.Feb 20 2025, 11:35 PM
LucasWerkmeister renamed this task from OAuth 2.0 non-confidential clients cannot use refresh tokens to OAuth 2.0 non-confidential clients cannot use refresh tokens without client secret.Feb 28 2025, 12:46 PM
LucasWerkmeister updated the task description. (Show Details)
LucasWerkmeister moved this task from Reported Upstream to Patch released upstream on the Upstream board.
Abbe98 subscribed.May 3 2025, 11:47 PM
Dbrant subscribed.Jul 18 2025, 6:43 PM

We're working towards enabling the native apps (Android and iOS) to use OAuth 2, and it looks like we might be blocked on this issue, since apps must necessarily be non-confidential clients, and also must be able to use refresh tokens.
Since it looks like the issue was fixed upstream, are there plans to pull in the latest upstream dependency?
(Or would you recommend we ship the client secret along with the client ID?)

Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptJul 18 2025, 6:43 PM
LucasWerkmeister added a comment.Jul 18 2025, 8:10 PM
In T323855#11017718, @Dbrant wrote:

(Or would you recommend we ship the client secret along with the client ID?)

As far as I understand, there’s basically no reason not to ship the client secret. You shouldn’t have to, but also it shouldn’t hurt, so you might as well do it to work around this task. (See also T323867.)

OWresch-WMF moved this task from Inbox, needs triage to Next (DO NOT USE) on the MediaWiki-Platform-Team board.Jul 21 2025, 1:11 PM
Tgr added a comment.Jul 23 2025, 5:01 PM

It would be nice to fix this by the time apps need production OAuth client credentials, but my impression is also that there's no harm in shipping the secret. In theory, you could require some more sensitive things to go through the server and use the secret as a proof, and publishing the secret makes that impossible; but in practice, we don't support that kind of thing anyway.

In T323855#10569694, @LucasWerkmeister wrote:

Apparently this was fixed upstream in #1420, which is included in the 9.2.0 release

We use a fork of 9.0.0.
https://github.com/thephpleague/oauth2-server/compare/9.0.0...9.2.0

Tgr added a comment.Jul 25 2025, 11:45 AM

So it sounds like the proper fix for this is blocked on either fixing T261462: Migrate OAuth extension back from wikimedia/oauth2-server fork to upstream or at least upgrading our fork. Which seems messy, I left some notes at T261462#11034161.

OWresch-WMF edited projects, added MediaWiki-Platform-Team (Q3 Kanban Board); removed MediaWiki-Platform-Team.Nov 21 2025, 11:39 AM
Tgr mentioned this in T407987: Define best practice for single-user apps which need a high MediaWiki API rate limit.Dec 3 2025, 9:18 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits