OAuth1 and OAuth2 not working for private wiki
Closed, Invalid | Public | BUG REPORT

Description

Steps to replicate the issue (include links if applicable):

  • make a wiki private by setting $wgGroupPermissions['*']['read'] = false. By private I mean visitors cannot view or edit any page, but logged-in users can, so you will also need to make sure $wgGroupPermissions['user']['read'] = true
  • create an OAuth1 or OAuth2 consumer registration record as the administrator, check the checkbox "This consumer is for use only by XXX", record down the
  • try to make a GET call to the endpoint "https://<wiki domain>/api.php?action=query&format=json&titles=TestPage" using either the OAuth1 or OAuth2 method.

What happens?:
Both OAuth1 and OAuth2 get the following error:

{
    "error": {
        "code": "readapidenied",
        "info": "You need read permission to use this module.",
        "*": "See https://www.xxxx.live//api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/postorius/lists/mediawiki-api-announce.lists.wikimedia.org/> for notice of API deprecations and breaking changes."
    }
}

What should have happened instead?:
Expecting something like this:

{
    "batchcomplete": "",
    "query": {
        "pages": {
            "245": {
                "pageid": 245,
                "ns": 0,
                "title": "TestPage"
            }
        }
    }
}

I did some basic troubleshooting based on the suggestions from the IRC channel. I turned on detailed logging using $wgDebugLogFile, and it looks like the Authorization header value is always empty, but I am expecting the token to be passed in the header like this: "Authorization: Bearer eyJ0eXAiOiJKV1QiLC....". I tried Postman, Python and curl, for example, but no matter what I try, it seems the wiki refuses to recognize the "Authorization" header value for some reason. Below are the wiki logs when using curl to make a GET call to /api.php?action=query&format=json&titles=TestPage:

Start request GET /api.php?action=query&format=json&titles=TestPage
IP: 71.249.xx.xx
HTTP HEADERS:
ACCEPT: */*
HOST: www.xxxxx.com
USER-AGENT: curl/7.64.1
(end headers)

The log looks like this when using Postman:

Start request GET /api.php?action=query&format=json&titles=TestPage
IP: 71.249.xx.xx
HTTP HEADERS:
ACCEPT: */*
ACCEPT-ENCODING: gzip, deflate, br
CONNECTION: keep-alive
HOST: www.xxxxx.com
POSTMAN-TOKEN: e04f0555-c36e-4ec2-b40c-b78d927c4a63
USER-AGENT: PostmanRuntime/7.29.2
(end headers)

Software version (skip for WMF-hosted wikis like Wikipedia):
Product Version
MediaWiki 1.39.1
PHP 7.4.33 (cgi-fcgi)
MySQL 5.7.41
ICU 69.1
Lua 5.1.5

Other information (browser name/version, screenshots, etc.):
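
A server-side triage helper, added here as an example and not code from the report or from the OAuth extension: it parses the $wgDebugLogFile request blocks quoted above, pairs the last one with the API reply, and tells a dropped Authorization header (the symptom logged above) apart from a grant or permission problem. The `diagnose` function, its verdict strings and the sample inputs are constructed for this example.

```python
import json

# Constructed sample input: the curl request block quoted from the
# $wgDebugLogFile output above, and the readapidenied reply from the same report.
CURL_LOG = """Start request GET /api.php?action=query&format=json&titles=TestPage
IP: 71.249.xx.xx
HTTP HEADERS:
ACCEPT: */*
HOST: www.xxxxx.com
USER-AGENT: curl/7.64.1
(end headers)
"""
DENIED = '{"error": {"code": "readapidenied", "info": "You need read permission to use this module."}}'


def parse_request_headers(log: str) -> list:
    """Return [{'request': ..., 'headers': {NAME: value}}] for each 'Start request' block."""
    blocks, current, in_headers = [], None, False
    for line in log.splitlines():
        if line.startswith("Start request "):
            current = {"request": line[len("Start request "):], "headers": {}}
            blocks.append(current)
            in_headers = False
        elif current is None:
            continue  # noise before the first request block
        elif line == "HTTP HEADERS:":
            in_headers = True
        elif line == "(end headers)":
            in_headers = False
        elif in_headers and ": " in line:
            name, value = line.split(": ", 1)
            current["headers"][name.strip().upper()] = value.strip()
    return blocks


def diagnose(log: str, api_reply: str) -> str:
    """Classify one OAuth API call from the server-side log block and the JSON reply."""
    blocks = parse_request_headers(log)
    if not blocks:
        return "no request block found in log"
    code = json.loads(api_reply).get("error", {}).get("code")
    if code is None:
        return "request succeeded"
    auth = blocks[-1]["headers"].get("AUTHORIZATION", "")
    if code == "readapidenied" and not auth:
        # Header absent at the application layer: the client did not send it, or the
        # web server did not forward it to PHP (cgi-fcgi setups often drop it by default).
        return "Authorization header never reached MediaWiki: check the client and the web server to PHP hand-off"
    if code == "readapidenied" and auth.startswith("Bearer "):
        return "bearer token arrived: check consumer approval, grants and the user's read right"
    return f"API error {code}; Authorization header {'present' if auth else 'absent'}"


if __name__ == "__main__":
    print(diagnose(CURL_LOG, DENIED))
```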

Event Timeline

Sorry I forgot to mention, the wiki was recently upgraded from 1.35.0 to 1.39.1

create an OAuth1 or OAuth2 consumer registration record as the administrator

Can you elaborate, with full page names, step by step?

Which exact branch and version of the extension is being used (see Special:Version)?

They can be created under the page Special:OAuthConsumerRegistration. Once you open the page, there are two options:

  • Request a token for a new OAuth 1.0a consumer.
  • Request a token for a new OAuth 2.0 client.

Choose one of them and follow the information on the page to create the record. Feel free to let me know if you need more information.

The exact OAuth extension info is here: 1.1.0 (3188593) 01:15, 24 January 2023

BTW, I just added some of the basic troubleshooting steps taken based on the suggestions from the IRC channel yesterday; I hope it helps.

What's curl's own log of the request? What grants are you using?

Unfortunately closing this Phabricator task as no further information has been provided.

@Paulxu20: After you have provided the information asked for and if this still happens, please set the status of this task back to "Open" via the Add Action...Change Status dropdown. Thanks!