Steps to replicate the issue (include links if applicable):
- Set $wgPHPSessionHandling = 'disable'; in LocalSettings.php
- Enable the OAuth extension
- Create a new OAuth (2.0) consumer, not owner-only, not confidential, and approve it
- Proceed through the OAuth authorization_code flow and obtain an access token
- Make a request to api.php?action=query&meta=tokens&type=csrf with an Authorization: Bearer <access_token> header to obtain a CSRF token
- Make a request to api.php?action=edit with the same Authorization header, passing the CSRF token in the request body as the token parameter
What happens?:
An error is returned stating "Invalid CSRF token", and the edit is not made.
What should have happened instead?:
The edit should be successfully made.
Software version (skip for WMF-hosted wikis like Wikipedia): 1.39.5
Other information (browser name/version, screenshots, etc.):
The problem also occurs on the api.php?action=checktoken&type=csrf route (which simply returns "invalid"), and presumably any other authenticated route which requires a CSRF token.
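The following script is an added reproduction harness, not code from MediaWiki or the OAuth extension. It walks the two requests from the steps above (meta=tokens with the bearer header, then action=edit with the same header and the token in the body), also exercises the checktoken route mentioned here, and labels the outcome so the "badtoken" failure can be distinguished from a token request that was never treated as authenticated. API_URL, ACCESS_TOKEN and the injectable post transport are assumed placeholders; the response shapes it parses are the standard api.php JSON replies.

```python
"""Reproduce the bearer-token CSRF flow against a MediaWiki api.php.

Constructed example; the wiki URL, access token and the `post` transport
parameter are placeholders/hypothetical, not part of the original report.
"""
import json
import urllib.parse
import urllib.request

API_URL = "https://wiki.example.org/w/api.php"   # placeholder wiki
ACCESS_TOKEN = "<access_token>"                  # placeholder OAuth 2.0 token
ANON_CSRF_TOKEN = "+\\"  # the token api.php hands to unauthenticated sessions


def http_post(url, fields, headers):
    """Default transport: POST form fields and parse the JSON reply."""
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(fields).encode(),
        headers=headers,
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


def bearer_headers(access_token):
    """Every call carries the same Authorization header, as in the report."""
    return {
        "Authorization": f"Bearer {access_token}",
        "User-Agent": "csrf-repro/0.1 (constructed example)",
    }


def fetch_csrf_token(api_url, access_token, post=http_post):
    """Step: action=query&meta=tokens&type=csrf with the bearer header."""
    reply = post(
        api_url,
        {"action": "query", "meta": "tokens", "type": "csrf", "format": "json"},
        bearer_headers(access_token),
    )
    return reply["query"]["tokens"]["csrftoken"]


def check_token(api_url, access_token, csrf_token, post=http_post):
    """Route from 'Other information': action=checktoken&type=csrf."""
    reply = post(
        api_url,
        {"action": "checktoken", "type": "csrf", "token": csrf_token, "format": "json"},
        bearer_headers(access_token),
    )
    return reply["checktoken"]["result"]  # "valid", "invalid" or "expired"


def attempt_edit(api_url, access_token, title, text, csrf_token, post=http_post):
    """Step: action=edit with the bearer header and the token in the body."""
    return post(
        api_url,
        {"action": "edit", "title": title, "text": text, "token": csrf_token, "format": "json"},
        bearer_headers(access_token),
    )


def classify_edit(reply):
    """Map an action=edit reply to a short outcome label."""
    if "error" in reply:
        return reply["error"].get("code", "error")  # "badtoken" in the reported failure
    if reply.get("edit", {}).get("result") == "Success":
        return "success"
    return "unknown"


def reproduce(api_url, access_token, title="Sandbox", text="test", post=http_post):
    """Run the two-request flow; returns (csrf_token, outcome label)."""
    token = fetch_csrf_token(api_url, access_token, post)
    if token == ANON_CSRF_TOKEN:
        # The token request itself was not treated as authenticated, so the
        # bearer header never produced a logged-in context on the first call.
        return token, "anonymous-token"
    outcome = classify_edit(attempt_edit(api_url, access_token, title, text, token, post))
    return token, outcome


if __name__ == "__main__":
    print(reproduce(API_URL, ACCESS_TOKEN))
```

Run it with a real API_URL and ACCESS_TOKEN to get a (token, outcome) pair; "badtoken" matches the report, while "anonymous-token" would mean the first request already lost the OAuth identity rather than the token check failing on the second.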