Page MenuHomePhabricator
Create Task
Maniphest T374562

Make OAuth 2.0 access token timeout configurable
Closed, DeclinedPublicFeature
Actions

Description

Feature summary (what you would like to be able to do and where):
As a developer working on a library to let other developers use MediaWiki with OAuth 2.0, I would like to be able to get an access token with a much shorter TTL than usual, so that I can test automatic token refresh behavior without having to wait as long for the token to expire.

Use case(s) (list the steps that you performed to discover that problem, and describe the actual underlying problem which you want to solve. Do not describe only a solution):
My m3api-oauth2 library supports automatically refreshing the access token upon encountering an mwoauth-invalid-authorization error. The integration test for this feature currently sleeps for four hours to let the access token expire naturally ($wgOAuth2GrantExpirationInterval is PT4H in production). This rather slows down development, so I’d love to have some way to get a token with a much shorter expiration time.

Benefits (why should this be implemented?):
It would make my life, and potentially the life of other developers working on OAuth 2.0 libraries, easier :)

Other notes:
I’m pretty sure we want to keep $wgOAuth2GrantExpirationInterval as an upper limit on the expiration interval, and only allow clients to optionally lower it, not to give themselves tokens that are valid for years and years.

As far as I’m concerned, the shorter expiration could be a property of a specific OAuth consumer or be specified when requesting a particular access token. I was hoping that the latter would be relatively easy to implement (just add something like x_mediawiki_expiration_interval to the form data being posted to the access_token endpoint), but looking at where the expiration is currently set (in src/AuthorizationProvider/AuthorizationProvider.php, nowhere near src/Rest/Handler/AccessToken.php AFAICT) I’m not so optimistic anymore :/

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
createOAuthConsumer: Add --oauthVersion optionmediawiki/extensions/OAuthmaster+42 -6
Customize query in gerrit

Related Objects

Event Timeline

LucasWerkmeister created this task.Sep 11 2024, 6:04 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptSep 11 2024, 6:04 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
LucasWerkmeister added a comment.Sep 11 2024, 6:05 PM

If this sounds reasonable to the OAuth maintainers, I can try to implement it, but I would love to hear first whether people think it stands a chance of being merged or not ^^

Tgr subscribed.Sep 19 2024, 1:35 PM

You'd have to add a new parameter to the AccessToken REST handler, somehow make it available to the parent class, inject it into the grant object in AuthenticationHandler::getAuthorizationProvider(), and make AuthorizationProvider use that instead of the config value. Not that complicated but IMO not worth the added complexity. The more flexible way to do integration testing would be to spin up a MediaWiki instance and then you have full control over the configuration.

Tgr closed this task as Declined.Oct 14 2024, 7:02 PM

Per above, IMO client tests shouldn't be implemented via server features; mocking server responses or setting up a test version of the server is both more robust and requires less coordination. If you have strong feelings about it, let's reopen and discuss, but I think there will be easier ways of testing expiry than that.

gerritbot added a comment.Jan 5 2025, 3:21 PM

Change #1108189 had a related patch set uploaded (by Lucas Werkmeister; author: Lucas Werkmeister):

[mediawiki/extensions/OAuth@master] createOAuthConsumer: Add --oauthVersion option

https://gerrit.wikimedia.org/r/1108189

gerritbot added a project: Patch-For-Review.Jan 5 2025, 3:21 PM
LucasWerkmeister added a comment.Jan 5 2025, 3:23 PM

Well, after a while of trial-and-error I’ve managed to get the tests running against MediaWiki in GitHub Actions, but it also requires a change to the maintenance script so I can actually create an OAuth 2.0 client programmatically – I’d be much obliged if you could review it :)

gerritbot added a comment.Jan 8 2025, 6:05 PM

Change #1108189 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] createOAuthConsumer: Add --oauthVersion option

https://gerrit.wikimedia.org/r/1108189

Maintenance_bot removed a project: Patch-For-Review.Jan 8 2025, 6:31 PM
ReleaseTaggerBot added a project: MW-1.44-notes (1.44.0-wmf.12; 2025-01-14).Jan 8 2025, 7:00 PM
LucasWerkmeister added a comment.Jan 8 2025, 10:03 PM

Done in https://github.com/lucaswerkmeister/m3api-oauth2/commit/e3f825fc6c45ab245e444a1609d4e1446443583f using lucaswerkmeister/setup-mediawiki.

LucasWerkmeister mentioned this in T392290: Migrate m3api hosting from GitHub to Wikimedia GitLab.Apr 18 2025, 11:05 AM
LucasWerkmeister mentioned this in T402700: Migrate m3api CI from GitHub Actions to GitLab CI.Aug 22 2025, 9:20 PM
LucasWerkmeister mentioned this in T409637: OAuth appears to have become more resource-hungry of late (m3api-oauth2 CI broken).Nov 8 2025, 4:46 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits