
SUL Integration for eventyay (Wikimania virtual event platform)
Open, Needs Triage, Public

Description

We are hoping to implement SUL integration this year on eventyay, our open source virtual event platform for Wikimania (eventyay.com). We would love the help of the MW Platform Team to advise/work with the eventyay developers on the process.

We are expecting to sign our contract with eventyay for 2025 soon, and have this as an initial development item in our statement of work.

Thank you!

Event Timeline

As I'm guessing eventyay is going to continue to be a third party hosted app... I'm guessing this is really talking about something like using MediaWiki-extensions-OAuth ?

> As I'm guessing eventyay is going to continue to be a third party hosted app... I'm guessing this is really talking about something like using MediaWiki-extensions-OAuth ?

In which case, https://www.mediawiki.org/wiki/OAuth/For_Developers is probably the more relevant documentation.

> our open source virtual event platform for Wikimania (eventyay.com)

this is great, thanks.

AIUI this is something the eventyay developers will work on and just needs support from us. @elappen-WMF is that correct?

sbassett subscribed.

It doesn't look like there are any immediate asks from the Security-Team for this? If there are, please let us know.

That's right @Tgr. I've shared this task with eventyay and asked them to make any support requests or ask any questions here. They'll be following up here soon as we'd like to get the work underway.

Hi @elappen-WMF, thanks for putting this on our radar. It's really great to see this integration happening. We're happy to answer any questions that the team at Eventyay have and provide our support where needed.

Hi everyone, I'm a developer from Eventyay and I'm working on this integration.
I'm testing the OAuth flow on my local machine using registered apps (proposed, not approved yet) from MediaWiki OAuth, but I couldn't make it work.
Could you please review and approve my registered app? Here are the consumer keys: bda47950f950d60cb79bf52286dbf249, 4804ff705a315c33cadcdb6434ed94b5

I tried to use owner-only consumers, but it didn't work and returned an application connect error.
I'm using Python Social Auth package for OAuth1 and Django Allauth for OAuth2.
Thanks @Tgr , @JTweed-WMF

They have been approved, but note that unapproved apps should still work for the owner (ie. if you try them with the same user account that you used to register them) so if that didn't work, there is probably a problem with the application.

Owner-only applications can't do an OAuth handshake (it would be pointless since the user's identity is already pre-determined), they can only make API requests with the pre-generated access token.

Thanks @Tgr for the information, it's very helpful. I have figured out the error on my side.

Hello, I created

  1. another test app called "Mario Test".
  2. an app "eventyay"

Please approve it as well. Thank you.

@MarioB if they are still not approved, can you provide the app IDs? It's hard to find apps by name.

Thank you!

eventyay: Consumer key 7880964f2091ab7a5fa67587e9cfe7c0
Mario Test: Consumer key 092739923195cbd7ce75bf45fd03cd6f

It seems they are approved in the system, but I could not get it to work with our app yet. It worked for the developer before. I wonder if I filled in something wrong.

Getting:
Application Connection
Error Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)

I created a new consumer key and token for eventyay.com and another eventyay app with the correct callback, but still got an authentication error. It should be working with my own account as far as I understand the documentation. Will check in the morning with the dev.

Ok, I got it working. @Tgr I have figured it out. It works now. Please approve client application key of 6f9a3403804e375fbd3496850a8da133
Thank you.

> eventyay: Consumer key 7880964f2091ab7a5fa67587e9cfe7c0
> Mario Test: Consumer key 092739923195cbd7ce75bf45fd03cd6f

Are these keys a credential or access token of some sort? If so, they'll likely need to be rotated, as this is a public task.

Consumer keys are public identifiers.

We have now deployed eventyay on a dedicated domain for Wikimedia. In order for the login to work we had to create a new key.

Please approve the new application key 59da5b0345fb19d748d545f84fd5efb8.

Thank you

We're experiencing an infinite SUL loop on eventyay. From my end, I experience it here https://wikimedia.eventyay.com/tickets/control/login: when I use the MediaWiki option it goes to the screen where I click "Allow" and then it sends me back to the same page. Others are experiencing this when clicking https://wikimedia.eventyay.com/talk/wikimania2025/me/submissions/ and going to log in. I am currently logged in on this talk component so I'm not having an issue there.

Users have reported that when they use Forgot Password, they can reset a password via email and are then able to access eventyay, bypassing SUL even though they used SUL to create their account.

I'm investigating. Saw this in our server log:

ERROR 2025-07-17 14:23:43,945 pretix.plugins.socialauth.adapter adapter Error while authorizing with MediaWiki: unknown - Error retrieving access token: b'<!DOCTYPE html>\n<html lang="en">\n<meta charset="utf-8">\n<title>Wikimedia Error</title>\n<style>\n* { margin: 0; padding: 0; }\nbody { background: #fff; font: 15px/1.6 sans-serif; color: #333; }\n.content { margin: 7% auto 0; padding: 2em 1em 1em; max-width: 640px; }\n.footer { clear: both; margin-top: 14%; border-top: 1px solid #e5e5e5; background: #f9f9f9; padding: 2em 0; font-size: 0.8em; text-align: center; }\nimg { float: left; margin: 0 2em 2em 0; }\na img { border: 0; }\nh1 { margin-top: 1em; font-size: 1.2em; }\n.content-text { overflow: hidden; overflow-wrap: break-word; word-wrap: break-word; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto; hyphens: auto; }\np { margin: 0.7em 0 1em 0; }\na { color: #0645ad; text-decoration: none; }\na:hover { text-decoration: underline; }\ncode { font-family: sans-serif; }\nsummary { font-weight: bold; cursor: pointer; }\ndetails[open] { background: #970302; color: #dfdedd; }\n.text-muted { color: #777; }\n@media (prefers-color-scheme: dark) {\n  a { color: #9e9eff; }\n  body { background: transparent; color: #ddd; }\n  .footer { border-top: 1px solid #444; background: #060606; }\n  #logo { filter: invert(1) hue-rotate(180deg); }\n  .text-muted { color: #888; }\n}\n</style>\n<meta name="color-scheme" content="light dark">\n<div class="content" role="main">\n<a href="https://www.wikimedia.org"><img id="logo" src="https://www.wikimedia.org/static/images/wmf-logo.png" srcset="https://www.wikimedia.org/static/images/wmf-logo-2x.png 2x" alt="Wikimedia" width="135" height="101">\n</a>\n<h1>Error</h1>\n<div class="content-text">\n\n<p>4914820</p>\n</div>\n</div>\n<div class="footer"><p>If you report this error to the Wikimedia System Administrators, please include the details below.</p><p class="text-muted"><code>Request served via cp3068 cp3068, Varnish XID 
163951242<br>Upstream caches: cp3068 int<br>Error: 429, 4914820 at Thu, 17 Jul 2025 14:23:43 GMT<br><details><summary>Sensitive client information</summary>IP address: 157.90.171.136</details></code></p>\n</div>\n</html>\n'

It looks like the problem is from wikimedia.org side (it didn't respond with access token).

HTTP 429 is some sort of Varnish-level rate limiting.

Tgr added a subscriber: Dzahn.

> HTTP 429 is some sort of Varnish-level rate limiting.

This has been worked out. Thanks @Dzahn and others!

If you have access, also see the comment at T399738#11014787.

Hey @Tgr and @Dzahn - it looks like the infinite loop with SUL on eventyay is back. When logged out users attempt to log in using SUL they are asked to authorize access and then taken back to the log in screen (for example here https://wikimedia.eventyay.com/talk/wikimania2025/ or here https://wikimedia.eventyay.com/tickets/common/). I've checked with eventyay who says nothing has changed on their end so wondering if you might be able to help diagnose the problem.

Mostly people aren't attempting to log in anymore to the 2025 event, but our team still is to make final updates. Thanks so much!

Hi @elappen-WMF can you ask them to post an error message here like the last one back in July at T378157#11013630 ? Thanks!

Yes, we get "Error 429" <~~ We are rate-limited by the Wiki server.

The above was the previous error. The new error is below. I'm checking with the team if anything has changed on our side recently.

WARNING 2025-09-13 03:49:26,892 event SSO token expired: Signature has expired
Traceback (most recent call last):

File "/pretalx/src/pretalx/common/middleware/event.py", line 75, in _handle_login
  payload = jwt.decode(
            ^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/jwt/api_jwt.py", line 210, in decode
  decoded = self.decode_complete(
            ^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/jwt/api_jwt.py", line 162, in decode_complete
  self._validate_claims(
File "/usr/local/lib/python3.11/site-packages/jwt/api_jwt.py", line 248, in _validate_claims
  self._validate_exp(payload, now, leeway)
File "/usr/local/lib/python3.11/site-packages/jwt/api_jwt.py", line 306, in _validate_exp
  raise ExpiredSignatureError("Signature has expired")

jwt.exceptions.ExpiredSignatureError: Signature has expired

ERROR 2025-09-13 04:16:08,968 adapter Error while authorizing with MediaWiki: unknown - Error retrieving access token: b'Please set a user-agent and respect our robot policy https://w.wiki/4wJS. See also T400119.\n'

> ERROR 2025-09-13 04:16:08,968 adapter Error while authorizing with MediaWiki: unknown - Error retrieving access token: b'Please set a user-agent and respect our robot policy https://w.wiki/4wJS. See also T400119.\n'

Are you still having issues despite setting a user-agent as described by https://foundation.wikimedia.org/wiki/Policy:Wikimedia_Foundation_User-Agent_Policy ?

@Bawolff We were able to provide logins for Wikimedians for several months and have not changed anything in our configuration. Has there been an update on the policy from the side of Wikimedia? It suddenly stopped working.

> @Bawolff We were able to provide logins for Wikimedians for several months and have not changed anything in our configuration. Has there been an update on the policy from the side of Wikimedia? It suddenly stopped working.

Yes, there has been as of a few weeks ago. The user-agent policy is being enforced much more strictly due to AI-crawlers overloading everything.

I'm not sure, but I expect the 429 might also be related to user-agent.

> I'm not sure, but I expect the 429 might also be related to user-agent.

it is:

> ERROR 2025-09-13 04:16:08,968 adapter Error while authorizing with MediaWiki: unknown - Error retrieving access token: b'Please set a user-agent and respect our robot policy https://w.wiki/4wJS. See also T400119.\n'

> jwt.exceptions.ExpiredSignatureError: Signature has expired

> ERROR 2025-09-13 04:16:08,968 adapter Error while authorizing with MediaWiki: unknown - Error retrieving access token: b'Please set a user-agent and respect our robot policy https://w.wiki/4wJS. See also T400119.\n'

Those are two very different errors. The first means that the JWT returned by Special:OAuth/identify is incorrect (or maybe your clock is wrong? the tokens have a short expiry, 100 seconds from when you made the request). The second means you are not sending the correct user agent.
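As an added illustration (not eventyay, pretalx or MediaWiki code), the checks Tgr describes for the Special:OAuth/identify JWT: verify the HS256 signature over the consumer secret before trusting anything, then check exp with a small leeway so a slightly skewed client clock does not surface as "Signature has expired", and bind the token to this login via aud, iss and nonce. The claim layout, the issuer value, the key and secret are constructed assumptions; the 100-second lifetime is the one quoted in the thread.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for the consumer registration; not real credentials.
CONSUMER_KEY = "0123456789abcdef0123456789abcdef"
CONSUMER_SECRET = "constructed-consumer-secret"
ISSUER = "https://meta.wikimedia.org"   # assumed iss value of the identify JWT
IDENTIFY_TTL = 100                      # seconds, the expiry quoted in the thread


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_identify_jwt(claims: dict, secret: str = CONSUMER_SECRET) -> str:
    """Test helper standing in for the identify endpoint: HS256 over the consumer secret."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_identify_jwt(token: str, expected_nonce: str, now=None,
                        leeway: int = 5, secret: str = CONSUMER_SECRET) -> dict:
    """Check the signature before trusting any claim, then exp (with leeway), aud, iss, nonce."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # never let the token choose the algorithm
    expected_sig = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if now > payload["exp"] + leeway:               # a skewed client clock shows up here
        raise ValueError("Signature has expired")
    if payload.get("aud") != CONSUMER_KEY:
        raise ValueError("token issued for a different consumer")
    if payload.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if payload.get("nonce") != expected_nonce:      # binds the token to this login attempt
        raise ValueError("nonce mismatch")
    return payload
```

A leeway of a few seconds absorbs ordinary clock drift; a client that is minutes off will still see every 100-second token as expired, which is the symptom to look for when the traceback above reappears.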

Like @Tgr mentioned, jwt.exceptions.ExpiredSignatureError: Signature has expired and Please set a user-agent and respect our robot policy https://w.wiki/4wJS are different errors. For the latter, a correct user-agent needs to be set, as per the message. Let us know if you need any help with that, but doing so should resolve at least that issue.

Yes, we fixed the user-agent. The login issue has been resolved.
For jwt.exceptions.ExpiredSignatureError, that is our mistake (it is a different error).

> Yes, we fixed the user-agent. The login issue has been resolved.
> For jwt.exceptions.ExpiredSignatureError, that is our mistake (it is a different error).

Thanks for confirming!

Does this mean we can close this ticket?

So, a number of users confirmed it is working again for them. So, this can be closed. Thanks.

ssingh claimed this task.

Thanks for letting us know.

For the further support of Wikimedia logins and increased security and feature extensions we are working on the next version of the integration. To enable our development efforts, please accept the application at https://meta.wikimedia.org/wiki/Special:OAuthListConsumers/view/bc7029d1b7be8725b13fccc6f3f95db1

Hello, in order to test the new version at a different deployment URL please approve the application at https://meta.wikimedia.org/wiki/Special:OAuthListConsumers/view/47c58045dc413b48166df9f4b579d904 Thank you.

@MarioB applications that require no privileges beyond identity verification require no approval. (The last application needed private data access so that was different.)

@Tgr Thanks for your help. So, I am not doing this often and now I understand why it does not work. We need access to private information. Could you accept this one please?

https://meta.wikimedia.org/wiki/Special:OAuthListConsumers/view/178dc190d905e823970def32ba9d039c

Thanks.

OK, our callback URL has now changed as well. I am trying to get it working. The new callback URL is https://wikimedia-new.eventyay.com/accounts/mediawiki/login/callback/

Do I need to submit a new application each time? I don't see options to change a number of things like the callback URL. I also do not see a way to delete unused/erroneous app submissions.

Ok, tried to enter the different info here again. Hope to get it working now.
https://meta.wikimedia.org/wiki/Special:OAuthListConsumers/view/a14601ea71cff074b09aa08af0be8534

Please accept the above.

Yeah, sorry, there's no editing capability whatsoever. I can disable old versions if you want.

We have a few test deployments. Once we consolidate the next version I will provide a list of old versions that can be deleted.

In the meantime could you please activate the following as well?

  1. https://meta.wikimedia.org/wiki/Special:OAuthListConsumers/view/4748e9f4b140d77f886be320bb52b268
  2. https://meta.wikimedia.org/wiki/Special:OAuthListConsumers/view/805c29c9488081307b04a53c6d0b9b5a