Page MenuHomePhabricator
Create Task
Maniphest T382139

"sub" claim of oauth json web token should be a string
Closed, ResolvedPublic
Actions

Description

json web token is used for oauth login but it fails with pyJWT library because the "sub" claim is an integer but a string content is specified via RFC7519 by the Internet Engineering Task Force (IETF) .

See also:

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
UserStatementProvider: Cast 'sub' to be a stringmediawiki/extensions/OAuthREL1_43+3 -2
UserStatementProvider: Cast 'sub' to be a stringmediawiki/extensions/OAuthREL1_42+3 -2
UserStatementProvider: Cast 'sub' to be a stringmediawiki/extensions/OAuthREL1_41+2 -1
UserStatementProvider: Cast 'sub' to be a stringmediawiki/extensions/OAuthREL1_39+2 -1
UserStatementProvider: Cast 'sub' to be a stringmediawiki/extensions/OAuthmaster+3 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

Xqt created this task.Dec 13 2024, 12:16 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptDec 13 2024, 12:16 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
gerritbot added a comment.Dec 13 2024, 1:44 PM

Change #1103328 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OAuth@master] UserStatementProvider: Cast 'sub' to be a string

https://gerrit.wikimedia.org/r/1103328

gerritbot added a project: Patch-For-Review.Dec 13 2024, 1:44 PM
Krinkle assigned this task to Reedy.Dec 16 2024, 3:04 PM
Tgr added a project: User-notice.Dec 19 2024, 10:06 PM
Tgr removed a project: User-notice.
Tgr subscribed.

(We don't have Developer-notice anymore, that would be the appropriate tag here.)

@Reedy do you want to announce the change?

gerritbot added a comment.Dec 21 2024, 9:33 AM

Change #1103328 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] UserStatementProvider: Cast 'sub' to be a string

https://gerrit.wikimedia.org/r/1103328

ReleaseTaggerBot added a project: MW-1.44-notes (1.44.0-wmf.12; 2025-01-14).Dec 21 2024, 10:00 AM
Maintenance_bot removed a project: Patch-For-Review.Dec 21 2024, 10:30 AM
gerritbot added a comment.Dec 22 2024, 9:13 PM

Change #1106052 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OAuth@REL1_43] UserStatementProvider: Cast 'sub' to be a string

https://gerrit.wikimedia.org/r/1106052

gerritbot added a project: Patch-For-Review.Dec 22 2024, 9:13 PM

Change #1106053 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OAuth@REL1_42] UserStatementProvider: Cast 'sub' to be a string

https://gerrit.wikimedia.org/r/1106053

gerritbot added a comment.Dec 22 2024, 9:13 PM

Change #1106054 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OAuth@REL1_41] UserStatementProvider: Cast 'sub' to be a string

https://gerrit.wikimedia.org/r/1106054

gerritbot added a comment.Dec 22 2024, 9:15 PM

Change #1106055 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OAuth@REL1_39] UserStatementProvider: Cast 'sub' to be a string

https://gerrit.wikimedia.org/r/1106055

Tgr added a comment.Dec 23 2024, 1:18 PM

@Reedy not sure about the backports... a similar change in T283456: OAuth identfy endpoint should not expose unconfirmed email address broke lots of things. A breaking API change should probably not go into minor releases?

Tgr added a comment.Dec 23 2024, 1:22 PM

I guess the likely fallout from pyJWT is larger. Let's make sure the change is well-announced then.

gerritbot added a comment.Dec 23 2024, 1:29 PM

Change #1106055 merged by jenkins-bot:

[mediawiki/extensions/OAuth@REL1_39] UserStatementProvider: Cast 'sub' to be a string

https://gerrit.wikimedia.org/r/1106055

gerritbot added a comment.Dec 23 2024, 1:29 PM

Change #1106054 merged by jenkins-bot:

[mediawiki/extensions/OAuth@REL1_41] UserStatementProvider: Cast 'sub' to be a string

https://gerrit.wikimedia.org/r/1106054

Tgr added a project: User-notice.Dec 23 2024, 1:29 PM

Suggested Tech News text:

The identity endpoint used for OAuth 1 and OAuth 2 returned a JSON object with an integer in its sub field, which was incorrect (the field must always be a string). This has been fixed; the fix will be deployed to Wikimedia wikis on the week of January 13.

We should also write to mediawiki-announce (about the release backports) and mediawiki-api-announce (about the production API change) as well.

gerritbot added a comment.Dec 23 2024, 1:32 PM

Change #1106053 merged by jenkins-bot:

[mediawiki/extensions/OAuth@REL1_42] UserStatementProvider: Cast 'sub' to be a string

https://gerrit.wikimedia.org/r/1106053

gerritbot added a comment.Dec 23 2024, 1:36 PM

Change #1106052 merged by jenkins-bot:

[mediawiki/extensions/OAuth@REL1_43] UserStatementProvider: Cast 'sub' to be a string

https://gerrit.wikimedia.org/r/1106052

Maintenance_bot removed a project: Patch-For-Review.Dec 23 2024, 2:30 PM
Krinkle closed this task as Resolved.Dec 23 2024, 3:26 PM
Pppery moved this task from To Triage to Announce in next Tech/News on the User-notice board.Dec 23 2024, 11:59 PM
jsn.sherman mentioned this in T383353: The Wikipedia Library error during login due to no session token.Jan 9 2025, 5:28 PM
Quiddity subscribed.Jan 9 2025, 7:09 PM
In T382139#10421685, @Tgr wrote:

Suggested Tech News text:

The identity endpoint used for OAuth 1 and OAuth 2 returned a JSON object with an integer in its sub field, which was incorrect (the field must always be a string). This has been fixed; the fix will be deployed to Wikimedia wikis on the week of January 13.

Thanks for the draft! I'd like to add an intro-sentence, explaining who this entry is relevant for. Please confirm if it is accurate to write this? -- "For tool and extension developers who use the OAuth system: [...]"

We should also write to mediawiki-announce (about the release backports) and mediawiki-api-announce (about the production API change) as well.

Side-note: This might still need doing by someone.

Tgr added a comment.Jan 10 2025, 11:50 AM
In T382139#10445746, @Quiddity wrote:

Please confirm if it is accurate to write this? -- "For tool and extension developers who use the OAuth system: [...]"

Tool and library developers, I'd say. (A few extension developers too, but those won't be reading Tech News.)

We should also write to mediawiki-announce (about the release backports) and mediawiki-api-announce (about the production API change) as well.

Side-note: This might still need doing by someone.

Uhh sorry forgot about that. mediawiki-api-announce mail here. On second thought I think the issue is not that relevant for mediawiki-announce.

Quiddity moved this task from Announce in next Tech/News to In current Tech/News draft on the User-notice board.Jan 10 2025, 10:20 PM
Quiddity moved this task from In current Tech/News draft to Already announced/Archive on the User-notice board.Jan 16 2025, 8:22 PM
Maintenance_bot edited projects, added User-notice-archive; removed User-notice.Jan 30 2025, 5:48 PM
Xqt added a comment.Aug 14 2025, 8:29 AM

@Reedy: I haven't recognized a patch for 1.40 - is this intentional?

Xqt added a parent task: T380270: test_identity of oauth_tests.TestOauthLoginManger fails with Python 3.9+.Aug 14 2025, 8:29 AM
Reedy added a comment.Aug 14 2025, 12:52 PM

Yes, 1.40 was EOL in June 2024 [1], so no backports would have been performed as this was basically 6 months after that.

If someone is still using 1.40, they should upgrade. Since this report (and it being fixed), 1.41 and 1.42 are also EOL...

[1] https://www.mediawiki.org/wiki/Version_lifecycle

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits