
Allow Bitu to link Phabricator account
Open, Medium, Public

Description

We want users to be able to link their Phabricator account with their Wikimedia Developer Account and store the data in LDAP.

Bitu can handle the account linking, but we need to be able to test the integration. For that purpose we'd like to request an OAuth2 token for the Phabricator test instance.

  • Create OAuth2 token in test Phabricator
  • Update WikimediaPerson schema to handle Phabricator account information

Event Timeline

Restricted Application added a subscriber: Aklapper.
SLyngshede-WMF renamed this task from Check OAuth2 token in test Phabricator to Create OAuth2 token in test Phabricator. Oct 6 2025, 2:37 PM

Note that the test instance currently has no external providers configured via https://phabricator.wmcloud.org/auth/, only classic username/password.

There is https://idp.wmcloud.org, which is used for other projects (e.g. GitLab).

@Aklapper that's fine, I just need a user to be able to sign in using Phabricator as an OAuth server, like this: https://secure.phabricator.com/book/phabcontrib/article/using_oauthserver/

The scope can be as locked down as possible, I only need the username. I haven't looked up the scopes, but basically just access to the user.whoami functionality.

Perhaps I can just register my own account on phabricator.wmcloud.org and you can grant me the permissions to create the token myself?

@SLyngshede-WMF: Alright, for a start, please create an account on https://phabricator.wmcloud.org/ and then tell me the account name here. Thanks.

(Also, best to follow the docs on https://we.phorge.it/book/contrib/article/using_oauthserver/ instead of the old dead upstream - though no real difference.)

@Aklapper I've created the account "slyngshede" but I did not get a confirmation email. Is that expected?

> @Aklapper I've created the account "slyngshede" but I did not get a confirmation email. Is that expected?

Yes and no - Test Phabricator should be sending confirmation emails, but it's a known issue that it currently isn't. xref T388022: Phabricator test project requires email verification but can't send email

@SLyngshede-WMF Ah, please follow the instructions on https://phabricator.wmcloud.org/ to get your account verified (I guess it's a simple run of ./bin/auth verify youremailaddress@wikimedia.org server-side).

The "OAuth Server" prototype application is already installed according to https://phabricator.wmcloud.org/applications/view/PhabricatorOAuthServerApplication/.
You probably want to use https://phabricator.wmcloud.org/oauthserver/ for setup. I gave your account administrator rights.
On https://phabricator.wmcloud.org/applications/edit/PhabricatorOAuthServerApplication/ , please consider setting "Can Use Application" to something more restrictive, maybe "Administrators" or even your specific user. Thanks!

SLyngshede-WMF renamed this task from Create OAuth2 token in test Phabricator to Allow Bitu to link Phabricator account. Oct 15 2025, 9:20 AM
SLyngshede-WMF updated the task description.

(Also please note that a Phabricator username can be changed on request. Just saying.)

@Aklapper that's a very good point. For SUL accounts we link on the ID returned, and just store the username for reference. I'll see if we can do the same for Phabricator.
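The rename concern raised above, as an added example that is not part of the thread or of Bitu's code: the link is keyed on a stable identifier and the username is stored only for reference. It assumes the stable identifier is the `phid` field of the `user.whoami` result; `PhabLinkStore`, `LinkConflict` and the sample values are hypothetical.

```python
# Added example: key the link on the stable PHID, keep the username as a label.
# Constructed user.whoami results; the PHIDs and names are made up.
WHOAMI_FIRST = {"phid": "PHID-USER-aaaaaaaaaaaaaaaaaaaa", "userName": "alice"}
WHOAMI_RENAMED = {"phid": "PHID-USER-aaaaaaaaaaaaaaaaaaaa", "userName": "alice-wmf"}
WHOAMI_NAME_REUSED = {"phid": "PHID-USER-bbbbbbbbbbbbbbbbbbbb", "userName": "alice"}


class LinkConflict(Exception):
    """The PHID is already linked to a different developer account."""


class PhabLinkStore:
    """Hypothetical in-memory stand-in for the LDAP attributes that hold the link."""

    def __init__(self):
        self._by_phid = {}  # phid -> {"uid": developer account, "username": label}

    def link(self, uid, whoami):
        phid, username = whoami.get("phid"), whoami.get("userName")
        if not (isinstance(phid, str) and phid.startswith("PHID-USER-")):
            raise ValueError("whoami result carries no user PHID")
        existing = self._by_phid.get(phid)
        if existing and existing["uid"] != uid:
            # One Phabricator account must not be claimed by two developer accounts.
            raise LinkConflict(phid)
        renamed = bool(existing) and existing["username"] != username
        # The username is refreshed on every login; it is never used for lookups.
        self._by_phid[phid] = {"uid": uid, "username": username}
        if renamed:
            return "renamed"
        return "unchanged" if existing else "linked"

    def owner_of(self, whoami):
        record = self._by_phid.get(whoami.get("phid"))
        return record["uid"] if record else None
```

A store keyed on `userName` instead would match `WHOAMI_NAME_REUSED` to the first user's developer account once the original account had been renamed.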

Change #1196919 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/software/bitu@master] Phabricator: Allow users to link Phabricator and developer accounts

https://gerrit.wikimedia.org/r/1196919

SLyngshede-WMF changed the task status from Open to In Progress. Oct 21 2025, 10:59 AM
SLyngshede-WMF moved this task from Backlog to In Progress on the Bitu board.

Change #1197617 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] C:openldap extend wikimediaPerson schema for Phabricator

https://gerrit.wikimedia.org/r/1197617

Pppery removed Nehtechnine as the assignee of this task.
Pppery added a subscriber: Nehtechnine.

Change #1197617 merged by Slyngshede:

[operations/puppet@production] C:openldap extend wikimediaPerson schema for Phabricator

https://gerrit.wikimedia.org/r/1197617

Change #1196919 merged by jenkins-bot:

[operations/software/bitu@master] Phabricator: Allow users to link Phabricator and developer accounts

https://gerrit.wikimedia.org/r/1196919

The new Phabricator account linking feature that is live on https://idm.wikimedia.org/ldapbackend/properties/ seems to be pointing to https://secure.phabricator.com rather than https://phabricator.wikimedia.org as the OAuth server.

That is the Phabricator backend for Social Auth that's being weird. By default, it assumes that you mean to authenticate with phabricator.com.