Page MenuHomePhabricator
Create Task
Maniphest T407655

Document how access tokens with an oaac_id of 0 are used
Closed, ResolvedPublic
Actions

Description

There is this code block in the OAuth 2 session handler, with very little explanation ("the access token was issued to a machine and represents no particular user"). We should document how such access tokens are generated and what they are used for.

Related Objects

Event Timeline

Tgr created this task.Oct 17 2025, 6:30 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptOct 17 2025, 6:30 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
JTweed-WMF moved this task from Inbox, needs triage to Next (DO NOT USE) on the MediaWiki-Platform-Team board.Oct 30 2025, 3:38 PM
OWresch-WMF edited projects, added: MediaWiki-Platform-Team (Kanban Board); removed: MediaWiki-Platform-Team.Nov 21 2025, 11:39 AM
Tgr mentioned this in T417278: Choosing client credentials grant for OAuth 2 results in an access token (JWT) with the 'sub' field empty.Feb 12 2026, 1:56 PM
Tgr claimed this task.Feb 17 2026, 8:22 PM
Tgr moved this task from Essential Work to In Progress on the MediaWiki-Platform-Team (Kanban Board) board.
Tgr added a comment.Feb 17 2026, 8:52 PM

So apparently when access tokens are issued via the client credentials flow (that is, making an API call to /oauth2/access_token with the client ID and secret), the oauth2-server library issues an access token with no user ID (sub is the empty string), and does not create a ConsumerAcceptance record. This logic is to make sure that such access tokens are accepted.

This is broken in several ways: the access token will be anonymous (it will result in an anonymous session), passing an anonymous user breaks the contract of UserInfo::newFromUser(), the missing user ID will be inherited by refresh tokens and cause further problems. But presumably it was good enough for rate limit control via the OAuthRateLimiter extension, for clients which do read-only access and don't care whether they are authenticated.

Fixing it will happen in T417278: Choosing client credentials grant for OAuth 2 results in an access token (JWT) with the 'sub' field empty.

Tgr closed this task as Resolved.Feb 17 2026, 8:52 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits