TypeError: array_keys(): Argument #1 ($array) must be of type array, null given by $resourceServer->getScopes()
Closed, ResolvedPublicPRODUCTION ERROR
Actions

Description

Error

service.version: 1.46.0-wmf.1
timestamp: 2025-11-12T10:20:47.139Z
labels.phpversion: 8.1.33
trace.id: cb5311c8-a719-4cc4-90d3-207ed5c2b3c6
Find trace.id in Logstash

labels.normalized_message

[{reqId}] {exception_url}   TypeError: array_keys(): Argument #1 ($array) must be of type array, null given

Frame	Location	Call
from	/srv/mediawiki/php-1.46.0-wmf.1/extensions/OAuth/src/SessionProvider.php(142)
#0	/srv/mediawiki/php-1.46.0-wmf.1/extensions/OAuth/src/SessionProvider.php(142)	array_keys(null)
#1	/srv/mediawiki/php-1.46.0-wmf.1/includes/session/SessionManager.php(569)	MediaWiki\Extension\OAuth\SessionProvider->provideSessionInfo(MediaWiki\Request\WebRequest)
#2	/srv/mediawiki/php-1.46.0-wmf.1/includes/session/SessionManager.php(136)	MediaWiki\Session\SessionManager->getSessionInfoForRequest(MediaWiki\Request\WebRequest)
#3	/srv/mediawiki/php-1.46.0-wmf.1/includes/Request/WebRequest.php(860)	MediaWiki\Session\SessionManager->getSessionForRequest(MediaWiki\Request\WebRequest)
#4	/srv/mediawiki/php-1.46.0-wmf.1/includes/Setup.php(504)	MediaWiki\Request\WebRequest->getSession()
#5	/srv/mediawiki/php-1.46.0-wmf.1/includes/WebStart.php(72)	require_once(string)
#6	/srv/mediawiki/php-1.46.0-wmf.1/rest.php(18)	require(string)
#7	/srv/mediawiki/w/rest.php(3)	require(string)
#8	{main}

Impact

Notes

This is on old 1.46.0-wmf.1 but as there have been no recent changes in related files I assume this is still unresolved.

Details

MediaWiki Version: 1.46.0-wmf.1
Request URL: https://meta.wikimedia.org/w/rest.php/oauth2/resource/profile

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
Revert debug logging for T409901	mediawiki/extensions/OAuth	master	+3 -25
Control: Handle accepted consumers with "auth-only" grants	mediawiki/extensions/OAuth	wmf/1.46.0-wmf.10	+35 -29
Control: Handle accepted consumers with "auth-only" grants	mediawiki/extensions/OAuth	master	+35 -29
Rest: Add more debug logging for `Resource::getProfile()`	mediawiki/extensions/OAuth	wmf/1.46.0-wmf.7	+14 -1
Rest: Add more debug logging for `Resource::getProfile()`	mediawiki/extensions/OAuth	wmf/1.46.0-wmf.5	+14 -1
Rest: Add more debug logging for `Resource::getProfile()`	mediawiki/extensions/OAuth	master	+14 -1
Add logging when application has no scope to a given user account	mediawiki/extensions/OAuth	master	+13 -2

Customize query in gerrit

Related Objects

Mentioned In: T413997: [UI/UX] Programmatically enforce restrictions on updating grants for auth-only accepted consumers
T413947: Updating grants (via Special:OAuthManageMyGrants) of OAuth accepted consumers overrides its grants with empty array
Mentioned Here: T413947: Updating grants (via Special:OAuthManageMyGrants) of OAuth accepted consumers overrides its grants with empty array

Event Timeline

Aklapper created this task.Nov 12 2025, 10:25 AM

Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptNov 12 2025, 10:26 AM

Yes, still happens on 1.46.0-wmf.2

Oldest case is from Sep 5. Since logs only go back to Aug 15 or so and this error is quite infrequent, possibly has been around for a very long time.

Glancing at the code, it seems this happens either if ResourceServer::setScopes() is called with an empty set of scopes (a request object whose oauth_scopes attribute is empty), or `ResourceServer::verify() (and thus setScopes()) is never called. Neither is supposed to happen; the latter seems impossible (for this specific stack trace at least; maybe the ResourceServer::getScopes() call in MediaWiki\Extension\OAuth\Rest\Handler\Resource is reachable if you somehow manage to call that API with a non-OAuth2 request).

We could make the errors go away by just initializing the scopes to be an empty array rather than null, not sure if that would hide some deeper error though, or cause different kinds of errors down the line. (Probably not; I think an empty scopes array just means all actions will be denied.)

I guess we could at least replace the error with some logging that includes the app ID, which might give a lead to what's happening.

thcipriani moved this task from Untriaged to Oct-Dec 2025 on the Wikimedia-production-error board.Nov 13 2025, 4:26 PM

JTweed-WMF moved this task from Inbox, needs triage to Next (DO NOT USE) on the MediaWiki-Platform-Team board.Nov 17 2025, 3:50 PM

Change #1206662 had a related patch set uploaded (by D3r1ck01; author: Derick Alangi):

[mediawiki/extensions/OAuth@master] Add logging when application has no scope to a given user account

https://gerrit.wikimedia.org/r/1206662

gerritbot added a project: Patch-For-Review.Nov 18 2025, 6:28 AM

DAlangi_WMF changed the task status from Open to In Progress.Nov 18 2025, 6:30 AM

DAlangi_WMF claimed this task.

DAlangi_WMF moved this task from Next (DO NOT USE) to In progress (DO NOT USE) on the MediaWiki-Platform-Team board.

Change #1206662 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] Add logging when application has no scope to a given user account

https://gerrit.wikimedia.org/r/1206662

Maintenance_bot removed a project: Patch-For-Review.Nov 20 2025, 2:30 PM

ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.4; 2025-11-25).Nov 20 2025, 3:00 PM

Thanks @Tgr for merging.

We added some logging to investigate and identify the root cause. Per logstash, this has not happened in a while. Last occurrence is Nov 13.

With the logging code in place, if this happens again, we'll analyze the logs to pinpoint where it's coming from, which will hopefully give us clues on what to do next. I'll keep it assigned to me and keep my eyes on logstash for a couple of weeks and see if this happens again.

OWresch-WMF edited projects, added MediaWiki-Platform-Team (Q3 Kanban Board); removed MediaWiki-Platform-Team.Nov 21 2025, 11:44 AM

OWresch-WMF moved this task from Essential Work to In Progress on the MediaWiki-Platform-Team (Q3 Kanban Board) board.

OWresch-WMF moved this task from In Progress to Essential Work on the MediaWiki-Platform-Team (Q3 Kanban Board) board.Nov 24 2025, 3:53 PM

OWresch-WMF moved this task from Essential Work to To be verified in Prod on the MediaWiki-Platform-Team (Q3 Kanban Board) board.Nov 27 2025, 3:10 PM

This happened again about 2 days ago (December 13), and the stacktrace seems different :[

from /srv/mediawiki/php-1.46.0-wmf.5/extensions/OAuth/src/Rest/Handler/Resource.php(113)
#0 /srv/mediawiki/php-1.46.0-wmf.5/extensions/OAuth/src/Rest/Handler/Resource.php(113): array_keys(null)
#1 /srv/mediawiki/php-1.46.0-wmf.5/extensions/OAuth/src/Rest/Handler/Resource.php(95): MediaWiki\Extension\OAuth\Rest\Handler\Resource->getProfile(MediaWiki\Extension\OAuth\Response)
#2 /srv/mediawiki/php-1.46.0-wmf.5/extensions/OAuth/src/ResourceServer.php(90): MediaWiki\Extension\OAuth\Rest\Handler\Resource->doExecuteProtected(GuzzleHttp\Psr7\ServerRequest, MediaWiki\Extension\OAuth\Response)
#3 /srv/mediawiki/php-1.46.0-wmf.5/vendor/league/oauth2-server/src/Middleware/ResourceServerMiddleware.php(54): MediaWiki\Extension\OAuth\ResourceServer->MediaWiki\Extension\OAuth\{closure}(GuzzleHttp\Psr7\ServerRequest, MediaWiki\Extension\OAuth\Response)
#4 /srv/mediawiki/php-1.46.0-wmf.5/extensions/OAuth/src/ResourceServer.php(85): League\OAuth2\Server\Middleware\ResourceServerMiddleware->__invoke(GuzzleHttp\Psr7\ServerRequest, MediaWiki\Extension\OAuth\Response, Closure)
#5 /srv/mediawiki/php-1.46.0-wmf.5/extensions/OAuth/src/Rest/Handler/Resource.php(80): MediaWiki\Extension\OAuth\ResourceServer->verify(GuzzleHttp\Psr7\ServerRequest, MediaWiki\Extension\OAuth\Response, array)
#6 /srv/mediawiki/php-1.46.0-wmf.5/includes/Rest/Module/Module.php(472): MediaWiki\Extension\OAuth\Rest\Handler\Resource->execute()
#7 /srv/mediawiki/php-1.46.0-wmf.5/includes/Rest/Module/Module.php(301): MediaWiki\Rest\Module\Module->executeHandler(MediaWiki\Extension\OAuth\Rest\Handler\Resource)
#8 /srv/mediawiki/php-1.46.0-wmf.5/includes/Rest/Router.php(485): MediaWiki\Rest\Module\Module->execute(string, MediaWiki\Rest\RequestFromGlobals)
#9 /srv/mediawiki/php-1.46.0-wmf.5/includes/Rest/Router.php(444): MediaWiki\Rest\Router->doExecute(string, MediaWiki\Rest\RequestFromGlobals)
#10 /srv/mediawiki/php-1.46.0-wmf.5/includes/Rest/EntryPoint.php(207): MediaWiki\Rest\Router->execute(MediaWiki\Rest\RequestFromGlobals)
#11 /srv/mediawiki/php-1.46.0-wmf.5/includes/MediaWikiEntryPoint.php(184): MediaWiki\Rest\EntryPoint->execute()
#12 /srv/mediawiki/php-1.46.0-wmf.5/rest.php(25): MediaWiki\MediaWikiEntryPoint->run()
#13 /srv/mediawiki/w/rest.php(3): require(string)
#14 {main}

The spike (14 occurrences) all seem to be coming from metawiki. I've looked at the instances (all originating from the REST API - /w/rest.php/oauth2/resource/profile ), they all look the same as above, and we're not doing any logging here; we just throw a TypeError exception. Since we're not logging anything useful here, we still don't know which application is causing this.

@Tgr, would it make sense to add more logging in places where we retrieve the application scopes? array_keys() doesn't like null and will throw a TypeError if it happens. Note that: ResourceServer::getScopes() is not documented to return null.

Change #1218305 had a related patch set uploaded (by D3r1ck01; author: Derick Alangi):

[mediawiki/extensions/OAuth@master] Rest: Add more debug logging for `Resource::getProfile()`

https://gerrit.wikimedia.org/r/1218305

gerritbot added a project: Patch-For-Review.Dec 15 2025, 3:08 PM

DAlangi_WMF moved this task from To be verified in Prod to In Progress on the MediaWiki-Platform-Team (Q3 Kanban Board) board.Dec 15 2025, 3:19 PM

Change #1218305 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] Rest: Add more debug logging for `Resource::getProfile()`

https://gerrit.wikimedia.org/r/1218305

Maintenance_bot removed a project: Patch-For-Review.Dec 18 2025, 1:30 AM

Change #1219558 had a related patch set uploaded (by D3r1ck01; author: Derick Alangi):

[mediawiki/extensions/OAuth@wmf/1.46.0-wmf.5] Rest: Add more debug logging for `Resource::getProfile()`

https://gerrit.wikimedia.org/r/1219558

Change #1219559 had a related patch set uploaded (by D3r1ck01; author: Derick Alangi):

[mediawiki/extensions/OAuth@wmf/1.46.0-wmf.7] Rest: Add more debug logging for `Resource::getProfile()`

https://gerrit.wikimedia.org/r/1219559

Change #1219558 merged by jenkins-bot:

[mediawiki/extensions/OAuth@wmf/1.46.0-wmf.5] Rest: Add more debug logging for `Resource::getProfile()`

https://gerrit.wikimedia.org/r/1219558

Change #1219559 merged by jenkins-bot:

[mediawiki/extensions/OAuth@wmf/1.46.0-wmf.7] Rest: Add more debug logging for `Resource::getProfile()`

https://gerrit.wikimedia.org/r/1219559

Mentioned in SAL (#wikimedia-operations) [2025-12-18T14:18:37Z] <derick@deploy2002> Started scap sync-world: Backport for [[gerrit:1219558|Rest: Add more debug logging for Resource::getProfile() (T409901)]], [[gerrit:1219559|Rest: Add more debug logging for Resource::getProfile() (T409901)]]

Mentioned in SAL (#wikimedia-operations) [2025-12-18T14:20:49Z] <derick@deploy2002> d3r1ck01, derick: Backport for [[gerrit:1219558|Rest: Add more debug logging for Resource::getProfile() (T409901)]], [[gerrit:1219559|Rest: Add more debug logging for Resource::getProfile() (T409901)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Mentioned in SAL (#wikimedia-operations) [2025-12-18T14:25:31Z] <derick@deploy2002> Finished scap sync-world: Backport for [[gerrit:1219558|Rest: Add more debug logging for Resource::getProfile() (T409901)]], [[gerrit:1219559|Rest: Add more debug logging for Resource::getProfile() (T409901)]] (duration: 06m 54s)

Backports have been deployed today. Will monitor and verify this again to see where this error is coming from.

Maintenance_bot removed a project: Patch-For-Review.Dec 18 2025, 2:30 PM

In T409901#11473116, @DAlangi_WMF wrote:

Backports have been deployed today. Will monitor and verify this again to see where this error is coming from.

This happened again today (Dec 27), and we have more data at: https://logstash.wikimedia.org/goto/07091fc5ab16e563a453adfaed239651.

Seems to be coming from an application doing some kind of testing.

OWresch-WMF moved this task from To be verified in Prod to In Progress on the MediaWiki-Platform-Team (Q3 Kanban Board) board.Jan 5 2026, 3:38 PM

In T409901#11485492, @DAlangi_WMF wrote:

Seems to be coming from an application doing some kind of testing.

Filed as T413947: Updating grants (via Special:OAuthManageMyGrants) of OAuth accepted consumers overrides its grants with empty array, which seems to be the root cause.

Change #1224103 had a related patch set uploaded (by D3r1ck01; author: Derick Alangi):

[mediawiki/extensions/OAuth@master] Control: Handle accepted consumers with "auth-only" grants

https://gerrit.wikimedia.org/r/1224103

gerritbot added a project: Patch-For-Review.Jan 7 2026, 3:21 PM

DAlangi_WMF mentioned this in T413997: [UI/UX] Programmatically enforce restrictions on updating grants for auth-only accepted consumers.Jan 7 2026, 4:04 PM

DAlangi_WMF changed the task status from Open to In Progress.Jan 7 2026, 4:09 PM

It doesn't really make sense to end up with an empty grants / scopes array, but it's also not completely crazy (maybe the user revoked everything, as actually happened here? maybe there's some hook mechanism filtering them?) so IMO we should fix the handling of the empty array (which apparently gets distorted somewhere into null).

Change #1224103 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] Control: Handle accepted consumers with "auth-only" grants

https://gerrit.wikimedia.org/r/1224103

Maintenance_bot removed a project: Patch-For-Review.Jan 12 2026, 8:31 PM

matmarex subscribed.Jan 13 2026, 12:09 AM

Change #1227280 had a related patch set uploaded (by D3r1ck01; author: Derick Alangi):

[mediawiki/extensions/OAuth@wmf/1.46.0-wmf.10] Control: Handle accepted consumers with "auth-only" grants

https://gerrit.wikimedia.org/r/1227280

gerritbot added a project: Patch-For-Review.Thu, Jan 15, 10:04 AM

Change #1227280 abandoned by D3r1ck01:

[mediawiki/extensions/OAuth@wmf/1.46.0-wmf.10] Control: Handle accepted consumers with "auth-only" grants

Reason:

This is not going to be needed actually. But the others would need to be backported to wmf.11 then deployed in the late window.

https://gerrit.wikimedia.org/r/1227280

Maintenance_bot removed a project: Patch-For-Review.Thu, Jan 15, 10:31 AM

With T413947 now resolved, we can monitor again and hopefully this should no longer happen.

DAlangi_WMF moved this task from In Progress to To be verified in Prod on the MediaWiki-Platform-Team (Q3 Kanban Board) board.Thu, Jan 15, 9:41 PM

In T409901#11526812, @DAlangi_WMF wrote:

With T413947 now resolved, we can monitor again and hopefully this should no longer happen.

Keeping this Logstash link here: https://logstash.wikimedia.org/goto/92b2ce3a4c5af94ec9d111f73a406db1 for monitoring post-deployment.

Hi awesome @Agamyasamuel, invoking you here (per logs) to see if you still see this issue when you run your client?

In T409901#11526868, @DAlangi_WMF wrote:

Keeping this Logstash link here: https://logstash.wikimedia.org/goto/92b2ce3a4c5af94ec9d111f73a406db1 for monitoring post-deployment.

I'll be bold and resolve this. I'm pretty sure the work completed in T413947 has resolved the issue, and we haven't had any log entries about this for about 2 weeks.

In T409901#11526892, @DAlangi_WMF wrote:

Hi awesome @Agamyasamuel, invoking you here (per logs) to see if you still see this issue when you run your client?

Also, I was able to track that this app was disabled per https://meta.wikimedia.org/wiki/Special:OAuthListConsumers/view/d4eaab0c20d465f257736c998c6b3e1c. If this happens again, we can always re-open.

Change #1239249 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/OAuth@master] Revert debug logging for T409901

https://gerrit.wikimedia.org/r/1239249

gerritbot added a project: Patch-For-Review.Thu, Feb 12, 9:31 PM

TypeError: array_keys(): Argument #1 ($array) must be of type array, null given by $resourceServer->getScopes()Closed, ResolvedPublicPRODUCTION ERRORActions