Page MenuHomePhabricator
Create Task
Maniphest T412214

Ensure a good experience for apps which want to use OAuth credentials for a long time
Open, Needs TriagePublic
Actions

Description

Owner-only access tokens are valid forever, but aren't applicable for multi-user apps nor for apps which need high rate limits (T407987). What should non-owner-only apps do to avoid requiring the user to go through the authorization dialog often.

Refresh tokens are valid for 1 month by default and 1 year on Wikimedia wikis, but are invalidated when they are used. The response includes a new refresh token but in case of e.g. network error that gets lost and the app is left without a valid session. That seems annoying, especially for users on lossy networks.

Amazon handles that by providing a 60-second grace period during refresh token rotation during which the old token remains valid and can be retried. Maybe we should do something like that?

Related Objects
Search...

Event Timeline

Tgr created this task.Dec 10 2025, 12:58 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptDec 10 2025, 12:58 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Tgr mentioned this in T321591: Configure OAuth 2.0 token expiry to something reasonable.Dec 18 2025, 10:47 AM
Tgr added a parent task: T395459: Use OAuth rather than password-based login for Wikimedia mobile apps.Dec 19 2025, 9:50 PM
Nylki subscribed.Dec 29 2025, 5:19 PM
JTweed-WMF edited projects, added MediaWiki-Platform-Team (Q3 Kanban Board); removed MediaWiki-Platform-Team.Feb 9 2026, 3:57 PM
JTweed-WMF moved this task from Essential Work to OKR Work on the MediaWiki-Platform-Team (Q3 Kanban Board) board.
Tgr mentioned this in T417278: Choosing client credentials grant for OAuth 2 results in an access token (JWT) with the 'sub' field empty.Feb 17 2026, 11:54 PM
Tgr mentioned this in T407987: Define best practice for single-user apps which need a high MediaWiki API rate limit.Feb 19 2026, 9:11 PM
Tgr added a comment.Mar 5 2026, 7:49 PM

Upstream discussion: #735, #1025 (but basically just says this is up to the application using the library to deal with, in its RefreshTokenRepository implementation).

https://www.rfc-editor.org/rfc/rfc9700.html#name-refresh-token-protection has some relevant security recommendations (basically just "don't disable refresh token rotation").

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits