Maniphest T412542

Rethink protocol support for OAuth apps
Open, Needs TriagePublic
Actions

Assigned To

Authored By

	Tgr
	Dec 12 2025, 5:57 PM

Tags

Referenced Files

None

Subscribers

Description

Currently callback URLs for OAuth apps are parsed by UrlUtils which means only protocols present in $wgUrlProtocols are allowed. Which means that to allow an app using a callback URL with a custom protocol (common for mobile apps), we 1) need to make a configuration change, 2) that will also allow it to be used in links in wikitext, which is probably unwanted.

We should find a way to parse URLs without UrlUtils, or make UrlUtils ignore $wgUrlProtocols; and we should emphasize during review that the app is using a custom protocol (so OAuth admins can ensure that the protocol legitimately belongs to the app). That probably also means never doing auto-approval when a custom protocol is used.

Related Objects

Mentioned Here: T410521: Add com.blogspot.wikikamus: to list of allowed OAuth2 URI schemes

Event Timeline

Tgr created this task.Dec 12 2025, 5:57 PM

Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptDec 12 2025, 5:57 PM

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

Motivated by T410521: Add com.blogspot.wikikamus: to list of allowed OAuth2 URI schemes.

Chuiimuii_ofc claimed this task.Dec 13 2025, 2:19 PM

Change #1217825 had a related patch set uploaded (by Chuiimuii_ofc; author: Chuiimuii_ofc):

[mediawiki/extensions/OAuth@master] Allow OAuth callback URLs with custom protocols without modifying \

https://gerrit.wikimedia.org/r/1217825

gerritbot added a project: Patch-For-Review.Dec 13 2025, 2:43 PM

• Krinkle moved this task from Inbox, needs triage to Needs refinement on the MediaWiki-Platform-Team board.Dec 16 2025, 4:11 PM

• Krinkle added a subscriber: JTweed-WMF.

Nylki subscribed.Dec 17 2025, 4:59 PM