Improve test coverage for OAuth2 authorization and token exchange
Open, Needs TriagePublic
Actions

Assigned To

Authored By

	DAlangi_WMF
	Thu, Feb 5, 9:18 AM

Description

This involves writing an integration test to verify the REST API handlers that handle authorization and token exchange for OAuth2 consumers. The corresponding classes are:

Authorize (endpoint: /oauth2/authorize)
AccessToken (endpoint: /oauth2/access_token)
ResetClientSecret (endpoint: /oauth2/client/{client_key}/reset_secret)

We already have a way to write integration tests for REST API handlers in MediaWiki using the HandlerTestTrait trait. Some good examples can be found at: https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/0aa7ce021b7904ed4f63f941f307f0143a32d0bf/tests/phpunit/integration/includes/Rest/Handler

Impact

Increase coverage of the REST Handler classes: https://doc.wikimedia.org/cover-extensions/OAuth/src/Rest/Handler/index.html
Increase in code coverage: https://doc.wikimedia.org/cover-extensions/OAuth/src/Control/ConsumerAcceptanceAccessControl.php.html (T416761)
Increase in code coverage: https://doc.wikimedia.org/cover-extensions/OAuth/src/Control/ConsumerAccessControl.php.html (T416761)

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Open		None	T415281 [EPIC] OAuth extension critical workflows (for automated tests enhancement)
		Open		Hokwelum	T416557 Improve test coverage for OAuth2 authorization and token exchange

Event Timeline

DAlangi_WMF created this task.Thu, Feb 5, 9:18 AM

DAlangi_WMF edited projects, added Test-Coverage, QS-Test-Automation; removed Epic.Thu, Feb 5, 10:01 AM

DAlangi_WMF moved this task from Essential Work to OKR Work on the MediaWiki-Platform-Team (Q3 Kanban Board) board.

OWresch-WMF moved this task from OKR Work to Next on the MediaWiki-Platform-Team (Q3 Kanban Board) board.Thu, Feb 5, 10:06 AM

OAuth 2 has several flows ("grants").

authorization code flow (with or without a PKCE challange, depending on whether the client is confidential): /oauth2/authorize to show authorization dialog, and then /oauth2/access_token. (Note that /oauth2/authorize is just a redirect to SpecialMWOAuth/approve.)
refresh token flow: call /oauth2/access_token to exchange a refresh token for an access token
client credentials: call /oauth2/access_token with whatever we use as client credentials. TBH I have no idea about the details of this.

ResetClientSecret belongs to T416490: Improve test coverage of SpecialMWOAuthConsumerRegistration (it's the API equivalent of /update).

DAlangi_WMF updated the task description. (Show Details)Sat, Feb 7, 6:09 AM

SLong-WMF moved this task from Backlog to Tracking Only on the QS-Test-Automation board.Tue, Feb 10, 6:18 PM

Hokwelum claimed this task.Tue, Feb 17, 2:59 PM

DAlangi_WMF moved this task from Next to In Progress on the MediaWiki-Platform-Team (Q3 Kanban Board) board.Tue, Feb 17, 3:03 PM