Set a JWT cookie for OAuth 1 requests and OAuth 2 owner-only requests
Closed, ResolvedPublic
Actions

Description

Due to limitations of how much we can control access tokens, we have decided in T394012: Decide how to expose session information outside of MediaWiki not to emit session information for OAuth 1 requests, and to accept emitting stale session information for OAuth 2 owner-only requests. To reduce the impact of this, we can emit a JWT session cookie for such requests. OAuth clients might ignore Set-Cookie headers, but some might not, and there's no harm in trying.

Unfortunately we'll probably not be able to fully reuse the mechanism created in T415007: Login with `action=login` and bot password does not create a JWT session cookie as cookies are normally set during persist(), calling that also saves the session to the session store, OAuth sessions are usually not persisted (the access token includes all necessary information, so the session store is only needed if something in the application needs to store its own session data, and almost nothing needs that), and we want to keep it that way as otherwise we'd do a session write on every request from clients which ignore cookies. We'll need to directly set/unset the cookie instead of using the needRefresh mechanism. We don't have a great place for doing that, currently. Maybe we'll need a callback that tells the session provider that it now owns the session.

One potential concern is cookie conflict - we probably want to use the same cookie name for all session types, to keep the Envoy logic simple. But that means that for a client using multiple session types (e.g. a browser that does normal cookie-based sessions but also OAuth), the various session handlers will write the same cookie. I think that won't be a problem as long as they use the same user, as the JWT contents will be roughly the same. In any case, using OAuth in the browser doesn't really make sense for OAuth 1 nor for owner-only consumers.

Details

Other Assignee: DAlangi_WMF

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
Enable JWTs for OAuth1 consumers and OAuth2 owner-only consumers	operations/mediawiki-config	master	+5 -0
tests: Add test for asserting JWT cookie not set for OAuth2 consumers	mediawiki/extensions/OAuth	wmf/1.46.0-wmf.22	+193 -103
tests: OAuth1 and OAuth2 owner-only JWT support	mediawiki/extensions/OAuth	wmf/1.46.0-wmf.22	+831 -27
Set a JWT cookie for OAuth 1 and OAuth 2 owner-only requests	mediawiki/extensions/OAuth	wmf/1.46.0-wmf.22	+99 -2
Set a JWT cookie for OAuth 1 and OAuth 2 owner-only requests	mediawiki/extensions/OAuth	master	+99 -2
tests: OAuth1 and OAuth2 owner-only JWT support	mediawiki/extensions/OAuth	master	+831 -27
tests: Add test for asserting JWT cookie not set for OAuth2 consumers	mediawiki/extensions/OAuth	master	+193 -103
RateLimit: Do not ignore OAuth2 owner-only consumers	mediawiki/extensions/WikimediaCustomizations	master	+1 -4
session: Add a callback for attaching a SessionInfo to a WebRequest	mediawiki/core	master	+47 -1

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Open	None	T399291 Epic: API Rate Limiting Architecture
Open	None	T412585 Epic: Enforce API rate limits (WE5.1.3c)
Open	None	T417779 rest gateway: enforce rate limits (stage two)
Resolved	• Tgr	T417833 Set a JWT cookie for OAuth 1 requests and OAuth 2 owner-only requests

Event Timeline

• Tgr created this task.Feb 18 2026, 9:49 PM

Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptFeb 18 2026, 9:49 PM

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

daniel mentioned this in T418042: rest gateway: use rlc from sessionJwt cookie even when a bearer token is used.Feb 21 2026, 9:23 AM

Bumping priority to high, since this blocks the rollout of stage two of the REST API rate limits. It's not sufficient to have this by the rollout date, we need it beforehand so we have visibility of how many clients that use OAuth we would hit with rate limits.

matmarex moved this task from Inbox, needs triage to Q3 Kanban Board on the MediaWiki-Platform-Team board.Feb 23 2026, 3:53 PM

matmarex edited projects, added MediaWiki-Platform-Team (Q3 Kanban Board); removed MediaWiki-Platform-Team.

matmarex moved this task from Essential Work to In Progress on the MediaWiki-Platform-Team (Q3 Kanban Board) board.

MShilova_WMF subscribed.Feb 24 2026, 7:13 PM

• Tgr claimed this task.Feb 26 2026, 1:24 PM

• Tgr mentioned this in T415007: Login with `action=login` and bot password does not create a JWT session cookie.Feb 27 2026, 9:38 PM

• Tgr mentioned this in T407987: Define best practice for single-user apps which need a high MediaWiki API rate limit.Mar 4 2026, 4:49 PM

• Tgr updated the task description. (Show Details)Mar 6 2026, 11:34 AM

Change #1252719 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@master] session: Add a callback for attaching a SessionInfo to a WebRequest

https://gerrit.wikimedia.org/r/1252719

gerritbot added a project: Patch-For-Review.Sun, Mar 15, 6:35 PM

Change #1252731 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/OAuth@master] [WIP] Set a JWT cookie for OAuth 1 and OAuth 2 owner-only requests

https://gerrit.wikimedia.org/r/1252731

Change #1252719 merged by jenkins-bot:

[mediawiki/core@master] session: Add a callback for attaching a SessionInfo to a WebRequest

https://gerrit.wikimedia.org/r/1252719

ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.21; 2026-03-24).Tue, Mar 24, 1:00 AM

Change #1259059 had a related patch set uploaded (by D3r1ck01; author: Derick Alangi):

[mediawiki/extensions/OAuth@master] tests: OAuth1 and OAuth2 owner-only JWT support

https://gerrit.wikimedia.org/r/1259059

DAlangi_WMF updated Other Assignee, added: DAlangi_WMF.Tue, Mar 24, 12:16 PM

Change #1260005 had a related patch set uploaded (by D3r1ck01; author: Derick Alangi):

[mediawiki/extensions/WikimediaCustomizations@master] RateLimit: Do not ignore OAuth2 owner-only consumers

https://gerrit.wikimedia.org/r/1260005

Change #1260006 had a related patch set uploaded (by D3r1ck01; author: Derick Alangi):

[operations/mediawiki-config@master] Enable JWTs for OAuth1 consumers and OAuth2 owner-only consumers

https://gerrit.wikimedia.org/r/1260006

Change #1260005 abandoned by D3r1ck01:

[mediawiki/extensions/WikimediaCustomizations@master] RateLimit: Do not ignore OAuth2 owner-only consumers

https://gerrit.wikimedia.org/r/1260005

Change #1264663 had a related patch set uploaded (by D3r1ck01; author: Derick Alangi):

[mediawiki/extensions/OAuth@master] tests: Add test for asserting JWT cookie not set for OAuth2 consumers

https://gerrit.wikimedia.org/r/1264663

Change #1252731 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] Set a JWT cookie for OAuth 1 and OAuth 2 owner-only requests

https://gerrit.wikimedia.org/r/1252731

Change #1259059 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] tests: OAuth1 and OAuth2 owner-only JWT support

https://gerrit.wikimedia.org/r/1259059

Change #1264663 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] tests: Add test for asserting JWT cookie not set for OAuth2 consumers

https://gerrit.wikimedia.org/r/1264663

Change #1265367 had a related patch set uploaded (by D3r1ck01; author: Gergő Tisza):

[mediawiki/extensions/OAuth@wmf/1.46.0-wmf.22] Set a JWT cookie for OAuth 1 and OAuth 2 owner-only requests

https://gerrit.wikimedia.org/r/1265367

Change #1265368 had a related patch set uploaded (by D3r1ck01; author: Derick Alangi):

[mediawiki/extensions/OAuth@wmf/1.46.0-wmf.22] tests: OAuth1 and OAuth2 owner-only JWT support

https://gerrit.wikimedia.org/r/1265368

Change #1265369 had a related patch set uploaded (by D3r1ck01; author: Derick Alangi):

[mediawiki/extensions/OAuth@wmf/1.46.0-wmf.22] tests: Add test for asserting JWT cookie not set for OAuth2 consumers

https://gerrit.wikimedia.org/r/1265369

ReleaseTaggerBot edited projects, added MW-1.46-notes (1.46.0-wmf.23; 2026-04-07); removed MW-1.46-notes (1.46.0-wmf.21; 2026-03-24).Tue, Mar 31, 10:00 AM

Change #1265367 merged by jenkins-bot:

[mediawiki/extensions/OAuth@wmf/1.46.0-wmf.22] Set a JWT cookie for OAuth 1 and OAuth 2 owner-only requests

https://gerrit.wikimedia.org/r/1265367

Change #1265368 merged by jenkins-bot:

[mediawiki/extensions/OAuth@wmf/1.46.0-wmf.22] tests: OAuth1 and OAuth2 owner-only JWT support

https://gerrit.wikimedia.org/r/1265368

Change #1265369 merged by jenkins-bot:

[mediawiki/extensions/OAuth@wmf/1.46.0-wmf.22] tests: Add test for asserting JWT cookie not set for OAuth2 consumers

https://gerrit.wikimedia.org/r/1265369

Change #1260006 merged by jenkins-bot:

[operations/mediawiki-config@master] Enable JWTs for OAuth1 consumers and OAuth2 owner-only consumers

https://gerrit.wikimedia.org/r/1260006

Mentioned in SAL (#wikimedia-operations) [2026-03-31T13:10:02Z] <derick@deploy1003> Started scap sync-world: Backport for [[gerrit:1265367|Set a JWT cookie for OAuth 1 and OAuth 2 owner-only requests (T417833)]], [[gerrit:1265368|tests: OAuth1 and OAuth2 owner-only JWT support (T417833 T415281)]], [[gerrit:1265369|tests: Add test for asserting JWT cookie not set for OAuth2 consumers (T417833 T415281)]], [[gerrit:1260006|Enable JWTs for OAuth1 consumers and OAuth2 owner-only consume

Mentioned in SAL (#wikimedia-operations) [2026-03-31T13:28:37Z] <derick@deploy1003> derick, d3r1ck01: Backport for [[gerrit:1265367|Set a JWT cookie for OAuth 1 and OAuth 2 owner-only requests (T417833)]], [[gerrit:1265368|tests: OAuth1 and OAuth2 owner-only JWT support (T417833 T415281)]], [[gerrit:1265369|tests: Add test for asserting JWT cookie not set for OAuth2 consumers (T417833 T415281)]], [[gerrit:1260006|Enable JWTs for OAuth1 consumers and OAuth2 owner-only consumers (T41

Stashbot mentioned this in T41: Set up redirects from RT URLs to Phabricator.Tue, Mar 31, 1:28 PM

Maintenance_bot removed a project: Patch-For-Review.Tue, Mar 31, 1:30 PM

Mentioned in SAL (#wikimedia-operations) [2026-03-31T13:43:43Z] <derick@deploy1003> Finished scap sync-world: Backport for [[gerrit:1265367|Set a JWT cookie for OAuth 1 and OAuth 2 owner-only requests (T417833)]], [[gerrit:1265368|tests: OAuth1 and OAuth2 owner-only JWT support (T417833 T415281)]], [[gerrit:1265369|tests: Add test for asserting JWT cookie not set for OAuth2 consumers (T417833 T415281)]], [[gerrit:1260006|Enable JWTs for OAuth1 consumers and OAuth2 owner-only consum

ReleaseTaggerBot edited projects, added MW-1.46-notes (1.46.0-wmf.22; 2026-03-31); removed MW-1.46-notes (1.46.0-wmf.23; 2026-04-07).Tue, Mar 31, 2:00 PM

In T417833#11638080, @daniel wrote:

Bumping priority to high, since this blocks the rollout of stage two of the REST API rate limits. It's not sufficient to have this by the rollout date, we need it beforehand so we have visibility of how many clients that use OAuth we would hit with rate limits.

[update] We deployed backports for this today and enabled it as the train goes out. By Thursday, if everything goes smoothly, it should be live for all wikis.

DAlangi_WMF moved this task from In Progress to To be verified in Prod on the MediaWiki-Platform-Team (Q3 Kanban Board) board.Tue, Mar 31, 10:21 PM

@daniel, On test wiki + PWB, I got the following response headers with a sessionJwt cookie.

(pyvenv) ☁  pywikibot [master] python pwb.py watchlist

{
  "date": "Wed, 01 Apr 2026 22:47:23 GMT",
  "server": "<redacted>",
  "x-content-type-options": "nosniff",
  "x-experiment-enrollments": "attribution-research-short-baseline-run=treatment;",
  "content-security-policy": "default-src 'self'; script-src 'none'; object-src 'none'",
  "x-frame-options": "DENY",
  "content-disposition": "inline; filename=api-result.json",
  "cache-control": "private, max-age=0, s-maxage=0",
  "set-cookie": "sessionJwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJS<redacted-portion>; expires=Thu, 02 Apr 2026 02:47:23 GMT; Max-Age=14400; path=/; secure; HttpOnly, WMF-Last-Access=01-Apr-2026;Path=/;HttpOnly;secure;Expires=Sun, 03 May 2026 12:00:00 GMT, WMF-Last-Access-Global=01-Apr-2026;Path=/;Domain=.wikipedia.org;HttpOnly;secure;Expires=Sun, 03 May 2026 12:00:00 GMT, GeoIP=<redacted>; Path=/; secure; Domain=.wikipedia.org, NetworkProbeLimit=0.001;Path=/;Secure;SameSite=None;Max-Age=3600, WMF-Uniq=<redacted>;Domain=.wikipedia.org;Path=/;HttpOnly;secure;SameSite=None;Expires=Thu, 01 Apr 2027 00:00:00 GMT",
  "content-type": "application/json; charset=utf-8",
  "content-encoding": "gzip",
  "age": "0",
  "x-cache": "cp6013 pass, cp6012 pass",
  "x-cache-status": "pass",
  "server-timing": "cache;desc=\"pass\", host;desc=\"cp6012\", WMF-Uniq;desc=\"attribution-research-short-baseline-run=treatment;\"",
  "strict-transport-security": "max-age=106384710; includeSubDomains; preload",
  "report-to": {
    "group": "wm_nel",
    "max_age": 604800,
    "endpoints": [
      {
        "url": "<redacted>
      }
    ]
  },
  "nel": {
    "report_to": "wm_nel",
    "max_age": 604800,
    "failure_fraction": 0.05,
    "success_fraction": 0
  },
  "x-client-ip": "<redacted>",
  "vary": "Accept-Encoding,User-Agent",
  "content-length": "624",
  "x-request-id": "c712d656-96da-4f99-8f8e-cb5db3c2c779",
  "x-analytics": ""
}

...

User:DAlangi (WMF)
User talk:DAlangi (WMF)

Execution time: 14 seconds

Consumer: https://meta.wikimedia.org/wiki/Special:OAuthListConsumers/view/11952828eb05af2eaadfd95a734231ec

Everything seems to be fine. I've been monitoring sessions and OAuth-related dashboards and haven't observed anything unusual. OAuth clients also seem to be working as expected after the rollout. Tomorrow, the feature hits group2 wikis.

Don-vip subscribed.Thu, Apr 2, 9:27 PM

Amdrel mentioned this in rTVTC0aa96a73024f: Ignore Set-Cookie header from Commons in worker.Thu, Apr 2, 10:08 PM

Amdrel mentioned this in rTVTC1232482bf26b: Ignore Set-Cookie header from Commons in worker.

Seems to be working, excellent!

Set a JWT cookie for OAuth 1 requests and OAuth 2 owner-only requestsClosed, ResolvedPublicActions

Description

Details

Related ObjectsSearch...

Event Timeline

Set a JWT cookie for OAuth 1 requests and OAuth 2 owner-only requests
Closed, ResolvedPublic
Actions

Related Objects
Search...