
Editing using OAuth 2 doesn’t work
Closed, ResolvedPublicBUG REPORT

Description

Steps to replicate the issue (include links if applicable):

  • git clone https://gitlab.wikimedia.org/repos/m3api/m3api-examples.git
  • cd m3api-examples/webapp-serverside-express-guestbook
  • npm install
  • npm run start
  • go to http://localhost:8080/
  • log in via OAuth
  • click the “sign guestbook” button

Alternatively, use the webapp-clientside-vite-guestbook example instead (with npm run dev as the command to launch it).

What happens?:
The API request fails with HTTP status 401 and the JSON contents:

{
  "httpCode": 401,
  "httpReason": "Jwt issuer is not configured"
}

What should have happened instead?:
OAuth 2 should work.

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):
Current 1.46.0-wmf.16

Other information (browser name/version, screenshots, etc.):
@Reedy suspects this is related to T417820 / T417278 / T261462.

@Arcstur and Vincent on Telegram have also reported encountering this issue.

Event Timeline

LucasWerkmeister triaged this task as Unbreak Now! priority. Feb 18 2026, 11:06 PM

Boldly making this a train blocker (⇒ UBN!) for now; I don’t know how widely OAuth 2 is used compared to OAuth 1.0a (which doesn’t seem to be affected), but given that several users noticed the issue already (#wikimedia-cloud) I think it’s reasonable to guess that this is causing some breakage.

I can't reproduce locally (using https://oauth2-hello-world.toolforge.org/ as the client), maybe a problem with our config?

Is it only broken on 1.46.0-wmf.16, or wmf.15 too? If it's on wmf.15 too, then the fix for T417722 could also be the cause (we did a major version bump of a library in about 30 minutes…).

> @Reedy suspects this is related to T417820
>
> Is it only broken on 1.46.0-wmf.16, or wmf.15 too? If it's on wmf.15 too, then the fix for T417722 could also be the cause (we did a major version bump of a library in about 30 minutes…).

No idea, I’ve personally only tested it against test.wikipedia.org. @Arcstur was apparently testing QuickStatements 3.0, so presumably targeting Wikidata (i.e. group1 / wmf.16 as well).

I can't even figure out where the string "Jwt issuer is not configured" comes from.

> I can't even figure out where the string "Jwt issuer is not configured" comes from.

I am pretty sure it comes from Envoy, and not MediaWiki: https://github.com/envoyproxy/envoy/blob/6dc915a34553d1cb959908fd7f185ee73725286c/source/common/jwt/status.cc#L65

(I was pointed there by https://trstringer.com/troubleshooting-Jwt-issuer-is-not-configured/, although our problem is probably different from theirs)

Additional note: OAuth 2.0 using Owner-only consumers works correctly and allows editing without issues.
The problem appears when using standard OAuth 2.0 consumers (non owner-only), where the API returns HTTP 401 with "Jwt issuer is not configured".
This suggests the issue may be limited to JWT validation or issuer configuration for non owner-only flows.

Interesting – that would also explain why it’s not formatted like an api.php error, and why it can’t be reproduced locally.

Still debugging locally. The JWTs I am getting for OAuth 2 access tokens do not have an issuer (iss) field at all. This is probably the problem.

Change #1240413 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/extensions/OAuth@master] Fix "iss" field missing in OAuth 2 access token JWT

https://gerrit.wikimedia.org/r/1240413

That fixes the problem for me locally.

The bug is caused by https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1222279, which upgraded lcobucci/jwt from "4.1.5" to "5.6.0" (and which looks impossible to revert due to dependency hell). One of the breaking changes in 5.0 is: https://github.com/lcobucci/jwt/releases/tag/5.0.0 "Builder: make it immutable". Basically, many methods that used to be setters now return a clone of the builder object with additional fields. Our code still used them as setters, and unknowingly discarded the clone.
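The immutable-builder pitfall described above, as an added illustration that is not the OAuth extension's or lcobucci/jwt's own code: a hypothetical ImmutableBuilder mimics the 5.x clone-and-return behaviour, buggyIssueToken() calls it setter-style and loses the iss claim, fixedIssueToken() chains the calls, and tokenIssuer() performs the issuer check an issuer-validating proxy would apply.

```php
<?php
// Added example (not the OAuth extension's or lcobucci/jwt's code): a minimal immutable
// builder like lcobucci/jwt 5.x, plus the setter-style misuse that drops "iss". Names are hypothetical.
final class ImmutableBuilder {
    /** @var array<string, mixed> */
    private array $claims = [];

    // Returns a modified copy and leaves the receiver untouched (5.x behaviour).
    #[\NoDiscard] // PHP 8.5 flags callers that discard the returned copy
    public function issuedBy(string $issuer): self {
        $new = clone $this;
        $new->claims['iss'] = $issuer;
        return $new;
    }
    #[\NoDiscard]
    public function relatedTo(string $subject): self {
        $new = clone $this;
        $new->claims['sub'] = $subject;
        return $new;
    }

    // Unsigned compact JWT (header.payload.) is enough to inspect the claims.
    public function getToken(): string {
        $b64 = fn(string $s): string => rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
        return $b64(json_encode(['alg' => 'none', 'typ' => 'JWT'])) . '.'
            . $b64(json_encode($this->claims, JSON_THROW_ON_ERROR | JSON_FORCE_OBJECT)) . '.';
    }
}

// 4.x-style usage: every return value is thrown away, so "iss" and "sub" never land.
function buggyIssueToken(string $issuer, string $user): string {
    $builder = new ImmutableBuilder();
    $builder->issuedBy($issuer); // copy discarded
    $builder->relatedTo($user);  // copy discarded
    return $builder->getToken();
}

// Corrected usage: keep the copy returned by each call.
function fixedIssueToken(string $issuer, string $user): string {
    return (new ImmutableBuilder())->issuedBy($issuer)->relatedTo($user)->getToken();
}

// Regression check: an issuer-validating proxy rejects a token whose payload has no "iss".
function tokenIssuer(string $jwt): ?string {
    $claims = json_decode(base64_decode(strtr(explode('.', $jwt)[1], '-_', '+/')), true);
    return $claims['iss'] ?? null;
}

var_dump(tokenIssuer(buggyIssueToken('https://wiki.example', 'u1')));
var_dump(tokenIssuer(fixedIssueToken('https://wiki.example', 'u1')));
```

tokenIssuer() returns null for the buggy token and the issuer string for the fixed one, which is the assertion a regression test for this incident would make.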

Change #1240413 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] Fix "iss" field missing in OAuth 2 access token JWT

https://gerrit.wikimedia.org/r/1240413

Change #1240422 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/vendor@master] Upgrading league/oauth2-server (dev-9.3.0-WMF b8b36aa => dev-9.3.0-WMF a5181fb)

https://gerrit.wikimedia.org/r/1240422

Change #1240423 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OAuth@master] Upgrading league/oauth2-server (dev-9.3.0-WMF b8b36aa => dev-9.3.0-WMF a5181fb)

https://gerrit.wikimedia.org/r/1240423

Change #1240422 merged by jenkins-bot:

[mediawiki/vendor@master] Upgrading league/oauth2-server (dev-9.3.0-WMF b8b36aa => dev-9.3.0-WMF a5181fb)

https://gerrit.wikimedia.org/r/1240422

Change #1240423 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] Upgrading league/oauth2-server (dev-9.3.0-WMF b8b36aa => dev-9.3.0-WMF a5181fb)

https://gerrit.wikimedia.org/r/1240423

Change #1240430 had a related patch set uploaded (by Reedy; author: Bartosz Dziewoński):

[mediawiki/extensions/OAuth@wmf/1.46.0-wmf.16] Fix "iss" field missing in OAuth 2 access token JWT

https://gerrit.wikimedia.org/r/1240430

Change #1240430 merged by jenkins-bot:

[mediawiki/extensions/OAuth@wmf/1.46.0-wmf.16] Fix "iss" field missing in OAuth 2 access token JWT

https://gerrit.wikimedia.org/r/1240430

Mentioned in SAL (#wikimedia-operations) [2026-02-19T09:14:47Z] <hashar@deploy2002> Started scap sync-world: Backport for [[gerrit:1240418|Do not pass null to AccessTokenEntity::setUserIdentifier() (T417820)]], [[gerrit:1240430|Fix "iss" field missing in OAuth 2 access token JWT (T417839)]]

Mentioned in SAL (#wikimedia-operations) [2026-02-19T09:17:04Z] <hashar@deploy2002> reedy, jforrester, hashar: Backport for [[gerrit:1240418|Do not pass null to AccessTokenEntity::setUserIdentifier() (T417820)]], [[gerrit:1240430|Fix "iss" field missing in OAuth 2 access token JWT (T417839)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Mentioned in SAL (#wikimedia-operations) [2026-02-19T09:23:25Z] <hashar@deploy2002> Finished scap sync-world: Backport for [[gerrit:1240418|Do not pass null to AccessTokenEntity::setUserIdentifier() (T417820)]], [[gerrit:1240430|Fix "iss" field missing in OAuth 2 access token JWT (T417839)]] (duration: 08m 37s)

Works for me now at https://oauth2-hello-world.toolforge.org/index.php?action=identify.

Backporting the other patch should not be necessary, as that code path is not reached in production.

@LucasWerkmeister @Gerges @Rtconner I'd appreciate if you could test your applications as well (and thanks for the bug reports!).

The issue is solved for me, thanks a lot @matmarex !

Would have been nice to get a Phan warning for this. The Builder is marked @immutable, and Phan understands that, but it seems that because internally the class does actually set the variables when creating a copy, the error is raised in the library code, not the calling code, and so we don't see it.

lcobucci/jwt uses PHPStan, presumably their handling of @immutable is different?

Since PHP 8.5 the withX() methods can be annotated with #[\NoDiscard], which will cause an exception if the return value is not used. Phan and the others understand this (demo). With a polyfill it can also be used on earlier PHP versions (with no runtime exceptions, but Phan can still analyze it), and we use it in our own code where it already caught bugs.

lcobucci/jwt already uses it as well, but it will only be in the upcoming 6.0.0 release. I guess it's technically a breaking change for wrong code to start throwing exceptions instead of silently returning wrong values. We'll get the benefit of this whenever they release it and we upgrade.

QuickStatements 3.0 login is working again, thank you!!

> @LucasWerkmeister @Gerges @Rtconner I'd appreciate if you could test your applications as well (and thanks for the bug reports!).

Works on my end, thanks for the fix!

Yes, mine is working well too, thank you.

Was any integration or regression test added for this?

Not for this incident specifically, but we are planning to update tests in the next few weeks (T415281: [EPIC] OAuth extension critical workflows (for automated tests enhancement)).