Page MenuHomePhabricator
Create Task
Maniphest T419921

TypeError: MediaWiki\Extension\OAuth\ResourceServer::getUser(): Return value must be of type MediaWiki\User\User, false returned
Closed, ResolvedPublicPRODUCTION ERROR
Actions

Description

Error
  • service.version: 1.46.0-wmf.19
  • timestamp: 2026-03-12T22:44:33.438Z
  • labels.phpversion: 8.3.30
  • trace.id: f707f90f-ccff-4013-b1e5-943b4282ab8a
  • Find trace.id in Logstash
labels.normalized_message
[{reqId}] {exception_url}   TypeError: MediaWiki\Extension\OAuth\ResourceServer::getUser(): Return value must be of type MediaWiki\User\User, false returned
FrameLocationCall
from/srv/mediawiki/php-1.46.0-wmf.19/extensions/OAuth/src/ResourceServer.php(97)
#0/srv/mediawiki/php-1.46.0-wmf.19/extensions/OAuth/src/SessionProvider.php(125)MediaWiki\Extension\OAuth\ResourceServer->getUser()
#1/srv/mediawiki/php-1.46.0-wmf.19/includes/Session/SessionManager.php(569)MediaWiki\Extension\OAuth\SessionProvider->provideSessionInfo(MediaWiki\Request\WebRequest)
#2/srv/mediawiki/php-1.46.0-wmf.19/includes/Session/SessionManager.php(137)MediaWiki\Session\SessionManager->getSessionInfoForRequest(MediaWiki\Request\WebRequest)
#3/srv/mediawiki/php-1.46.0-wmf.19/includes/Request/WebRequest.php(861)MediaWiki\Session\SessionManager->getSessionForRequest(MediaWiki\Request\WebRequest)
#4/srv/mediawiki/php-1.46.0-wmf.19/includes/Setup.php(504)MediaWiki\Request\WebRequest->getSession()
#5/srv/mediawiki/php-1.46.0-wmf.19/includes/WebStart.php(73)require_once(string)
#6/srv/mediawiki/php-1.46.0-wmf.19/api.php(23)require(string)
#7/srv/mediawiki/w/api.php(3)require(string)
#8{main}
Notes

Just noticed 115 of these in 1.46.0-wmf.19 (T413810), mostly for wikibooks wikis with a handful for larger wikis. Seems new in wmf.19.

Haven't been able to reproduce by spot-checking URLs.

Details

Request URL
https://en.wikipedia.org/w/api.php?action=opensearch&format=*&limit=*&namespace=*&search=*
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Fix client credentials access tokensmediawiki/extensions/OAuthwmf/1.46.0-wmf.19+3 -6
Fix client credentials access tokensmediawiki/extensions/OAuthmaster+3 -6
Customize query in gerrit

Related Objects

Event Timeline

brennen created this task.Mar 12 2026, 11:42 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptMar 12 2026, 11:42 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
brennen moved this task from Backlog to Logs/Train on the User-brennen board.Mar 12 2026, 11:42 PM
brennen updated the task description. (Show Details)
brennen added a subscriber: Tgr.Mar 12 2026, 11:45 PM

Just remembered @Tgr deployed some OAuth stuff during the latest backport window - any thoughts?

Tgr added a comment.Mar 13 2026, 8:29 AM

Yeah, probably caused by rEOAUa750632f6b0e: Set 'sub' JWT field in client credentials access tokens.

T417820: TypeError: MediaWiki\Extension\OAuth\Entity\AccessTokenEntity::setUserIdentifier(): Argument #1 ($identifier) must be of type string, null given, called in AccessTokenEntity.php broke client credentials and that caused some 100/m errors; this is more like 1/m so maybe it's only partially broken? Could just be the luck of what bot is active, though.

Tgr added a comment.Mar 13 2026, 10:45 AM

(Also that broke getting an access token with client credentials, and this probably broke using an access token that was obtained with client credentials, so maybe one causes bots to retry more aggressively than the other.)

Tgr added a comment.Mar 13 2026, 12:34 PM

This is the snippet that sets ResourceServer::$user:

$userId = $request->getAttribute( 'oauth_user_id', 0 );
if ( !$userId ) {
	// Set anon user when no user id is present in the AT (machine grant)
	$this->user = User::newFromId( 0 );
	return;
}

$this->user = Utils::getLocalUserFromCentralId( $userId );

so apparently the value in sub is not empty but also not a valid ID. I guess the handling of the mw: prefix fails somehow? In general, we should make sure sub parsing fails in a safe way.

(Also we need to fix T418720: Logstash entries should include the application ID used for the request, it's hard to debug errors without knowing the details of the app that's causing them.)

gerritbot added a comment.Mar 14 2026, 5:36 PM

Change #1251987 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/OAuth@master] Fix client credentials access tokens

https://gerrit.wikimedia.org/r/1251987

gerritbot added a project: Patch-For-Review.Mar 14 2026, 5:36 PM
gerritbot added a comment.Mar 16 2026, 6:19 PM

Change #1251987 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] Fix client credentials access tokens

https://gerrit.wikimedia.org/r/1251987

Maintenance_bot removed a project: Patch-For-Review.Mar 16 2026, 6:34 PM
ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.20; 2026-03-17).Mar 16 2026, 7:00 PM
matmarex moved this task from Inbox, needs triage to Kanban Board on the MediaWiki-Platform-Team board.Mar 16 2026, 7:16 PM
matmarex edited projects, added: MediaWiki-Platform-Team (Kanban Board); removed: MediaWiki-Platform-Team.
matmarex moved this task from Essential Work to To be verified in Prod on the MediaWiki-Platform-Team (Kanban Board) board.
gerritbot added a comment.Mar 16 2026, 7:17 PM

Change #1253623 had a related patch set uploaded (by Bartosz Dziewoński; author: Gergő Tisza):

[mediawiki/extensions/OAuth@wmf/1.46.0-wmf.19] Fix client credentials access tokens

https://gerrit.wikimedia.org/r/1253623

gerritbot added a project: Patch-For-Review.Mar 16 2026, 7:17 PM
gerritbot added a comment.Mar 16 2026, 8:57 PM

Change #1253623 merged by jenkins-bot:

[mediawiki/extensions/OAuth@wmf/1.46.0-wmf.19] Fix client credentials access tokens

https://gerrit.wikimedia.org/r/1253623

Stashbot mentioned this in T414338: FY25-26 WE5.4.12: Identify the provenance of image requests.Mar 16 2026, 8:57 PM
Stashbot mentioned this in T417278: Choosing client credentials grant for OAuth 2 results in an access token (JWT) with the 'sub' field empty.

Mentioned in SAL (#wikimedia-operations) [2026-03-16T20:57:26Z] <catrope@deploy2002> Started scap sync-world: Backport for [[gerrit:1253623|Fix client credentials access tokens (T417278 T419921)]], [[gerrit:1253625|Enable $wgTrackMediaRequestProvenance on testwikis and beta cluster (T414338)]], [[gerrit:1253626|Configure $wgApiClientErrorSampleRate (T418957)]]

Stashbot mentioned this in T418957: Add client-side logging for non-MediaWiki action API errors (HTTP 429).Mar 16 2026, 8:57 PM

Mentioned in SAL (#wikimedia-operations) [2026-03-16T20:59:17Z] <catrope@deploy2002> matmarex, catrope: Backport for [[gerrit:1253623|Fix client credentials access tokens (T417278 T419921)]], [[gerrit:1253625|Enable $wgTrackMediaRequestProvenance on testwikis and beta cluster (T414338)]], [[gerrit:1253626|Configure $wgApiClientErrorSampleRate (T418957)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

ReleaseTaggerBot edited projects, added: MW-1.46-notes (1.46.0-wmf.19; 2026-03-10); removed: MW-1.46-notes (1.46.0-wmf.20; 2026-03-17).Mar 16 2026, 9:00 PM
Stashbot added a comment.Mar 16 2026, 9:05 PM

Mentioned in SAL (#wikimedia-operations) [2026-03-16T21:05:37Z] <catrope@deploy2002> Finished scap sync-world: Backport for [[gerrit:1253623|Fix client credentials access tokens (T417278 T419921)]], [[gerrit:1253625|Enable $wgTrackMediaRequestProvenance on testwikis and beta cluster (T414338)]], [[gerrit:1253626|Configure $wgApiClientErrorSampleRate (T418957)]] (duration: 08m 06s)

Maintenance_bot removed a project: Patch-For-Review.Mar 16 2026, 9:31 PM
matmarex closed this task as Resolved.Mar 17 2026, 10:04 PM
matmarex claimed this task.
matmarex subscribed.

Yep, fixed: https://logstash.wikimedia.org/goto/22d723878b5f2b4a82565292191294c5

image.png (1,551×264 px, 26 KB)

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits