Page MenuHomePhabricator
Create Task
Maniphest T420297

Allow OAuth 2 apps using client credentials flow to perform actions as the app's owner (i.e. be logged in)
Open, Needs TriagePublic
Actions

Description

Per the discussion on T417278 and T407987, the OAuth 2 client credentials flow could fulfill a role similar to bot passwords and owner-only apps, and – unlike them – it is a standard thing and allows us to take advantage of JWTs for access control.

However, our current implementation is that all requests authenticated by client credentials are treated as logged-out. We would like to add a new mode where they are treated as logged-in as the app's owner.

Requirements

(roughly in order of importance)

  • Do not change anything for existing client credentials apps (do not make them act as logged in) [T417278#11672588]
  • Add an explanation when choosing client credentials flow during app registration, since the proposed behavior, while allowed, is not typical [T417278#11634423 T407987#11674162]
  • Make client credentials and authorization code mutually exclusive for newly registered apps [T417278#11648812]
  • Relax review for client credentials apps to be more like owner-only apps [T417278#11650829]
  • Allow filtering app listings by whether the app uses client credentials or authorization code flow [someone said this somewhere, maybe in Slack]
  • ...

Related Objects

Event Timeline

matmarex created this task.Mar 17 2026, 1:06 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 17 2026, 1:06 AM
matmarex mentioned this in T417278: Choosing client credentials grant for OAuth 2 results in an access token (JWT) with the 'sub' field empty.Mar 17 2026, 1:07 AM
matmarex mentioned this in T407987: Define best practice for single-user apps which need a high MediaWiki API rate limit.Mar 17 2026, 1:11 AM
Xqt subscribed.Mar 17 2026, 2:02 AM
pmiazga moved this task from Inbox, needs triage to Needs refinement on the MediaWiki-Platform-Team board.Mar 17 2026, 3:48 PM
pmiazga subscribed.

Moving to Needs refinement as this looks like something we're going to work on soon.

Krinkle subscribed.Apr 15 2026, 2:33 PM
Iluvatar subscribed.Apr 21 2026, 5:12 AM
Tgr added subscribers: JTweed-WMF, daniel, Tgr.Tue, Jun 2, 4:17 PM

Per @daniel not having this is a pain point for some Pywikibot users - we do a cookie hack for owner-only consumers to have a gateway-acknowledged JWT on subsequent requests, but that doesn't help bots which move a lot across wikis: on each new domain their first request won't have a cookie and they will eventually get throttled. The current recommendation is for bot owners to add custom code to copy JWT cookies across domains, which is not that great. (We can't set the cookie on parent domains because then it will interfere with private wikis.)

@JTweed-WMF would be great if we could pick this up next quarter.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits