Change Details

The https://github.com/thephpleague/oauth2-server library backing the OAuth2 support in Extension:OAuth follows a strict interpretation of the OAuth2 specification which only supports exact matches of the `redirect_uri` parameter to the callback value given in the consumer registration. Neither the documentation at https://www.mediawiki.org/wiki/OAuth/For_Developers#Registration nor the user interface provided by Special:OAuthConsumerRegistration/propose explain this difference between the OAuth 1.0a and the OAuth 2.0 implementations. The OAuth 2.0 validation behavior is explained pretty well at https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uri-registration/, but I don't think we should assume that everyone can finally track that down to figure out why they keep getting the content free `Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)` error message if they assumed that the "use as prefix" functionality actually works with OAuth 2.0. Arguably there is a software bug here as well in the generic error message. I probably would have figured out the issue faster if a distinct error response was given explaining that problem was a redirect_uri mismatch.

The https://github.com/thephpleague/oauth2-server library backing the OAuth2 support in Extension:OAuth follows a strict interpretation of the OAuth2 specification which only supports exact matches of the `redirect_uri` parameter to the callback value given in the consumer registration. Neither the documentation at https://www.mediawiki.org/wiki/OAuth/For_Developers#Registration nor the user interface provided by Special:OAuthConsumerRegistration/propose explain this difference between the OAuth 1.0a and the OAuth 2.0 implementations. The OAuth 2.0 validation behavior is explained pretty well at https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uri-registration/, but I don't think we should assume that everyone can finally track that down to figure out why they keep getting the content free `Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)` error message if they assumed that the "use as prefix" functionality actually works with OAuth 2.0. Arguably there is a software bug here as well in the generic error message. I probably would have figured out the issue faster if a distinct error response was given explaining that problem was a redirect_uri mismatch. ==== Acceptance Criteria [] Update documentation [] Update error message

The https://github.com/thephpleague/oauth2-server library backing the OAuth2 support in Extension:OAuth follows a strict interpretation of the OAuth2 specification which only supports exact matches of the `redirect_uri` parameter to the callback value given in the consumer registration. Neither the documentation at https://www.mediawiki.org/wiki/OAuth/For_Developers#Registration nor the user interface provided by Special:OAuthConsumerRegistration/propose explain this difference between the OAuth 1.0a and the OAuth 2.0 implementations. The OAuth 2.0 validation behavior is explained pretty well at https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uri-registration/, but I don't think we should assume that everyone can finally track that down to figure out why they keep getting the content free `Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)` error message if they assumed that the "use as prefix" functionality actually works with OAuth 2.0. Arguably there is a software bug here as well in the generic error message. I probably would have figured out the issue faster if a distinct error response was given explaining that problem was a redirect_uri mismatch. ==== Acceptance Criteria [] Update documentation [] Update error message