**Steps to replicate the issue** (include links if applicable):
* make a wiki private by using `$wgGroupPermissions['*']['read'] = false`. By private I mean visitors can not view or edit any page, but logged in user can, so will need to make sure `$wgGroupPermissions['user']['read'] = true`
* create an OAuth1 or OAuth2 consumer registration record as the administrator, check the checkbox "This consumer is for use only by XXX", record down the
* try make a GET call to end point "https://<wiki domain>/api.php?action=query&format=json&titles=TestPage" using either OAuth1 or OAuth2 method.
**What happens?**:
both OAuth1 and OAuth2 are getting following error:
```lang=json
{
"error": {
"code": "readapidenied",
"info": "You need read permission to use this module.",
"*": "See https://www.xxxx.live//api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/postorius/lists/mediawiki-api-announce.lists.wikimedia.org/> for notice of API deprecations and breaking changes."
}
}
```
**What should have happened instead?**:
expecting something like this:
```lang=json
{
"batchcomplete": "",
"query": {
"pages": {
"245": {
"pageid": 245,
"ns": 0,
"title": "TestPage"
}
}
}
}
```
I did some basic troubleshooting based on the suggestions from the IRC channel, I turned on detailed logging using `$wgDebugLogFile`, it looks like the `Authorization` header value is always empty, but I am expecting the token to be passed in the header lie this: "Authorization: Bearer eyJ0eXAiOiJKV1QiLC....", for e.g. I tried postman, python, curl, but no matter what I try, it seems the wiki refuse to recognize the "Authorization" header value for some reason... below is the wiki logs when using curl to make a GET call to `/api.php?action=query&format=json&titles=TestPage`
```
Start request GET /api.php?action=query&format=json&titles=TestPage
IP: 71.249.xx.xx
HTTP HEADERS:
ACCEPT: */*
HOST: www.xxxxx.com
USER-AGENT: curl/7.64.1
(end headers)
```
The log looks like this when using Postman:
```
Start request GET /api.php?action=query&format=json&titles=TestPage
IP: 71.249.xx.xx
HTTP HEADERS:
ACCEPT: */*
ACCEPT-ENCODING: gzip, deflate, br
CONNECTION: keep-alive
HOST: www.xxxxx.com
POSTMAN-TOKEN: e04f0555-c36e-4ec2-b40c-b78d927c4a63
USER-AGENT: PostmanRuntime/7.29.2
(end headers)
```
**Software version** (skip for WMF-hosted wikis like Wikipedia):
Product Version
MediaWiki 1.39.1
PHP 7.4.33 (cgi-fcgi)
MySQL 5.7.41
ICU 69.1
Lua 5.1.5
**Other information** (browser name/version, screenshots, etc.):