Extension talk:OAuth

From mediawiki.org

Wikimedia-specific help

This page should not contain information specific to the Wikimedia setup. That information should be moved to the other mediawiki.org page which explains the rationale used for authorisation etc. (written by csteipp some time ago) and perhaps the Meta RfC and policy proposal for "OAuth handover" etc. Nemo 05:58, 20 April 2016 (UTC)

There's also the Meta:OAuth page, which is currently just a redirect to Help:OAuth here. It seems like a reasonable place to have info about OAuth as it pertains to Wikimedia specifically. This page (about the extension) should only have stuff that is applicable to anyone using the extension in any installation. SWilson (WMF) (talk) 00:36, 19 September 2016 (UTC)
In the meanwhile the easiest target is probably OAuth/For Developers, where the Wikimedia-specific information can be moved while we wait for the existing Meta-Wiki draft to become official. As of now, third parties are thoroughly confused. Nemo 14:23, 22 September 2016 (UTC)

REL1_27 - extension.json does not exist

This missing file in the 1.27 branch is preventing installation. Lsilverman (talk) 16:16, 6 July 2017 (UTC)

1.27 does not use extension registration yet. That does not prevent installation. --Tgr (WMF) (talk) 16:29, 6 July 2017 (UTC)

Some usage examples, please

It would be great to have some examples, especially for assigning values to configuration variables.

The practice of assigning "false" as default value to variables that also accept non-boolean values makes it difficult to guess! Wouldn't it be possible to use "null" instead to indicate disablement? — Preceding unsigned comment added by 105.200.67.1 (talk • contribs)

Wouldn't really help in figuring out the type, would it? I tried to clarify the documentation a bit. --Tgr (WMF) (talk) 15:06, 16 April 2018 (UTC)

There's a huge lack of examples and screenshots on mediawiki site!!

Review of experimental endpoints section

User:BPirkle_(WMF): The documentation for the experimental REST endpoints is ready for your review. Thanks! --APaskulin (WMF) (talk) 23:34, 8 September 2020 (UTC)

Done. User:BPirkle_(WMF)

1.35 Not found

404 Not Found nginx/1.13.9

Use as an OAuth client

Apologies for the potentially stupid question, but would this extension allow my wiki to use an external (non-MediaWiki) OAuth to allow users to login to my wiki? Iamacyborg (talk) 17:28, 13 October 2021 (UTC)

Not a stupid question at all. This extension makes MediaWiki behave as an OAuth authorization server. To make MediaWiki behave as an OAuth client you would need an extension like Extension:WSOAuth. -- BDavis (WMF) (talk) 17:37, 13 October 2021 (UTC)
Thank you! Iamacyborg (talk) 17:42, 13 October 2021 (UTC)

Mediawiki/REL1_37: Oauth with postgres: tables not created during installation

Hello,

I'm trying to install mediawiki/REL1_37 with OAuth extension with a postgres database

I have

- downloaded mediawiki with different extensions, including OAuth, and launched composer

- ran " php74 maintenance/install.php --dbserver=${dbserver} ..."

- completed the LocalSetting.php with wfLoadExtension( 'OAuth' );

- ran the update script

When I go to http://mywikiurl/wiki/Special:Version , I get an error:

In the log:

Function: MediaWiki\Extensions\OAuth\Backend\Hooks::getUsedConsumerTags

Query: SELECT  oarc_id  FROM "oauth_registered_consumer"    WHERE ((oarc_wiki = '*') OR (oarc_wiki = 'noemiwiki_int1')) AND oarc_deleted = 0 AND ((oarc_stage = 1) OR (oarc_stage = 0))  


When I look into the database, I see that the oauth_registered_consumer table does not exist.

When I go into the code, especially https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/OAuth/+/refs/heads/REL1_37/src/Backend/UpdaterHooks.php

I see this test before creating database tables

if ( $dbType == 'mysql' || $dbType == 'sqlite' ) {

How can I create Oauth tables for the oAuth extension?

I tried to add || $dbType == 'postgres') but the SQL is not compatible with postgres (type unsigned undefined) :-(

Or isn't Oauth compatible with postgres? JdupontBnf (talk) 12:28, 30 March 2022 (UTC)

@JdupontBnf Postgres support hasn't been implemented. Will probably happen as part of T268565. --Tgr (WMF) (talk) 19:38, 7 April 2022 (UTC)

REL1_35 "Key cannot be empty"

When using Postman to attempt an OAuth2 authorization code flow, the Postman console is reporting "Error: server_error, Description: The authorization server encountered an unexpected condition which prevented it from fulfilling the request: Key cannot be empty"

I think this is referring to a potential issue with the public/private key being used, but I can't spot the problem.

I generated the public and private keys using openssl "OpenSSL 1.1.1f 31 Mar 2020".

cd /etc/pki/oauth
openssl genrsa -out private.pem 4096
openssl rsa -pubout -in private.pem -out public.pem

I've also tried with 2048 bit keys.

In LocalSettings.php, I have:

$wgOAuth2PrivateKey = "/etc/pki/oauth/private.key";

$wgOAuth2PublicKey = "/etc/pki/oauth/public.key";


The folder and keys are now accessible by the apache2 process running under user www-data. In fact, there was a permission problem earlier, and that error led me to update the permissions like so:

$ sudo ls -l /etc/pki/oauth/
total 8
-r--r----- 1 www-data www-data 3243 Jan 19 19:44 private.pem
-r--r--r-- 1 www-data www-data  800 Jan 19 19:44 public.pem

The private key is not password protected. I don't see an option for using a password-protected key in the MediaWiki OAuth extension anyway.

Can you think of any other thing I might check here? What am I missing? NotYour007 (talk) 21:15, 19 January 2023 (UTC)

Just caught this stack trace:
2023-01-19 21:44:59 ta-mediawiki devmediawiki: [17d87e707f9434b330fcbf0d] /w/rest.php/oauth2/access_token Lcobucci\JWT\Signer\InvalidKeyProvided from line 34 of /var/www/devmediawiki-1.35.7/w/vendor/lcobucci/jwt/src/Signer/InvalidKeyProvided.php: Key cannot be empty
#0 /var/www/devmediawiki-1.35.7/w/vendor/lcobucci/jwt/src/Signer/Key/InMemory.php(25): Lcobucci\JWT\Signer\InvalidKeyProvided::cannotBeEmpty()
#1 /var/www/devmediawiki-1.35.7/w/vendor/lcobucci/jwt/src/Signer/Key/InMemory.php(44): Lcobucci\JWT\Signer\Key\InMemory->__construct()
#2 /var/www/devmediawiki-1.35.7/w/vendor/league/oauth2-server/src/Entities/Traits/AccessTokenTrait.php(50): Lcobucci\JWT\Signer\Key\InMemory::plainText()
#3 /var/www/devmediawiki-1.35.7/w/vendor/league/oauth2-server/src/Entities/Traits/AccessTokenTrait.php(61): MediaWiki\Extensions\OAuth\Entity\AccessTokenEntity->initJwtConfiguration()
#4 /var/www/devmediawiki-1.35.7/w/vendor/league/oauth2-server/src/Entities/Traits/AccessTokenTrait.php(79): MediaWiki\Extensions\OAuth\Entity\AccessTokenEntity->convertToJWT()
#5 /var/www/devmediawiki-1.35.7/w/vendor/league/oauth2-server/src/ResponseTypes/BearerTokenResponse.php(31): MediaWiki\Extensions\OAuth\Entity\AccessTokenEntity->__toString()
#6 /var/www/devmediawiki-1.35.7/w/vendor/league/oauth2-server/src/AuthorizationServer.php(202): League\OAuth2\Server\ResponseTypes\BearerTokenResponse->generateHttpResponse()
#7 /var/www/devmediawiki-1.35.7/w/extensions/OAuth/src/AuthorizationProvider/AccessToken.php(22): League\OAuth2\Server\AuthorizationServer->respondToAccessTokenRequest()
#8 /var/www/devmediawiki-1.35.7/w/extensions/OAuth/src/Rest/Handler/AccessToken.php(40): MediaWiki\Extensions\OAuth\AuthorizationProvider\AccessToken->getAccessTokens()
#9 /var/www/devmediawiki-1.35.7/w/includes/Rest/Router.php(365): MediaWiki\Extensions\OAuth\Rest\Handler\AccessToken->execute()
#10 /var/www/devmediawiki-1.35.7/w/includes/Rest/Router.php(320): MediaWiki\Rest\Router->executeHandler()
#11 /var/www/devmediawiki-1.35.7/w/includes/Rest/EntryPoint.php(144): MediaWiki\Rest\Router->execute()
#12 /var/www/devmediawiki-1.35.7/w/includes/Rest/EntryPoint.php(111): MediaWiki\Rest\EntryPoint->execute()
#13 /var/www/devmediawiki-1.35.7/w/rest.php(31): MediaWiki\Rest\EntryPoint::main()
#14 {main}
NotYour007 (talk) 21:49, 19 January 2023 (UTC)
The stack trace helped me trace it to this function which resides in /vendor/league/oauth2-server/src/Entities/Traits/AccessTokenTrait.php
    /**
     * Initialise the JWT Configuration.
     */
    public function initJwtConfiguration()
    {
        // Signs with the private key from disk; the verification key is never
        // used on this code path, so an empty placeholder is passed for it.
        $this->jwtConfiguration = Configuration::forAsymmetricSigner(
            new Sha256(),
            LocalFileReference::file($this->privateKey->getKeyPath(), $this->privateKey->getPassPhrase() ?? ''),
            InMemory::plainText('')
        );
    }
I believe it's the InMemory::plainText('') which is causing the problem.
If I change that to InMemory::plainText('empty','empty') which exists in the latest version of "league/oauth2-server", then authentication works.
Is this secure? NotYour007 (talk) 22:05, 19 January 2023 (UTC)
See T318480 and T321160. Tgr (WMF) (talk) 03:54, 23 January 2023 (UTC)

Can OAuth and rest.php work on a private wiki? (1_35)

We run 2 wikis on mediawiki. One is world readable by default. The other is a private wiki where $wgGroupPermissions['*']['read'] = false; The private wiki uses SimpleSAMLphp to authenticate users against an Azure Active Directory.

We've added the OAuth extension, registered an app, and, using Postman, can acquire valid tokens. But any attempt to perform even the simplest tasks using the REST API is met with a response of {"error":"rest-read-denied","httpCode":403,"httpReason":"Forbidden"}. We've tried a variety of permissions and grants, but we're not getting anywhere.

The "rest-read-denied" response is the same one we get attempting to fetch a page using rest.php/v1/page/page_name in an unauthenticated, incognito browser.

Here's the stack trace:

[session] Bad OAuth request from {ip}

#0 /var/www/devmediawiki-1.35.7/w/extensions/OAuth/src/SessionProvider.php(99): MediaWiki\Extensions\OAuth\SessionProvider->verifyOAuth2Request()
#1 /var/www/devmediawiki-1.35.7/w/includes/session/SessionManager.php(490): MediaWiki\Extensions\OAuth\SessionProvider->provideSessionInfo()
#2 /var/www/devmediawiki-1.35.7/w/includes/session/SessionManager.php(215): MediaWiki\Session\SessionManager->getSessionInfoForRequest()
#3 /var/www/devmediawiki-1.35.7/w/includes/WebRequest.php(826): MediaWiki\Session\SessionManager->getSessionForRequest()
#4 /var/www/devmediawiki-1.35.7/w/includes/session/SessionManager.php(137): WebRequest->getSession()
#5 /var/www/devmediawiki-1.35.7/w/includes/Setup.php(725): MediaWiki\Session\SessionManager::getGlobalSession()
#6 /var/www/devmediawiki-1.35.7/w/includes/WebStart.php(89): require_once(string)
#7 /var/www/devmediawiki-1.35.7/w/rest.php(29): require(string)
#8 {main}

I tried to trace the code all the way down into the oauth2-server dependency, but ultimately ran out of time.

I would have assumed that once authenticated via OAuth2, a user bearing a valid token would be able to use the REST API.

We are blocked and unsure how to proceed. NotYour007 (talk) 22:18, 20 January 2023 (UTC)

The "Bad OAuth request" error indicates that your client's OAuth2 handshake is not completing correctly. This in turn would make your request unauthenticated. There are a number of things that could be going wrong with the request, but there should be something in your logs. Because of the way that the OAuth extension uses Structured logging you may need to configure $wgMWLoggerDefaultSpi to use MonologSpi.php before you can see the underlying problem. -- BDavis (WMF) (talk) 23:19, 20 January 2023 (UTC)
Also the extension is not great at logging useful details (in part because of the way the responsibility of validating OAuth signatures is split between the extension and third-party libraries) so you might need to use XDebug or such to see what happens.
The API error message is somewhat wrong, that's T252591, but your root problem is some kind of OAuth issue. Tgr (WMF) (talk) 04:10, 23 January 2023 (UTC)
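The MonologSpi configuration mentioned above, as an added LocalSettings.php fragment that is not part of this thread or of the extension: it sends debug-level output from the channels the OAuth handshake writes to into a file so a failing handshake can be diagnosed. It assumes the extension logs to the "OAuth" channel and the session manager to the "session" channel; the log path is a placeholder.

```php
// Added example (not from the extension): route MediaWiki structured logging
// through Monolog so OAuth handshake failures become visible in a file.
// Assumptions: the OAuth extension logs on the "OAuth" channel and the session
// manager (source of "[session] Bad OAuth request from {ip}") on "session".
// /var/log/mediawiki/oauth-debug.log is a placeholder path; it must be
// writable by the web server user (www-data in the thread above).
$wgMWLoggerDefaultSpi = [
	'class' => \MediaWiki\Logger\MonologSpi::class,
	'args' => [ [
		'loggers' => [
			// Everything the OAuth handshake emits, down to debug level.
			'OAuth' => [
				'handlers' => [ 'oauthdebug' ],
				'processors' => [ 'wiki', 'psr' ],
			],
			'session' => [
				'handlers' => [ 'oauthdebug' ],
				'processors' => [ 'wiki', 'psr' ],
			],
			// Every other channel: warnings and above only, same file.
			'@default' => [
				'handlers' => [ 'warnings' ],
				'processors' => [ 'wiki', 'psr' ],
			],
		],
		'processors' => [
			// Prefixes each record with the wiki id (useful with two wikis).
			'wiki' => [ 'class' => \MediaWiki\Logger\Monolog\WikiProcessor::class ],
			// Fills PSR-3 placeholders such as {ip}; without it the raw
			// "{ip}" text seen in the trace above is what gets written.
			'psr' => [ 'class' => \Monolog\Processor\PsrLogMessageProcessor::class ],
		],
		'handlers' => [
			'oauthdebug' => [
				'class' => \Monolog\Handler\StreamHandler::class,
				'args' => [ '/var/log/mediawiki/oauth-debug.log', \Monolog\Logger::DEBUG ],
				'formatter' => 'line',
			],
			'warnings' => [
				'class' => \Monolog\Handler\StreamHandler::class,
				'args' => [ '/var/log/mediawiki/oauth-debug.log', \Monolog\Logger::WARNING ],
				'formatter' => 'line',
			],
		],
		'formatters' => [
			'line' => [ 'class' => \Monolog\Formatter\LineFormatter::class ],
		],
	] ],
];
```

Remove the fragment again once the handshake problem is found, since debug-level OAuth output can include request details you do not want retained on disk.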

Logout

Can I use the API:Logout to log out? Gerges (talk) 12:00, 4 December 2023 (UTC)

Logout is not necessarily a meaningful concept when using OAuth. You certainly cannot log out of your OAuth app - the request is authenticated if you add an OAuth header to it and it isn't when you don't. If you are a user of another person's OAuth app, you can revoke the grant you gave the app in Special:OAuthManageMyGrants. If you are the app owner, you can set the list of allowed IPs to an empty list (a weird hack, T254190 is about allowing app owners to properly disable apps).
If you want to use OAuth to terminate your browser sessions, that's not possible today. In core MediaWiki, the logout API only logs you out from the current browser, so you can only log out from the specific device in which you are logged in. (T209579 is the relevant task.) On Wikimedia sites, logout works across all sites and all devices, so conceptually it would make sense to trigger it from OAuth, but with the current implementation it's not possible. Tgr (WMF) (talk) 21:15, 4 December 2023 (UTC)