Talk:OAuth/For Developers

Could help to understand the issue? I am using this endpoint to get an access token https://www.wikidata.org/w/rest.php/oauth2/access_token?client_credentials=client_credentials and providing client id and client secret

{

"error": "access_denied",

"error_description": "The resource owner or authorization server denied the request.",

"hint": "Client 4ab9e80d07a34633cdeab291fd8ead6a is not usable by user with ID 0",

"message": "The resource owner or authorization server denied the request."

}

Подождите, ведь все ваши клиенты являются owner-only. Вы при регистрации клиента получили вечный токен. Больше ничего делать не надо. Просто подставляйте к запросам заголовок {"Authorization": "Bearer [token]"}. Да и в любом случае, никакого client_credentials=client_credentials в руководстве вообще нет.

The section on Registration says:

If you have changed your mind, you can disable the application under Special:OAuthConsumerRegistration/list

I read that to mean "if you don't want an app any more, you can turn it off". I've got a bunch of demos and test apps I created for local development that I want to get rid of, but I can't find that button.

If I click "details" or "manage" on my app in the list of OAuth consumers, I can only see options to change the IP range, reset the secret key, and set a public RSA key. (At https://meta.wikimedia.org/wiki/Special:OAuthConsumerRegistration/update/[client_id]).

Where can I turn off my old apps?

I dislike using the most commonly offered OAuth providers for sign-in to websites, and would like to see a W option more often...

@Sj, it is challenging as not all WMF accounts have emails linked, which many services require

I see; but do we keep a list of sites / services that do use WM OAauth?

I can think of other reasons why WM OAuth might be more useful for assuring someone isn't a spammer than other common options.

Hi, all! I'm developing a tool that edits Wikidata. The client is public (i.e., not confidential), so I will be using PKCE.

Apart from security, one of the reasons why I'm using OAuth is because it sets a tag for the edits made with the tool, as discussed here. This is useful, because it'd let us track changes and identify bugs early.

The tool also allows making anonymous edits. This is possible by using the +\ CSRF token, but in order for these edits to be flagged with the app's tag, I guess I should send an access token in the Authorization header.

Would it be possible to get an access token from the access_token endpoint using grant_type=client_credentials? Given that this is a public client, would it be possible to get it using (PKCE's) code_verifier, instead of client_secret?

Thanks!!

Maybe @Tgr (WMF) can answer this.

OAuth cannot be used for anonymous actions, as the user needs to approve the OAuth app before using it, and anonymous users are identified with their user address and a meaningful approval mechanism cannot be built on that. (There is a chance the handling of anonymous users will be rearchitected in the next year or so and that might affect the ability of the OAuth extension to cover anonymous actions, but not anytime soon.)

I'm trying to make a react based client to be hosted on a static site with [rfc:7636 PKCE flow] (more info here)

When I register an OAuth2 consumer at https://meta.wikimedia.org/wiki/Special:OAuthConsumerRegistration/list I get 3 pieces of info:

• Client application key
• Client application secret
• Access token

The documentation says to use "client token" as "client_id". I have tried all 3 of the values, none work. I navigate to to https://meta.wikimedia.org/w/rest.php/oauth2/authorize?client_id=...&redirect_uri=...&response_type=code&scope=openid&state=,..&code_challenge=...&code_challenge_method=S256&response_mode=query

But this page tells me "Application Connection Error: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)". So I guess I'm doing something wrong, first step would be to verify that I am indeed using the correct thing for "client_id".

If someone has an example client that does this that I can have a look at it will be great.

Thanks for this feedback, @Iwan.Aucamp! The client_id parameter in the example you've given should be populated with the client application key (called the "consumer key" in the Meta-Wiki consumer list view). I've updated this wiki page to clarify some terminology, but I think that major changes to both the docs and the interfaces in Meta are needed to clarify these workflows.

@Iwan.Aucamp hi, I would like to build a react-based serverless app as well, do you have an example of how you got this solved? Would be a great way to foster simple web-based tools for various Wikipedia tasks. Thx!

@Yurik I gave up, good luck though and I hope it works out.

I'm trying to get OAuth working with django, using the scheme outlined at Help:Toolforge/My first Django OAuth tool. When I get to https://spi-tools-dev.toolforge.org/oath/login/mediawiki/, I get the error:

AuthException at /oath/login/mediawiki/

Error: oauth_callback must be set, and must be set to "oob" (case-sensitive)

which is mentioned at OAuth/For_Developers#Authorization. What's not clear is what I'm supposed to do about it.

I think you missed the part wikitech:Help:Toolforge/My first Django OAuth tool#Adding OAuthin the instructions where you were supposed to check the 'Allow consumer to specify a callback in requests and use "callback" URL above as a required prefix.' checkbox when creating your grant. Using 'oob' for the 'oauth_callback' parameter is done when the grant contains the exact callback to be used. social_django does not work in this mode.

Hmmm. I just made a new key which has that checked, but now I'm getting:

Error: oauth_callback must be set, and must be set to "oob" (case-sensitive), or the configured callback must be a prefix of the supplied callback.

SOCIAL_AUTH_MEDIAWIKI_CALLBACK = 'http://%s.toolforge.org/oauth/complete/mediawiki/' % TOOL_NAME seems to be incorrectly using http protocol.

Ah, that did it. Thanks. I must have gone through the example a half dozen times comparing it to my code and never noticed that. Sometimes a fresh set of eyes is what you need. But, if the MW OAuth setup always requires the "Allow consumer to specify a callback..." option to be checked, why is it even offered as an option? Or, at least have the registration form check it by default? In any case, thanks again for your assistance.

> But, if the MW OAuth setup always requires the "Allow consumer to specify a callback..." option to be checked, why is it even offered as an option?

The "requires" part is about the client (in this case social_django), not anything on the MediaWiki side of this.

I found one more thing I did wrong! When I registered, I ignored the "Applicable project: All is fine" advice. I figured I would do the conservative thing and restrict this to just enwiki. Turns out, that was a bad move. This led to errors of the form:

AuthException at /oauth/complete/mediawiki/

An error occurred while trying to read json content: Not enough segments

Digging through the social-auth code, this comes from the "OOB" code path, where it's trying to dig the credential out of an embedded POST form, instead of parsing them out of the URL query string. This had me banging my head on the wall for a while. Eventually, I poked around and found some other tools that used social-auth, and discovered all of their consumer keys were set up with "*" for the "applicable project".

Anyway, recording all this here for the benefit of the next poor sod who runs into this.

I try to fetch an access token in the OAuth2 authorization code flow.

After receving code from oauth2/authorize I make the following post request:

https://www.mediawiki.org/w/rest.php/oauth2/access_token?grant_type=authorization_code&redirect_uri=https%3A%2F%2Ftools.wmflabs.org%2Fplnode%2F&client_id=0b...&client_secret=3...&code=d...

But as answer I receive: { "error": "invalid_request", "error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.", "hint": "Check the `grant_type` parameter",  "message": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed."}

Has anybody an idea what I'm doing wrong or can even provide some working example for oauth2?

Is Oauth2 currently enabled for major wikipedia?

No, Extension:OAuth implements OAuth 1.0a and is the only OAuth solution available on the Wikimedia wikis.

I am just curious, why not?

Csteipp, are you out there somewhere?

@Deskana, @BJorsch (WMF), or @Aaron Schulz might remember if there is a Phabricator task (would be an import from Bugzilla) or wiki page somewhere with the design decisions that led to picking 1.0a instead of 2.x. I have vague recollections, but 6 years ago was a long time and I was a n00b to the team and not directly a part of the project.

Lucky coincidence I happened to notice the notification on the staff account I seldom use.

IIRC, it's mainly because OAuth 2 didn't seem to have real advantages over 1.0a for the use cases we anticipated supporting, while being a more complex specification and more or less encouraging incompatible implementations.

https://hueniverse.com/oauth-2-0-and-the-road-to-hell-8eec45921529 may also be a useful read.

On the other hand, there is a task (T229500) to create an OAuth 2 extension. I don't know whether it'll actually go anywhere.

mediawiki as oauth server , phabricator as consumer,

how to add mediawiki oauth provider in phabricator ?