Extension talk:OAuth

Wikimedia-specific help
This page should not contain information specific to the Wikimedia setup. That information should be moved to the other mediawiki.org page which explains the rationale used for authorisation etc. (written by csteipp some time ago) and perhaps the Meta RfC and policy proposal for "OAuth handover" etc. Nemo 05:58, 20 April 2016 (UTC)
 * There's also the OAuth page, which is currently just a redirect to Help:OAuth here. It seems like a reasonable place to have info about OAuth as it pertains to Wikimedia specifically. This page (about the extension) should only have stuff that is applicable to anyone using the extension in any installation. SWilson (WMF) (talk) 00:36, 19 September 2016 (UTC)
 * In the meanwhile the easiest target is probably OAuth/For Developers, where the Wikimedia-specific information can be moved while we wait for the existing Meta-Wiki draft to become official. As of now, third parties are thoroughly confused. Nemo 14:23, 22 September 2016 (UTC)

REL1_27 - extension.json does not exist
This missing file in the 1.27 branch is preventing installation. Lsilverman (talk) 16:16, 6 July 2017 (UTC)

1.27 does not use extension registration yet. That does not prevent installation. --Tgr (WMF) (talk) 16:29, 6 July 2017 (UTC)

Some usage examples, please
It would be great to have some examples, especially for assigning values to configuration variables.

The practice of assigning "false" as the default value to variables that also accept non-boolean values makes it difficult to guess! Wouldn't it be possible to use "null" instead to indicate disablement?

Wouldn't really help in figuring out the type, would it? I tried to clarify the documentation a bit. --Tgr (WMF) (talk) 15:06, 16 April 2018 (UTC)
 * There's a huge lack of examples and screenshots on mediawiki site!!

Review of experimental endpoints section
User:BPirkle_(WMF): The documentation for the experimental REST endpoints is ready for your review. Thanks! --APaskulin (WMF) (talk) 23:34, 8 September 2020 (UTC)

Done. User:BPirkle_(WMF)

1.35 Not found
404 Not Found nginx/1.13.9

Use as an OAuth client
Apologies for the potentially stupid question, but would this extension allow my wiki to use an external (non MediaWiki) OAuth to allow users to log in to my wiki? Iamacyborg (talk) 17:28, 13 October 2021 (UTC)


 * Not a stupid question at all. This extension makes MediaWiki behave as an OAuth authorization server. To make MediaWiki behave as an OAuth client you would need an extension like Extension:WSOAuth. -- BDavis (WMF) (talk) 17:37, 13 October 2021 (UTC)


 * Thank you! Iamacyborg (talk) 17:42, 13 October 2021 (UTC)

Mediawiki/REL1_37: Oauth with postgres: tables not created during installation
Hello,

I'm trying to install mediawiki/REL1_37 with OAuth extension with a postgres database

I have

- downloaded mediawiki with different extensions, including OAuth, and launched composer

- ran " php74 maintenance/install.php --dbserver=${dbserver} ..."

- completed the LocalSettings.php with wfLoadExtension( 'OAuth' );

- ran the update script

When I go to http://mywikiurl/wiki/Special:Version Special/Version, I get an error:

In the log:

Function: MediaWiki\Extensions\OAuth\Backend\Hooks::getUsedConsumerTags

When I look into the database, I see that the oauth_registered_consumer table does not exist.

When I go into the code, especially https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/OAuth/+/refs/heads/REL1_37/src/Backend/UpdaterHooks.php

I see this test before creating database tables

How can I create OAuth tables for the OAuth extension?

I tried to add  but the sql is not compatible with postgres (type unsigned undefined) :-(

Or Oauth isn't compatible with postgres? JdupontBnf (talk) 12:28, 30 March 2022 (UTC)


 * @JdupontBnf Postgres support hasn't been implemented. Will probably happen as part of T268565. --Tgr (WMF) (talk) 19:38, 7 April 2022 (UTC)

REL1_35 "Key cannot be empty"
When using Postman to attempt an OAuth2 authorization code flow, the Postman console is reporting "Error: server_error, Description: The authorization server encountered an unexpected condition which prevented it from fulfilling the request: Key cannot be empty"

I think this is referring to a potential issue with the public/private key being used, but I can't spot the problem.

I generated the public and private keys using openssl "OpenSSL 1.1.1f 31 Mar 2020". I've also tried with 2048 bit keys.

In LocalSettings.php, I have:

The folder and keys are now accessible by the apache2 process running under user. In fact, there was a permission problem earlier, and that error led me to update the permissions like so: The private key is not password protected. I don't see an option for using a password-protected key in the MediaWiki OAuth extension anyway.

Can you think of any other thing I might check here? What am I missing? NotYour007 (talk) 21:15, 19 January 2023 (UTC)


 * Just caught this stack trace:
 * NotYour007 (talk) 21:49, 19 January 2023 (UTC)
 * The stack trace helped me trace it to this function which resides in
 * I believe it's the InMemory::plainText('') which is causing the problem.
 * If I change that to  which exists in the latest version of "league/oauth2-server", then authentication works.
 * Is this secure? NotYour007 (talk) 22:05, 19 January 2023 (UTC)
 * See T318480 and T321160. Tgr (WMF) (talk) 03:54, 23 January 2023 (UTC)

Can OAuth and rest.php work on a private wiki? (1_35)
We run 2 wikis on mediawiki. One is world readable by default. The other is a private wiki where   The private wiki uses SimpleSAMLphp to authenticate users against an Azure Active Directory.

We've added the OAuth extension, registered an app, and, using Postman, can acquire valid tokens. But any attempt to perform even the simplest tasks using the REST API is met with a response of    We've tried a variety of permissions and grants, but we're not getting anywhere.

The "rest-read-denied" response is the same one we get attempting to fetch a page using rest.php/v1/page/page_name in an unauthenticated, incognito browser.

Here's the stack trace:

I tried to trace the code all the way down into the oauth2-server dependency, but ultimately ran out of time.

I would have assumed that once authenticated via OAuth2, a user bearing a valid token would be able to use the REST API.

We are blocked and unsure how to proceed. NotYour007 (talk) 22:18, 20 January 2023 (UTC)


 * The "Bad OAuth request" error indicates that your client's OAuth2 handshake is not completing correctly. This in turn would make your request unauthenticated. There are a number of things that could be going wrong with the request, but there should be something in your logs. Because of the way that the OAuth extension uses Structured logging you may need to configure $wgMWLoggerDefaultSpi to use MonologSpi.php before you can see the underlying problem. -- BDavis (WMF) (talk) 23:19, 20 January 2023 (UTC)
 * Also the extension is not great at logging useful details (in part because of the way the responsibility of validating OAuth signatures is split between the extension and third-party libraries) so you might need to use XDebug or such to see what happens.
 * The API error message is somewhat wrong, that's T252591, but your root problem is some kind of OAuth issue. Tgr (WMF) (talk) 04:10, 23 January 2023 (UTC)
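
The logging change suggested in the replies above could look like the following `LocalSettings.php` fragment. This is an added example, not part of the original discussion or the extension's own documentation; it assumes `monolog/monolog` is installed through Composer, and the log path and the `debugfile` and `json` labels are placeholders.

```php
// Route all MediaWiki log channels through Monolog so that the structured
// context attached to log messages is written out, not just the message text.
$wgMWLoggerDefaultSpi = [
	'class' => \MediaWiki\Logger\MonologSpi::class,
	'args' => [ [
		'loggers' => [
			// '@default' applies to every channel without its own entry,
			// which includes the channel the OAuth extension writes to.
			'@default' => [
				'processors' => [ 'wiki', 'psr' ],
				'handlers' => [ 'debugfile' ],
			],
		],
		'processors' => [
			// Adds wiki id and host to each record.
			'wiki' => [ 'class' => \MediaWiki\Logger\Monolog\WikiProcessor::class ],
			// Expands {placeholder} tokens in messages from the context array.
			'psr' => [ 'class' => \Monolog\Processor\PsrLogMessageProcessor::class ],
		],
		'handlers' => [
			'debugfile' => [
				'class' => \Monolog\Handler\StreamHandler::class,
				// Placeholder path: keep it outside the web root and readable
				// only by the web server user, since request details from
				// failed OAuth handshakes can end up in this file.
				'args' => [ '/var/log/mediawiki/debug.json.log' ],
				'formatter' => 'json',
			],
		],
		'formatters' => [
			// One JSON object per line keeps the context fields searchable.
			'json' => [ 'class' => \Monolog\Formatter\JsonFormatter::class ],
		],
	] ],
];
```

Once the underlying OAuth error has been found, revert to the previous logging configuration and remove the debug file so that request data does not accumulate on disk.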