Help talk:OAuth


KermitLiu (talkcontribs)

I received the consumer key and secret key from the wiki.

I have configured the consumer key and secret key in Phabricator, and the callback URL in the wiki.

But Phabricator gives me an exception:

Unhandled Exception (“Exception”)

Expected ‘oauth_callback_confirmed’ to be ‘true’!

Could you give me some help?

Tgr (WMF) (talkcontribs)

At a wild guess, poor error handling in your client library, which receives an error and tries to verify it as if it were a valid token (in which case indeed it should have an oauth_callback_confirmed field).

KermitLiu (talkcontribs)

MediaWiki is my wiki provider, Phabricator is my consumer.

I tried my wiki with https://github.com/wikimedia/mediawiki-oauthclient-php (demo directory) as the consumer, and it succeeded.

I added a print command, and the returned parameters were: key, secret, oauth_callback_confirmed.

But with Phabricator as the consumer, Phabricator gives me an exception.

So, is the wiki wrong, or is Phabricator wrong?

KermitLiu (talkcontribs)
Tgr (WMF) (talkcontribs)

We use the same setup for Wikimedia's Phabricator so it can't be that wrong. Again, my best guess is that you are getting an error (which can be caused by a lot of things: wrong token configuration, out-of-sync clock, cache problems...) and Phabricator does not show the error because it does not recognize it is an error. willProcessTokenRequestResponse seems to do the right thing, so maybe your wiki is returning a fatal error. Check your logs to see if that's the case.

@MModell (WMF) might be able to provide more insight.

KermitLiu (talkcontribs)

Thank you very much, I will try.

AndreaDileva (talkcontribs)

I would like to know how to set my preferences. I looked in my history before and I'm blocked, or I think I am, because another IP is sharing my address, and I have been thinking someone is using my IP address and email account to do things. I don't even know if this website is going to help me. Can anyone give me advice?

AndreaDileva (talkcontribs)

I don't even know how to read your comment. I'm sorry, I'm learning how to use this site.

Tgr (WMF) (talkcontribs)
Simon Villeneuve (talkcontribs)

Hi,

I plan to show how to use mix'n'match to a group of newbies and I want to know if there are restrictions on using OAuth for new accounts (like "only autoconfirmed shall pass").

Iluvatar (talkcontribs)

There are no restrictions on users (see that: new account, no edits, no flags), but developers of tools might add restrictions in their own source code. Sorry for my English.

Tgr (WMF) (talkcontribs)

There might be unintentional limitations coming from the fact that requests through that tool all use the same IP. So if something has an IP-level rate limit for non-autoconfirmed accounts (and several things do, e.g. 8 edits per minute), that will apply. Although for an IRL presentation with everyone using the same internet connection, such limitations would apply to non-OAuth actions as well.

Simon Villeneuve (talkcontribs)

User login or registration with Oauth

Tribly (talkcontribs)

I would like to use OAuth to help people log in or register on my wiki with sites such as Facebook, Twitter, Google, Microsoft etc. How do I go about that?

Markhalsey (talkcontribs)

I am sorry that I don’t know exactly where to locate this information, although I did come across it sometime yesterday, and the ability to utilize Twitter, Facebook and Google, were options that I noticed are indeed available in some form or another.

If you are interested in locating the Help Page which describes the capabilities, I am sure I can locate once again. If so, please send me a message ASAP, via my Talk Page, and I will go through my Bookmarks or History for you.

Markhalsey (talk) 18:30, 13 January 2018 (UTC) Mark Halsey

Tgr (WMF) (talkcontribs)

Oalexander (talkcontribs)

Checking my "Manage connected applications" page after having been notified of a failed login attempt from a new device, I have found out that a "Library Card [1.6]" (Publisher: Jsn.sherman) is connected to my account using the OAuth protocol. Could somebody please advise me what this means? Thanks.

Tgr (WMF) (talkcontribs)

That you have at some point logged into The Wikipedia Library Card Platform, and as part of the process authorized it to read your identity and email address on the Wikimedia sites. It's not related to failed logins in any way.

mwoauth-invalid-authorization

Summary by Smartse

The error can mean many things, but in this case it seems to have been caused by the API request, rather than any problem with the headers as the error suggested.

Smartse (talkcontribs)

Hi. I'm trying to use OAuth to be able to connect to the API via python using my en.wiki admin rights, but get a "mwoauth-invalid-authorization" error when using a slightly adapted version of the example code at OAuth/Owner-only consumers#Python. Does anyone have any suggestions as to what might be causing the problem? Should I try getting new tokens? Does it make a difference that I've activated 2FA?

Tgr (WMF) (talkcontribs)

Normally that would mean that the consumer is waiting for admin approval, but there doesn't seem to be any such consumer. Are you using an owner-only consumer? If not, what's the consumer ID?

Smartse (talkcontribs)
Tgr (WMF) (talkcontribs)

Owner-only consumers do not require approval and it should not be possible to get that error for an owner-only consumer. Is there any chance you are using a different consumer ID in your bot configuration?

Smartse (talkcontribs)

Sorry, I've been away for the last week. Hmm, well, I'm obviously doing something wrong! I've triple checked and am definitely using that key and the other 3 parameters as in the example code. I've tried making a new key and using those but still get the same error. The only slight difference I can see with my code compared to the example is that the example uses "customer_key" whereas I have a "consumer_token", but I assumed that these are synonymous.

Tgr (WMF) (talkcontribs)

customer_key sounds wrong but I don't see it in the example, either. Apparently we do not log the consumer key for OAuth errors :/ so I cannot easily check in the server logs what went wrong - filed phab:T188848 about that.

Can you generate the error and tell the exact time it happened?

Smartse (talkcontribs)

Yes I was a bit confused by that but there are 4 parameters and I entered them in the order that the request page spits out. The time and error are below. I am on UTC:

2018-03-04 22:30:01.808559

{u'servedby': u'mw1223', u'error': {u'info': u'The authorization headers in your request are not valid: Invalid signature', u'*': u'See https://en.wikipedia.org/w/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce> for notice of API deprecations and breaking changes.', u'code': u'mwoauth-invalid-authorization'}}

As you'll see it also says the authorization header is not valid, but I figured that this wasn't the main problem since the request is served fine if I remove auth=auth. Just in case though my header is {'user-agent': 'Smartse deleted contribs - <my email>'}

Thanks very much for your help with this!

Smartse (talkcontribs)

Hi Tgr. Have you had a chance to take a look at the logs yet?

Tgr (WMF) (talkcontribs)

Sorry, I got distracted. Apparently mwoauth-invalid-authorization is reused for all kinds of errors so forget what I said in my earlier comments :-/ Invalid signature means an error on your side; either the algorithm for building the authorization header is wrong (sounds like you are using the one built into the requests library so that's not very likely), or you are passing in the wrong data, or your computer's clock is off. Unfortunately we don't log any useful information for signature checks :( so the logs wouldn't tell anything interesting.
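
The three causes Tgr lists (wrong signing algorithm, wrong data, clock skew) are exactly what an OAuth 1.0a server checks. As an added illustration, not code from this page, from MediaWiki or from the requests library, here is the RFC 5849 HMAC-SHA1 signing computation a client performs and the corresponding check a server performs, with the timestamp window modelling the "clock is off" case; the consumer key, token, timestamp and nonce used in the test are constructed values.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote

def pct(value):
    # RFC 5849 section 3.6: percent-encode everything except unreserved characters.
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    # params holds query/body fields plus every oauth_* field except oauth_signature.
    # Names and values are encoded first, then sorted by name (then by value).
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # Signing key: encoded consumer secret and encoded token secret joined by '&'.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def sign_request(method, url, params, consumer_key, consumer_secret,
                 token, token_secret, timestamp, nonce):
    # Client side: add the oauth_* protocol parameters, then compute the signature.
    signed = dict(params)
    signed.update({
        "oauth_consumer_key": consumer_key, "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce, "oauth_version": "1.0",
    })
    base = signature_base_string(method, url, signed)
    signed["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return signed

def verify_request(method, url, params, consumer_secret, token_secret,
                   now=None, max_skew=300):
    # Server side: reject stale timestamps first, then recompute the signature over
    # everything except oauth_signature and compare in constant time. Returns (ok, reason).
    now = time.time() if now is None else now
    if abs(now - int(params.get("oauth_timestamp", 0))) > max_skew:
        return False, "timestamp outside allowed window"
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = hmac_sha1_signature(
        signature_base_string(method, url, unsigned), consumer_secret, token_secret)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False, "Invalid signature"
    return True, "ok"
```

Any mismatch between what the client signed and what the server sees (a changed parameter, a different token secret, or a value encoded differently) produces the same "Invalid signature" result, which is why the server cannot say more than that.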

Smartse (talkcontribs)

No worries. Thanks for trying. I will try and fiddle around more and hope I can get something to work, and failing that try a bot password instead.

Smartse (talkcontribs)

I don't quite understand why, but after trying and failing to get it to work with special:botpasswords instead, I've now got it working :D It seems as if it was a problem with the API query itself as I didn't change any of the other parameters in the request, but as I said above, it worked fine when I removed "auth=auth".

I can't allow OAuth on my account

Summary by Mojackjutaily

It's been answered.

Mojackjutaily (talkcontribs)

Hi, I tried using flickr2commons but it says "You haven't authorized this application yet!", and when I go here, this message appears: "Sorry, something went wrong connecting this application. Go back and try to connect your account again, or contact the application author.

OAuth token not found, E004"

But in Special:OAuthManageMyGrants it shows that I have allowed OAuth Uploader on all projects. What seems to be the problem? Thank you.

Tgr (WMF) (talkcontribs)

You should report this to the flickr2commons author. At a guess the tool is having problems with the cache backend it uses.

Tgr (WMF) (talkcontribs)

FWIW I can sort of reproduce, although in my case the error is Error retrieving token: mwoauthdatastore-request-token-not-found

Mojackjutaily (talkcontribs)

Thank you, I don't know what happened but it's working now.


How can I start to translate this?

Drashtikaushik (talkcontribs)
BDavis (WMF) (talkcontribs)
Tgr (WMF) (talkcontribs)

Or if you want to translate this wiki page, just click on the small "Translate this page" link on top.

Drashtikaushik (talkcontribs)
Tgr (WMF) (talkcontribs)

The Gujarati community and/or the proposer of T158564 can probably better answer that.

Dnaber (talkcontribs)

My application would like to know the usernames of Wikipedia users, so that people don't have to sign up for yet another service. It wouldn't actually run any action on Wikipedia. Does it make sense to use OAuth for that, or is there a better alternative?

Deskana (WMF) (talkcontribs)

Hi Dnaber,

You can retrieve a user's username using the API. The query you can use for this is: https://en.wikipedia.org/w/api.php?format=json&action=query&meta=userinfo

That said, I suspect what you're actually asking me is "Can my website somehow use OAuth as an authentication method, so that users can sign in using their Wikipedia credentials?". The answer to that is that you can, but you shouldn't. If it's being used for authentication, the OAuth protocol is susceptible to man-in-the-middle attacks. The use of HTTPS mitigates that somewhat, but the vulnerability is still theoretically there. We'd highly recommend not using OAuth for authentication.

We're exploring the possibility of making Wikimedia wikis an OpenID provider which would allow you to use Wikimedia credentials for authorisation. We don't know if or when we'll start working on that, though.

Please let me know if you need any more information.

This post was posted by Deskana (WMF), but signed as DGarry (WMF).

Tgr (WMF) (talkcontribs)

The above answer is now outdated. You can send an OAuth-authorized request to Special:OAuth/identify which will return user identity in a JWT (signed JSON token). As long as you properly validate the signature, this is safe and does not suffer from the vulnerability mentioned above.
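
The "properly validate the signature" step is where most of the safety lives. As an added example, not code from this page or from the mwoauth library, here is a stdlib-only verifier for such a token that pins the algorithm to HS256, checks the HMAC with the consumer secret, and only then checks iss, aud (the consumer key), nonce (echoed from the request) and exp. That the identify token is HS256-signed with the consumer secret and carries these claims is my understanding of the endpoint, stated as an assumption; make_hs256_jwt exists only to construct a sample token for the test.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def make_hs256_jwt(claims, secret):
    # Only used to build a constructed sample token; the wiki issues the real one.
    segments = [_b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in ({"typ": "JWT", "alg": "HS256"}, claims)]
    mac = hmac.new(secret.encode(), ".".join(segments).encode(), hashlib.sha256).digest()
    return ".".join(segments + [_b64url_encode(mac)])

def verify_identify_jwt(token, consumer_key, consumer_secret, expected_iss,
                        expected_nonce, now=None):
    # Returns the claims only if every check passes; raises ValueError otherwise.
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the header
    mac = hmac.new(consumer_secret.encode(), f"{parts[0]}.{parts[1]}".encode(),
                   hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    # Claims are parsed only after the signature is known to be good.
    claims = json.loads(_b64url_decode(parts[1]))
    checks = {"iss": expected_iss, "aud": consumer_key, "nonce": expected_nonce}
    for name, wanted in checks.items():
        if claims.get(name) != wanted:
            raise ValueError(f"{name} mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] < now:
        raise ValueError("token expired")
    return claims
```

The aud and nonce checks are what stop a token issued to another consumer, or one captured from an earlier identify call, from being accepted as a fresh login.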

Adam (Wiki Ed) (talkcontribs)

Is there some clarification on where/why OAuth is disabled for blocked IPs? I'm seeing some failed login attempts for unblocked users operating on school-blocked IPs and I want to know what the exact check is. Thanks.

CSteipp (WMF) (talkcontribs)

Hi Adam, users shouldn't (can't) use OAuth to log in; the login API calls are explicitly disabled. Are you seeing failures when potential users are logging in to authorize the Consumer? Or are the Consumer's API calls failing because it's running from a blocked IP?

Adam (Wiki Ed) (talkcontribs)

@CSteipp (WMF) thanks for the reply and sorry for not noticing it. I'm talking about the latter, (API calls failing). They're logged in or reported as much.

Tgr (WMF) (talkcontribs)

Blocking will work the same way for OAuth requests as normal requests (but keep in mind that the IP will be that of the server hosting the OAuth application, not the real user).

Some plans to make block handling more flexible are in T159889 and T110249.
