Talk:OAuth/For Developers


What to use as client_id for OAuth2

Summary by Iwan.Aucamp

Moved question to here

Iwan.Aucamp

I'm trying to make a React-based client to be hosted on a static site with the PKCE flow (RFC 7636) (more info here)

When I register an OAuth2 consumer at https://meta.wikimedia.org/wiki/Special:OAuthConsumerRegistration/list I get 3 pieces of info:

  • Client application key
  • Client application secret
  • Access token

The documentation says to use "client token" as "client_id". I have tried all 3 of the values, none work. I navigate to https://meta.wikimedia.org/w/rest.php/oauth2/authorize?client_id=...&redirect_uri=...&response_type=code&scope=openid&state=,..&code_challenge=...&code_challenge_method=S256&response_mode=query

But this page tells me "Application Connection Error: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)". So I guess I'm doing something wrong, first step would be to verify that I am indeed using the correct thing for "client_id".

If someone has an example client that does this that I can have a look at it will be great.
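
The `code_challenge`, `code_challenge_method=S256` and `state` parameters in the authorization URL quoted above are derived as follows under RFC 7636. This is an added example, not part of the original post, and it does not settle which registration value is the `client_id`. The function names are hypothetical, and the client id and redirect URI passed in are whatever the caller supplies.

```javascript
// Added example: PKCE (RFC 7636, S256) values for an authorization request.
const nodeCrypto = require('node:crypto');

// base64url without padding, as RFC 7636 requires.
function base64url(buf) {
  return Buffer.from(buf).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// 32 random bytes give a 43-character verifier (RFC 7636 allows 43 to 128).
function newCodeVerifier() {
  return base64url(nodeCrypto.randomBytes(32));
}

// S256: BASE64URL(SHA256(ASCII(code_verifier)))
function codeChallengeS256(verifier) {
  if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(verifier)) {
    throw new Error('code_verifier must be 43-128 unreserved characters');
  }
  const digest = nodeCrypto.createHash('sha256').update(verifier, 'ascii').digest();
  return base64url(digest);
}

// Builds the authorize URL; verifier and state stay in the client until the
// redirect returns (never sent in this request).
function buildAuthorizeUrl({ endpoint, clientId, redirectUri, scope }) {
  const verifier = newCodeVerifier();
  const state = base64url(nodeCrypto.randomBytes(16));
  const url = new URL(endpoint);
  url.search = new URLSearchParams({
    client_id: clientId, redirect_uri: redirectUri, response_type: 'code',
    scope, state,
    code_challenge: codeChallengeS256(verifier), code_challenge_method: 'S256',
  }).toString();
  return { url: url.toString(), verifier, state };
}

// On the redirect back: reject the response unless state matches, then
// return the authorization code to exchange together with the verifier.
function readCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  const got = Buffer.from(params.get('state') || '');
  const want = Buffer.from(expectedState);
  if (got.length !== want.length || !nodeCrypto.timingSafeEqual(got, want)) {
    throw new Error('state mismatch: discard this response');
  }
  return params.get('code');
}
```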

Unable to fetch access token

Pasleim

I try to fetch an access token in the OAuth2 authorization code flow.

After receiving code from oauth2/authorize I make the following POST request:

https://www.mediawiki.org/w/rest.php/oauth2/access_token?grant_type=authorization_code&redirect_uri=https%3A%2F%2Ftools.wmflabs.org%2Fplnode%2F&client_id=0b...&client_secret=3...&code=d...

But as answer I receive: { "error": "invalid_request", "error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.", "hint": "Check the `grant_type` parameter",  "message": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed."}

Has anybody an idea what I'm doing wrong or can even provide some working example for oauth2?
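
RFC 6749 section 4.1.3 has the client send the token request parameters form-encoded in the POST body, and a `client_secret` or `code` placed in the URL also ends up in server and proxy logs. The sketch below, an added example that is not part of the original post or of MediaWiki's code, flags credential parameters in a query string and rebuilds the posted request with a body instead. The function names are hypothetical, and the thread does not confirm that this is what triggered the error above.

```javascript
// Added example; function names are hypothetical.
const SENSITIVE = ['client_secret', 'code', 'code_verifier', 'refresh_token', 'access_token'];

// Names of credential-bearing parameters found in a URL's query string.
function queryStringLeaks(requestUrl) {
  const params = new URL(requestUrl).searchParams;
  return SENSITIVE.filter((name) => params.has(name));
}

// Token request with every parameter in the form-encoded body
// (RFC 6749 section 4.1.3); nothing is sent, only described.
function buildTokenRequest(endpoint, fields) {
  const url = new URL(endpoint);
  if (url.search) throw new Error('token endpoint URL must not carry parameters');
  return {
    url: url.toString(),
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ grant_type: 'authorization_code', ...fields }).toString(),
  };
}

// Moves every query parameter of an existing request URL into the body.
function rebuildFromPosted(requestUrl) {
  const src = new URL(requestUrl);
  const fields = Object.fromEntries(src.searchParams);
  src.search = '';
  return buildTokenRequest(src.toString(), fields);
}

// The request URL from the post, with its elided values kept as posted.
const posted = 'https://www.mediawiki.org/w/rest.php/oauth2/access_token'
  + '?grant_type=authorization_code'
  + '&redirect_uri=https%3A%2F%2Ftools.wmflabs.org%2Fplnode%2F'
  + '&client_id=0b...&client_secret=3...&code=d...';
```

The object returned by `rebuildFromPosted(posted)` can be passed to an HTTP client such as `fetch(req.url, req)`.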


Is OAuth2 currently enabled for major Wikipedia?

Xinbenlv

Is OAuth2 currently enabled for major Wikipedia?

BDavis (WMF)
Xinbenlv

I am just curious, why not?


Halfak (WMF)

Csteipp, are you out there somewhere?

BDavis (WMF)

@Deskana, @BJorsch (WMF), or @Aaron Schulz might remember if there is a Phabricator task (would be an import from Bugzilla) or wiki page somewhere with the design decisions that led to picking 1.0a instead of 2.x. I have vague recollections, but 6 years ago was a long time and I was a n00b to the team and not directly a part of the project.

Anomie

Lucky coincidence I happened to notice the notification on the staff account I seldom use.

IIRC, it's mainly because OAuth 2 didn't seem to have real advantages over 1.0a for the use cases we anticipated supporting, while being a more complex specification and more or less encouraging incompatible implementations.

https://hueniverse.com/oauth-2-0-and-the-road-to-hell-8eec45921529 may also be a useful read.

On the other hand, there is a task (T229500) to create an OAuth 2 extension. I don't know whether it'll actually go anywhere.

Penguinbupt

MediaWiki as OAuth server, Phabricator as consumer.

How to add MediaWiki OAuth provider in Phabricator?


Registering single copies of desktop or mobile apps

Damian Yerrick

From OAuth/For Developers:

Intended Users
[...]
  • But not...
    • Desktop applications (the Consumer Secret needs to be secret!). Some alternatives are being considered. See past discussions:

The first discussion recommends the following:

The best workaround now is probably to have each user register their copy of your desktop application as its own consumer.

The second discussion recommends making a generic "desktop application" consumer, which the server administrator never ended up implementing.

Thus each user of a desktop or mobile application will be forced into the flow to register an owner-only consumer. This means that the flow through meta:Special:OAuthConsumerRegistration/propose must be as painless as possible. So is there a way for a desktop or mobile application to tell the user's default web browser to open meta:Special:OAuthConsumerRegistration/propose with prefilled values in the "New OAuth consumer application" fields, to which the user can check the box for acceptance of terms and then activate the "Propose consumer" button to submit the form? Would I need to request this at Phabricator? Or is prefilling a bad idea to start off with?

Tgr (WMF)