Talk:OAuth/For Developers


How common is it to use WM OAuth for logging into to off-wiki sites?

Sj

I dislike using the most commonly offered OAuth providers for sign-in to websites, and would like to see a W option more often...

Ed6767

@Sj, it is challenging as not all WMF accounts have emails linked, which many services require.

Sj

I see; but do we keep a list of sites / services that do use WM OAuth?

I can think of other reasons why WM OAuth might be more useful for assuring someone isn't a spammer than other common options.


Access token for anonymous user

Diegodlh

Hi, all! I'm developing a tool that edits Wikidata. The client is public (i.e., not confidential), so I will be using PKCE.

Apart from security, one of the reasons why I'm using OAuth is because it sets a tag for the edits made with the tool, as discussed here. This is useful, because it'd let us track changes and identify bugs early.

The tool also allows making anonymous edits. This is possible by using the +\ CSRF token, but in order for these edits to be flagged with the app's tag, I guess I should send an access token in the Authorization header.

Would it be possible to get an access token from the access_token endpoint using grant_type=client_credentials? Given that this is a public client, would it be possible to get it using (PKCE's) code_verifier, instead of client_secret?

Thanks!!

Tgr (WMF)

OAuth cannot be used for anonymous actions, as the user needs to approve the OAuth app before using it, and anonymous users are identified with their user address and a meaningful approval mechanism cannot be built on that. (There is a chance the handling of anonymous users will be rearchitected in the next year or so and that might affect the ability of the OAuth extension to cover anonymous actions, but not anytime soon.)


What to use as client_id for OAuth2

Summary by Iwan.Aucamp

Moved question to here

Iwan.Aucamp

I'm trying to make a react based client to be hosted on a static site with [rfc:7636 PKCE flow] (more info here)

When I register an OAuth2 consumer at https://meta.wikimedia.org/wiki/Special:OAuthConsumerRegistration/list I get 3 pieces of info:

  • Client application key
  • Client application secret
  • Access token

The documentation says to use "client token" as "client_id". I have tried all 3 of the values, none work. I navigate to https://meta.wikimedia.org/w/rest.php/oauth2/authorize?client_id=...&redirect_uri=...&response_type=code&scope=openid&state=,..&code_challenge=...&code_challenge_method=S256&response_mode=query

But this page tells me "Application Connection Error: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)". So I guess I'm doing something wrong, first step would be to verify that I am indeed using the correct thing for "client_id".

If someone has an example client that does this that I can have a look at it will be great.

APaskulin (WMF)

Thanks for this feedback, @Iwan.Aucamp! The client_id parameter in the example you've given should be populated with the client application key (called the "consumer key" in the Meta-Wiki consumer list view). I've updated this wiki page to clarify some terminology, but I think that major changes to both the docs and the interfaces in Meta are needed to clarify these workflows.

Yurik

@Iwan.Aucamp hi, I would like to build a react-based serverless app as well, do you have an example of how you got this solved? Would be a great way to foster simple web-based tools for various Wikipedia tasks. Thx!

Iwan.Aucamp

@Yurik I gave up, good luck though and I hope it works out.

oob?
BDavis (WMF)

I think you missed the part wikitech:Help:Toolforge/My first Django OAuth tool#Adding OAuth in the instructions where you were supposed to check the 'Allow consumer to specify a callback in requests and use "callback" URL above as a required prefix.' checkbox when creating your grant. Using 'oob' for the 'oauth_callback' parameter is done when the grant contains the exact callback to be used. social_django does not work in this mode.

RoySmith

Hmmm. I just made a new key which has that checked, but now I'm getting:

Error: oauth_callback must be set, and must be set to "oob" (case-sensitive), or the configured callback must be a prefix of the supplied callback.

RoySmith

Ah, that did it. Thanks. I must have gone through the example a half dozen times comparing it to my code and never noticed that. Sometimes a fresh set of eyes is what you need. But, if the MW OAuth setup always requires the "Allow consumer to specify a callback..." option to be checked, why is it even offered as an option? Or, at least have the registration form check it by default? In any case, thanks again for your assistance.

BDavis (WMF)

> But, if the MW OAuth setup always requires the "Allow consumer to specify a callback..." option to be checked, why is it even offered as an option?

The "requires" part is about the client (in this case social_django), not anything on the MediaWiki side of this.

RoySmith

I found one more thing I did wrong! When I registered, I ignored the "Applicable project: All is fine" advice. I figured I would do the conservative thing and restrict this to just enwiki. Turns out, that was a bad move. This led to errors of the form:

AuthException at /oauth/complete/mediawiki/

An error occurred while trying to read json content: Not enough segments

Digging through the social-auth code, this comes from the "OOB" code path, where it's trying to dig the credential out of an embedded POST form, instead of parsing them out of the URL query string. This had me banging my head on the wall for a while. Eventually, I poked around and found some other tools that used social-auth, and discovered all of their consumer keys were set up with "*" for the "applicable project".

Anyway, recording all this here for the benefit of the next poor sod who runs into this.


Unable to fetch access token

Pasleim

I try to fetch an access token in the OAuth2 authorization code flow.

After receiving the code from oauth2/authorize I make the following POST request:

https://www.mediawiki.org/w/rest.php/oauth2/access_token?grant_type=authorization_code&redirect_uri=https%3A%2F%2Ftools.wmflabs.org%2Fplnode%2F&client_id=0b...&client_secret=3...&code=d...

But as answer I receive: { "error": "invalid_request", "error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.", "hint": "Check the `grant_type` parameter",  "message": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed."}

Has anybody an idea what I'm doing wrong or can even provide some working example for oauth2?

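The question above has no reply on this page. As an added example (not code from the page, from the MediaWiki OAuth extension, or from the poster), here is a token request built the way RFC 6749 section 4.1.3 specifies: the parameters go in an application/x-www-form-urlencoded POST body, not in the URL query string. Whether that is the cause of the quoted `invalid_request` error is an assumption; the endpoint path is the one quoted in the question, and the client id, secret and code are placeholders. The example also shows the public-client variant, which sends a PKCE code_verifier instead of a client_secret.

```javascript
// Added example, not code from the page or from the MediaWiki OAuth extension:
// exchanging an authorization code at the OAuth 2 token endpoint. RFC 6749 section 4.1.3
// puts the parameters in an application/x-www-form-urlencoded POST body; query-string
// parameters are an assumption about why the request in the question was rejected.
// Assumptions: endpoint as quoted in the question; ids, secrets and codes are placeholders.

const TOKEN_ENDPOINT = 'https://www.mediawiki.org/w/rest.php/oauth2/access_token';

function buildTokenRequest({ clientId, clientSecret, code, redirectUri, codeVerifier }) {
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: clientId,
    code,
    redirect_uri: redirectUri,   // must be byte-identical to the one used at /authorize
  });
  // Confidential client: authenticate with the secret. Public client: prove
  // possession of the PKCE verifier instead; never ship a secret to a browser.
  if (clientSecret) body.set('client_secret', clientSecret);
  else if (codeVerifier) body.set('code_verifier', codeVerifier);
  else throw new Error('need either client_secret (confidential) or code_verifier (PKCE)');
  return {
    url: TOKEN_ENDPOINT,         // no query string at all
    init: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'application/json' },
      body: body.toString(),
    },
  };
}

// Diagnose a request built like the one in the question: everything in the URL.
function tokenRequestProblems(requestUrl) {
  const q = new URL(requestUrl).searchParams;
  const problems = [];
  for (const p of ['grant_type', 'code', 'client_secret', 'redirect_uri', 'client_id']) {
    if (q.has(p)) problems.push(`${p} sent in query string; put it in the form body`);
  }
  if (q.has('client_secret') || q.has('code')) {
    problems.push('secret material in URL: will land in server, proxy and browser logs');
  }
  return problems;
}

// Perform the exchange; `fetchImpl` is injected so the logic can be exercised offline.
async function exchangeCode(params, fetchImpl = globalThis.fetch) {
  const { url, init } = buildTokenRequest(params);
  const resp = await fetchImpl(url, init);
  const data = await resp.json();
  if (!resp.ok || data.error) {
    // Surface the server's `hint` field (as in the question) to make misconfiguration obvious.
    throw new Error(`token endpoint: ${data.error ?? resp.status}` + (data.hint ? ` (${data.hint})` : ''));
  }
  return data;  // { token_type, expires_in, access_token, refresh_token? }
}
```

Keep the secret on a server-side component for a confidential client; a static or mobile client should use the code_verifier branch and never hold a client_secret at all.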

Is OAuth2 currently enabled for major Wikipedia?

Xinbenlv

Is OAuth2 currently enabled for major Wikipedia?

Xinbenlv

I am just curious, why not?


Halfak (WMF)

Csteipp, are you out there somewhere?

BDavis (WMF)

@Deskana, @BJorsch (WMF), or @Aaron Schulz might remember if there is a Phabricator task (would be an import from Bugzilla) or wiki page somewhere with the design decisions that led to picking 1.0a instead of 2.x. I have vague recollections, but 6 years ago was a long time and I was a n00b to the team and not directly a part of the project.

Anomie

Lucky coincidence I happened to notice the notification on the staff account I seldom use.

IIRC, it's mainly because OAuth 2 didn't seem to have real advantages over 1.0a for the use cases we anticipated supporting, while being a more complex specification and more or less encouraging incompatible implementations.

https://hueniverse.com/oauth-2-0-and-the-road-to-hell-8eec45921529 may also be a useful read.

On the other hand, there is a task (T229500) to create an OAuth 2 extension. I don't know whether it'll actually go anywhere.

Penguinbupt

MediaWiki as OAuth server, Phabricator as consumer:

How to add a MediaWiki OAuth provider in Phabricator?

Javascript?

Registering single copies of desktop or mobile apps

Damian Yerrick

From OAuth/For Developers:

Intended Users
[...]
  • But not...
    • Desktop applications (the Consumer Secret needs to be secret!). Some alternatives are being considered. See past discussions:

The first discussion recommends the following:

The best workaround now is probably to have each user register their copy of your desktop application as its own consumer.

The second discussion recommends making a generic "desktop application" consumer, which the server administrator never ended up implementing.

Thus each user of a desktop or mobile application will be forced into the flow to register an owner-only consumer. This means that the flow through meta:Special:OAuthConsumerRegistration/propose must be as painless as possible. So is there a way for a desktop or mobile application to tell the user's default web browser to open meta:Special:OAuthConsumerRegistration/propose with prefilled values in the "New OAuth consumer application" fields, to which the user can check the box for acceptance of terms and then activate the "Propose consumer" button to submit the form? Would I need to request this at Phabricator? Or is prefilling a bad idea to start off with?
