Talk:OAuth/Owner-only consumers
This page used the Structured Discussions extension to give structured discussions. It has since been converted to wikitext, so the content and history here are only an approximation of what was actually displayed at the time these comments were made.
When is "owner-only" needed?
The page says
"The option "owner-only" has to be checked."
It's stated right after 2 or 3 scenarios. Under which scenario? Johnywhy (talk) 05:32, 5 July 2018 (UTC)
- Well, this page is about owner-only consumers so all scenarios discussed on the page apply. Tgr (WMF) (talk) 12:16, 5 July 2018 (UTC)
- i've edited the page to be clearer.
- Since "The option "owner-only" has to be checked" was previously inside parens with the comments about wiki-farms and Wikimedia, that indicated that "The option "owner-only" has to be checked" applies only to wiki-farms and Wikimedia.
- But, according to you, it doesn't apply only to wiki-farms and Wikimedia, it applies to any wiki. So, it was misleading as written.
- Tho i'm still unclear about exactly which part of the process is done at central wiki of the farm or meta:Special:OAuthConsumerRegistration/propose. Johnywhy (talk) 18:51, 5 July 2018 (UTC)
- Special:OAuthConsumerRegistration/propose only exists on the central wiki of the farm (in the case of the Wikimedia wikifarm, that's Meta). I've tried to make that clearer, let me know if it helps. Tgr (WMF) (talk) 23:28, 5 July 2018 (UTC)
- The way it's currently written, it sounds like Special:OAuthConsumerRegistration/propose must be used in all cases, even on stand-alone wikis. Is that the intended meaning? Johnywhy (talk) 00:22, 6 July 2018 (UTC)
- Yes. A standalone wiki is basically a wikifarm with one wiki :) Tgr (WMF) (talk) 13:59, 6 July 2018 (UTC)
Obtaining RSA Key?
Special:OAuthConsumerRegistration/propose says:
Please provide a public RSA key (in PEM format) if possible; otherwise a (less secure) secret token will have to be used.
- Where can i obtain a public RSA key?
- Where do i put the private key? Johnywhy (talk) 08:34, 17 July 2018 (UTC)
- If you are not familiar with how to use RSA keys, you are probably better off not using them (just leave the box empty); the security advantages are not that large. The description should probably be improved to say so (even better would be to have a radio box for RSA vs. hash and only show the textbox when the first option is selected). Tgr (WMF) (talk) 11:36, 18 July 2018 (UTC)
- "If you are not familiar with how to use RSA keys, you are probably better off not using them"
- Let's assume for the moment that i'm intelligent enough to understand it.
- Can you answer the questions?
- I used PuTTYgen to generate a pair-- can i use that pair?
- The site i'm building requires the strongest available security, as the site may be targeted by hackers. Johnywhy (talk) 14:22, 18 July 2018 (UTC)
- I don't think PuTTY supports PEM but it's been a long time since I last used it. Tgr (WMF) (talk) 22:37, 18 July 2018 (UTC)
- Is this output good for OAuth?
puttygen ppkkey.ppk -O private-openssh -o pemkey.pem
- https://webkul.com/blog/convert-a-ppk-file-to-a-pem-file/ Johnywhy (talk) 00:10, 19 July 2018 (UTC)
- If it's an RSA key in PEM format, it should work. You can generate other kinds of keys with PuTTY so check your settings. Tgr (WMF) (talk) 08:45, 19 July 2018 (UTC)
- Ok. Where do i put the private key? In the API call?
- Or, in the login? API:Login#The login action Johnywhy (talk) 18:01, 19 July 2018 (UTC)
- You need to sign the API requests with it. That's not something you want to do by hand; there are a bunch of OAuth 1 libraries around. The doc page has an example (using oauthclient-php); the relevant part is starting at $api_req = OAuthRequest::from_consumer_and_token. Tgr (WMF) (talk) 16:20, 20 July 2018 (UTC)
- thx, but that's server-side php.
- i want to do the API calls in javascript, from the client. Johnywhy (talk) 20:03, 20 July 2018 (UTC)
- Well, the idea is the same, you just need a different library. You could use ddo/oauth-1.0a for example. Tgr (WMF) (talk) 10:29, 21 July 2018 (UTC)
- would i use ddo/oauth-1.0a instead of this extension? Johnywhy (talk) 03:04, 22 July 2018 (UTC)
- Use it to sign your API requests, as documented there. Tgr (WMF) (talk) 11:28, 22 July 2018 (UTC)
Changed user name from Dlohcierekim to Deepfriedokra. Now when I try to log onto UTRS, I get the following message
Fatal error: Uncaught UTRSValidationException: There were errors processing your unblock appeal: UserID not set from database while attempting to check logged in status. in /usr/utrs/production/public_html/src/unblocklib.php:67 Stack trace: #0 /usr/utrs/production/public_html/loginsplash.php(8): loggedIn() #1 {main} thrown in /usr/utrs/production/public_html/src/unblocklib.php on line 67
What can I do? Deepfriedokra (talk) 08:09, 27 August 2019 (UTC)
- You should contact the maintainers of UTRS. Your error appears to have nothing to do with this page, or this extension at all. Anomie (talk) 11:21, 27 August 2019 (UTC)
- Thanks. And how do I reach them? Deepfriedokra (talk) 14:01, 27 August 2019 (UTC)
oauthbible.com link rot
The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.
I just want to note that the http://oauthbible.com/ is a link rot now. Valerio Bozzolan (talk) 12:16, 21 September 2020 (UTC)
- I guess it's only available on GitHub now. Thanks, updated the link. Tgr (WMF) (talk) 19:46, 21 September 2020 (UTC)
The path "" does not contain a valid key file
We try to generate an owner-only consumer registration, but it fails with the error attached.
Wasn't able to find any documentation about the key file?
[16597c234d997bb55b95091f] /mediawiki/index.php/Special:OAuthConsumerRegistration/propose Lcobucci\JWT\Signer\Key\FileCouldNotBeRead from line 14 of /var/lib/mediawiki-1.35.4/extensions/OAuth/vendor/lcobucci/jwt/src/Signer/Key/FileCouldNotBeRead.php: The path "" does not contain a valid key file Kofl007 (talk) 10:38, 24 November 2021 (UTC)
- Fix:
- openssl genrsa -out oauth.key 2048
- openssl rsa -in oauth.key -pubout -out outh.cert
- $wgOAuth2PrivateKey = "/oauth/oauth.key";
- $wgOAuth2PublicKey = "/oauth/outh.cert"; Kofl007 (talk) 11:54, 24 November 2021 (UTC)
- Hello, I am having the same problem but cannot get it to work using the fix... It is giving an error saying it cannot find the key file. What is the absolute path I should use for "oauth.key" and "outh.cert"? I tried to put them under the wiki main folder, or the OAuth folder, or public_html; none of them worked. Could you share more info about how to fix this?
- Appreciate it! Thank you! Paulxu20 (talk) 21:28, 29 January 2023 (UTC)
- Perhaps this issue and its resolution would assist you. Note that the permissions and owner/group of the file must be such that it can be accessed by the web server user (and some things like SSL require that the secret part be set 600, i.e. only owner-readable, because they are meant to be private - don't know if that applies here). GreenReaper (talk) 09:09, 17 December 2024 (UTC)
- Most of the documentation assumes you are using the simpler SHA-1 based secrets, not public keys. Tgr (WMF) (talk) 22:56, 24 November 2021 (UTC)