Extension talk:OAuth
Add topicWikimedia-specific help
[edit]This page should not contain information specific to the Wikimedia setup. That information should be moved to the other mediawiki.org page which explains the rationale used for authorisation etc. (written by csteipp some time ago) and perhaps the Meta RfC and policy proposal for "OAuth handover" etc. Nemo 05:58, 20 April 2016 (UTC)
- There's also the Meta:OAuth page, which is currently just a redirect to Help:OAuth here. It seems like a reasonable place to have info about OAuth as it pertains to Wikimedia specifically. This page (about the extension) should only have stuff that is applicable to anyone using the extension in any installation. SWilson (WMF) (talk) 00:36, 19 September 2016 (UTC)
- In the meanwhile the easiest target is probably OAuth/For Developers, where the Wikimedia-specific information can me moved while we wait for the existing Meta-Wiki draft to become official. As of now, third parties are thoroughly confused. Nemo 14:23, 22 September 2016 (UTC)
REL1_27 - extension.json does not exist
[edit]This missing file in the 1.27 branch is preventing installation. Lsilverman (talk) 16:16, 6 July 2017 (UTC)
1.27 does not use extension registration yet. That does not prevent installation. --Tgr (WMF) (talk) 16:29, 6 July 2017 (UTC)
Some usage examples, please
[edit]It would be great to have some examples, especially for assigning values to configuration variables.
The practise of assigning "false" as default value to variables that also accept non boolean values makes it difficult to guess! Wouldn't it be possible to use "null" instead to indicate disablement? — Preceding unsigned comment added by 105.200.67.1 (talk • contribs)
Wouldn't really help in figuring out the type, would it? I tried to clarify the documentation a bit. --Tgr (WMF) (talk) 15:06, 16 April 2018 (UTC)
- There's a huge lack of examples and screenshots on mediawiki site!!
Review of experimental endpoints section
[edit]User:BPirkle_(WMF): The documentation for the experimental REST endpoints is ready for your review. Thanks! --APaskulin (WMF) (talk) 23:34, 8 September 2020 (UTC)
Done. User:BPirkle_(WMF)
1.35 Not found
[edit]404 Not Found nginx/1.13.9
Use as an OAuth client
[edit]Apologies for the potentially stupid question, but would this extension allow my wiki to use an external (non MediaWiki) OAuth to allow users to login to my wiki? Iamacyborg (talk) 17:28, 13 October 2021 (UTC)
- Not a stupid question at all. This extension makes MediaWiki behave as an OAuth authorization server. To make MediaWiki behave as an OAuth client you would need an extension like Extension:WSOAuth. -- BDavis (WMF) (talk) 17:37, 13 October 2021 (UTC)
- Thank you! Iamacyborg (talk) 17:42, 13 October 2021 (UTC)
Mediawiki/REL1_37: Oauth with postgres: tables not created during installation
[edit]Hello,
I'm trying to install mediawiki/REL1_37 with OAuth extension with a postgres database
I have
- downloaded mediawikiwith different extensions, including OAuth, and launched composer
- ran " php74 maintenance/install.php --dbserver=${dbserver} ..."
- completed the LocalSetting.php with wfLoadExtension( 'OAuth' );
_ ran the update script
When I go to http://mywikiurl/wiki/Special:Version Special/Version , I get an error:
In the log:
Function: MediaWiki\Extensions\OAuth\Backend\Hooks::getUsedConsumerTags
Query: SELECT oarc_id FROM "oauth_registered_consumer" WHERE ((oarc_wiki = '*') OR (oarc_wiki = 'noemiwiki_int1')) AND oarc_deleted = 0 AND ((oarc_stage = 1) OR (oarc_stage = 0))
]
When I look into the database, I see that the oauth_registered_consumer table does not exsits.
When go into the code, especially https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/OAuth/+/refs/heads/REL1_37/src/Backend/UpdaterHooks.php
I see this test before creating database tables
if ( $dbType == 'mysql' || $dbType == 'sqlite' ) {
How can I create Oauth tables for oAuth extension ?
I tried to add || $dbType == 'postgres')
but the sql is not compatible with postgres (type unsigned undefined) :-(
Or Oauth isn't compatible with postgres? JdupontBnf (talk) 12:28, 30 March 2022 (UTC)
- @JdupontBnf Postgres support hasn't been implemented. Will probably happen as part of T268565. --Tgr (WMF) (talk) 19:38, 7 April 2022 (UTC)
REL1_35 "Key cannot be empty"
[edit]When using Postman to attempt an OAuth2 authorization code flow, the Postman console is reporting "Error: server_error, Description: The authorization server encountered an unexpected condition which prevented it from fulfilling the request: Key cannot be empty"
I think this is referring to a potential issue with the public/private key being used, but I can't spot the problem.
I generated the public and private keys using openssl "OpenSSL 1.1.1f 31 Mar 2020".
cd /etc/pki/oauth
openssl genrsa -out private.pem 4096
openssl rsa -pubout -in private.pem -out public.pem
I've also tried with 2048 bit keys.
In LocalSettings.php, I have:
$wgOAuth2PrivateKey = "/etc/pki/oauth/private.key";
$wgOAuth2PublicKey = "/etc/pki/oauth/public.key";
The folder and keys are now accessible by the apache2 process running under user www-data
. In fact, there was a permission problem earlier, and that error led me to update the permissions like so:
$ sudo ls -l /etc/pki/oauth/
total 8
-r--r----- 1 www-data www-data 3243 Jan 19 19:44 private.pem
-r--r--r-- 1 www-data www-data 800 Jan 19 19:44 public.pem
The private key is not password protected. I don't see an option for using a password-protected key in the MediaWiki OAuth extension anyway.
Can you think of any other thing I might check here? What am I missing? NotYour007 (talk) 21:15, 19 January 2023 (UTC)
- Just caught this stack trace:
- 023-01-19 21:44:59 ta-mediawiki devmediawiki: [17d87e707f9434b330fcbf0d] /w/rest.php/oauth2/access_token Lcobucci\JWT\Signer\InvalidKeyProvided from line 34 of /var/www/devmediawiki-1.35.7/w/vendor/lcobucci/jwt/src/Signer/InvalidKeyProvided.php: Key cannot be empty
- 0 /var/www/devmediawiki-1.35.7/w/vendor/lcobucci/jwt/src/Signer/Key/InMemory.php(25): Lcobucci\JWT\Signer\InvalidKeyProvided::cannotBeEmpty()
- 1 /var/www/devmediawiki-1.35.7/w/vendor/lcobucci/jwt/src/Signer/Key/InMemory.php(44): Lcobucci\JWT\Signer\Key\InMemory->__construct()
- 2 /var/www/devmediawiki-1.35.7/w/vendor/league/oauth2-server/src/Entities/Traits/AccessTokenTrait.php(50): Lcobucci\JWT\Signer\Key\InMemory::plainText()
- 3 /var/www/devmediawiki-1.35.7/w/vendor/league/oauth2-server/src/Entities/Traits/AccessTokenTrait.php(61): MediaWiki\Extensions\OAuth\Entity\AccessTokenEntity->initJwtConfiguration()
- 4 /var/www/devmediawiki-1.35.7/w/vendor/league/oauth2-server/src/Entities/Traits/AccessTokenTrait.php(79): MediaWiki\Extensions\OAuth\Entity\AccessTokenEntity->convertToJWT()
- 5 /var/www/devmediawiki-1.35.7/w/vendor/league/oauth2-server/src/ResponseTypes/BearerTokenResponse.php(31): MediaWiki\Extensions\OAuth\Entity\AccessTokenEntity->__toString()
- 6 /var/www/devmediawiki-1.35.7/w/vendor/league/oauth2-server/src/AuthorizationServer.php(202): League\OAuth2\Server\ResponseTypes\BearerTokenResponse->generateHttpResponse()
- 7 /var/www/devmediawiki-1.35.7/w/extensions/OAuth/src/AuthorizationProvider/AccessToken.php(22): League\OAuth2\Server\AuthorizationServer->respondToAccessTokenRequest()
- 8 /var/www/devmediawiki-1.35.7/w/extensions/OAuth/src/Rest/Handler/AccessToken.php(40): MediaWiki\Extensions\OAuth\AuthorizationProvider\AccessToken->getAccessTokens()
- 9 /var/www/devmediawiki-1.35.7/w/includes/Rest/Router.php(365): MediaWiki\Extensions\OAuth\Rest\Handler\AccessToken->execute()
- 10 /var/www/devmediawiki-1.35.7/w/includes/Rest/Router.php(320): MediaWiki\Rest\Router->executeHandler()
- 11 /var/www/devmediawiki-1.35.7/w/includes/Rest/EntryPoint.php(144): MediaWiki\Rest\Router->execute()
- 12 /var/www/devmediawiki-1.35.7/w/includes/Rest/EntryPoint.php(111): MediaWiki\Rest\EntryPoint->execute()
- 13 /var/www/devmediawiki-1.35.7/w/rest.php(31): MediaWiki\Rest\EntryPoint::main()
- 14 {main}
NotYour007 (talk) 21:49, 19 January 2023 (UTC)
- The stack trace helped me trace it to this function which resides in
/vendor/league/oauth2-server/src/Entities/Traits/AccessTokenTrait.php
- /**
- * Initialise the JWT Configuration.
- */
- public function initJwtConfiguration()
- {
- $this->jwtConfiguration = Configuration::forAsymmetricSigner(
- new Sha256(),
- LocalFileReference::file($this->privateKey->getKeyPath(), $this->privateKey->getPassPhrase() ?? ),
- InMemory::plainText()
- );
- }
- I believe it's the InMemory::plainText('') which is causing the problem.
- If I change that to
InMemory::plainText('empty','empty')
which exists in the latest version of "league/oauth2-server", then authentication works. - Is this secure? NotYour007 (talk) 22:05, 19 January 2023 (UTC)
- The stack trace helped me trace it to this function which resides in
- See T318480 and T321160. Tgr (WMF) (talk) 03:54, 23 January 2023 (UTC)
Can OAuth and rest.php work on a private wiki? (1_35)
[edit]We run 2 wikis on mediawiki. One is world readable by default. The other is a private wiki where $wgGroupPermissions['*']['read'] = false;
The private wiki uses SimpleSAMLphp to authenticate users against an Azure Active Directory.
We've added the OAuth extension, registered an app, and, using Postman, can acquire valid tokens. But any attempt to perform even the simplest tasks using the REST API is met with a response of {"error":"rest-read-denied","httpCode":403,"httpReason":"Forbidden"}.
We've tried a variety of permissions and grants, but we're not getting anywhere.
The "rest-read-denied" response is the same one we get attempting to fetch a page using rest.php/v1/page/page_name in an unauthenticated, incognito browser.
Here's the stack trace:
[session] Bad OAuth request from {ip}
- 0 /var/www/devmediawiki-1.35.7/w/extensions/OAuth/src/SessionProvider.php(99): MediaWiki\Extensions\OAuth\SessionProvider->verifyOAuth2Request()
- 1 /var/www/devmediawiki-1.35.7/w/includes/session/SessionManager.php(490): MediaWiki\Extensions\OAuth\SessionProvider->provideSessionInfo()
- 2 /var/www/devmediawiki-1.35.7/w/includes/session/SessionManager.php(215): MediaWiki\Session\SessionManager->getSessionInfoForRequest()
- 3 /var/www/devmediawiki-1.35.7/w/includes/WebRequest.php(826): MediaWiki\Session\SessionManager->getSessionForRequest()
- 4 /var/www/devmediawiki-1.35.7/w/includes/session/SessionManager.php(137): WebRequest->getSession()
- 5 /var/www/devmediawiki-1.35.7/w/includes/Setup.php(725): MediaWiki\Session\SessionManager::getGlobalSession()
- 6 /var/www/devmediawiki-1.35.7/w/includes/WebStart.php(89): require_once(string)
- 7 /var/www/devmediawiki-1.35.7/w/rest.php(29): require(string)
- 8 {main}
I tried to trace the code all the way down into the oauth2-server dependency, but ultimately ran out of time.
I would have assumed that once authenticated via OAuth2, a user bearing a valid token would be able to use the REST API.
We are blocked and unsure how to proceed. NotYour007 (talk) 22:18, 20 January 2023 (UTC)
- The "Bad OAuth request" error indicates that your client's OAuth2 handshake is not completing correctly. This in turn would make your request unauthenticated. There are a number of things that could be going wrong with the request, but there should be something in your logs. Because of the way that the OAuth extension uses Structured logging you may need to configure $wgMWLoggerDefaultSpi to use MonologSpi.php before you can see the underlying problem. -- BDavis (WMF) (talk) 23:19, 20 January 2023 (UTC)
- Also the extension is not great at logging useful details (in part because of the way the responsibility of validating OAuth signatures is split between the extension and third-party libraries) so you might need to use XDebug or such to see what happens.
- The API error message is somewhat wrong, that's T252591, but your root problem is some kind of OAuth issue. Tgr (WMF) (talk) 04:10, 23 January 2023 (UTC)
Logout
[edit]Can I use the API:Logout to log out? Gerges (talk) 12:00, 4 December 2023 (UTC)
- Logout is not necessarily a meaningful concept when using OAuth. You certainly cannot log out of your OAuth app - the request is authenticated if you add an OAuth header to it and it isn't when you don't. If you are a user of another person's OAuth app, you can revoke the grant you gave the app in Special:OAuthManageMyGrants. If you are the app owner, you can set the list of allowed IPs to an empty list (a weird hack, T254190 is about allowing app owners to properly disable apps).
- If you want to use OAuth to terminate your browser sessions, that's not possible today. In core MediaWiki, the logout API only logs you out from the current browser, so you can only log out from the specific device in which you are logged in. (T209579 is the relevant task.) On Wikimedia sites, logout works across all sites and all devices, so conceptually it would make sense to trigger it from OAuth, but with the current implementation it's not possible. Tgr (WMF) (talk) 21:15, 4 December 2023 (UTC)
REL1_41: Cannot update the database after enabling extension
[edit]I recently enabled Extension:OAuth on a self-hosted instance of MediaWiki.
However, when running php maintenance/run.php update
to update the schema, this error code comes up:
Some of your configuration settings caused a warning:
* Invalid MediaWiki configuration parameter "UrlProtocols": Array value
found, but an array is required
Please correct the issue before running update.php again.
If you know what you are doing, you can bypass this check
using --skip-config-validation.
.
A Google search yielded nothing about this issue.
I am self-hosting MediaWiki 1.41.0 and I am using farming via different LocalSettings.php and the environment variable HTTP_HOST.-- Il Gatto Obeso (talk) 13:22, 24 June 2024 (UTC)
Update: disabled Extension:OAuth and still gives me that error on update, it is probably something else in my configuration.--Il Gatto Obeso (talk) 13:25, 24 June 2024 (UTC)
Update 2: OAuth extension is unrelated with my issue! The issue was caused by the line
$wgUrlProtocols = array_diff( $wgUrlProtocols, array('news:') );
in my LocalSettings.php (see Manual:Using_custom_namespaces).--Il Gatto Obeso (talk) 13:32, 24 June 2024 (UTC)