Help talk:OAuth



Translation

The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.


Is the page sufficiently stable to enable the translation? (poke User:DGarry (WMF))

Could someone review the page (just typo for the last change) before activating translation? ~ Seb35 [^_^] 14:24, 25 November 2013 (UTC)Reply

I don't see the content significantly changing any time soon, so I think the page should be stable enough for translation. Thanks! Dan Garry, Wikimedia Foundation (talk) 15:02, 25 November 2013 (UTC)Reply
The discussion above is closed. Please do not modify it. No further edits should be made to this discussion.

OAuth with no actions?


My application would like to know the usernames of Wikipedia users, so that people don't have to sign up for yet another service. It wouldn't actually run any action on Wikipedia. Does it make sense to use OAuth for that, or is there a better alternative? Dnaber (talk) 19:58, 29 November 2013 (UTC)Reply
Hi Dnaber,
You can retrieve a user's username using the API. The query you can use for this is: https://en.wikipedia.org/w/api.php?format=json&action=query&meta=userinfo
That said, I suspect what you're actually asking me is "Can my website somehow use OAuth as an authentication method, so that users can sign in using their Wikipedia credentials?". The answer to that is that you can, but you shouldn't. If it's being used for authentication, the OAuth protocol is susceptible to man-in-the-middle attacks. The use of HTTPS mitigates that somewhat, but the vulnerability is still theoretically there. We'd highly recommend not using OAuth for authentication.
We're exploring the possibility of making Wikimedia wikis an OpenID provider which would allow you to use Wikimedia credentials for authorisation. We don't know if or when we'll start working on that, though.
Please let me know if you need any more information. Dan Garry, Wikimedia Foundation (talk) 16:13, 9 December 2013 (UTC)Reply
The above answer is now outdated. You can send an OAuth-authorized request to Special:OAuth/identify which will return user identity in a JWT (signed JSON token). As long as you properly validate the signature, this is safe and does not suffer from the vulnerability mentioned above. Tgr (WMF) (talk) 08:21, 13 May 2017 (UTC)Reply
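Validating the identity token mentioned above, as an added example that is not part of the original discussion or MediaWiki's own code. It assumes the JWT is signed with HS256 using the consumer secret and carries iss, aud, nonce, iat and exp claims; the keys, issuer, nonce and tokens below are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


class IdentityError(Exception):
    """The identify response failed validation and must not be trusted."""


def b64url_decode(part):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def verify_identity_jwt(token, consumer_key, consumer_secret, issuer,
                        request_nonce, now=None, leeway=60):
    """Return the verified claims of an identify JWT or raise IdentityError."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise IdentityError("malformed token") from exc
    # Pin the algorithm; the token must never get to choose it ("none", RS256...).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise IdentityError("unexpected algorithm")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(consumer_secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise IdentityError("signature mismatch")
    # Only after the signature check is the payload parsed and inspected.
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError as exc:
        raise IdentityError("malformed payload") from exc
    if not isinstance(claims, dict):
        raise IdentityError("malformed payload")
    if claims.get("iss") != issuer:
        raise IdentityError("wrong issuer")
    if claims.get("aud") != consumer_key:
        raise IdentityError("token issued to another consumer")
    # The nonce ties the token to this request, so a captured token cannot be replayed.
    if not hmac.compare_digest(str(claims.get("nonce")).encode(), request_nonce.encode()):
        raise IdentityError("nonce mismatch")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, (int, float)) or not isinstance(exp, (int, float)):
        raise IdentityError("missing iat/exp")
    if iat > now + leeway or exp < now - leeway:
        raise IdentityError("token outside its validity window")
    return claims


# --- Constructed sample data (not real credentials, not a real wiki) ---
CONSUMER_KEY = "constructed-consumer-key"
CONSUMER_SECRET = "constructed-consumer-secret"
ISSUER = "https://wiki.example.org"
NONCE = "constructed-nonce-1"
NOW = 1_700_000_000
SAMPLE_CLAIMS = {"iss": ISSUER, "aud": CONSUMER_KEY, "sub": 42, "username": "ExampleUser",
                 "nonce": NONCE, "iat": NOW, "exp": NOW + 100}


def make_token(claims, secret, alg="HS256"):
    """Build a constructed token for the demo; a real one comes from the wiki."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": alg}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def check(token, nonce=NONCE, now=NOW):
    """Return the verified username, or the reason the token was rejected."""
    try:
        claims = verify_identity_jwt(token, CONSUMER_KEY, CONSUMER_SECRET, ISSUER, nonce, now)
        return "ok: " + claims["username"]
    except IdentityError as exc:
        return "rejected: " + str(exc)


def demo_results():
    good = make_token(SAMPLE_CLAIMS, CONSUMER_SECRET)
    head, _, sig = good.split(".")
    edited = b64url_encode(json.dumps({**SAMPLE_CLAIMS, "username": "Admin"}).encode())
    return {
        "valid": check(good),
        "payload edited after signing": check(f"{head}.{edited}.{sig}"),
        "signed with another key": check(make_token(SAMPLE_CLAIMS, "guess")),
        "alg set to none": check(make_token(SAMPLE_CLAIMS, CONSUMER_SECRET, alg="none")),
        "replayed into another request": check(good, nonce="constructed-nonce-2"),
        "expired": check(good, now=NOW + 3600),
        "not a JWT": check("garbage"),
    }


if __name__ == "__main__":
    for case, verdict in demo_results().items():
        print(f"{case}: {verdict}")
```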

Registering my app


So, how do I register my application? It seems like that's a thing that should be mentioned on the Help page... Magnus Manske (talk) 11:36, 6 December 2013 (UTC)Reply

Never mind, found it, and added to the Help page. Magnus Manske (talk) 12:55, 6 December 2013 (UTC)Reply
Hi Magnus,
Thanks for adding that link. It's possible I might make a help page for OAuth developers in the future which we can put that on, but for now I think it's helpful to have on the main help page.
Your application's already been approved. Let me know if I can help more. Dan Garry, Wikimedia Foundation (talk) 16:04, 9 December 2013 (UTC)Reply
Ok thanx 1.38.27.133 23:21, 7 December 2013 (UTC)Reply

OAuth applications list


Where do we find OAuth-compatible applications that people can use? There should be a list of them, and it should be linked-to from here. — SMcCandlish  Talk⇒ ɖכþ Contrib. 05:31, 22 June 2014 (UTC)Reply

There's a list on Special:OAuthListConsumers. Legoktm (talk) 05:44, 22 June 2014 (UTC)Reply

How can my application yichengtry [1.1] be approved?


I registered this application on 20 June; is there anything I need to do to get an approval? Anorange0409 (talk) 08:03, 23 June 2014 (UTC)Reply

You can just use it, but it is currently not useful, since you don't make "Edit existing pages" applicable to consumer. GZWDer (talk) 12:20, 30 October 2014 (UTC)Reply
I would like an answer to this too. I have a consumer for "Video Editing Server" that was proposed 10 days ago, and it is still not approved. In its proposed state, only my user account can use it to let the app get an access token. This is inhibiting other people from developing and testing. Ddennedy (talk) 20:16, 28 November 2014 (UTC)Reply

Disabling?


Is it possible to totally disable that ability, so that it will not be enabled for some reason by accident? Xoristzatziki (talk) 20:28, 23 August 2014 (UTC)Reply

Disable which ability? Legoktm (talk) 01:12, 28 August 2014 (UTC)Reply
@Legoktm @Xoristzatziki Thanks Lenna-commons (talk) 00:53, 25 January 2016 (UTC)Reply

Change callback URL


How does one change or request a change to the callback URL? The manage page only lets you change the RSA key and IP addresses. Ddennedy (talk) 20:23, 28 November 2014 (UTC)Reply

You have to request a new consumer token, with an incremented version number. Sam Wilson 06:49, 18 September 2016 (UTC)Reply

Login from blocked IP


Is there some clarification on where/why OAuth is disabled for blocked IPs? I'm seeing some failed login attempts for unblocked users operating on schoolblocked IPs and I want to know what the exact check is. Thanks. Adam (Wiki Ed) (talk) 21:30, 28 September 2015 (UTC)Reply

Hi Adam, users shouldn't (can't) use OAuth to login-- the login api calls are explicitly disabled. Are you seeing failures when potential users are logging in to authorize the Consumer? Or is the Consumer's api calls failing, because it's running from a blocked IP? Test aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (talk) 05:04, 10 October 2015 (UTC)Reply
@CSteipp (WMF) thanks for the reply and sorry for not noticing it. I'm talking about the latter, (API calls failing). They're logged in or reported as much. Adam (Wiki Ed) (talk) 19:51, 6 November 2015 (UTC)Reply
Blocking will work the same way for OAuth requests as normal requests (but keep in mind that the IP will be that of the server hosting the OAuth application, not the real user).
Some plans to make block handling more flexible are in T159889 and T110249. Tgr (WMF) (talk) 08:31, 13 May 2017 (UTC)Reply

How secure it is?


While this article leaves the impression that OAuth is secure, Wikipedia in English claims the opposite for both protocol version 1.0 and 2.0. So, is there a safe way to use it and avoid the risks? DarkoS (talk) 19:19, 10 January 2016 (UTC)Reply

Hi @DarkoS, when implementing OAuth for MediaWiki, we made many deliberate choices to prevent known attacks, and encourage good practices by the developers who will be connecting their tools to the wiki via OAuth.
That said, how "secure" it is depends on what aspect you are looking at, and what threat models you're concerned with.
  • From the perspective of your server running the OAuth extension, the extension should not expose your server to any additional risk. The code has been well reviewed, and we haven't had any sql/code injections through the extension yet. The extension is supported by the WMF, so any security updates will be announced and patched.
  • From the perspective of your users, OAuth has the advantage that it allows other tools to edit as them, without requiring the user to give them their password. The OAuth tokens have limited rights, and can be revoked. If your users are going to have tools edit on their behalf, using OAuth is significantly more secure than having the tool login with the user's password.
  • It's entirely possible that another protocol level attack against OAuth 1.0a will be discovered, allowing an attacker to authorize their Consumer without the user's knowledge, or convince the user they are authorizing a different Consumer. Again, this extension is supported by the WMF, so we would patch that as a security issue, if we were ever made aware that that was possible.
  • The claims on enwiki about phishing have some merit, but I would say it's just as easy for an attacker to redirect users to a site they control "to login for OAuth" as it is to redirect them to a fake copy of any wiki, and encourage the user to login. If you think that is a legitimate risk for your users, and the risk outweighs the benefits, then OAuth is not right for you.
Hope that helps! Test aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (talk) 00:12, 23 January 2016 (UTC)Reply

Is it OK to create a development-only consumer?


While developing an application, it is often the case that one needs the callback URL to be something like http://localhost/myapp/. Is it acceptable to request consumer tokens for this?

I see that some consumers have been approved that do this (for example), so perhaps it's fine.

If it is, maybe it'd be worth adding something to the documentation saying something along the lines of "A separate consumer should be created for each stage of an application's development (e.g. testing, staging, and production)." Sam Wilson 07:00, 18 September 2016 (UTC)Reply

According to tgr on IRC: yep, it's fine to request additional consumers for this purpose. Sam Wilson 07:23, 18 September 2016 (UTC)Reply

phabricar


I try sign up phabricar Shavene (talk) 17:27, 2 December 2016 (UTC)Reply


Rewew Login


Hi there, I have a question about the OAuth-session. When I close the browser window, the session cookie will be deleted (look at this PHP-example). Is there any possibility, to "renew" the login without passing the whole process (click on grant access)? Thank you very much! FNDE (talk) 17:07, 5 January 2017 (UTC)Reply

If you are using an authentication only grant, yes. See OAuth/For_Developers#Avoid_repetitive_login_prompts BDavis (WMF) (talk) 17:35, 5 January 2017 (UTC)Reply
This is what I'm looking for, thank you! Is there a way to pass the authentication without a redirect? Maybe with CURL? FNDE (talk) 18:19, 5 January 2017 (UTC)Reply
No, the user's browser is needed to interact with the OAuth server and get the request signed. You can however store the tokens that are returned from the handshake callback. They do not expire, but can be revoked by the user via Special:OAuthManageMyGrants. On your app side you will still need some way to re-associate the user and the credentials that you persist. BDavis (WMF) (talk) 19:57, 5 January 2017 (UTC)Reply

Connecting Facebook to Wikipedia


How to my mind connecting Facebook to Wikipedia how to add? --White Gold AJ Gaspar (talk) 12:23, 14 January 2017 (UTC)Reply

Try Extension:OAuthAuthentication BDavis (WMF) (talk) 17:48, 24 February 2017 (UTC)Reply

How do I use Google Authentication with Mediawiki?


Complete newbie & noob on this type of subject matter.

I'd like to think I'm neither the first nor the only one that would like to set up Google Authentication on a Mediawiki instance.

Any help or pointers is appreciated.

Thanks,

Roy Rpammeraal (talk) 17:33, 24 February 2017 (UTC)Reply

You should look into Extension:GoogleLogin. Legoktm (talk) 19:20, 24 February 2017 (UTC)Reply

User login or registration with Oauth


I would like to use Oauth to help people login or register on my wiki with sites such as Facebook, Twitter, Google, Microsoft etc. How do I go about that? Tribly (talk) 08:33, 19 April 2017 (UTC)Reply

Look at the existing user identity extensions such as GoogleLogin, Facebook, TwitterLogin, ULogin...
GoogleLogin is well-maintained, the others probably not so much. Tgr (WMF) (talk) 08:17, 13 May 2017 (UTC)Reply

How can I start to translate this?


I can see translation need for OAuth project on https://phabricator.wikimedia.org/T158564 How can I translate in gu(Gujarati) language? Drashtikaushik (talk) 12:18, 30 August 2017 (UTC)Reply

Translations are done on translatewiki: https://translatewiki.net/wiki/Special:Translate?action=translate&group=ext-oauth&language=gu&filter=%21translated BDavis (WMF) (talk) 18:09, 30 August 2017 (UTC)Reply
Or if you want to translate this wiki page, just click on the small "Translate this page" link on top. Tgr (WMF) (talk) 19:48, 30 August 2017 (UTC)Reply
thanks @BDavis (WMF) and @Tgr (WMF) What is priority task for this project? I will do accordingly. Drashtikaushik (talk) 08:26, 31 August 2017 (UTC)Reply
The Gujarati community and/or the proposer of T158564 can probably better answer that. Tgr (WMF) (talk) 18:21, 31 August 2017 (UTC)Reply

i cant Allow OAuth on my account


Hi, I tried using flickr2commons but it says "You haven't authorized this application yet!" and when I go to here, this message appears: "Sorry, something went wrong connecting this application. Go back and try to connect your account again, or contact the application author.

OAuth token not found, E004"

But in Special:OAuthManageMyGrants it shows that I have allowed OAuth Uploader on all projects. What seems to be the problem? Thank you. Mojackjutaily (talk) 04:25, 29 September 2017 (UTC)Reply

You should report this to the flickr2commons author. At a guess the tool is having problems with the cache backend it uses. Tgr (WMF) (talk) 18:48, 30 September 2017 (UTC)Reply
FWIW I can sort of reproduce, although in my case the error is Error retrieving token: mwoauthdatastore-request-token-not-found Tgr (WMF) (talk) 18:49, 30 September 2017 (UTC)Reply
Thank you, I don't know what happened but it's working now. Mojackjutaily (talk) 00:44, 1 October 2017 (UTC)Reply

mwoauth-invalid-authorization


Hi. I'm trying to use OAuth to be able to connect to the API via python using my en.wiki admin rights, but get a "mwoauth-invalid-authorization" error when using a slightly adapted version of the example code at OAuth/Owner-only consumers#Python. Does anyone have any suggestions as to what might be causing the problem? Should I try getting new tokens? Does it make a difference that I've activated 2FA? Smartse (talk) 22:24, 23 February 2018 (UTC)Reply

Normally that would mean that the consumer is waiting for admin approval, but there doesn't seem to be any such consumer. Are you using an owner-only consumer? If not, what's the consumer ID? Tgr (WMF) (talk) 22:46, 23 February 2018 (UTC)Reply
Yes I'm trying to use an owner-only consumer. The consumer key is here: [1] Smartse (talk) 21:44, 24 February 2018 (UTC)Reply
Owner-only consumers do not require approval and it should not be possible to get that error for an owner-only consumer. Is there any chance you are using a different consumer ID in your bot configuration? Tgr (WMF) (talk) 23:54, 24 February 2018 (UTC)Reply
Sorry - been away for the last week. Hmm well I'm obviously doing something wrong! I've triple checked and am definitely using that key and the other 3 parameters as in the example code. I've tried making a new key and using those but still get the same error. The only slight difference I can see with my code compared to the example is that the example uses "customer_key" whereas I have a "consumer_token" but I assumed that these are synonymous. Smartse (talk) 22:49, 3 March 2018 (UTC)Reply
customer_key sounds wrong but I don't see it in the example, either. Apparently we do not log the consumer key for OAuth errors :/ so I cannot easily check in the server logs what went wrong - filed phab:T188848 about that.
Can you generate the error and tell the exact time it happened? Tgr (WMF) (talk) 03:40, 4 March 2018 (UTC)Reply
Yes I was a bit confused by that but there are 4 parameters and I entered them in the order that the request page spits out. The time and error are below. I am on UTC:
2018-03-04 22:30:01.808559
{u'servedby': u'mw1223', u'error': {u'info': u'The authorization headers in your request are not valid: Invalid signature', u'*': u'See https://en.wikipedia.org/w/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce> for notice of API deprecations and breaking changes.', u'code': u'mwoauth-invalid-authorization'}}
As you'll see it also says the authorization header is not valid, but I figured that this wasn't the main problem since the request is served fine if I remove auth=auth. Just in case though my header is {'user-agent': 'Smartse deleted contribs - <my email>'}
Thanks very much for your help with this! Smartse (talk) 22:36, 4 March 2018 (UTC)Reply
Hi Tgr. Have you had a chance to take a look at the logs yet? Smartse (talk) 10:58, 12 March 2018 (UTC)Reply
Sorry, I got distracted. Apparently mwoauth-invalid-authorization is reused for all kinds of errors so forget what I said in my earlier comments :-/ Invalid signature means an error on your side; either the algorithm for building the authorization header is wrong (sounds like you are using the one built into the requests library so that's not very likely), or you are passing in the wrong data, or your computer's clock is off. Unfortunately we don't log any useful information for signature checks :( so the logs wouldn't tell anything interesting. Tgr (WMF) (talk) 08:04, 13 March 2018 (UTC)Reply
No worries. Thanks for trying. I will try and fiddle around more and hope I can get something to work, and failing that try a bot password instead. Smartse (talk) 14:32, 20 March 2018 (UTC)Reply
I don't quite understand why, but after trying and failing to get it to work with special:botpasswords instead, I've now got it working :D It seems as if it was a problem with the API query itself as I didn't change any of the other parameters in the request, but as I said above, it worked fine when I removed "auth=auth". Smartse (talk) 20:20, 3 April 2018 (UTC)Reply
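How the inputs named in this thread (the four credentials, the request data and the clock) feed an OAuth 1.0a signature, as an added example that is not part of the original discussion or MediaWiki's code. It follows RFC 5849 for an HMAC-SHA1 consumer; the server_check function, its 300-second window, the URL and all credentials are constructed assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    # RFC 5849 section 3.6: everything except unreserved characters is escaped.
    return quote(str(value), safe="~")


def base_string(method, url, oauth_params):
    """Signature base string (RFC 5849 section 3.4.1) for a request without a form body."""
    parts = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(parts.scheme)
    host = parts.hostname
    if parts.port not in (None, default_port):
        host = f"{host}:{parts.port}"
    base_uri = f"{parts.scheme}://{host}{parts.path or '/'}"
    # Query parameters are signed together with the oauth_* protocol parameters.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join((method.upper(), pct(base_uri), pct(normalized)))


def sign(method, url, oauth_params, consumer_secret, token_secret):
    """HMAC-SHA1 signature; the key is both secrets, in this order, joined by '&'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    text = base_string(method, url, oauth_params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()


def server_check(method, url, oauth_params, consumer_secret, token_secret,
                 server_now, max_skew=300):
    """Hypothetical verifier: recompute the signature from what actually arrived."""
    try:
        timestamp = int(oauth_params["oauth_timestamp"])
    except (KeyError, ValueError):
        return "missing or bad timestamp"
    if abs(server_now - timestamp) > max_skew:
        return "timestamp outside accepted window"
    expected = sign(method, url, oauth_params, consumer_secret, token_secret)
    supplied = str(oauth_params.get("oauth_signature", ""))
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "invalid signature"
    return "ok"


# --- Constructed sample data (not real credentials, not a real wiki) ---
URL = "https://wiki.example.org/w/api.php?action=query&meta=userinfo&format=json"
CONSUMER_KEY, CONSUMER_SECRET = "ck", "constructed-consumer-secret"
TOKEN, TOKEN_SECRET = "tk", "constructed-token-secret"
NOW = 1_700_000_000


def client_request(url, consumer_secret, token_secret, timestamp):
    """Build the oauth_* parameters a client would send for a GET of `url`."""
    params = {"oauth_consumer_key": CONSUMER_KEY, "oauth_token": TOKEN,
              "oauth_nonce": "n1", "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": str(timestamp), "oauth_version": "1.0"}
    params["oauth_signature"] = sign("GET", url, params, consumer_secret, token_secret)
    return params


def run_scenarios():
    def verdict(sent_url, params):
        return server_check("GET", sent_url, params, CONSUMER_SECRET, TOKEN_SECRET, NOW)

    good = client_request(URL, CONSUMER_SECRET, TOKEN_SECRET, NOW)
    return {
        "correct": verdict(URL, good),
        # The two secrets were entered in each other's slot on the client.
        "secrets in swapped slots":
            verdict(URL, client_request(URL, TOKEN_SECRET, CONSUMER_SECRET, NOW)),
        # The request that was sent is not the request that was signed.
        "query changed after signing": verdict(URL + "&uiprop=groups", good),
        "client clock one hour slow":
            verdict(URL, client_request(URL, CONSUMER_SECRET, TOKEN_SECRET, NOW - 3600)),
    }


if __name__ == "__main__":
    for case, result in run_scenarios().items():
        print(f"{case}: {result}")
```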

Library Card


Checking my "Manage connected applications" page after having been notified of a failed login attempt under a new device I have found out that a "Library Card [1.6]" (Publisher: Jsn.sherman) is connected to my account by using the OAuth protocol. Could somebody pls. advise me what this means? Thanks. ~ Oalexander (talk) 06:35, 16 August 2018 (UTC)Reply

That you have at some point logged into The Wikipedia Library Card Platform, and as part of the process authorized it to read your identity and email address on the Wikimedia sites. It's not related to failed logins in any way. Tgr (WMF) (talk) 07:30, 17 August 2018 (UTC)Reply

Restrictions for new accounts ?


Hi,

I plan to show how to use mix'n'match to a group of newbies and I want to know if there are restrictions for using OAuth for new accounts (like "only autoconfirmed shall pass"). Simon Villeneuve (talk) 12:42, 3 May 2019 (UTC)Reply

There are no restrictions to users (see that — new acc, no edits, no flags), but developers of tools might add any restrictions in own source code. Sorry for my English. Iluvatar (talk) 13:32, 3 May 2019 (UTC)Reply
There might be unintentional limitations coming from the fact that requests through that tool all use the same IP. So if something has an IP-level rate limit for non-autoconfirmed accounts (and several things do, e.g. 8 edits per minute), that will apply. Although for an IRL presentation with everyone using the same internet connection, such limitations would apply to non-OAuth actions as well. Tgr (WMF) (talk) 19:15, 3 May 2019 (UTC)Reply
@Magnus Manske: Is it the case with mix'n'match? Simon Villeneuve (talk) 19:18, 3 May 2019 (UTC)Reply

prefrences and oath?


I would like to know how to set my preferences. I looked in my history before and I'm blocked, or I think I am, because another IP is sharing my address, and I have been thinking someone is using my IP address and email acct to do things. I don't even know if this website is going to help me. Can anyone give me advice? AndreaDileva (talk) 02:40, 10 October 2019 (UTC)Reply

I don't even know how to read your comment. I'm sorry, I'm learning how to use this site. AndreaDileva (talk) 02:47, 10 October 2019 (UTC)Reply
Are you looking for the place to make unblock requests? Tgr (WMF) (talk) 07:43, 11 October 2019 (UTC)Reply

Expected oauth_callback_confirmed


I receive the consumer key and secret key from the wiki.

I have configured the consumer key and secret key in Phabricator,

and the callback URL in the wiki.


But Phabricator gives me an exception:

Unhandled Exception (“Exception”)

Expected ‘oauth_callback_confirmed’ to be ‘true’!


Could you give some help? KermitLiu (talk) 02:59, 14 October 2019 (UTC)Reply

At a wild guess, poor error handling in your client library, which receives an error and tries to verify it as if it would be a valid token (in which case indeed it should have an oauth_callback_confirmed field). Tgr (WMF) (talk) 06:48, 14 October 2019 (UTC)Reply
MediaWiki as my wiki provider, Phabricator as my consumer.
I used my wiki to try https://github.com/wikimedia/mediawiki-oauthclient-php (demo directory) as my consumer: success.
And I added a print command, and the returned parameters are: key, secret, oauth_callback_confirmed.
But with Phabricator as the consumer, Phabricator gives me an exception.
So, is the wiki wrong, or is Phabricator wrong?

KermitLiu (talk) 08:54, 14 October 2019 (UTC)Reply
the library use https://github.com/wikimedia/phabricator-extensions KermitLiu (talk) 08:55, 14 October 2019 (UTC)Reply
We use the same setup for Wikimedia's Phabricator so it can't be that wrong. Again, my best guess is that I think you are getting an error (which can be caused by a lot of things, wrong token configuration, out-of-sync clock, cache problems...) and Phabricator does not show the error because it does not recognize it is an error. willProcessTokenRequestResponse seems to do the right thing so maybe your wiki is returning a fatal error. Check your logs to see if that's the case.
@MModell (WMF) might be able to provide more insight. Tgr (WMF) (talk) 10:47, 14 October 2019 (UTC)Reply
Thank you very much, I will try. KermitLiu (talk) 01:08, 15 October 2019 (UTC)Reply
What url do you have set for the callback?
You need to specify the callback url like this:
https://your.phabricator.url/auth/login/mediawiki:/ MModell (WMF) (talk) 20:09, 10 December 2019 (UTC)Reply

Unable to use croptool


Croptool keeps giving me an error message, unable to authorize it. How do I fix it? Monkelese15 (talk) 03:47, 29 January 2020 (UTC)Reply

Please copy the exact error message. Tgr (WMF) (talk) 06:16, 29 January 2020 (UTC)Reply

OAuth request token not found


I am just beginning to sign in as a new contributor. The message reads:

E004

(mwoauthdatastore-request-token-not-found)

The OAuth request token was not found. This is the OAuth equivalent of a session loss / CSRF error - could be caused by timeout, token reuse, the app omitting some earlier authentication step, or the token store being misconfigured on the server or being unreliable.


I am not a very savvy computer user, so will appreciate simple language in the responses. Mkayschmitt (talk) 21:47, 19 March 2020 (UTC)Reply

This can be caused by unreliable infrastructure. You should just retry a few times. Tgr (WMF) (talk) 22:28, 19 March 2020 (UTC)Reply

Differentiate Oauth 1.0a and Oauth 2.0


Since Oauth 1.0a and Oauth 2.0 are practically two different protocols, shall we make it more explicit what version it refer to here? I am a bit confused... Xinbenlv (talk) 19:45, 22 April 2020 (UTC)Reply

This is user documentation; there's not that much difference from a user's point of view. The developer documentation does discuss them separately. Tgr (WMF) (talk) 20:49, 22 April 2020 (UTC)Reply

How do I print a Wikipedia biography?


How do I print a Wikipedia biography? 2600:1014:B1B8:18C3:68A9:E0F4:CD5E:53E (talk) 20:07, 4 May 2020 (UTC)Reply

By clicking the "Print" icon in your browser, probably?
Definitely not by asking about it on a completely unrelated talk page. Tgr (talk) 13:27, 5 May 2020 (UTC)Reply

fatal error logging into QuickStatements2


Fatal error: Uncaught Exception: Error retrieving token1: {"error":"mwoauth-callback-not-oob-or-prefix","message":"oauth_callback must be set, and must be set to \"oob\" (case-sensitive), or the configured callback must be a prefix of the supplied callback.","callback":"api.php"} in /data/project/magnustools/public_html/php/oauth.php:283 Stack trace: #0 /data/project/quickstatements/public_html/api.php(103): MW_OAuth->doAuthorizationRedirect('api.php') #1 {main} thrown in /data/project/magnustools/public_html/php/oauth.php on line 283


I have used quickstatements successfully. I had to clear cookies for other issues and now cannot relogin. I deauthorized and now cannot use at all. Trilotat (talk) 13:54, 2 June 2020 (UTC)Reply

This appears to be a local bug in @Magnus Manske's Quickstatements tool. It may be related to his recent efforts to begin migrating his tools to the new toolforge.org domain scheme. I would suggest trying to contact him to report the bug. See wikidata:Help:QuickStatements for the community documentation on this particular tool. BDavis (WMF) (talk) 15:12, 2 June 2020 (UTC)Reply
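The callback rule quoted in the error above, as an added example that is not part of the original thread and is not MediaWiki's or QuickStatements' code: a pre-flight check a tool could run on its own `oauth_callback` before starting the handshake. The function name and the registered callback URL are hypothetical, and the registered callback is assumed to be an absolute URL.

```python
from urllib.parse import urlsplit


def check_callback(configured: str, supplied: str) -> str:
    """Return "ok" or a short reason why `supplied` would be rejected.

    Rule taken from the error text: oauth_callback must be exactly "oob"
    (case-sensitive), or the configured callback must be a prefix of the
    supplied callback.
    """
    if not supplied:
        return "missing: oauth_callback must be set"
    if supplied == "oob":
        return "ok"
    if supplied.lower() == "oob":
        return "wrong case: only lowercase 'oob' is accepted"
    parts = urlsplit(supplied)
    if not parts.scheme or not parts.netloc:
        # The case in the report above: 'api.php' is a relative path.
        return "relative: supplied callback is not an absolute URL"
    conf = urlsplit(configured)
    if (parts.scheme, parts.netloc) != (conf.scheme, conf.netloc):
        return "origin mismatch: scheme or host differs from the registered callback"
    if not supplied.startswith(configured):
        return "not a prefix: registered callback does not start the supplied one"
    return "ok"


# Constructed registration value, for illustration only.
CONFIGURED = "https://tool.example.org/app/"

if __name__ == "__main__":
    for candidate in ("api.php", "oob", "OOB",
                      "https://tool.example.org/app/api.php",
                      "https://old.example.org/app/api.php"):
        print(f"{candidate!r:45} -> {check_callback(CONFIGURED, candidate)}")
```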

How do I search for application name with OAuth



How do I search for application name with OAuth? 197.210.79.204 (talk) 07:37, 6 June 2021 (UTC)Reply

You can get a list via Special:OAuthListConsumers. Search capabilities are very limited though. Tgr (WMF) (talk) 19:36, 6 June 2021 (UTC)Reply

Library Card and privacy



If I grant OAuth access to "Library Card", I will apparently share my e-mail address with it. I'm obviously fine with one WMF project seeing the e-mail address I use on another WMF project, but does this mean my e-mail address is shared with The Wikipedia Library partner companies? What other info is shared with these companies? The privacy policy link only leads to the general WMF privacy policy. Daß Wölf (talk) 22:04, 14 November 2021 (UTC)Reply

This is a question specific to the particular OAuth Application and not the general OAuth service. It can only be answered by someone with knowledge of the application itself. I believe that the "Data Retention and Handling" section https://wikipedialibrary.wmflabs.org/terms/ covers your question, but I encourage you to contact the project directly if you have further concerns. BDavis (WMF) (talk) 00:50, 15 November 2021 (UTC)Reply

Autoconfirmed users



I want to use batch processing in Quickstatements but I have this message: You can't create a new batch, because you are not autoconfirmed


Can someone help me obtain this confirmation? My account was created on November 1 and I have made more than 30 contributions. RStPierre (talk) 19:59, 9 November 2022 (UTC)Reply

d:Help:QuickStatements is probably a better place to get support for using the Quickstatements tool. I do see there a link to d:Wikidata:Autoconfirmed users which includes the text "Although the precise requirements for autoconfirmed status vary according to circumstances, most Wikidata user accounts that are more than four days old and have more than 50 edits are considered autoconfirmed." BDavis (WMF) (talk) 00:19, 10 November 2022 (UTC)Reply
Thank you BDavis 70.81.84.132 (talk) 02:59, 10 November 2022 (UTC)Reply

OAuth 2.0 JWT validation



What key is used to sign the JWT (Bearer Token) returned? Gam3 (talk) 15:23, 25 June 2023 (UTC)Reply

$wgOAuth2PrivateKey (as noted on the extension page). Tgr (WMF) (talk) 18:43, 25 June 2023 (UTC)Reply
That is the question I am asking. What is that variable set to by the Wikipedia API? Gam3 (talk) 04:00, 27 June 2023 (UTC)Reply
As the variable name might suggest, it's a private key. Tgr (WMF) (talk) 13:24, 27 June 2023 (UTC)Reply
And where can I find the public half of that key? Gam3 (talk) 04:17, 28 June 2023 (UTC)Reply
I don't think we are making it public. You are unlikely to need it, it's used by code that needs to authorize access based on OAuth grants.
In theory it could be made public though - if you have a use case, please file a task to discuss it. Tgr (WMF) (talk) 18:51, 28 June 2023 (UTC)Reply
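As an added example (not code from this thread or from MediaWiki): because the public half of the signing key is not published, a client can decode the bearer token to read claims such as `exp`, but cannot verify its signature and so should treat the contents as informational only. The sample token, its `RS256` header and all claim values are constructed assumptions.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def inspect_jwt(token: str, now=None) -> dict:
    """Decode header and claims of a compact JWT WITHOUT verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    exp = claims.get("exp")
    return {
        "alg": header.get("alg"),
        "claims": claims,
        "expired": exp is not None and now >= exp,
        # No public key is available, so this function can never set True.
        "signature_verified": False,
    }


def make_sample_token() -> str:
    # Constructed sample: header, claims and "signature" are made up.
    header = {"typ": "JWT", "alg": "RS256"}
    claims = {"aud": "constructed-client-id", "sub": "12345",
              "iat": 1700000000, "exp": 1700014400}
    segments = (json.dumps(header).encode(), json.dumps(claims).encode(),
                b"not-a-real-signature")
    return ".".join(_b64url_encode(s) for s in segments)


if __name__ == "__main__":
    print(inspect_jwt(make_sample_token(), now=1700000001))
```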

Unable to get an access token



Could you help me understand the issue? I am using this endpoint to get an access token https://www.wikidata.org/w/rest.php/oauth2/access_token?client_credentials=client_credentials and providing client id and client secret.


{
  "error": "access_denied",
  "error_description": "The resource owner or authorization server denied the request.",
  "hint": "Client 4ab9e80d07a34633cdeab291fd8ead6a is not usable by user with ID 0",
  "message": "The resource owner or authorization server denied the request."
}

Dmytrodruppov (talk) 14:57, 11 December 2023 (UTC)Reply

4ab9e80d07a34633cdeab291fd8ead6a is an owner-only consumer, you should already have an access token for it. If you don't, just reset it via m:Special:OAuthConsumerRegistration/update/4ab9e80d07a34633cdeab291fd8ead6a. Tgr (WMF) (talk) 23:43, 11 December 2023 (UTC)Reply

Requesting guidance


Greetings; I would be grateful if you could guide me on connecting Wikipedia with other applications, and also let me know what this is done for. With many thanks. Sina rain (talk) 17:34, 13 October 2024 (UTC)Reply

Try OAuth/For Developers or https://api.wikimedia.org/wiki/Authentication (neither has a Persian translation, unfortunately). Tgr (WMF) (talk) 13:40, 14 October 2024 (UTC)Reply

E006 - mwoauthserver-bad-consumer-key


Hi, little bit lost here. Every time I try to go to Special:OAuth/authorize?response_type=code&client_id=(Consumer key) from my apps it's telling me OAuth app ID is not recognized.

Anyone any ideas? Thanks GamingTwist (talk) 13:42, 14 February 2025 (UTC)Reply

1. Are you sure you are using the correct URL? /w/rest.php/oauth2/authorize?…; 2. You have not registered your application (WMF wikis only). Sorry for my English. Iluvatar (talk) 17:27, 14 February 2025 (UTC)Reply
Thank you - That was it, I'm self-hosting an instance and had my proxy misconfigured so the rest.php/oauth didn't work so was doing it on {siteroot}/Special:OAuth/authorize. GamingTwist (talk) 18:51, 14 February 2025 (UTC)Reply