Help talk:OAuth

Is the page sufficiently stable to enable the translation? (poke User:DGarry (WMF))

Could someone review the page (just typo for the last change) before activating translation? ~ Seb35 [^_^] 14:24, 25 November 2013 (UTC)Reply

I don't see the content significantly changing any time soon, so I think the page should be stable enough for translation. Thanks! Dan Garry, Wikimedia Foundation (talk) 15:02, 25 November 2013 (UTC)Reply

My application would like to know the usernames of Wikipedia users, so that people don't have to sign up for yet another service. It wouldn't actually run any action on Wikipedia. Does it make sense to use OAuth for that, or is there a better alternative? Dnaber (talk) 19:58, 29 November 2013 (UTC)Reply

Hi Dnaber,

You can retrieve a user's username using the API. The query you can use for this is: https://en.wikipedia.org/w/api.php?format=json&action=query&meta=userinfo

That said, I suspect what you're actually asking me is "Can my website somehow use OAuth as an authentication method, so that users can sign in using their Wikipedia credentials?". The answer to that is that you can, but you shouldn't. If it's being used for authentication, the OAuth protocol is susceptible to man-in-the-middle attacks. The use of HTTPS mitigates that somewhat, but the vulnerability is still theoretically there. We'd highly recommend not using OAuth for authentication.

We're exploring the possibility of making Wikimedia wikis an OpenID provider which would allow you to use Wikimedia credentials for authorisation. We don't know if or when we'll start working on that, though.

Please let me know if you need any more information. Dan Garry, Wikimedia Foundation (talk) 16:13, 9 December 2013 (UTC)Reply

The above answer is now outdated. You can send an OAuth-authorized request to Special:OAuth/identify which will return user identity in a JWT (signed JSON token). As long as you properly validate the signature, this is safe and does not suffer from the vulnerability mentioned above. Tgr (WMF) (talk) 08:21, 13 May 2017 (UTC)Reply

So, how do I register my application? It seems like that's a thing that should be mentioned on the Help page... Magnus Manske (talk) 11:36, 6 December 2013 (UTC)Reply

Never mind, found it, and added to the Help page. Magnus Manske (talk) 12:55, 6 December 2013 (UTC)Reply

Hi Magnus,

Thanks for adding that link. It's possible I might make a help page for OAuth developers in the future which we can put that on, but for now I think it's helpful to have on the main help page.

Your application's already been approved. Let me know if I can help more. Dan Garry, Wikimedia Foundation (talk) 16:04, 9 December 2013 (UTC)Reply

Ok thanx 1.38.27.133 23:21, 7 December 2013 (UTC)Reply

Where do we find OAuth-compatible applications that people can use? There should be a list of them, and it should be linked-to from here. — SMcCandlish  Talk⇒ ɖ^⊝כ^⊙þ Contrib. 05:31, 22 June 2014 (UTC)Reply

There's a list on Special:OAuthListConsumers. Legoktm (talk) 05:44, 22 June 2014 (UTC)Reply

I registered this application on 20 June, is there any thing I need to do to get an approval? Anorange0409 (talk) 08:03, 23 June 2014 (UTC)Reply

You can just use it, but it is currently not useful, since you don't make "Edit existing pages" applicable to consumer. GZWDer (talk) 12:20, 30 October 2014 (UTC)Reply

I would like an answer to this too. I have a consumer for "Video Editing Server" that was proposed 10 days ago, and it is still not approved. In its proposed state, only my user account can use it to let the app get an access token. This is inhibiting other people from developing and testing. Ddennedy (talk) 20:16, 28 November 2014 (UTC)Reply

Is it possible to totally disable that ability, so that it will not be enabled for some reason by accident? Xoristzatziki (talk) 20:28, 23 August 2014 (UTC)Reply

Disable which ability? Legoktm (talk) 01:12, 28 August 2014 (UTC)Reply

@Legoktm @Xoristzatziki Thanks Lenna-commons (talk) 00:53, 25 January 2016 (UTC)Reply

How does one change or request a change to the callback URL? The manage page only lets you change the RSA key and IP addresses. Ddennedy (talk) 20:23, 28 November 2014 (UTC)Reply

You have to request a new consumer token, with an incremented version number. Sam Wilson 06:49, 18 September 2016 (UTC)Reply

~Is there some clarification on where/why Oauth is disabled for blocked IPs. I'm seeing some failed login attempts for unblocked users operating on schoolblocked IPs and I want to know what the exact check is. thanks. Adam (Wiki Ed) (talk) 21:30, 28 September 2015 (UTC)Reply

Hi Adam, users shouldn't (can't) use OAuth to login-- the login api calls are explicitly disabled. Are you seeing failures when potential users are logging in to authorize the Consumer? Or is the Consumer's api calls failing, because it's running from a blocked IP? Test aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (talk) 05:04, 10 October 2015 (UTC)Reply

@CSteipp (WMF) thanks for the reply and sorry for not noticing it. I'm talking about the latter, (API calls failing). They're logged in or reported as much. Adam (Wiki Ed) (talk) 19:51, 6 November 2015 (UTC)Reply

Blocking will work the same way for OAuth requests as normal requests (but keep in mind that the IP will be that of the server hosting the OAuth application, not the real user).

Some plans to make block handling more flexible are in T159889 and T110249. Tgr (WMF) (talk) 08:31, 13 May 2017 (UTC)Reply

While this article leaves impression that OAuth is secure, Wikipedia in English claims the opposite for both protocol version 1.0 and 2.0. So, is there a safe way to use it and avoid the risks? DarkoS (talk) 19:19, 10 January 2016 (UTC)Reply

Hi @DarkoS, when implementing OAuth for MediaWiki, we made many deliberate choices to prevent known attacks, and encourage good practices by the developers who will be connecting their tools to the wiki via OAuth.

That said, how "secure" it is depends on what aspect you are looking at, and what threat models your concerned with.

• From the perspective of your server running the OAuth extension, the extension should not expose your server to any additional risk. The code has been well reviewed, and we haven't had any sql/code injections through the extension yet. The extension is supported by the WMF, so any security updates will be announced and patched.
• From the perspective of your users, OAuth has the advantage that it allows other tools to edit as them, without requiring the user to give them their password. The OAuth tokens have limited rights, and can be revoked. If your users are going to have tools edit on their behalf, using OAuth is significantly more secure than having the tool login with the user's password.
• It's entirely possible that another protocol level attack against OAuth 1.0a will be discovered, allowing an attacker to authorize their Consumer without the user's knowledge, or convince the user they are authorizing a different Consumer. Again, this extension is supported with the WMF, so we would patch that as a security issue, if we were ever made aware that that was possible.
• The claims on enwiki about phising have some merit, but I would say it's just as easy for an attacker to redirect users to a site they control "to login for OAuth" as it is to redirect them to fake copy of any wiki, and encourage the user to login. If you think that is a legitimate risk for you users, and the risk outweighs the benefits, then OAuth is not right for you.

Hope that helps! Test aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (talk) 00:12, 23 January 2016 (UTC)Reply

While developing an application, it is often the case that one needs the callback URL to be something like http://localhost/myapp/. Is it acceptable to request consumer tokens for this?

I see that some consumers have been approved that do this (for example), so perhaps it's fine.

If it is, maybe it'd be worth adding something to the documentation saying something along the lines of "A separate consumer should be created for each stage of an application's development (e.g. testing, staging, and production)." Sam Wilson 07:00, 18 September 2016 (UTC)Reply

According to tgr on IRC: yep, it's fine to request additional consumers for this purpose. Sam Wilson 07:23, 18 September 2016 (UTC)Reply

I try sign up phabricar Shavene (talk) 17:27, 2 December 2016 (UTC)Reply

Hi there, I have a question about the OAuth-session. When I close the browser window, the session cookie will be deleted (look at this PHP-example). Is there any possibility, to "renew" the login without passing the whole process (click on grant access)? Thank you very much! FNDE (talk) 17:07, 5 January 2017 (UTC)Reply

If you are using an authentication only grant, yes. See OAuth/For_Developers#Avoid_repetitive_login_prompts BDavis (WMF) (talk) 17:35, 5 January 2017 (UTC)Reply

This is what I'm looking for, thank you! Is there a way to pass the authentication without a redirect? Maybe with CURL? FNDE (talk) 18:19, 5 January 2017 (UTC)Reply

No, the user's browser is needed to interact with the OAuth server and get the request signed. You can however store the tokens that are returned from the handshake callback. They do not expire, but can be revoked by the user via Special:OAuthManageMyGrants. On your app side you will still need some way to re-associate the user and the credentials that you persist. BDavis (WMF) (talk) 19:57, 5 January 2017 (UTC)Reply

How to my mind connecting Facebook to Wikipedia how to add? --White Gold AJ Gaspar (talk) 12:23, 14 January 2017 (UTC)Reply

Try Extension:OAuthAuthentication BDavis (WMF) (talk) 17:48, 24 February 2017 (UTC)Reply

Complete newbie & noob on this type of subject matter.

I'd like to think I'm neither the first or the only one that would like to set up Google Authentication on an Mediawiki instance.

Any help or pointers is appreciated.

Thanks,

Roy Rpammeraal (talk) 17:33, 24 February 2017 (UTC)Reply

You should look into Extension:GoogleLogin. Legoktm (talk) 19:20, 24 February 2017 (UTC)Reply

I would like to use Oauth to help people login or register on my wiki with sites such as Facebook, Twitter, Google, Microsoft etc. How do I go about that? Tribly (talk) 08:33, 19 April 2017 (UTC)Reply

Look at the existing user identity extensions such as GoogleLogin, Facebook, TwitterLogin, ULogin...

GoogleLogin is well-maintained, the others probably not so much. Tgr (WMF) (talk) 08:17, 13 May 2017 (UTC)Reply

I can see translation need for OAuth project on https://phabricator.wikimedia.org/T158564 How can I translate in gu(Gujarati) language? Drashtikaushik (talk) 12:18, 30 August 2017 (UTC)Reply

Translations are done on translatewiki: https://translatewiki.net/wiki/Special:Translate?action=translate&group=ext-oauth&language=gu&filter=%21translated BDavis (WMF) (talk) 18:09, 30 August 2017 (UTC)Reply

Or if you want to translate this wiki page, just click on the small "Translate this page" link on top. Tgr (WMF) (talk) 19:48, 30 August 2017 (UTC)Reply

thanks @BDavis (WMF) and @Tgr (WMF) What is priority task for this project? I will do accordingly. Drashtikaushik (talk) 08:26, 31 August 2017 (UTC)Reply

The Gujarati community and/or the proposer of T158564 can probably better answer that. Tgr (WMF) (talk) 18:21, 31 August 2017 (UTC)Reply

HI, i tried using flickr2commons but its say "You haven't authorized this application yet!" and when i go to here, this message appear "Sorry, something went wrong connecting this application. Go back and try to connect your account again, or contact the application author.

OAuth token not found, E004"

but in Special:OAuthManageMyGrants it show that i have Allowed OAuth Uploader on All projects . what seem to be the problem.? thank you. Mojackjutaily (talk) 04:25, 29 September 2017 (UTC)Reply

You should report this to the flickr2commons author. At a guess the tool is having problems with the cache backend it uses. Tgr (WMF) (talk) 18:48, 30 September 2017 (UTC)Reply

FWIW I can sort of reproduce, although in my case the error is Error retrieving token: mwoauthdatastore-request-token-not-found Tgr (WMF) (talk) 18:49, 30 September 2017 (UTC)Reply

Thank you i dont know what happened but its working now. Mojackjutaily (talk) 00:44, 1 October 2017 (UTC)Reply

Hi. I'm trying to use OAuth to be able to connect to the API via python using my en.wiki admin rights, but get a "mwoauth-invalid-authorization" error when using a slightly adapted version of the example code at OAuth/Owner-only consumers#Python. Does anyone have any suggestions as to what might be causing the problem? Should I try getting new tokens? Does it make a difference that I've activated 2FA? Smartse (talk) 22:24, 23 February 2018 (UTC)Reply

Normally that would mean that the consumer is waiting for admin approval, but there doesn't seem to be any such consumer. Are you using an owner-only consumer? If not, what's the consumer ID? Tgr (WMF) (talk) 22:46, 23 February 2018 (UTC)Reply

Yes I'm trying to use an owner-only consumer. The consumer key is here: [1] Smartse (talk) 21:44, 24 February 2018 (UTC)Reply

Owner-only consumers do not require approval and it should not possible to get that error for an owner-only consumer. Is there any chance you are using a different consumer ID in your bot configuration? Tgr (WMF) (talk) 23:54, 24 February 2018 (UTC)Reply

Sorry - been away for the last week. Hmm well I'm obviously doing something wrong! I've triple checked and am definitely using that key and the other 3 parameters as in the example code. I've tried making a new key and using those but still get the same error. The only slight difference I can see with my code compared to the example is that the example uses "customer_key" whereas I have a "consumer_token" but I assumed that these are synonymous. Smartse (talk) 22:49, 3 March 2018 (UTC)Reply

customer_key sounds wrong but I don't see it in the example, either. Apparently we do not log the consumer key for OAuth errors :/ so I cannot easily check in the server logs what went wrong - filed phab:T188848 about that.

Can you generate the error and tell the exact time it happened? Tgr (WMF) (talk) 03:40, 4 March 2018 (UTC)Reply

Yes I was a bit confused by that but there are 4 parameters and I entered them in the order that the request page spits out. The time and error are below. I am on UTC:

2018-03-04 22:30:01.808559

{u'servedby': u'mw1223', u'error': {u'info': u'The authorization headers in your request are not valid: Invalid signature', u'*': u'See https://en.wikipedia.org/w/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce&gt; for notice of API deprecations and breaking changes.', u'code': u'mwoauth-invalid-authorization'}}

As you'll see it also says the authorization header is not valid, but I figured that this wasn't the main problem since the request is served fine if I remove auth=auth. Just in case though my header is {'user-agent': 'Smartse deleted contribs - <my email>'}

Thanks very much for your help with this! Smartse (talk) 22:36, 4 March 2018 (UTC)Reply

Hi Tgr. Have you had a chance to take a look at the logs yet? Smartse (talk) 10:58, 12 March 2018 (UTC)Reply

Sorry, I got distracted. Apparently mwoauth-invalid-authorization is reused for all kinds of errors so forget what I said in my earlier comments :-/ Invalid signature means an error on your side; either the algorithm for building the authorization header is wrong (sounds like you are using the one built into the requests library so that's not very likely), or you are passing in the wrong data, or your computer's clock is off. Unfortunately we don't log any useful information for signature checks :( so the logs wouldn't tell anything interesting. Tgr (WMF) (talk) 08:04, 13 March 2018 (UTC)Reply

No worries. Thanks for trying. I will try and fiddle around more and hope I can get something to work, and failing that try a bot password instead. Smartse (talk) 14:32, 20 March 2018 (UTC)Reply

I don't quite understand why, but after trying and failing to get it to work with special:botpasswords instead, I've now got it working :D It seems as if it was a problem with the API query itself as I didn't change any of the other parameters in the request, but as I said above, it worked fine when I removed "auth=auth". Smartse (talk) 20:20, 3 April 2018 (UTC)Reply

Checking my "Manage connected applications" page after having been notified of a failed login attempt under a new device I have found out that a "Library Card [1.6]" (Publisher: Jsn.sherman) is connected to my account by using the OAuth protocol. Could somebody pls. advise me what this means? Thanks. ~ Oalexander (talk) 06:35, 16 August 2018 (UTC)Reply

That you have at some point logged into The Wikipedia Library Card Platform, and as part of the process authorized it to read your identity and email address on the Wikimedia sites. It's not related to failed logins in any way. Tgr (WMF) (talk) 07:30, 17 August 2018 (UTC)Reply

Hi,

I plan to show how to use mix'n'match to a group of newbies and I want to know if there's restrictions for using OAuth for new accounts (like "only autoconfirmed shall pass"). Simon Villeneuve (talk) 12:42, 3 May 2019 (UTC)Reply

There are no restrictions to users (see that — new acc, no edits, no flags), but developers of tools might add any restrictions in own source code. Sorry for my English. Iluvatar (talk) 13:32, 3 May 2019 (UTC)Reply

There might be unintentional limitations coming from the fact that requests through that tool all use the same IP. So if something has an IP-level rate limit for non-autoconfirmed accounts (and several things do, e.g. 8 edits per minute), that will apply. Although for an IRL presentation with everyone using the same internet connection, such limitations would apply to non-OAuth actions as well. Tgr (WMF) (talk) 19:15, 3 May 2019 (UTC)Reply

@Magnus Manske: Do it is the case with mix'n'match ? Simon Villeneuve (talk) 19:18, 3 May 2019 (UTC)Reply

i would like to know how to set my prefrences i looked in my history before and im bloked or i think i am because another ip is sharing my address and i have been thinking someone is using my ip address and email acct to do things i dont even know if this website is going to help me. can anyone give me advice? AndreaDileva (talk) 02:40, 10 October 2019 (UTC)Reply

i dont even know how to read your comment im sorry im learning how to use this sight AndreaDileva (talk) 02:47, 10 October 2019 (UTC)Reply

Are you looking for the place to make unblock requests? Tgr (WMF) (talk) 07:43, 11 October 2019 (UTC)Reply

I receive consumer key and secret key from wiki.

I have config consumer key and secret key in phabricator.

and callback url in wiki.

but the phabricator give me a exception :

Unhandled Exception (“Exception”)

Expected ‘oauth_callback_confirmed’ to be ‘true’!

could you give some help? KermitLiu (talk) 02:59, 14 October 2019 (UTC)Reply

At a wild guess, poor error handling in your client library, which receives an error and tries to verify it as if it would be a valid token (in which case indeed it should have an oauth_callback_confirmed field). Tgr (WMF) (talk) 06:48, 14 October 2019 (UTC)Reply

mediawiki as my wiki provider, phabricator as my consumer,

i use my wiki to try, https://github.com/wikimedia/mediawiki-oauthclient-php , demo directory , as my consumer, success.

and i add print commond, then the return parameter ： key,secret, oauth_callback_confirmed .

but the phabricator as the cosumer, the phabricator give me a exception.

so, the wiki is wrong, or the phabricator is wrong?

KermitLiu (talk) 08:54, 14 October 2019 (UTC)Reply

the library use https://github.com/wikimedia/phabricator-extensions KermitLiu (talk) 08:55, 14 October 2019 (UTC)Reply

We use the same setup for Wikimedia's Phabritcator so it can't be that wrong. Again, my best guess is that I think you are getting an error (which can be caused by a lot of things, wrong token configuration, out-of-sync clock, cache problems...) and Phabricator does not show the error because it does not recognize it is an error. willProcessTokenRequestResponse seems to do the right thing so maybe your wiki is returning a fatal error. Check your logs to see if that's the case.

@MModell (WMF) might be able to provide more insight. Tgr (WMF) (talk) 10:47, 14 October 2019 (UTC)Reply

thank you very much , i will try KermitLiu (talk) 01:08, 15 October 2019 (UTC)Reply

What url do you have set for the callback?

You need to specify the callback url like this:

https://your.phabricator.url/auth/login/mediawiki:/ MModell (WMF) (talk) 20:09, 10 December 2019 (UTC)Reply

Croptool keeps giving me an error message, unable to authorize it. How do I fix it (~ Monkelese15 (talk) 03:47, 29 January 2020 (UTC)Reply

Please copy the exact error message. Tgr (WMF) (talk) 06:16, 29 January 2020 (UTC)Reply

I am just beginning to sign in as a new contributor. The message reads:

(mwoauthdatastore-request-token-not-found)

The OAuth request token was not found. This is the OAuth equivalent of a session loss / CSRF error - could be caused by timeout, token reuse, the app omitting some earlier authentication step, or the token store being misconfigured on the server or being unreliable.

I am not a very savvy computer user, so will appreciate simple language in the responses. Mkayschmitt (talk) 21:47, 19 March 2020 (UTC)Reply

This can be caused by unreliable infrastructure. You should just retry a few times. Tgr (WMF) (talk) 22:28, 19 March 2020 (UTC)Reply

Since Oauth 1.0a and Oauth 2.0 are practically two different protocols, shall we make it more explicit what version it refer to here? I am a bit confused... Xinbenlv (talk) 19:45, 22 April 2020 (UTC)Reply

This is user documentation; there's not that much difference from a user's point of view. The developer documentation does discuss them separately. Tgr (WMF) (talk) 20:49, 22 April 2020 (UTC)Reply

How do I print a Wikipedia biography? 2600:1014:B1B8:18C3:68A9:E0F4:CD5E:53E (talk) 20:07, 4 May 2020 (UTC)Reply

By clicking the "Print" icon in your browser, probably?

Definitely not by asking about it on a completely unrelated talk page. Tgr (talk) 13:27, 5 May 2020 (UTC)Reply

<b>Fatal error</b>: Uncaught Exception: Error retrieving token1: {&quot;error&quot;:&quot;mwoauth-callback-not-oob-or-prefix&quot;,&quot;message&quot;:&quot;oauth_callback must be set, and must be set to \&quot;oob\&quot; (case-sensitive), or the configured callback must be a prefix of the supplied callback.&quot;,&quot;callback&quot;:&quot;api.php&quot;} in /data/project/magnustools/public_html/php/oauth.php:283 Stack trace: #0 /data/project/quickstatements/public_html/api.php(103): MW_OAuth->doAuthorizationRedirect('api.php') #1 {main} thrown in <b>/data/project/magnustools/public_html/php/oauth.php</b> on line <b>283</b><br /

I have used quickstatements successfully. I had to clear cookies for other issues and now cannot relogin. I deauthorized and now cannot use at all. Trilotat (talk) 13:54, 2 June 2020 (UTC)Reply

This appears to be a local bug in @Magnus Manske's Quickstatements tool. It may be related to his recent efforts to begin migrating his tools to the new toolforge.org domain scheme. I would suggest trying to contact him to report the bug. See wikidata:Help:QuickStatements for the community documentation on this particular tool. BDavis (WMF) (talk) 15:12, 2 June 2020 (UTC)Reply

how do i search for application name with OAuth 197.210.79.204 (talk) 07:37, 6 June 2021 (UTC)Reply

You can get a list via Special:OAuthListConsumers. Search capabilities are very limited though. Tgr (WMF) (talk) 19:36, 6 June 2021 (UTC)Reply

If I grant OAuth access to "Library Card", I will apparently share my e-mail address with it. I'm obviously fine with one WMF project seeing the e-mail address I use on another WMF project, but does this mean my e-mail address is shared with The Wikipedia Library partner companies? What other info is shared with these companies? The privacy policy link only leads to the general WMF privacy policy. Daß Wölf (talk) 22:04, 14 November 2021 (UTC)Reply

This is a question specific to the particular OAuth Application and not the general OAuth service. It can only be answered by someone with knowledge of the application itself. I believe that the "Data Retention and Handling" section https://wikipedialibrary.wmflabs.org/terms/ covers your question, but I encourage you to contact the project directly if you have further concerns. BDavis (WMF) (talk) 00:50, 15 November 2021 (UTC)Reply

I want to use batch processing in Quickstatements by I have this message : You can't create a new batch, because you are not autoconfirmed

Can someone help me obtain this confirmation. My account was created on november 1 and have made more than 30 contributions RStPierre (talk) 19:59, 9 November 2022 (UTC)Reply

d:Help:QuickStatements is probably a better place to get support for using the Quickstatements tool. I do see there a link to d:Wikidata:Autoconfirmed users which includes the text "Although the precise requirements for autoconfirmed status vary according to circumstances, most Wikidata user accounts that are more than four days old and have more than 50 edits are considered autoconfirmed." BDavis (WMF) (talk) 00:19, 10 November 2022 (UTC)Reply

Thank you BDavis 70.81.84.132 (talk) 02:59, 10 November 2022 (UTC)Reply

What key is used to sign the JWT (Bearer Token) returned. Gam3 (talk) 15:23, 25 June 2023 (UTC)Reply

$wgOAuth2PrivateKey (as noted on the extension page). Tgr (WMF) (talk) 18:43, 25 June 2023 (UTC)Reply

That is the question I am asking. What is that variable set to by Wikipedia APi. Gam3 (talk) 04:00, 27 June 2023 (UTC)Reply

As the variable name might suggest, it's a private key. Tgr (WMF) (talk) 13:24, 27 June 2023 (UTC)Reply

And where can I find the public half of that key? Gam3 (talk) 04:17, 28 June 2023 (UTC)Reply

I don't think we are making it public. You are unlikely to need it, it's used by code that needs to authorize access based on OAuth grants.

In theory it could be made public though - if you have a use case, please file a task to discuss it. Tgr (WMF) (talk) 18:51, 28 June 2023 (UTC)Reply

Could help to understand the issue? I am using this endpoint to get an access token https://www.wikidata.org/w/rest.php/oauth2/access_token?client_credentials=client_credentials and providing client id and client secret

{

"error": "access_denied",

"error_description": "The resource owner or authorization server denied the request.",

"hint": "Client 4ab9e80d07a34633cdeab291fd8ead6a is not usable by user with ID 0",

"message": "The resource owner or authorization server denied the request."

} Dmytrodruppov (talk) 14:57, 11 December 2023 (UTC)Reply

4ab9e80d07a34633cdeab291fd8ead6a is an owner-only consumer, you should already have an access token for it. If you don't, just reset it via m:Special:OAuthConsumerRegistration/update/4ab9e80d07a34633cdeab291fd8ead6a. Tgr (WMF) (talk) 23:43, 11 December 2023 (UTC)Reply