Page MenuHomePhabricator
Create Task
Maniphest T59500

Impossible to use https://www.mediawiki.org/wiki/Special:OAuth/initiate?format=&oauth_callback= style URL
Open, MediumPublicFeature
Actions

Description

It keeps telling me "Invalid signature".

I have to use https://www.mediawiki.org/w/index.php?title=Special:OAuth/initiate&format=&oauth_callback=

Version: unspecified
Severity: enhancement

Details

Reference
bz57500

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 2:41 AM
bzimport added a project: MediaWiki-extensions-OAuth.
bzimport set Reference to bz57500.
bzimport added a subscriber: Unknown Object (MLST).
liangent created this task.Nov 24 2013, 8:06 AM
csteipp added a comment.Nov 25 2013, 6:09 PM

This is due to MediaWiki core adding title to the list of incoming parameters, even when it wasn't requested. I'll add that to some developer notes I'm putting together.

bd808 moved this task from Backlog to Consumer wants on the MediaWiki-extensions-OAuth board.Mar 6 2015, 10:51 PM
Aklapper mentioned this in T59576: GET call to Special:OAuth/$par without query strings (but with Authorization header) shouldn't be redirected to pretty URLs.Mar 17 2015, 10:59 AM
Ricordisamoa subscribed.Jun 29 2015, 8:42 PM
Tgr mentioned this in T155945: Review Mediawiki OAuth backend for python-social-auth.Jan 22 2017, 7:54 PM
Tgr mentioned this in T167813: Requests with an owner-only consumers results in a "Invalid signature" error.Jun 20 2017, 4:05 PM
Tgr subscribed.Oct 31 2017, 9:49 PM

I think the most realistic path foward is to have the extension generate the pretty URL (or maybe have something like MWOAuthRequest::fromRequestVariants() which returns an array or MWOAuthRequest objects), and if OAuth signature verification fails, try it with other URLs. Same in the opposite direction with T59576.

Tgr added a project: User-Tgr.Oct 31 2017, 9:49 PM
Samwilson awarded a token.Jan 23 2019, 6:08 PM
Aklapper removed subscribers: Anomie, wikibugs-l-list.Oct 16 2020, 5:02 PM
Aklapper changed the subtype of this task from "Task" to "Feature Request".Feb 4 2022, 12:23 PM
tstarling subscribed.Jul 26 2022, 5:13 AM

Note that I'm baking this bug into the ATS config in gerrit 817086. If this bug is ever fixed, the rule will have to be updated.

Tgr mentioned this in T332650: Frequent OAuth failures on Wikimedia wikis since eqiad was repooled due to db-mainstash replication lag.Mar 21 2023, 6:53 AM
Tgr added a comment.Mar 21 2023, 7:17 AM
In T59500#8103649, @tstarling wrote:

Note that I'm baking this bug into the ATS config in gerrit 817086. If this bug is ever fixed, the rule will have to be updated.

There are ~1000 failed requests to nice URLs in the last 90 days, from several different applications. We only log errors, so that doesn't necessarily mean the nice URL works (in some cases?) but it's at least suggestive. We should probably support it just in case.

Tgr mentioned this in T74186: Varnish: Mobile site redirect interferes with OAuth authorization process.Nov 26 2023, 8:52 AM
Krinkle mentioned this in T214998: RFC: Serve mobile and desktop variants through the same URL (unified mobile routing).Sep 5 2025, 4:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits