Create Task
Maniphest T399199

Update OAuth 2.0 sessions to include new JWT session data from core
Closed, ResolvedPublic
Actions

Description

Depends on T399198: Define standard JWT session data for supported session types. Probably all we want to do here is replacing the OAuthClaimStoreGetClaims hook provided by the OAuth extension (and used in the OAuthRateLimiter extension) with the core hook mentioned in that task.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Use prefixed 'sub' field in OAuth 2 access tokensoperations/mediawiki-configmaster+1 -4
Use canonical server as OAuth 1 /identify endpoint JWT issuermediawiki/extensions/OAuthmaster+4 -10
Use GetSessionJwtData hook for OAuth 2 access token JWTmediawiki/extensions/OAuthmaster+142 -44
Use central wiki as access token issuermediawiki/extensions/OAuthmaster+31 -26
Issue SessionManager-style 'sub' claims for non-owner-onlymediawiki/extensions/OAuthmaster+131 -9
Accept SessionManager-style 'sub' claims in access tokenmediawiki/extensions/OAuthmaster+23 -1
Use prefixed 'sub' field in OAuth 2 access tokens on beta clusteroperations/mediawiki-configmaster+7 -0
[WIP] Align access token JWT format with coremediawiki/extensions/OAuthmaster+19 -1
Fall back to core RSA keysmediawiki/extensions/OAuthmaster+4 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

JTweed-WMF created this task.Jul 10 2025, 1:50 PM
JTweed-WMF moved this task from Inbox to WE5.1.1 on the FY2025-26 KR 5.1 board.
Tgr updated the task description. (Show Details)Jul 10 2025, 8:20 PM
Tgr updated the task description. (Show Details)Jul 10 2025, 8:29 PM
Tgr mentioned this in T399201: Provide support for implementing session verification at the edge.Jul 10 2025, 8:35 PM
JTweed-WMF moved this task from Inbox, needs triage to Needs refinement on the MediaWiki-Platform-Team board.Jul 14 2025, 1:28 PM
JTweed-WMF moved this task from WE5.1.1 to WE5.1.2 on the FY2025-26 KR 5.1 board.Jul 24 2025, 8:58 AM
Tgr claimed this task.Aug 18 2025, 12:11 PM
Tgr moved this task from Needs refinement to In progress (DO NOT USE) on the MediaWiki-Platform-Team board.
gerritbot added a comment.Aug 24 2025, 3:02 PM

Change #1181282 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/OAuth@master] Fall back to core RSA keys

https://gerrit.wikimedia.org/r/1181282

gerritbot added a project: Patch-For-Review.Aug 24 2025, 3:02 PM
Tgr added a comment.Aug 24 2025, 3:16 PM

Probably all we want to do here is replacing the OAuthClaimStoreGetClaims hook provided by the OAuth extension (and used in the OAuthRateLimiter extension) with the core hook mentioned in that task.

That actually doesn't really make sense, since we want to set the claim asking for a higher rate limit on OAuth requests specifically. If someone has e.g. paid Wikimedia Enterprise for higher API rate limits, we want their OAuth-authenticated API requests to have higher quotas, but their cookie-authenticated API or web requests not (or do we?).

More pragmatically, OAuthRateLimiter is based on per-client settings, it would be a lot of refactoring with no obvious gain to make it user-based instead.

Tgr added a comment.Aug 24 2025, 8:17 PM

JWTs generated in T399200: Update existing cookie-based sessions to include JWT cookie look like this:

{
  "exp": <timestamp>,
  "iat": <timestamp>,
  "iss": "<meta-url>",
  "jti": "<random>",
  "sub": "mw:CentralAuth::<central-id>",
  "sxp": <timestamp>
}

JWTs currently generated by OAuth 2 look like this:

{
 "aud": [ "<client-id>" ],
 "exp": <timestamp>,
 "iat": <timestamp>,
 "iss": "<current-wiki-url>",
 "jti": "<random>", // used as oauth2_access_tokens.oaat_identifier in the DB
 "nbf": <timestamp>,
 "scopes": [ ... ],
 "sub": "<central-id>"
}

Some of the difference is normal and necessary (cookie-based sessions aren't associated with a client application so there is nothing useful to put into aud; they also don't have any concept of scopes; OAuth 2 has a well-defined process of replacing an invalid access token, which can be triggered from the edge with the right kind of error response, while for cookies an edge error would effectively block the user from doing anything including logging in), some is immaterial (the random nonces for jti have a different format; OAuth sets nbf even though it's the same as iat so it's pointless). The rest should ideally be unified though:

  • We should be consistent in what wiki use as the issuer (the current wiki vs. the central wiki of the farm - the central wiki probably makes more sense). Currently we use whichever wiki was used for the authorization dialog or refresh request.
  • OAuth sub is just the central user ID. SessionManager sub is mw:<CentralIdLookup scope>:<central user ID>. The latter is more robust, and can be used for throttling etc. on the edge without risk of confusing users of different wikis (when at least one is non-SUL).

If we make changes on the OAuth side, we need to ensure backwards compatibility - invalidating current accept tokens at once would be quite disruptive.

gerritbot added a comment.Aug 25 2025, 12:28 AM

Change #1181308 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/OAuth@master] [WIP] Align access token JWT format with core

https://gerrit.wikimedia.org/r/1181308

gerritbot added a comment.Sep 1 2025, 7:49 PM

Change #1181282 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] Fall back to core RSA keys

https://gerrit.wikimedia.org/r/1181282

ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.17; 2025-09-02).Sep 1 2025, 8:00 PM
Tgr renamed this task from Update OAuth 2.0 sessions to include new session data to Update OAuth 2.0 sessions to include new JWT session data from core.Sep 9 2025, 11:41 AM
Tgr mentioned this in T405578: api-gateway helm chart: use JWT to determine rate limit for rest routes.Sep 25 2025, 12:09 PM
gerritbot added a comment.Sep 28 2025, 8:53 PM

Change #1191860 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/OAuth@master] Use central wiki as access token issuer

https://gerrit.wikimedia.org/r/1191860

gerritbot added a comment.Oct 26 2025, 10:40 PM

Change #1198712 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/OAuth@master] Use GetSessionJwtData hook for OAuth 2 access token JWT

https://gerrit.wikimedia.org/r/1198712

gerritbot added a comment.Oct 26 2025, 10:41 PM

Change #1198713 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/OAuth@master] Accept SessionManager-style 'sub' claims in access token

https://gerrit.wikimedia.org/r/1198713

gerritbot added a comment.Oct 26 2025, 10:41 PM

Change #1198714 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/OAuth@master] Issue SessionManager-style 'sub' claims for non-owner-only

https://gerrit.wikimedia.org/r/1198714

gerritbot added a comment.Oct 28 2025, 6:18 PM

Change #1191860 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] Use central wiki as access token issuer

https://gerrit.wikimedia.org/r/1191860

ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.1; 2025-11-05).Oct 28 2025, 7:00 PM
bd808 mentioned this in T408721: test_identity test of oauth_tests.TestOauthLoginManager fails on wpbeta.Oct 30 2025, 3:38 PM
bd808 added a subtask: T408721: test_identity test of oauth_tests.TestOauthLoginManager fails on wpbeta.
Xqt subscribed.Oct 30 2025, 4:09 PM
Tgr edited projects, added User-notice; removed Epic.Oct 31 2025, 11:19 AM

Proposed Tech News message:

  • The JWT issuer field in OAuth 2 access tokens for SUL wikis has been changed to https://meta.wikimedia.org. Old access tokens will continue working.
  • The JWT subject field in OAuth 2 access tokens will soon change from <user id> to mw:<identity type>:<user id> where <identity type> is typically CentralAuth: (for SUL wikis) or local:<wiki id> (for other wikis). This is to avoid conflicts between different user ID types, and to make OAuth 2 access tokens and the sessionJwt cookie more consistent. Old access tokens will continue to work.
gerritbot added a comment.Oct 31 2025, 11:35 AM

Change #1200329 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/OAuth@master] Use canonical server as OAuth 1 /identify endpoint JWT issuer

https://gerrit.wikimedia.org/r/1200329

gerritbot added a comment.Oct 31 2025, 3:13 PM

Change #1200329 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] Use canonical server as OAuth 1 /identify endpoint JWT issuer

https://gerrit.wikimedia.org/r/1200329

gerritbot added a comment.Nov 1 2025, 10:57 PM

Change #1198712 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] Use GetSessionJwtData hook for OAuth 2 access token JWT

https://gerrit.wikimedia.org/r/1198712

Tgr closed subtask T408721: test_identity test of oauth_tests.TestOauthLoginManager fails on wpbeta as Resolved.Nov 3 2025, 3:50 PM
STei-WMF subscribed.Tue, Nov 4, 2:12 PM

@Tgr user-notice was added and I am following up if this will this be useful to communicate via Tech News? If yes, how can we word it?

Tgr added a comment.Wed, Nov 5, 4:35 PM

@STei-WMF see T399199#11330999 for proposed wording.

gerritbot added a comment.Thu, Nov 6, 12:23 AM

Change #1198713 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] Accept SessionManager-style 'sub' claims in access token

https://gerrit.wikimedia.org/r/1198713

gerritbot added a comment.Thu, Nov 6, 12:23 AM

Change #1198714 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] Issue SessionManager-style 'sub' claims for non-owner-only

https://gerrit.wikimedia.org/r/1198714

ReleaseTaggerBot edited projects, added MW-1.46-notes (1.46.0-wmf.2; 2025-11-12); removed MW-1.46-notes (1.46.0-wmf.1; 2025-11-05).Thu, Nov 6, 1:01 AM
matmarex added a project: MediaWiki-extensions-OAuth.Thu, Nov 6, 1:44 AM
matmarex subscribed.Thu, Nov 6, 1:40 PM
In T399199#11330999, @Tgr wrote:

Proposed Tech News message:

  • The JWT issuer field in OAuth 2 access tokens for SUL wikis has been changed to https://meta.wikimedia.org. Old access tokens will continue working.
  • The JWT subject field in OAuth 2 access tokens will soon change from <user id> to mw:<identity type>:<user id> where <identity type> is typically CentralAuth: (for SUL wikis) or local:<wiki id> (for other wikis). This is to avoid conflicts between different user ID types, and to make OAuth 2 access tokens and the sessionJwt cookie more consistent. Old access tokens will continue to work.

I added it to https://meta.wikimedia.org/wiki/Tech/News/2025/46, feel free to edit it. I added links to all the technical terms like all the terms like JWT, SUL, OAuth, but I'm not sure whether that's right.

matmarex moved this task from To Triage to In current Tech/News draft on the User-notice board.Thu, Nov 6, 1:40 PM
gerritbot added a comment.Thu, Nov 6, 6:26 PM

Change #1202766 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[operations/mediawiki-config@master] Use prefixed 'sub' field in OAuth 2 access tokens on beta & testwiki

https://gerrit.wikimedia.org/r/1202766

gerritbot added a comment.Thu, Nov 6, 6:31 PM

Change #1202768 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[operations/mediawiki-config@master] Use prefixed 'sub' field in OAuth 2 access tokens

https://gerrit.wikimedia.org/r/1202768

gerritbot added a comment.Thu, Nov 6, 10:55 PM

Change #1202766 merged by jenkins-bot:

[operations/mediawiki-config@master] Use prefixed 'sub' field in OAuth 2 access tokens on beta cluster

https://gerrit.wikimedia.org/r/1202766

Stashbot added a comment.Thu, Nov 6, 11:02 PM

Mentioned in SAL (#wikimedia-operations) [2025-11-06T23:02:29Z] <cjming@deploy2002> Started scap sync-world: Backport for [[gerrit:1201826|Use wikimedia.org as the "server" for the wiki-agnostic RESTbase specs]], [[gerrit:1202766|Use prefixed 'sub' field in OAuth 2 access tokens on beta cluster (T399199)]], [[gerrit:1202807|Re-run xLab MW Module Loaded experiment v2 (T401705)]]

Stashbot mentioned this in T401705: Implement debugging for events in the Javascript SDK.Thu, Nov 6, 11:02 PM
Stashbot added a comment.Thu, Nov 6, 11:04 PM

Mentioned in SAL (#wikimedia-operations) [2025-11-06T23:04:47Z] <cjming@deploy2002> cjming, tgr, aaron: Backport for [[gerrit:1201826|Use wikimedia.org as the "server" for the wiki-agnostic RESTbase specs]], [[gerrit:1202766|Use prefixed 'sub' field in OAuth 2 access tokens on beta cluster (T399199)]], [[gerrit:1202807|Re-run xLab MW Module Loaded experiment v2 (T401705)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there

Stashbot added a comment.Thu, Nov 6, 11:11 PM

Mentioned in SAL (#wikimedia-operations) [2025-11-06T23:11:02Z] <cjming@deploy2002> Finished scap sync-world: Backport for [[gerrit:1201826|Use wikimedia.org as the "server" for the wiki-agnostic RESTbase specs]], [[gerrit:1202766|Use prefixed 'sub' field in OAuth 2 access tokens on beta cluster (T399199)]], [[gerrit:1202807|Re-run xLab MW Module Loaded experiment v2 (T401705)]] (duration: 08m 34s)

gerritbot added a comment.Fri, Nov 7, 2:15 PM

Change #1181308 abandoned by Gergő Tisza:

[mediawiki/extensions/OAuth@master] [WIP] Align access token JWT format with core

Reason:

Ended up implementing it in a different way than what was sketched out here, will see how well it works out.

https://gerrit.wikimedia.org/r/1181308

STei-WMF moved this task from In current Tech/News draft to Already announced/Archive on the User-notice board.Tue, Nov 11, 7:54 PM
Tgr mentioned this in T410085: Repeat OAuth failures in translatewiki.net with Pywikibot.Thu, Nov 13, 8:32 PM
Nemoralis subscribed.Mon, Nov 17, 4:31 AM

Please take a look at https://commons.wikimedia.org/wiki/Commons:Village_pump/Technical#Special_name_space_redirect

gerritbot added a comment.Wed, Nov 19, 2:58 PM

Change #1202768 merged by jenkins-bot:

[operations/mediawiki-config@master] Use prefixed 'sub' field in OAuth 2 access tokens

https://gerrit.wikimedia.org/r/1202768

Stashbot added a comment.Wed, Nov 19, 2:58 PM

Mentioned in SAL (#wikimedia-operations) [2025-11-19T14:58:45Z] <tgr@deploy2002> Started scap sync-world: Backport for [[gerrit:1202768|Use prefixed 'sub' field in OAuth 2 access tokens (T399199)]]

Stashbot added a comment.Wed, Nov 19, 3:03 PM

Mentioned in SAL (#wikimedia-operations) [2025-11-19T15:03:37Z] <tgr@deploy2002> tgr: Backport for [[gerrit:1202768|Use prefixed 'sub' field in OAuth 2 access tokens (T399199)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Stashbot added a comment.Wed, Nov 19, 3:15 PM

Mentioned in SAL (#wikimedia-operations) [2025-11-19T15:15:29Z] <tgr@deploy2002> Finished scap sync-world: Backport for [[gerrit:1202768|Use prefixed 'sub' field in OAuth 2 access tokens (T399199)]] (duration: 16m 43s)

Tgr closed this task as Resolved.Wed, Nov 19, 3:23 PM
Maintenance_bot removed a project: Patch-For-Review.Wed, Nov 19, 3:30 PM
Nemoralis unsubscribed.Wed, Nov 19, 4:08 PM
Maintenance_bot edited projects, added User-notice-archive; removed User-notice.Sat, Nov 29, 4:30 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits