Invalid client secrets in API Portal
Closed, ResolvedPublic2 Estimated Story PointsBUG REPORT
Actions

Assigned To

Authored By

	apaskulin
	May 24 2021, 11:38 PM

Description

Expected behavior

OAuth client secrets created or reset through the API Portal are valid and unique.

Observed behavior

OAuth client secrets recently created or reset through the API Portal are shared between clients and result in an invalid client error when fetching an access token.

# Get auth code
https://meta.wikimedia.org/w/rest.php/oauth2/authorize?client_id=CLIENT_ID_HERE&response_type=code

# Get access token
curl -X POST -F 'grant_type=authorization_code' \
-F 'code=AUTH_CODE_HERE' \
-F 'client_id=CLIENT_ID_HERE' \
-F 'client_secret=CLIENT_SECRET_HERE' \
https://meta.wikimedia.org/w/rest.php/oauth2/access_token

# Error
{"error":"invalid_client","error_description":"Client authentication failed","message":"Client authentication failed"}

I was able to replicate this error with secrets that were reset on May 24, 2021. The last time I tested this successfully was February 8, 2021. Client secrets reset via Meta work as expected. Could be related to similar past issue T264457: Client secret shared between clients

Details

	Subject	Repo	Branch	Lines +/-
	Fix client secret display after reset on API Portal	mediawiki/extensions/OAuth	master	+4 -13

Customize query in gerrit

Related Objects
Search...

Status	Subtype	Assigned	Task
Open		None	T284344 Streamline API Portal Onboarding Experience
Resolved		VirginiaPoundstone	T301375 API Platform Clinic Duty
Resolved	BUG REPORT	BPirkle	T283552 Invalid client secrets in API Portal

Event Timeline

apaskulin created this task.May 24 2021, 11:38 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 24 2021, 11:38 PM

• AMooney triaged this task as Medium priority.May 25 2021, 3:23 PM

• AMooney moved this task from Inbox to Later on the Platform Team Workboards (Clinic Duty Team) board.

Ameisenigel moved this task from Backlog to Tech debt on the API-Portal board.May 26 2021, 10:53 AM

• sdkim subscribed.May 26 2021, 3:30 PM

• sdkim added a project: API Platform.Jun 10 2021, 2:42 PM

• sdkim changed the subtype of this task from "Task" to "Bug Report".Jun 10 2021, 2:49 PM

• sdkim moved this task from Incoming to Must do now on the API Platform board.Jul 21 2021, 6:31 PM

• sdkim moved this task from Must do now to Needs Grooming on the API Platform board.Jul 27 2021, 6:25 PM

• nnikkhoui subscribed.Aug 16 2021, 5:09 PM

apaskulin removed a project: Platform Team Workboards (Clinic Duty Team).Aug 20 2021, 5:55 PM

apaskulin updated the task description. (Show Details)Dec 1 2021, 12:23 AM

• sdkim set the point value for this task to 2.Dec 2 2021, 5:13 PM

• sdkim moved this task from Needs Grooming to Must do now on the API Platform board.

• sdkim added a parent task: T284344: Streamline API Portal Onboarding Experience.Dec 3 2021, 5:13 PM

• DAbad raised the priority of this task from Medium to High.Jan 27 2022, 5:15 PM

• DAbad moved this task from Must do now to Should do next on the API Platform board.

• DAbad moved this task from Should do next to Must do now on the API Platform board.

BPirkle claimed this task.Jan 31 2022, 7:58 PM

BPirkle moved this task from Must do now to Backlog on the API Platform board.

I've reproduced what seems to be the same behavior on my local.

Assuming I've reproduced it correctly, then the $clientAccess->getSecretKey() call on line 60 of AbstractClientHandler is actually returning an error message (mwoauth-field-private) and not the actual secret key. The Utils::hmacDBSecret() call on that same line therefore receives an instance of Message rather than a key.

Because the Message instance is the same in all cases, it happily hashes to the same value for all clients (and is equally useless as a secret key for all of them).

Next steps:

figure out why we're getting an error instead of the actual key (and fix)
make this code more robust so that it recognizes errors instead of hashing Message objects

Followup:

Looks like this was already fixed once here:
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OAuth/+/633551

But then that fix was (maybe inadvertently?) reverted as part of a larger change here:
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OAuth/+/657386

In fact, the logic in the section of interest can be simplified a bit, as the test for valid client is already covered by the $status->isGood() test, and we already return to the caller an appropriate error message in that case.

Patch incoming.

Change 759753 had a related patch set uploaded (by BPirkle; author: BPirkle):

[mediawiki/extensions/OAuth@master] Restore fix from https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OAuth/+/633551 that was (maybe inadvertently?) reverted in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OAuth/+/657386

https://gerrit.wikimedia.org/r/759753

gerritbot added a project: Patch-For-Review.Feb 4 2022, 6:16 PM

Atieno added a parent task: T301375: API Platform Clinic Duty.Feb 9 2022, 4:30 PM

@nnikkhoui to review patch this week

• DAbad moved this task from Backlog to QA/Review on the API Platform board.Feb 22 2022, 2:13 PM

Change 759753 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] Fix client secret display after reset on API Portal

https://gerrit.wikimedia.org/r/759753

ReleaseTaggerBot added a project: MW-1.38-notes (1.38.0-wmf.25; 2022-03-07).Mar 7 2022, 5:00 PM

Maintenance_bot removed a project: Patch-For-Review.Mar 7 2022, 5:10 PM

• nnikkhoui moved this task from QA/Review to Sign-off on the API Platform board.Mar 7 2022, 8:36 PM

Verified that this is fixed in production. Thanks all!

BPirkle closed this task as Resolved.Apr 13 2022, 2:12 AM

Invalid client secrets in API PortalClosed, ResolvedPublic2 Estimated Story PointsBUG REPORTActions