Expected behavior
OAuth client secrets created or reset through the API Portal are valid and unique.
Observed behavior
OAuth client secrets recently created or reset through the API Portal are shared between clients and result in an invalid client error when fetching an access token.
# Get auth code
https://meta.wikimedia.org/w/rest.php/oauth2/authorize?client_id=CLIENT_ID_HERE&response_type=code

# Get access token
curl -X POST -F 'grant_type=authorization_code' \
  -F 'code=AUTH_CODE_HERE' \
  -F 'client_id=CLIENT_ID_HERE' \
  -F 'client_secret=CLIENT_SECRET_HERE' \
  https://meta.wikimedia.org/w/rest.php/oauth2/access_token

# Error
{"error":"invalid_client","error_description":"Client authentication failed","message":"Client authentication failed"}
I was able to replicate this error with secrets that were reset on May 24, 2021. The last time I tested this successfully was February 8, 2021. Client secrets reset via Meta work as expected. Could be related to a similar past issue, T264457: Client secret shared between clients.