Description

Steps to replicate the issue (include links if applicable):

Go to https://domains.wikibase.cloud/wiki/Special:OAuthConsumerRegistration/propose/oauth2
Fill out the form with valid input (see screenshots below) and attempt to submit

What happens?:

This results in a 500 error from the server despite repeated attempts

What should have happened instead?:

OAuth consumer should be registered

Software version (skip for WMF-hosted wikis like Wikipedia):

Wikibase.Cloud as of 2023-05-18

Other information (browser name/version, screenshots, etc.):

Possible Solution

In T336937#10408480, @GreenReaper wrote:

[...]I took a look and it's the "This consumer is for use only by X" option. This gives the stated error with the selected permissions, and a 500 error if you use either of the default permission radio buttons instead. this may be a solution.

RhinosF1 on https://issue-tracker.miraheze.org/T7386

I think we need to set $wgOAuth2PrivateKey & $wgOAuth2PublicKey

Event Timeline

@Harej Hello!
Sorry for the long delay, we are going through the tickets now checking what's still current.
We tried this, and it works for us currently.
Could you please check if it works for you? If it doesn't, could you tell us exactly what you put in the form?

I now get this error:

[6aab8836cf02dc6764ce8a29] 2024-11-14 19:19:54: Fatal exception of type "Lcobucci\JWT\Signer\Key\FileCouldNotBeRead"

Hi @Harej !
Could you please share the input you provide on the form?
Thanks!

My input and the resulting error

Thanks, @Harej !
I was able to reproduce on my instance.

this may be a solution.

Anton.Kokh moved this task from Product - To Be Reviewed with the Team to Product - Ready to Pick Up on the Wikibase Cloud board.Jan 14 2025, 3:44 PM

Anton.Kokh moved this task from Product - Ready to Pick Up to Kanban Board Q1 2025 on the Wikibase Cloud board.

Anton.Kokh edited projects, added Wikibase Cloud (Kanban Board Q1 2025); removed Wikibase Cloud.

We need to think about how we are going to manage all these keys for all of the different wikis. @dang correctly identified that we can't check these into git. I think we have a few options and we probably want to have a separate key per site to prevent across site attacks:

we could have the API generate and send a key to Mediawiki
- this is probably the neatest way and we can set the whole key in $wgOAuth2PrivateKey and $wgOAuth2PublicKey as per https://www.mediawiki.org/wiki/Extension:OAuth#Configuration
- this means we need to add these as two new settings to the API (see https://github.com/wbstack/api/blob/main/app/WikiSetting.php)
- then generate content for them at wiki creation time (c.f. https://github.com/wbstack/api/blob/7b1f1dec2481d2503d88966cbbc25de43df2dda2/app/Http/Controllers/WikiController.php#L102)
- to generate this content we'd need to do some research about how to create these keypairs in PHP. Shelling out and creating them using ssh-keygen/openssl see https://oauth2.thephpleague.com/installation/#generating-public-and-private-keys) is possible but would probably require extra logic to write these to some temporary place and then read them in.
~~We could generate and store a key in a k8s secret; mount them all into the MW pods and then have the API pass the correct path to the right key~~
- this probably will result in a crazy amount of secrets that need to be mounted into a single worker container

@dang will research how to generate a suitable public/private keypair purely in our platform api

Code of Conduct · GPL ·

	F57775961: Screenshot 2024-12-03 at 12.06.23 PM.png
	Dec 3 2024, 8:06 PM

	F57775959: Screenshot 2024-12-03 at 12.06.16 PM.png
	Dec 3 2024, 8:06 PM

	F57775957: Screenshot 2024-12-03 at 12.06.08 PM.png
	Dec 3 2024, 8:06 PM

	F57775956: Screenshot 2024-12-03 at 12.05.44 PM.png
	Dec 3 2024, 8:06 PM