Last modified: 2014-06-17 20:17:42 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T62034, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 60034 - OAuth and mobile redirection do not play nicely together
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: OAuth
Version: unspecified
Hardware: All All
Importance: High major
Target Milestone: ---
Assigned To: Nobody - You can work on this!

Reported: 2014-01-14 11:10 UTC by Jarry1250
Modified: 2014-06-17 20:17 UTC

Description Jarry1250 2014-01-14 11:10:16 UTC
The redirection to m.mediawiki.org appears to confuse the MediaWiki.org-based OAuth grant process, both in terms of when it forces you to log in, and when you press Allow.
Comment 1 Chris Steipp 2014-01-14 15:36:37 UTC
Just to make sure I understand, this is when you (the end user) use a mobile browser to visit www.mediawiki.org/wiki/Special:OAuth/authorize?

On /authorize, the url isn't signed, so the process should still work, assuming mobile frontend correctly translates the form into something the device can read.

For the other Special:OAuth subpages (/initialize, /token, etc), the url is signed, and a redirect would really mess things up. But your backend / server is making those calls. If your server's user-agent is being identified as a mobile device, we have a slightly different problem.
Comment 2 Jarry1250 2014-01-14 16:42:01 UTC
As of time of writing, you should get (one particular example) of this problem by browsing to http://tools.wmflabs.org/voiceintro/ on your mobile device. HTH.
Comment 3 Erik Moeller 2014-05-27 17:30:46 UTC
I'm increasing the importance on this as it makes it pretty much impossible to develop mobile web apps that use OAuth, AFAICT. Another good example to test this with is http://tools.wmflabs.org/wikidata-game/ .
Comment 4 Chris Steipp 2014-05-28 21:49:12 UTC
Jarry1250, let me make sure I understand the issue.

When authorizing with Widar (Erik's link in comment 3), Widar is sending the user to www.mediawiki.org/w/index.php?title=Special:OAuth/authorize&...

The first bug I see is that mobile frontend doesn't redirect that special page to m.mediawiki.org on my mobile phone. Is that what you're referring to?

However, if I manually update the url to m.mediawiki.org, I get a mobile-looking dialog, and Widar is authorized to act as me after I click authorize.

In Widar's case, this bug is because Widar redirects the user to /w/index.php, and MobileFrontend specifically doesn't redirect those links. If Widar is updated to send the user to /wiki/Special:OAuth/authorize?..., then it should Just Work.
Comment 5 Max Semenik 2014-05-28 21:52:26 UTC
(In reply to Chris Steipp from comment #4)
> In Widar's case, this bug is because Widar redirects the user to
> /w/index.php, and MobileFrontend specifically doesn't redirect those links.
> If Widar is updated to send the user to /wiki/Special:OAuth/authorize?...,
> then it should Just Work.

s/MobileFrontend/Varnish/
Comment 6 Jarry1250 2014-05-29 14:22:49 UTC
If you log out on your phone, then navigate to the voiceintro URL above, you are eventually redirected to https://m.mediawiki.org/wiki/Special:CentralLogin/complete?token=too (or at least I am) when I hit login.
Comment 7 Chris Steipp 2014-06-17 19:21:59 UTC
(In reply to Jarry1250 from comment #6)
> If you log out on your phone, then navigate to the voiceintro URL above, you
> are eventually redirected to
> https://m.mediawiki.org/wiki/Special:CentralLogin/complete?token=too (or at
> least I am) when I hit login

If the site redirects you to mobile on the call to /authorize, you'll get the mobile login (assuming your phone is logged out), which works correctly.

I added an example in my oauth library, and it works fine with my Android phone:
https://github.com/Stype/mwoauth-php/blob/master/webdemo.php#L19

Is there some other issue you're encountering, or can we close this bug?
Comment 8 Jarry1250 2014-06-17 20:17:42 UTC
It seems to be working now, yes. I'll keep playing around though.
