Last modified: 2014-08-08 20:16:44 UTC
I am accessing OAuth over HTTPS (https://www.mediawiki.org), but the issuer (iss field) I am getting back from the service says http://www.mediawiki.org (no HTTPS). Because of this verification fails.
I set iss to $wgCanonicalServer, since that is the most stable and, canonical, representation of the server name. To get around the verification failure, you can either keep track of what the canonical server name is supposed to be (that's what I do in the php library I maintain- https://github.com/Stype/mwoauth-php). Or in Phabricator, we pull off the protocol and just compare the host portion of the url. We can't use $_SERVER['SERVER_NAME'] / $_SERVER['HTTP_HOST'], because those can be influenced by an attacker. If we use $wgServer, you have the same problem that you can't match the protocol. Probably the only realistic enhancement would be to use wgCanonicalServer, but update the protocol. That seems more confusing to me, but this issue has been reported (personally) to me enough times, that I'm open to changing it. Just not sure what the best answer is.
Then maybe MediaWiki (https://www.mediawiki.org/wiki/MediaWiki) has a wrong $wgCanonicalServer setting. Because if you open http://www.mediawiki.org it redirects to HTTPS. So it seems https://www.mediawiki.org is the canonical URL for the site. Server name could not be influenced by an attacker (if yes, you have an error in your server configuration)? But http host yes. But server name does not contain the protocol anyway, no? You could use $_SERVER["HTTPS"]: https://stackoverflow.com/questions/1175096/how-to-find-out-if-you-are-using-https-without-serverhttps But then you will have to make sure that your forward proxy daemon properly sets this (if you run MediaWiki behind it, what you do at mediawiki.org it seems).
Hm, it seems it does not redirect to HTTPS on all my browsers. Maybe this is HTTPS Anywhere. :-)
(In reply to Mitar from comment #2) > Then maybe MediaWiki (https://www.mediawiki.org/wiki/MediaWiki) has a wrong > $wgCanonicalServer setting. Because if you open http://www.mediawiki.org it > redirects to HTTPS. So it seems https://www.mediawiki.org is the canonical > URL for the site. www.mediawiki.org has $wgCanonicalServer set to "http://www.mediawiki.org". If you're logged in, you probably have the force HTTPS cookie which is causing the redirect. But yeah, I prefer you *DO* use https when calling /identify, just to preserve your user's privacy, if nothing else. So the in the preferred case, there will be a missmatch, which isn't great design I admin. We could just set https:// always, to encourage Consumer to use it too.. but that seems a little evil too. > Server name could not be influenced by an attacker (if yes, you have an > error in your server configuration)? But http host yes. But server name does > not contain the protocol anyway, no? I think I've seen the host header used when apache used * as the vhost... but yeah, as you point out that doesn't include protocol, so back to the same problem. > You could use $_SERVER["HTTPS"]: > https://stackoverflow.com/questions/1175096/how-to-find-out-if-you-are-using- > https-without-serverhttps > > But then you will have to make sure that your forward proxy daemon properly > sets this (if you run MediaWiki behind it, what you do at mediawiki.org it > seems). $request->getProtocol(). You've been away too long :)
Hm, maybe we could just require anyone using OAuth to use HTTPS at all times? OAuth should simply be declined without HTTPS? There is really no need for HTTP for APIs. (CPU ought not be an excuse.) (For other installations other could decide on configuration and deal with correctly setting wgCanonicalServer.)
(In reply to Chris Steipp from comment #1) > If we use $wgServer, you have the same > problem that you can't match the protocol. wfExpandUrl( $wgServer, PROTO_CURRENT ) maybe?