Last modified: 2014-10-28 17:50:27 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in, and except for displaying bug reports and their history, links might be broken. See T74186, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 72186 - Varnish: Mobile site redirect interferes with OAuth authorization process
Status: PATCH_TO_REVIEW
Product: Wikimedia
Classification: Unclassified
Component: General/Unknown
Version: wmf-deployment
Hardware: Smartphone other
Importance: Normal normal
Target Milestone: ---
Assigned To: Nobody - You can work on this!
: ops
Depends on:
Blocks:
Reported: 2014-10-17 15:23 UTC by Vera de Kok
Modified: 2014-10-28 17:50 UTC (History)
CC: 7 users

See Also:
Web browser: Other
Mobile Platform: Android
Assignee Huggle Beta Tester: ---

Description Vera de Kok 2014-10-17 15:23:58 UTC
Hi, 

I have to always authorize the Flickr2Commons tool before using it. I also use this tool on my smartphone. When I've set the user agent of the browser I use (Habit Browser) to be Android, I get redirected to a blank page after clicking on "allow". This is not the case when I set the browser's user agent to PC.
Comment 1 Vera de Kok 2014-10-17 15:28:12 UTC
Correction: the blank page says "Error retrieving token: mwoauthdatastore-request-token-not-found"
Comment 2 Andre Klapper 2014-10-17 15:46:56 UTC
What is the exact user agent string on the phone? Do you literally refer to the string "PC"? Exact strings welcome in order to reproduce...
Comment 3 Vera de Kok 2014-10-17 15:49:52 UTC
The user agent resulting in the error, e.g. "Android":

Mozilla/5.0 (Linux; U; Android 4.0.1; ja-jp; Galaxy Nexus Build/ITL41D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30

The "PC" user agent not resulting in error: 
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; ja-jp) AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16
Comment 4 Bawolff (Brian Wolff) 2014-10-17 16:08:51 UTC
Verified, when editing from a user-agent that would be redirected to the mobile site, after authorizing, page gets redirected to mobile site and errors.

E006

-----

Steps to reproduce:
*From a cell phone, where you have not opted out of mobile interface and it sends a mobile UA
*Go to http://tools.wmflabs.org/oauth-hello-world/index.php?action=authorize
*Follow instructions, eventually get an error.
Comment 5 Brad Jorsch 2014-10-17 16:42:35 UTC
(In reply to Bawolff (Brian Wolff) from comment #4)
> Verified, when editing from a user-agent that would be redirected to the
> mobile site, after authorizing, page gets redirected to mobile site and
> errors.

I had suspected this, thanks for confirming.

After some further investigation, it looks to me like it's actually a bug in WMF's varnish layer trying to redirect mobile clients to the mobile site: it doesn't hit on the first request that uses /w/index.php?title=Special:OAuth/authorize&oauth_token=abc123&oauth_consumer_key=abc123, but the POST back to /wiki/Special:OAuth/authorize is caught and since browsers treat a 302 redirect as 303 rather than 307 this breaks everything. The relevant code appears to be in the operations/puppet repo, templates/varnish/text-frontend.inc.vcl.erb, sub mobile_redirect.
Comment 6 Gerrit Notification Bot 2014-10-19 18:48:48 UTC
Change 167453 had a related patch set uploaded by MaxSem:
Perform mobile redirect only for GET requests

https://gerrit.wikimedia.org/r/167453
Comment 7 Chris Steipp 2014-10-21 23:19:33 UTC
(In reply to Brad Jorsch from comment #5)
> (In reply to Bawolff (Brian Wolff) from comment #4)
> > Verified, when editing from a user-agent that would be redirected to the
> > mobile site, after authorizing, page gets redirected to mobile site and
> > errors.
> 
> I had suspected this, thanks for confirming.
> 
> After some further investigation, it looks to me like it's actually a bug in
> WMF's varnish layer trying to redirect mobile clients to the mobile site: it
> doesn't hit on the first request that uses
> /w/index.php?title=Special:OAuth/
> authorize&oauth_token=abc123&oauth_consumer_key=abc123, but the POST back to
> /wiki/Special:OAuth/authorize is caught and since browsers treat a 302
> redirect as 303 rather than 307 this breaks everything. The relevant code
> appears to be in the operations/puppet repo,
> templates/varnish/text-frontend.inc.vcl.erb, sub mobile_redirect.

Yep, this is actually a known issue.

Mobile can't really redirect calls to /w/index.php, so OAuth app authors need to redirect their users to "/wiki/Special:OAuth/authorize?oauth_token=..." instead of "/w/index.php?title=...".

So Max's patch will probably work, although then the login experience on mobile isn't great. And we'll have to make sure the centralauth handshake continues to work. Or OAuth app authors can use /wiki/Special:OAuth urls, and the experience is better, but we can't control their code. Or we make a special varnish rule to allow mobile redirecting for this specific url pattern ("/w/index.php?title=Special:OAuth/authorize")... But I haven't fully thought through what else that would impact.
Comment 8 Brad Jorsch 2014-10-21 23:34:28 UTC
I thought we had trouble with OAuth getting confused by internal rewriting somewhere that changed /wiki/Special:OAuth to /w/index.php?title=Special:OAuth and broke the signature validation. Did that get fixed?
Comment 9 Chris Steipp 2014-10-22 00:29:55 UTC
(In reply to Brad Jorsch from comment #8)
> I thought we had trouble with OAuth getting confused by internal rewriting
> somewhere that changed /wiki/Special:OAuth to
> /w/index.php?title=Special:OAuth and broke the signature validation. Did
> that get fixed?

Yeah, that's one of the confusing parts. For any calls that are signed, that is the case, so title=Special:OAuth is the best format for the url. The /authorize call is the only one not signed, since it's just redirecting the user, so the clean url can be used.
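Added example (not code from the MediaWiki OAuth extension or from anyone in this thread) illustrating comments 8 and 9: an OAuth 1.0a HMAC-SHA1 signature covers the normalized request URL and every query parameter, so a request the consumer signed for the clean /wiki/Special:OAuth/... URL stops verifying once an internal rewrite turns it into /w/index.php?title=Special:OAuth/... on the server side, while a request signed for the index.php form survives the same rewrite. The consumer secret, nonce and timestamp are constructed values; the consumer key abc123 and the host meta.wikimedia.org are taken from the thread, and Special:OAuth/initiate is assumed here as the signed endpoint (the thread only names /authorize).

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed secret for the consumer key "abc123" used in the thread.
CONSUMER_SECRET = "not-a-real-secret"


def pct(value) -> str:
    # OAuth 1.0a percent encoding: only RFC 3986 unreserved characters stay bare.
    return quote(str(value), safe="~")


def normalized_url(url: str) -> str:
    """Scheme and host lowercased, default ports dropped, query and fragment removed."""
    u = urlsplit(url)
    scheme, host, port = u.scheme.lower(), (u.hostname or "").lower(), u.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{u.path}"


def signature_base_string(method: str, url: str, oauth_params: dict, form: dict = None) -> str:
    """RFC 5849 section 3.4.1: METHOD & encoded(base URL) & encoded(sorted params).
    Query-string parameters are part of the signed set, which is why a rewrite
    that moves the title into the query changes the result."""
    params = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    params += list((form or {}).items())
    params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    param_str = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(normalized_url(url)), pct(param_str)])


def sign(base: str, consumer_secret: str, token_secret: str = "") -> str:
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def verify(method: str, url: str, oauth_params: dict, consumer_secret: str, token_secret: str = "") -> bool:
    """Server side: rebuild the base string from the request as the server sees it."""
    expected = sign(signature_base_string(method, url, oauth_params), consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))


def rewrite_demo():
    """Sign for the clean URL and for the index.php URL, then verify each
    against the URL form the server ends up with after the internal rewrite."""
    oauth = {
        "oauth_consumer_key": "abc123", "oauth_nonce": "c0nstructed", "oauth_callback": "oob",
        "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1413559438", "oauth_version": "1.0",
    }
    clean = "https://meta.wikimedia.org/wiki/Special:OAuth/initiate"
    rewritten = "https://meta.wikimedia.org/w/index.php?title=Special:OAuth/initiate"
    signed_clean = dict(oauth, oauth_signature=sign(signature_base_string("GET", clean, oauth), CONSUMER_SECRET))
    signed_index = dict(oauth, oauth_signature=sign(signature_base_string("GET", rewritten, oauth), CONSUMER_SECRET))
    return (
        verify("GET", clean, signed_clean, CONSUMER_SECRET),      # no rewrite: verifies
        verify("GET", rewritten, signed_clean, CONSUMER_SECRET),  # rewritten server side: fails
        verify("GET", rewritten, signed_index, CONSUMER_SECRET),  # signed the index.php form: verifies
    )


if __name__ == "__main__":
    print(rewrite_demo())  # (True, False, True)
```

The third case is the recommendation in comment 9: sign against the title=Special:OAuth form, which is what the server reconstructs, so the rewrite is a no-op for the signature. The /authorize step is exempt only because it carries no signature at all.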
Comment 10 Gerrit Notification Bot 2014-10-28 17:50:27 UTC
Change 167453 merged by Faidon Liambotis:
Perform mobile redirect only for GET and HEAD requests

https://gerrit.wikimedia.org/r/167453
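Added example, not Wikimedia's Varnish VCL or MediaWiki code, modelling the mechanism Brad describes in comment 5 and the fix merged in comment 10. A mobile user agent is sent to the index.php form of the authorize URL (not caught by the rule), the consent form POSTs back to the clean /wiki/ URL (caught), and the browser follows the 302 as a bodiless GET, so the backend never sees oauth_token and returns the error from comment 1. Restricting the rule to GET and HEAD lets the POST through. The request/response model, the token store, the substring user-agent sniffing and the assumption that only /wiki/ paths are redirected are constructed for illustration; the user agents are the two from comment 3.

```python
from dataclasses import dataclass, field
from typing import Optional, Set
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed request-token store (token -> consumer key); values are made up.
REQUEST_TOKENS = {"abc123": "consumer-abc123"}

# The two user agents reported in comment 3.
ANDROID_UA = ("Mozilla/5.0 (Linux; U; Android 4.0.1; ja-jp; Galaxy Nexus Build/ITL41D) "
              "AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30")
DESKTOP_UA = ("Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; ja-jp) "
              "AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16")


@dataclass
class Request:
    method: str
    url: str
    user_agent: str
    form: dict = field(default_factory=dict)  # parsed POST body


@dataclass
class Response:
    status: int
    body: str = ""
    location: str = ""


def is_mobile_ua(ua: str) -> bool:
    # Assumption: substring sniffing stands in for the real Varnish UA regex.
    return "Mobile" in ua or "Android" in ua


def mobile_redirect(req: Request, methods: Optional[Set[str]]) -> Optional[Response]:
    """Model of the edge rule. `methods` is the set of methods it applies to:
    None for the pre-fix rule (every method), {"GET", "HEAD"} for the merged fix.
    Assumption: only /wiki/ paths are redirected, matching the observation in
    comment 5 that the /w/index.php request is not caught."""
    u = urlsplit(req.url)
    host = u.hostname or ""
    if ".m." in host or not u.path.startswith("/wiki/") or not is_mobile_ua(req.user_agent):
        return None
    if methods is not None and req.method not in methods:
        return None
    labels = host.split(".")
    mobile_host = ".".join([labels[0], "m"] + labels[1:])  # en.wikipedia.org -> en.m.wikipedia.org
    return Response(302, location=urlunsplit((u.scheme, mobile_host, u.path, u.query, "")))


def oauth_authorize(req: Request) -> Response:
    """Model of Special:OAuth/authorize: GET with a token renders the consent form,
    POST with a token grants it, anything without a known token gets the error
    string from comment 1."""
    if req.method == "POST":
        token = req.form.get("oauth_token")
    else:
        token = parse_qs(urlsplit(req.url).query).get("oauth_token", [None])[0]
    if token not in REQUEST_TOKENS:
        return Response(200, body="Error retrieving token: mwoauthdatastore-request-token-not-found")
    if req.method == "POST":
        return Response(200, body=f"authorized {token}")
    return Response(200, body=f"consent form for {token}")


def browser_send(req: Request, methods: Optional[Set[str]], max_redirects: int = 5) -> Response:
    """Send through the edge and follow 302s the way browsers do: re-issue as a
    GET with no body (303 semantics), which is what loses the POSTed token."""
    for _ in range(max_redirects + 1):
        resp = mobile_redirect(req, methods) or oauth_authorize(req)
        if resp.status != 302:
            return resp
        req = Request("GET", resp.location, req.user_agent)
    raise RuntimeError("too many redirects")


def authorize_flow(user_agent: str, methods: Optional[Set[str]]) -> Response:
    """The flow from the bug: the consumer sends the user to the index.php form
    of the authorize URL; the consent form posts back to the clean /wiki/ URL."""
    first = Request("GET", "https://en.wikipedia.org/w/index.php?title=Special:OAuth/authorize"
                    "&oauth_token=abc123&oauth_consumer_key=abc123", user_agent)
    page = browser_send(first, methods)
    if not page.body.startswith("consent form"):
        raise RuntimeError(f"unexpected first response: {page.body}")
    post = Request("POST", "https://en.wikipedia.org/wiki/Special:OAuth/authorize", user_agent,
                   form={"oauth_token": "abc123", "action": "accept"})
    return browser_send(post, methods)


if __name__ == "__main__":
    for label, methods in (("pre-fix rule", None), ("GET/HEAD-only rule", {"GET", "HEAD"})):
        for ua_name, ua in (("desktop", DESKTOP_UA), ("android", ANDROID_UA)):
            print(f"{label:20} {ua_name:8} -> {authorize_flow(ua, methods).body}")
```

The check a practitioner would add to any edge redirect rule follows from this: a 302 or 301 on a non-idempotent request is effectively a 303 in every mainstream browser, so unless the rule is limited to GET and HEAD (or answers 307/308, which preserve method and body) the POST body is silently discarded.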
