
OAuth and mobile redirection do not play nicely together
Closed, Resolved; Public

Description

The redirection to m.mediawiki.org appears to confuse the MediaWiki.org-based OAuth grant process, both in terms of when it forces you to log in, and when you press Allow.


Version: unspecified
Severity: major

Details

Reference
bz60034

Event Timeline

bzimport raised the priority of this task to High. Nov 22 2014, 2:52 AM
bzimport set Reference to bz60034.
bzimport added a subscriber: Unknown Object (MLST).

Just to make sure I understand, this is when you (the end user) use a mobile browser to visit www.mediawiki.org/wiki/Special:OAuth/authorize?

On /authorize, the URL isn't signed, so the process should still work, assuming mobile frontend correctly translates the form into something the device can read.

For the other Special:OAuth subpages (/initialize, /token, etc.), the URL is signed, and a redirect would really mess things up. But your backend / server is making those calls. If your server's user-agent is being identified as a mobile device, we have a slightly different problem.
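The comment above distinguishes the unsigned /authorize URL from the signed Special:OAuth subpages. The following added example (not part of the original thread or of the MediaWiki OAuth extension) computes an OAuth 1.0a HMAC-SHA1 signature as RFC 5849 describes and shows that the host is part of the signed data. The secrets, token, nonce and timestamp are constructed values, and it assumes the server recomputes the signature over the URL it receives after a redirect.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s):
    # RFC 5849 section 3.6: only unreserved characters stay literal.
    return quote(s, safe="-._~")


def base_string(method, url, oauth_params):
    parts = urlsplit(url)
    # Base string URI: scheme, host and path, without the query (section 3.4.1.2).
    base_uri = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # Query and oauth_* parameters are merged, encoded, then sorted (section 3.4.1.3).
    params = parse_qsl(parts.query, keep_blank_values=True) + list(oauth_params.items())
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def sign(method, url, oauth_params, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, oauth_params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def server_accepts(method, url_seen, oauth_params, signature, consumer_secret, token_secret=""):
    # The verifier rebuilds the signature from the URL it actually received.
    expected = sign(method, url_seen, oauth_params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)


# Constructed sample values, not real credentials.
CONSUMER_SECRET = "example-consumer-secret"
TOKEN_SECRET = "example-token-secret"
PARAMS = {
    "oauth_consumer_key": "example-consumer-key",
    "oauth_token": "example-request-token",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1390000000",
    "oauth_nonce": "constructed-nonce",
    "oauth_version": "1.0",
}
DESKTOP = "https://www.mediawiki.org/wiki/Special:OAuth/token"
MOBILE = "https://m.mediawiki.org/wiki/Special:OAuth/token"
SIGNATURE = sign("GET", DESKTOP, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)

print("same host:", server_accepts("GET", DESKTOP, PARAMS, SIGNATURE, CONSUMER_SECRET, TOKEN_SECRET))
print("after redirect to m.:", server_accepts("GET", MOBILE, PARAMS, SIGNATURE, CONSUMER_SECRET, TOKEN_SECRET))
```
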

As of time of writing, you should get one particular example of this problem by browsing to http://tools.wmflabs.org/voiceintro/ on your mobile device. HTH.

I'm increasing the importance on this as it makes it pretty much impossible to develop mobile web apps that use OAuth, AFAICT. Another good example to test this with is http://tools.wmflabs.org/wikidata-game/ .

Jarry1250, let me make sure I understand the issue.

When authorizing with Widar (Erik's link in comment 3), Widar is sending the user to www.mediawiki.org/w/index.php?title=Special:OAuth/authorize&...

The first bug I see is that mobile frontend doesn't redirect that special page to m.mediawiki.org on my mobile phone. Is that what you're referring to?

However, if I manually update the URL to m.mediawiki.org, I get a mobile-looking dialog, and Widar is authorized to act as me after I click authorize.

In Widar's case, this bug is because Widar redirects the user to /w/index.php, and MobileFrontend specifically doesn't redirect those links. If Widar is updated to send the user to /wiki/Special:OAuth/authorize?..., then it should Just Work.

(In reply to Chris Steipp from comment #4)

> In Widar's case, this bug is because Widar redirects the user to
> /w/index.php, and MobileFrontend specifically doesn't redirect those links.
> If Widar is updated to send the user to /wiki/Special:OAuth/authorize?...,
> then it should Just Work.

s/MobileFrontend/Varnish/

If you log out on your phone, then navigate to the voiceintro URL above, you are eventually redirected to https://m.mediawiki.org/wiki/Special:CentralLogin/complete?token=too (or at least I am) when I hit login.

(In reply to Jarry1250 from comment #6)

> If you logout on your phone, then navigate to the voiceintro URL above, you
> are eventually redirected to
> https://m.mediawiki.org/wiki/Special:CentralLogin/complete?token=too (or at
> least I am) when I hit login

If the site redirects you to mobile on the call to /authorize, you'll get the mobile login (assuming your phone is logged out), which works correctly.

I added an example in my OAuth library, and it works fine with my Android phone:
https://github.com/Stype/mwoauth-php/blob/master/webdemo.php#L19

Is there some other issue you're encountering, or can we close this bug?

It seems to be working now, yes. I'll keep playing around though.