Welcome to the discussion for the Authentication page! To leave a comment, select Edit.

Access Token API

Is the Access token WIKI api not active? The creds don't seem to be working. KvDevs (talk) 07:28, 3 June 2023 (UTC)

Hi KvDevs, Authenticating using an access token should work. If you can share more about what you're trying (without sharing your token), I can try to help troubleshoot. --APaskulin (WMF) (talk) 17:40, 5 June 2023 (UTC)
Hey @APaskulin (WMF), thanks for your prompt reply, but it started working now. It was a Postman issue, seems like.
Thanks! KvDevs (talk) 02:15, 6 June 2023 (UTC)

curl command for “Get access token” does not work

I tried to follow the "User authentication" instructions, but it failed with an HTTP 415 error when I tried to get an access token:

curl -X POST -F 'grant_type=authorization_code' \
       -F 'code=MY_AUTHORIZATION_CODE' \
       -F 'client_id=CLIENT_ID' \
       -F 'client_secret=CLIENT_SECRET' \
       https://meta.wikimedia.org/w/rest.php/oauth2/access_token | jq .
 {
   "errorKey": "rest-unsupported-content-type",
   "messageTranslations": {
     "en": "Unsupported Content-Type: multipart/form-data"
   },
   "httpCode": 415,
   "httpReason": "Unsupported Media Type"
 }

I was able to get it working by using the --data flag instead of -F/--form:

curl -X POST --data 'grant_type=authorization_code&code=MY_AUTHORIZATION_CODE&client_id=CLIENT_ID&client_secret=CLIENT_SECRET' \
       https://meta.wikimedia.org/w/rest.php/oauth2/access_token | jq .
 {
   "token_type": "Bearer",
   "expires_in": 14400,
   "access_token": "ACCESS_TOKEN",
   "refresh_token": "REFRESH_TOKEN"
 }

This is my version of curl, which I'm running on macOS:

 $ curl --version
 curl 8.6.0 (x86_64-apple-darwin23.0) libcurl/8.6.0 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.12 nghttp2/1.61.0
 Release-Date: 2024-01-31
 Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
 Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL threadsafe UnixSockets

I'm fairly sure I ran this example in the past and it worked correctly – has something changed recently?

(This is related to https://github.com/Flickr-Foundation/flickypedia/issues/478) Alexwlchan (talk) 11:39, 3 July 2024 (UTC)

Hi Alexwlchan, Thanks for bringing this up! It looks like there was a recent change that caused the endpoints to no longer accept form data. I'll update this page to reflect that. If you're interested in helping edit these docs, I'd be happy to add you as a documentation editor, just add a comment requesting access to Talk:Community/Contributing. --APaskulin (WMF) (talk) 23:07, 8 July 2024 (UTC)

App authentication access_token endpoint doesn't give refresh_token

Using this command:

curl -X POST -d 'grant_type=client_credentials' \
       -d 'client_id=YOUR_CLIENT_ID' \
       -d 'client_secret=YOUR_CLIENT_SECRET' \
       https://meta.wikimedia.org/w/rest.php/oauth2/access_token

I am getting this response:

{"token_type":"Bearer","expires_in":14400,"access_token":"..."}

Why is the refresh_token not there? The page says it should return access_token and refresh_token. RakhamDev (talk) 04:58, 25 September 2024 (UTC)

Hi RakhamDev, Thanks for reporting this! I was able to replicate this behavior, and I've opened a bug report (phab:T375792). --APaskulin (WMF) (talk) 19:39, 26 September 2024 (UTC)

In what situation would you use a client credentials grant? I feel people would be better served if the documentation pointed them towards owner-only consumers. --Tgr (WMF) (talk) 13:08, 14 October 2024 (UTC)

I've updated the guide to clarify that the client credentials grant doesn't return a refresh token. RakhamDev, feel free to try the Authentication#Personal_API_tokens flow if you're experiencing difficulties with the client credentials grant. --APaskulin (WMF) (talk) 15:33, 20 December 2024 (UTC)
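
The two behaviours reported in the threads above (the token endpoint rejecting multipart/form-data with HTTP 415, and the client credentials grant returning no refresh_token) can be handled in one small client-side helper. This is an added example, not part of the discussion or of the Wikimedia documentation; the function names and the `renew_with` field are hypothetical, and the sample responses are constructed from the outputs quoted above.

```python
import json
import time
import urllib.parse
import urllib.request

# Token endpoint taken from the curl commands in the threads above.
TOKEN_URL = "https://meta.wikimedia.org/w/rest.php/oauth2/access_token"

def build_token_request(grant_type, client_id, client_secret, **extra):
    """Build (without sending) a POST with a urlencoded body, like curl --data."""
    fields = {"grant_type": grant_type, "client_id": client_id,
              "client_secret": client_secret, **extra}
    # The secret travels in the request body, never in the URL or a log line.
    body = urllib.parse.urlencode(fields).encode("ascii")
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(raw, now=None):
    """Return a token record, or raise on the REST error shape (errorKey/httpCode)."""
    doc = json.loads(raw)
    if "errorKey" in doc:
        raise RuntimeError(f"{doc.get('httpCode')} {doc['errorKey']}")
    now = time.time() if now is None else now
    refresh = doc.get("refresh_token")  # absent for grant_type=client_credentials
    return {
        "access_token": doc["access_token"],
        "expires_at": now + int(doc["expires_in"]),
        "refresh_token": refresh,
        # Without a refresh token, renewal means a fresh token request.
        "renew_with": "refresh_token" if refresh else "new_token_request",
    }

# Constructed samples mirroring the responses quoted in the threads.
USER_RESPONSE = ('{"token_type":"Bearer","expires_in":14400,'
                 '"access_token":"ACCESS_TOKEN","refresh_token":"REFRESH_TOKEN"}')
APP_RESPONSE = '{"token_type":"Bearer","expires_in":14400,"access_token":"ACCESS_TOKEN"}'
ERROR_RESPONSE = ('{"errorKey":"rest-unsupported-content-type","httpCode":415,'
                  '"httpReason":"Unsupported Media Type"}')

if __name__ == "__main__":
    req = build_token_request("client_credentials", "CLIENT_ID", "CLIENT_SECRET")
    print(req.get_method(), req.get_header("Content-type"))
    for sample in (USER_RESPONSE, APP_RESPONSE):
        print(parse_token_response(sample)["renew_with"])  # tokens are not printed
```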