
OAuthServer (Project)
Active · Public

Details

Description

Implementation of an OAuth 2.0 server for Phabricator, as described here: http://tools.ietf.org/html/draft-ietf-oauth-v2-23

In other words, this project makes Phabricator an OAuth 2.0 server / provider.

This is a good idea because it lets Phabricator potentially act as the master authority service for a given company, or for a subset of tools within a company. Phacility is also very interested in setting up a "master" Phabricator instance that acts as the central authority service for "child" Phabricator instances, as part of providing Phabricator in a SaaS format.

Recent Activity

Dec 13 2018

epriestley added a comment to T2549: Support linking multiple external accounts from the same provider with one Phabricator account.

Sorry, yeah, I meant T6703.

Dec 13 2018, 12:48 PM · Restricted Project, Restricted Project, LDAP, Auth, OAuthServer
urzds added a comment to T2549: Support linking multiple external accounts from the same provider with one Phabricator account.

I believe that instead of T7667 you meant to write T6703.

Dec 13 2018, 11:20 AM · Restricted Project, Restricted Project, LDAP, Auth, OAuthServer

Dec 12 2018

epriestley closed T2549: Support linking multiple external accounts from the same provider with one Phabricator account as Wontfix.

There are two flavors of this:

Dec 12 2018, 7:53 PM · Restricted Project, Restricted Project, LDAP, Auth, OAuthServer

Nov 8 2017

maxim.efremoff added a watcher for OAuthServer: maxim.efremoff.
Nov 8 2017, 10:34 AM

Oct 31 2016

epriestley closed T11794: OAuth Server Doesn't Handle Client ID and Secret in HTTP Basic Auth as Resolved by committing rPee834c5958d0: oauthserver: get client ID/secret from HTTP auth.
Oct 31 2016, 3:23 PM · OAuthServer, Bug Report

Oct 29 2016

epriestley added a comment to T11794: OAuth Server Doesn't Handle Client ID and Secret in HTTP Basic Auth.

...and here are foreseeable issues with this mess occurring in the wild:

Oct 29 2016, 12:49 AM · OAuthServer, Bug Report
epriestley added a comment to T11794: OAuth Server Doesn't Handle Client ID and Secret in HTTP Basic Auth.

Broadly, I want to avoid implementing things that don't have good technical justifications.

Oct 29 2016, 12:30 AM · OAuthServer, Bug Report

Oct 28 2016

wrl added a comment to T11794: OAuth Server Doesn't Handle Client ID and Secret in HTTP Basic Auth.

I've done some more digging as well and it appears that this issue arose in the Go library already: https://github.com/golang/oauth2/issues/111

Oct 28 2016, 11:33 PM · OAuthServer, Bug Report
epriestley added a comment to T11794: OAuth Server Doesn't Handle Client ID and Secret in HTTP Basic Auth.

Is "GitHub-specific OAuth" just normal OAuth with client_id / client_secret as parameters instead of in an "Authorization" header? The GitHub OAuth documentation seems to suggest passing these as parameters, too.

Oct 28 2016, 9:31 PM · OAuthServer, Bug Report
wrl added a comment to T11794: OAuth Server Doesn't Handle Client ID and Secret in HTTP Basic Auth.

It seems like section 2.3.1 is poorly worded. They talk about a "client password" but the example request only includes client_secret as a POST variable. In the case of the Golang OAuth2 module (which Concourse uses), it sets the basic auth username to the client ID and the password to the client secret (https://github.com/golang/oauth2/blob/master/internal/token.go#L164).

Oct 28 2016, 9:15 PM · OAuthServer, Bug Report
epriestley added a comment to T11794: OAuth Server Doesn't Handle Client ID and Secret in HTTP Basic Auth.

I don't think we have a "client password" in this case -- I believe that refers to a mode that no one uses for anything (well, maybe a mode that Concourse uses, I guess), where the flow is actually handling normal user passwords?

Oct 28 2016, 7:36 PM · OAuthServer, Bug Report
wrl added a revision to T11794: OAuth Server Doesn't Handle Client ID and Secret in HTTP Basic Auth: D16763: oauthserver: get client ID/secret from HTTP auth.
Oct 28 2016, 5:29 AM · OAuthServer, Bug Report
wrl created T11794: OAuth Server Doesn't Handle Client ID and Secret in HTTP Basic Auth.
Oct 28 2016, 5:22 AM · OAuthServer, Bug Report

Aug 22 2016

cgdd0039 added a comment to T2549: Support linking multiple external accounts from the same provider with one Phabricator account.
  • I deleted the @mierle account.
  • It's currently not possible to link a Phabricator account to more than one external account of a given type (where "type" is one of "Facebook", "Google", "GitHub", etc.). In hindsight this was an architectural mistake, but I didn't think about it at the time and left us with a mess to clean up. It will be resolved by {T1536}, which is a sort of umbrella task for remedying various missteps on the auth pathway. We've made some progress on that, but it will be at least a little while before it lands.
Aug 22 2016, 8:07 AM · Restricted Project, Restricted Project, LDAP, Auth, OAuthServer

Jul 4 2016

eadler moved T2549: Support linking multiple external accounts from the same provider with one Phabricator account from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Jul 4 2016, 9:19 PM · Restricted Project, Restricted Project, LDAP, Auth, OAuthServer

May 18 2016

bcooksley added a comment to T10975: Unable to edit applications in OAuth Server - edge table missing.

Thanks for the quick fix.
I realise now I was always trying to change the access policies....

May 18 2016, 6:51 AM · OAuthServer, Bug Report

May 17 2016

epriestley closed T10975: Unable to edit applications in OAuth Server - edge table missing as Resolved by committing rP875b86671566: Add missing "oauth_server_edge" tables.
May 17 2016, 3:50 PM · OAuthServer, Bug Report
epriestley claimed T10975: Unable to edit applications in OAuth Server - edge table missing.
May 17 2016, 1:51 PM · OAuthServer, Bug Report
epriestley added a revision to T10975: Unable to edit applications in OAuth Server - edge table missing: D15938: Add missing "oauth_server_edge" tables.
May 17 2016, 11:54 AM · OAuthServer, Bug Report
epriestley added a comment to T10975: Unable to edit applications in OAuth Server - edge table missing.

I can only reproduce this if (3) is changing "Visible To", exactly: i.e., same file policy scrambling issue as T10778. Should have the same fix.

May 17 2016, 11:48 AM · OAuthServer, Bug Report
eadler added a comment to T10975: Unable to edit applications in OAuth Server - edge table missing.

Ref T10778

May 17 2016, 10:42 AM · OAuthServer, Bug Report
bcooksley created T10975: Unable to edit applications in OAuth Server - edge table missing.
May 17 2016, 7:58 AM · OAuthServer, Bug Report

Apr 20 2016

cburroughs moved T2549: Support linking multiple external accounts from the same provider with one Phabricator account from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Apr 20 2016, 3:56 PM · Restricted Project, Restricted Project, LDAP, Auth, OAuthServer
cburroughs added a project to T2549: Support linking multiple external accounts from the same provider with one Phabricator account: Restricted Project.
Apr 20 2016, 3:40 PM · Restricted Project, Restricted Project, LDAP, Auth, OAuthServer

Apr 7 2016

eadler moved T2549: Support linking multiple external accounts from the same provider with one Phabricator account from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Apr 7 2016, 6:12 PM · Restricted Project, Restricted Project, LDAP, Auth, OAuthServer
eadler added a project to T2549: Support linking multiple external accounts from the same provider with one Phabricator account: Restricted Project.
Apr 7 2016, 6:11 PM · Restricted Project, Restricted Project, LDAP, Auth, OAuthServer

Apr 3 2016

epriestley merged task T5020: Phabricator as a login provider into T7303: Provide OAuth access to Conduit.
Apr 3 2016, 1:29 PM · OAuthServer
epriestley added a comment to T5020: Phabricator as a login provider.

I am going to merge this into T7303, which is a slightly narrower task describing OAuth access to Conduit.

Apr 3 2016, 1:29 PM · OAuthServer

Feb 25 2016

cburroughs added projects to T2549: Support linking multiple external accounts from the same provider with one Phabricator account: Auth, LDAP.
Feb 25 2016, 9:35 PM · Restricted Project, Restricted Project, LDAP, Auth, OAuthServer

Oct 24 2015

epriestley closed T6707: 'Attaching' two external accounts of the same type results in AphrontCountQueryException, a subtask of T2549: Support linking multiple external accounts from the same provider with one Phabricator account, as Resolved.
Oct 24 2015, 11:50 AM · Restricted Project, Restricted Project, LDAP, Auth, OAuthServer

Sep 5 2015

epriestley added a commit to T7173: Improve "you can not log in to this instance" workflow: Restricted Diffusion Commit.
Sep 5 2015, 12:45 PM · OAuthServer, Phacility

Sep 3 2015

epriestley added a comment to T7173: Improve "you can not log in to this instance" workflow.

That stuff will deploy on ~Saturday, new UX is roughly this:

Sep 3 2015, 5:09 PM · OAuthServer, Phacility
epriestley closed T7173: Improve "you can not log in to this instance" workflow as Resolved by committing Restricted Diffusion Commit.
Sep 3 2015, 5:06 PM · OAuthServer, Phacility
epriestley added a commit to T7173: Improve "you can not log in to this instance" workflow: rP9d0332c2c0a4: Modernize OAuthserver and provide more context on "no permission" exception.
Sep 3 2015, 5:05 PM · OAuthServer, Phacility
epriestley added a commit to T7173: Improve "you can not log in to this instance" workflow: rP1fc60a9a6e70: Modularize Aphront exception handling.
Sep 3 2015, 5:04 PM · OAuthServer, Phacility
epriestley added a commit to T7173: Improve "you can not log in to this instance" workflow: rP20ce1a905f3a: Replace AphrontUsageException with AphrontMalformedRequestException.
Sep 3 2015, 5:04 PM · OAuthServer, Phacility
epriestley added a revision to T7173: Improve "you can not log in to this instance" workflow: Restricted Differential Revision.
Sep 3 2015, 3:50 PM · OAuthServer, Phacility
epriestley added a revision to T7173: Improve "you can not log in to this instance" workflow: D14050: Modernize OAuthserver and provide more context on "no permission" exception.
Sep 3 2015, 3:47 PM · OAuthServer, Phacility
epriestley claimed T7173: Improve "you can not log in to this instance" workflow.
Sep 3 2015, 3:44 PM · OAuthServer, Phacility

Jul 23 2015

chad changed the visibility for T2549: Support linking multiple external accounts from the same provider with one Phabricator account.
Jul 23 2015, 4:41 AM · Restricted Project, Restricted Project, LDAP, Auth, OAuthServer

Apr 26 2015

epriestley closed T7497: "Create Application" should be greyed out if not allowed by policy as Resolved by committing rP3f77ad9368c7: "Create Application" button in OAuth Server application should be greyed out….
Apr 26 2015, 7:51 PM · OAuthServer
lpriestley added a revision to T7497: "Create Application" should be greyed out if not allowed by policy: D12560: "Create Application" button in OAuth Server application should be greyed out if user does not have correct capabilities..
Apr 26 2015, 7:46 PM · OAuthServer

Mar 21 2015

epriestley assigned T7497: "Create Application" should be greyed out if not allowed by policy to lpriestley.
Mar 21 2015, 11:56 AM · OAuthServer

Mar 7 2015

joshuaspence updated the task description for T7497: "Create Application" should be greyed out if not allowed by policy.
Mar 7 2015, 3:08 AM · OAuthServer
joshuaspence created T7497: "Create Application" should be greyed out if not allowed by policy.
Mar 7 2015, 2:53 AM · OAuthServer

Jan 15 2015

btrahan closed T6949: Hide OAuth server secrets behind "Show Secret" to defuse screenshot/over-the-shoulder leaks as Resolved by committing rP1cc81b1d0ae4: OAuthServer - hide client secret behind a "View Secret" action.
Jan 15 2015, 1:27 AM · Phacility, Security, OAuthServer

Jan 14 2015

btrahan added a revision to T6949: Hide OAuth server secrets behind "Show Secret" to defuse screenshot/over-the-shoulder leaks: D11401: OAuthServer - hide client secret behind a "View Secret" action.
Jan 14 2015, 10:51 PM · Phacility, Security, OAuthServer
btrahan closed T6955: Make PhabricatorOAuthServerClient implement PhabricatorDestructibleInterface as Resolved by committing rP4655b7e4da8e: OAuthServer - implement destructible interface on oauth server client objects.
Jan 14 2015, 12:17 AM · OAuthServer, Phacility
btrahan added a revision to T6955: Make PhabricatorOAuthServerClient implement PhabricatorDestructibleInterface: D11378: OAuthServer - implement destructible interface on oauth server client objects.
Jan 14 2015, 12:02 AM · OAuthServer, Phacility

Jan 13 2015

epriestley moved T6955: Make PhabricatorOAuthServerClient implement PhabricatorDestructibleInterface from Backlog to v0 Closed Beta on the Phacility board.
Jan 13 2015, 3:01 PM · OAuthServer, Phacility