On Thu, Dec 22, 2016 at 11:16 AM, Scott Koranda <skoranda@gmail.com> wrote:

First question: Is that form of the token, specifically having +\ at the end, correct and expected?

Yes. They were included years ago, I believe to help catch data corruption introduced by broken proxies.

If I then take that token and execute

$createAccountToken = $response['query']['tokens']['createaccounttoken'];

$oauth->fetch("https://myserver/w/api.php?action=createaccount&format=json&name=FooBar&email=foobar@gmail.com&realname=FooBar&mailpassword=false&reason=provisioning&language=en&token=$createAccountToken", null, OAUTH_HTTP_METHOD_PUT);

I receive

{"error":{"code":"createnotoken","info":"The token parameter must be set","*":"See https://myserver/w/api.php for API usage"}}

Second question: What am I doing wrong when invoking the createaccount action?

Two things:

1. The parameter is named "createtoken", not "token".

2. You're not urlencoding it.

I am following documentation at

https://www.mediawiki.org/wiki/API:Account_creation

but it is not clear to me which parts of that page may be deprecated and precisely how I should provision a new account.

I should update that page for AuthManager. In the mean time, account creation in 1.27 and later works much like action=clientlogin, as documented at https://www.mediawiki.org/wiki/API:Login#The_clientlogin_action. See also https://www.mediawiki.org/w/api.php?modules=createaccount for the auto-generated documentation.

Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation