Hi all, I'm trying to create an OAuth 2.0 consumer, for use only by my account, but Wikibase reports the following error:
*Notice*: Key file "file://" permissions are not correct, recommend changing to 600 or 660 instead of 755 in */var/www/html/vendor/league/oauth2-server/src/CryptKey.php* on line *59*
[487866b8566d2c885048b46b] 2025-08-26 00:02:52: Fatal exception of type "Lcobucci\JWT\Signer\Key\FileCouldNotBeRead"
Seeing this error for an existing file would be one thing, but seeing it for "file://" makes me wonder if there is additional configuration I need to do. I've attached the screenshot of the configuration options I chose for the API consumer. My goal is to create an authentication method that is simpler to implement for my scripts than the full OAuth 2.0 token negotiation, which is causing its own set of errors, namely:
{ "error": "rest-write-denied", "httpCode": 403, "httpReason": "Forbidden" }
despite having this in LocalSettings.php
$wgGroupPermissions['*']['writeapi'] = true;
Is anyone successfully using OAuth 2.0 on WBS Deploy? I'd appreciate any insight you may have, or the steps you took to set your instance up.
Michael Lindsey
Law Library
UC Berkeley
Hello again Wikibase friends,
I seem to be narrowing down our OAuth 2.0 problem. As noted a few days ago, our Wikibase Deploy instance fails to create a "Client Credentials" grant type, i.e. by checking the box for "This consumer is for use only by..." The error reported shows that the key file is invalid.
Creating an "Authorization Code" grant type succeeds, but when I attempt to use it, the server responds with an error:
"The authorization server encountered an unexpected condition which prevented it from fulfilling the request: The path "" does not contain a valid key file"
This too seems to indicate an unset value for the public/private keys on the wikibase. I'm adding this as an issue in Suite Deploy and will chime in again if I get resolution.
Michael
On Mon, Aug 25, 2025 at 5:17 PM Michael Lindsey mlindsey@berkeley.edu wrote:
Hi all, I'm trying to create an OAuth 2.0 consumer, for use only by my account, but Wikibase reports the following error:
*Notice*: Key file "file://" permissions are not correct, recommend changing to 600 or 660 instead of 755 in */var/www/html/vendor/league/oauth2-server/src/CryptKey.php* on line *59*
[487866b8566d2c885048b46b] 2025-08-26 00:02:52: Fatal exception of type "Lcobucci\JWT\Signer\Key\FileCouldNotBeRead"
Seeing this error for an existing file would be one thing, but seeing it for "file://" makes me wonder if there is additional configuration I need to do. I've attached the screenshot of the configuration options I chose for the API consumer. My goal is to create an authentication method that is simpler to implement for my scripts than the full OAuth 2.0 token negotiation, which is causing its own set of errors, namely:
{ "error": "rest-write-denied", "httpCode": 403, "httpReason": "Forbidden" }
despite having this in LocalSettings.php
$wgGroupPermissions['*']['writeapi'] = true;
Is anyone successfully using OAuth 2.0 on WBS Deploy? I'd appreciate any insight you may have, or the steps you took to set your instance up.
Michael Lindsey
Law Library
UC Berkeley
Crosslinking to the filed issue @ https://github.com/wmde/wikibase-release-pipeline/issues/894
On Wed, 27 Aug 2025 at 18:43, Michael Lindsey via Wikibase Community User Group wikibaseug@lists.wikimedia.org wrote:
Hello again Wikibase friends,
I seem to be narrowing down our OAuth 2.0 problem. As noted a few days ago, our Wikibase Deploy instance fails to create a "Client Credentials" grant type, i.e. by checking the box for "This consumer is for use only by..." The error reported shows that the key file is invalid.
Creating an "Authorization Code" grant type succeeds, but when I attempt to use it, the server responds with an error:
"The authorization server encountered an unexpected condition which prevented it from fulfilling the request: The path "" does not contain a valid key file"
This too seems to indicate an unset value for the public/private keys on the wikibase. I'm adding this as an issue in Suite Deploy and will chime in again if I get resolution.
Michael
Wikibase Community User Group mailing list -- wikibaseug@lists.wikimedia.org To unsubscribe send an email to wikibaseug-leave@lists.wikimedia.org
I asked on Telegram and Deepesha at WMDE got back to us with this from the team, not sure if it helps but here is what was suggested:
____
We follow this method for QuickStatements:
https://github.com/wmde/wikibase-release-pipeline/blob/af60b0d87b158feece835...
They need to be sure to set --oauthVersion <OAUTHVERSION>: OAuth version (1 or 2, default 1) option and probably others
I hope this gives you some sort of lead, please also let me know if I can help with further details
____
-- Laurence 'GreenReaper' Parry
________________________________
From: Michael Lindsey via Wikibase Community User Group wikibaseug@lists.wikimedia.org
Sent: Wednesday, August 27, 2025 6:43:57 pm
To: Wikibase Community User Group wikibaseug@lists.wikimedia.org
Cc: Michael Lindsey mlindsey@berkeley.edu
Subject: [Wikibase] Re: WBS Deploy: OAuth 2.0
Hello again Wikibase friends,
I seem to be narrowing down our OAuth 2.0 problem. As noted a few days ago, our Wikibase Deploy instance fails to create a "Client Credentials" grant type, i.e. by checking the box for "This consumer is for use only by..." The error reported shows that the key file is invalid.
Creating an "Authorization Code" grant type succeeds, but when I attempt to use it, the server responds with an error:
"The authorization server encountered an unexpected condition which prevented it from fulfilling the request: The path "" does not contain a valid key file"
This too seems to indicate an unset value for the public/private keys on the wikibase. I'm adding this as an issue in Suite Deploy and will chime in again if I get resolution.
Michael
Hi all, and thank you Laurence,
I am linking here to the github issue where the conversation continues.
https://github.com/wmde/wikibase-release-pipeline/issues/894#issuecomment-32...
To my eye, it appears that $wgOAuth2PublicKey and $wgOAuth2PrivateKey are not set on my instance, and that is why creating the OAuth 2.0 client fails. In our case, OAuth 1.0a is a workaround, but I would be interested to see this 2.0 issue through while it's still fresh in my mind.
Michael
On Thu, Aug 28, 2025 at 8:22 AM Laurence Parry greenreaper@hotmail.com wrote:
I asked on Telegram and Deepesha at WMDE got back to us with this from the team, not sure if it helps but here is what was suggested:
____
We follow this method for QuickStatements:
https://github.com/wmde/wikibase-release-pipeline/blob/af60b0d87b158feece835...
They need to be sure to set --oauthVersion <OAUTHVERSION>: OAuth version (1 or 2, default 1) option and probably others
I hope this gives you some sort of lead, please also let me know if I can help with further details
____
-- Laurence 'GreenReaper' Parry
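A way to check a key path for the three conditions the quoted errors point at (an empty path, an unreadable file, permissions other than 600 or 660) and to create a key pair for `$wgOAuth2PrivateKey` and `$wgOAuth2PublicKey`. This is an added example, not part of any message in the thread or of WBS Deploy; the key directory and the file names `oauth-private.key` and `oauth-public.key` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Directory and file names are assumptions.

# Create an RSA key pair readable only by its owner (mode 600).
# Run as the user PHP runs as, so that user owns the files.
make_oauth2_keys() {
    dir=$1
    mkdir -p "$dir" || return 1
    (
        umask 077
        openssl genrsa -out "$dir/oauth-private.key" 2048 2>/dev/null &&
        openssl rsa -in "$dir/oauth-private.key" -pubout \
            -out "$dir/oauth-public.key" 2>/dev/null
    ) || return 1
    chmod 600 "$dir/oauth-private.key" "$dir/oauth-public.key"
}

# Classify a key path by the failure modes seen in the thread's errors:
# empty path, missing/unreadable file, mode other than 600 or 660.
check_key() {
    path=$1
    if [ -z "$path" ]; then echo "unset"; return 1; fi
    if [ ! -f "$path" ] || [ ! -r "$path" ]; then echo "unreadable"; return 1; fi
    # GNU stat first, BSD stat as fallback
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    case $mode in
        600|660) ;;
        *) echo "mode-$mode"; return 1 ;;
    esac
    if ! grep -q -- '-----BEGIN' "$path"; then echo "not-pem"; return 1; fi
    echo "ok"
}

# Print the two LocalSettings.php lines that point MediaWiki at the keys.
print_localsettings() {
    printf "\$wgOAuth2PrivateKey = '%s';\n" "$1/oauth-private.key"
    printf "\$wgOAuth2PublicKey = '%s';\n" "$1/oauth-public.key"
}

# Usage: sh oauth2-keys.sh --init /path/to/keydir
if [ "${1:-}" = "--init" ] && [ -n "${2:-}" ]; then
    make_oauth2_keys "$2" && check_key "$2/oauth-private.key" &&
        check_key "$2/oauth-public.key" && print_localsettings "$2"
fi
```

In a containerised deployment the key directory has to be mounted at the same path inside the container that serves MediaWiki, since that is where the paths in LocalSettings.php are resolved.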