The task about the generic and uninformative error message is T245477: OAuth server should provide clear and useful feedback about client errors.

@bd808 do you have a link to reading/docs on what you mean by "use as prefix" functionality?

juuuuust kidding @bd808 haha youre referring to callback_is_prefix option in OAuth extension?

In T264516#7276272, @nnikkhoui wrote:

juuuuust kidding @bd808 haha youre referring to callback_is_prefix option in OAuth extension?

Yes. I believe that is how it is stored in the database. The confusing part for users is that when you select "OAuth 2.0" as the OAuth protocol version on https://meta.wikimedia.org/wiki/Special:OAuthConsumerRegistration/propose the Allow consumer to specify a callback in requests and use "callback" URL above as a required prefix. checkbox on the page is neither hidden nor disabled and the form submission will succeed.

I believe this gives users, especially users who have used the callback prefix option with OAuth 1.0a, the incorrect impression that the callback can be changed at runtime as part of the grant authorization flow. I can at last freely admit that it confused me until I got errors that made very little sense and then read the source code to figure out what I was doing wrong with my client code.

@bd808 i tinkered with this a little, and I think the actual issue might be actually related to T297888. When I create an OAuth 2.0 client, the grant types are not being saved to the database (as is described in T297888) and I receive the same error you noted. However, when I hack around the UI to get the grant types to actually save to the database and then I supply a redirect uri that does not match that which i initially registered with, I do in fact get a specific error message with the attribute: hint: Invalid redirect URI.

In T264516#7614461, @nnikkhoui wrote:

I do in fact get a specific error message with the attribute: hint: Invalid redirect URI.

Getting a better error message is nice, but that doesn't really fix the documentation and implementation problem that [x] Allow consumer to specify a callback in requests and use "callback" URL above as a required prefix. is invalid configuration when the protocol is OAuth 2. The registering user has no idea that this is the case unless they have read this task or the source code. The option shows in the UI and is not addressed in the technical documentation.

I just checked again and looks like the checkbox was hidden after this ticket was created in this patch by @Tgr this past August.

Since it is not an option to ever set the redirect_uri at call time, can we just remove the row from the /oauth2/client row in the OAuth2 endpoints table?

I think we should have separate form pages for OAuth 1 / 2. This issue should be fixable by just hiding the checkbox & chaning the form labels a little, but it's hard to juggle that while the user can switch between the two protocols just by changing a dropdown.

Change 770607 had a related patch set uploaded (by TChin; author: TChin):

[mediawiki/extensions/OAuth@master] Split OAuth consumer registration form into two distinct forms for OAuth 1.0a and OAuth 2.0

https://gerrit.wikimedia.org/r/770607

Change 770607 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] Split OAuth consumer registration form into two distinct forms for OAuth 1.0a and OAuth 2.0

https://gerrit.wikimedia.org/r/770607