The https://github.com/thephpleague/oauth2-server library backing the OAuth2 support in Extension:OAuth follows a strict interpretation of the OAuth2 specification which only supports exact matches of the redirect_uri parameter to the callback value given in the consumer registration.
Neither the documentation at https://www.mediawiki.org/wiki/OAuth/For_Developers#Registration nor the user interface provided by Special:OAuthConsumerRegistration/propose explains this difference between the OAuth 1.0a and the OAuth 2.0 implementations.
The OAuth 2.0 validation behavior is explained pretty well at https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uri-registration/, but I don't think we should assume that everyone can finally track that down to figure out why they keep getting the content-free "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)" error message if they assumed that the "use as prefix" functionality actually works with OAuth 2.0.
Arguably there is a software bug here as well in the generic error message. I probably would have figured out the issue faster if a distinct error response was given explaining that the problem was a redirect_uri mismatch.
Acceptance Criteria
- Update documentation
- Update error message
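
The matching difference described in this task, as an added illustration that is not code from league/oauth2-server or Extension:OAuth. The function name, the simplified prefix check, the error wording and the URLs are all assumptions made for the example (requires PHP 8.0 or later for str_starts_with).

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of league/oauth2-server or Extension:OAuth.
// $prefixMode = true  models a simplified "use as prefix" check.
// $prefixMode = false models the exact-match rule applied to OAuth 2.0.
function checkRedirectUri(string $registered, string $requested, bool $prefixMode): array
{
    $ok = $prefixMode
        ? str_starts_with($requested, $registered)
        : $requested === $registered;

    if ($ok) {
        return ['ok' => true, 'error' => null];
    }

    // A distinct error that names the failing parameter, instead of a
    // generic "Client authentication failed" response.
    return [
        'ok' => false,
        'error' => sprintf(
            'redirect_uri mismatch: got "%s", registered callback is "%s" (%s match required)',
            $requested,
            $registered,
            $prefixMode ? 'prefix' : 'exact'
        ),
    ];
}

// Constructed sample values: one registered callback, three requested URIs.
$registered = 'https://tool.example.org/';
$requests = [
    'https://tool.example.org/',
    'https://tool.example.org/oauth/callback',
    'https://tool.example.org/?next=home',
];

foreach ($requests as $requested) {
    foreach ([true, false] as $prefixMode) {
        $result = checkRedirectUri($registered, $requested, $prefixMode);
        printf(
            "%-6s %-42s %s\n",
            $prefixMode ? 'prefix' : 'exact',
            $requested,
            $result['ok'] ? 'accepted' : $result['error']
        );
    }
}
```

Only the first requested URI is accepted in exact mode; a consumer registered with a prefix-style callback has to register the full callback URL it actually sends as redirect_uri.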