Page MenuHomePhabricator
Create Task
Maniphest T107605

Support two-factor authentication on CentralAuth wikis
Closed, ResolvedPublic
Actions

Description

Currently, 2FA via OATHAuth is not compatible with CentralAuth's SSO. A user would have to enable 2FA on every SUL wiki individually (and setup 2FA on any future wikis the WMF deploys as soon as it's deployed), with a different secret, and login using the correct wiki's secret. Otherwise, an attacker can login using just a password on a SUL wiki where 2FA isn't enabled for the account, and CentralAuth will auto-login the user on any other wiki.

Details

SubjectRepoBranchLines +/-
Enable Ex:OATH on CentralAuth wikis, limited rightsoperations/mediawiki-configmaster+4 -3
Enable Ex:OATHAuth on test wikis, disabled for all usersoperations/mediawiki-configmaster+15 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

csteipp created this task.Jul 31 2015, 5:33 PM
csteipp raised the priority of this task from to High.
csteipp updated the task description. (Show Details)
csteipp added projects: Security-Team, MediaWiki-extensions-CentralAuth.
csteipp subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 31 2015, 5:33 PM
Legoktm renamed this task from Support two-factor authentication on WMF SUL wikis to Support two-factor authentication on CentralAuth wikis.Jul 31 2015, 7:24 PM
Legoktm set Security to None.
Legoktm subscribed.Jul 31 2015, 11:00 PM

Should this be blocked on the AuthManager re-write?

csteipp added a subtask: T89459: Modernize MediaWiki authentication system (AuthManager).Aug 1 2015, 12:03 AM
Ricordisamoa subscribed.Aug 2 2015, 4:05 AM
Tgr mentioned this in T89459: Modernize MediaWiki authentication system (AuthManager).Aug 26 2015, 4:37 AM
Krenair subscribed.Aug 26 2015, 1:11 PM
Tgr added a subtask: T110457: Update OATHAuth to use AuthManager.Aug 27 2015, 2:25 AM
Tgr reopened subtask T89459: Modernize MediaWiki authentication system (AuthManager) as Open.Aug 27 2015, 7:08 AM
Samwalton9-WMF subscribed.Nov 4 2015, 11:14 AM

Just a note that an RfC this year resulted in supported for 2FA on the English Wikipedia; https://en.wikipedia.org/wiki/Wikipedia:Village_pump_(proposals)/Archive_123#RfC:_Proposal_to_add_optional_multi-factor_authentication_to_the_English_Wikipedia

Kharkiv07 subscribed.Nov 4 2015, 6:58 PM
csteipp added a comment.Nov 4 2015, 7:46 PM

Thanks @Samwalton9, I hand't seen that.

Right now, the extensions that handles 2FA on wiki (OATHAuth) only applies the setting on a single wiki, but SUL allows a user account to login on any wiki and then be logged in across projects. So we're not able to do this currently, unless a developer wants to make OAUTHAuth CentralAuth-aware.

KTC subscribed.Nov 4 2015, 8:18 PM
Reedy awarded a token.Nov 12 2015, 10:16 PM
Reedy mentioned this in T118513: Setup OATHAuth on non-CentralAuth wikis.Nov 12 2015, 10:23 PM
Jdforrester-WMF subscribed.Nov 12 2015, 11:16 PM
Yanpas subscribed.Dec 26 2015, 9:50 AM
MGChecker subscribed.Jan 16 2016, 10:19 PM
Restricted Application added a subscriber: Luke081515. · View Herald TranscriptJan 16 2016, 10:19 PM
csteipp assigned this task to dpatrick.Feb 11 2016, 10:48 PM
dpatrick moved this task from Incoming to In Progress on the Security-Team board.Feb 11 2016, 11:23 PM
zhuyifei1999 subscribed.Mar 12 2016, 11:23 AM
csteipp added a subscriber: Andrew.Mar 16 2016, 3:24 PM

@Andrew - We're planning to merge a bunch of OATH patches this week, one which requires a maintenance script to be run on labswiki (updating the scratch token storage format). Is there a good time to schedule that with you?

Glaisher subscribed.Mar 16 2016, 3:27 PM
Andrew added a comment.Mar 16 2016, 4:03 PM

@csteipp, any deployer should have the rights to run the script, so finding someone to run it should be easy. I don't much care when you do it, although I typically schedule wikitech maintenance well away from any other maintenance or deployment windows since people are generally looking at wikitech docs while deploying.

csteipp created subtask T130700: Create central OATHAuth table for CentralAuth wikis.Mar 23 2016, 5:24 AM
csteipp added a comment.Mar 23 2016, 9:40 PM

@Andrew, I probably should have given you more warning, but I've got this deployment schedule in about 30 mins. If anything looks odd, I'll revert. But like I said, there's very little chance of this affecting users.

csteipp added a subtask: T100376: Add user right for enabling two-factor authentication.Mar 24 2016, 5:41 PM
csteipp added a subtask: T100374: Allow for using separate database for OATH credentials (for CentralAuth compatibility).
csteipp added a subtask: T55195: OATH token input should be on a separate page.
csteipp moved this task from In Progress to Epics in progress on the Security-Team board.Mar 24 2016, 6:18 PM
MZMcBride subscribed.Apr 2 2016, 4:26 PM
csteipp closed subtask T55195: OATH token input should be on a separate page as Resolved.Apr 7 2016, 12:08 AM
csteipp closed subtask T100376: Add user right for enabling two-factor authentication as Resolved.
csteipp added a subtask: T131420: Install Ex:OATH to beta.Apr 14 2016, 9:56 PM
csteipp closed subtask T100374: Allow for using separate database for OATH credentials (for CentralAuth compatibility) as Resolved.
gerritbot subscribed.May 18 2016, 6:06 PM

Change 289486 had a related patch set uploaded (by CSteipp):
Enable Ex:OATHAuth on test wikis, disabled for all users

https://gerrit.wikimedia.org/r/289486

gerritbot added a project: Patch-For-Review.May 18 2016, 6:06 PM
csteipp closed subtask T130700: Create central OATHAuth table for CentralAuth wikis as Resolved.May 18 2016, 6:14 PM
gerritbot added a comment.May 18 2016, 6:32 PM

Change 289486 merged by jenkins-bot:
Enable Ex:OATHAuth on test wikis, disabled for all users

https://gerrit.wikimedia.org/r/289486

csteipp added a comment.May 18 2016, 6:58 PM

OATH has been rolled out to testwiki and test2wiki. Everything seems to be working as expected. Assuming no issues come up, I'll make it available on all wikis (to Staff global group only) tomorrow in SWAT.

gerritbot added a comment.May 23 2016, 5:29 PM

Change 290271 had a related patch set uploaded (by CSteipp):
Enable Ex:OATH on CentralAuth wikis, limited rights

https://gerrit.wikimedia.org/r/290271

gerritbot added a comment.May 25 2016, 5:11 PM

Change 290271 merged by jenkins-bot:
Enable Ex:OATH on CentralAuth wikis, limited rights

https://gerrit.wikimedia.org/r/290271

Ajraddatz subscribed.May 25 2016, 5:45 PM
Anomie closed subtask T110457: Update OATHAuth to use AuthManager as Resolved.May 31 2016, 8:07 PM
Anomie mentioned this in T130340: [Reading Infrastructure 2015-16 Q4] Enable two-factor authentication via AuthManager on the Wikimedia cluster.Jun 16 2016, 4:59 PM
dpatrick closed this task as Resolved.Jul 12 2016, 3:02 AM
dpatrick removed a subtask: T89459: Modernize MediaWiki authentication system (AuthManager).

This was officially resolved as of the date that AuthManager was enabled on public wikis.

zhuyifei1999 added a comment.Jul 12 2016, 12:33 PM
In T107605#2451137, @dpatrick wrote:

This was officially resolved as of the date that AuthManager was enabled on public wikis.

What's the ETA for 2FA available for eg. admins on public wikis?

MGChecker removed a project: Patch-For-Review.Jul 22 2016, 11:29 AM
Ladsgroup subscribed.Aug 21 2016, 12:37 PM
In T107605#2452408, @zhuyifei1999 wrote:
In T107605#2451137, @dpatrick wrote:

This was officially resolved as of the date that AuthManager was enabled on public wikis.

What's the ETA for 2FA available for eg. admins on public wikis?

Seconding to this comment. It would be great for checkusers, oversights and other people with non-public-data access.

Fae subscribed.Nov 12 2016, 12:43 PM
He7d3r subscribed.Nov 15 2016, 1:53 PM
MarcoAurelio moved this task from Backlog to Done on the MediaWiki-extensions-CentralAuth board.Dec 15 2016, 4:20 PM
Aklapper mentioned this in T163036: Problem of login.Apr 16 2017, 11:55 AM
Rameshti subscribed.Apr 16 2017, 1:27 PM

When I login my wiki account, I fill my user name and password. then I sowing this massage.- " Please enter a verification code from your authentication device

Token

Continue login"
I don't know what's token so I can't login wiki account. Please help me.

Aklapper added a comment.Apr 16 2017, 6:44 PM

@Rameshti: This task is about making the software allow two-factor authentication. This task is resolved as the software can do this now.
This task is not a general support forum for problems with specific wiki accounts. Please see T163036 instead. Thanks for your understanding!

sbassett moved this task from Epics in progress to Our Part Is Done on the Security-Team board.Jun 11 2019, 6:10 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL