Page MenuHomePhabricator
Create Task
Maniphest T248339

Decide how to deal with WebAuthn login/registration flow on Wikimedia wikis in future
Open, Needs TriagePublic
Actions

Description

Creating this due to T244088: Logging in at another wiki than WebAuth was set up fails

Basically, as is, if you enable WebAuthn on enwiki, you can't login to dewiki using the same WebAuthn credentials...

In T244088#5875266, @ItSpiderman wrote:

The patch above will let you manually configure the relying party name and id (domain). It can be set to the root part of the domain, to make WebAuthn work for multiple sub-domains, while without it, it can be used on one specific subdomain only. So, it does add some functionality, but still not as much as you would need.

Also, beware, that all single-domain-specific keys (all keys that are registered so far), cannot be used anymore if configuration related to the RP is changed. This would require all users to re-register their keys.

This may help with *.wikipedia.org, but it doesn't help with *.wikimedia.org etc. This has been merged

We need to come up with a long term plan on how to deal with this (which is probably like doing a redirect/similar to loginwiki (or meta? or ??); or some other sort of login portal (ala how google do it)) for WebAuthn.

The likes of fishbowl and private wikis are fine, wikitech will become a problem when we make it a CA wiki later, but we can cross that bridge later.

In the meantime, we should probably look at adding to the WebAuthn messages to notify people of this, and that they need to login where they enabled it to take advantage of this, pending a longer term solution

This is a UX problem, and as such, is yet another blocker to wider rollout of 2FA for the general population

Related Objects
Search...

Event Timeline

Reedy created this task.Mar 23 2020, 6:29 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 23 2020, 6:29 PM
Reedy renamed this task from Decide how to deal with WebAuthn on Wikimedia wikis in future to Decide how to deal with WebAuthn login/registration flow on Wikimedia wikis in future.Mar 23 2020, 6:30 PM
Reedy added a subtask: T244088: Logging in at another wiki than WebAuth was set up fails.
Reedy added a subscriber: Osnard.
Anomie subscribed.Mar 24 2020, 1:52 PM

which is probably like doing a redirect/similar to loginwiki (or meta? or ??)

At the AuthManager level that would involve returning a REDIRECT AuthenticationResponse pointing to some page on loginwiki (or wherever, but loginwiki seems most sensible to me). The page redirected to should eventually return back to the ->returnToUrl that was on the AuthenticationRequest that resulted in the REDIRECT response.

Anomie moved this task from Inbox to Triage Meeting Inbox on the Platform Engineering board.Mar 24 2020, 1:52 PM
Reedy moved this task from Incoming to Watching on the Security-Team board.Mar 24 2020, 3:23 PM
Reedy added a project: SecTeam Discussion.
Anomie removed a project: MediaWiki-extensions-CentralAuth.Mar 24 2020, 3:35 PM
Anomie moved this task from Triage Meeting Inbox to Tracking/Watching on the Platform Engineering board.Mar 24 2020, 8:06 PM
Reedy mentioned this in T248878: [SPIKE] Investigate potential move to Webauthn support.Mar 30 2020, 4:37 PM
Reedy removed a subtask: T244088: Logging in at another wiki than WebAuth was set up fails.Apr 11 2020, 6:59 PM
Reedy added a parent task: T244088: Logging in at another wiki than WebAuth was set up fails.
Reedy updated the task description. (Show Details)Apr 11 2020, 7:07 PM
Reedy mentioned this in T244088: Logging in at another wiki than WebAuth was set up fails.Apr 11 2020, 7:20 PM
Reedy closed subtask T248367: Update messages to notify WebAuthn users that they need to login on the same wiki they registered as Resolved.Apr 19 2020, 9:46 PM
Charlotte mentioned this in T230043: Add WebAuthn support to Mobile apps.May 1 2020, 3:35 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:01 PM
taavi subscribed.Jan 24 2021, 9:00 PM
Legoktm mentioned this in T226797: CentralAuth login session and auto-login no longer work across wikis in Safari and Firefox.Mar 4 2021, 12:04 AM
AntiCompositeNumber subscribed.Sep 15 2021, 11:49 PM
Reedy moved this task from Backlog to User Experience on the MediaWiki-extensions-OATHAuth board.Feb 17 2022, 3:35 PM
Tgr mentioned this in T345249: Mitigate phase-out of third-party cookies in CentralAuth.Oct 7 2023, 6:58 PM
Tgr mentioned this in T348388: Use central login wiki for login (SUL3).Oct 7 2023, 11:39 PM
Tgr subscribed.Jan 9 2024, 11:09 PM

I expect this will be solved by T348388: Use central login wiki for login (SUL3) (which is supposed to happen this year). Which presents a problem of its own: T354701: Enable migration of WebAuthn credentials to loginwiki

Reedy moved this task from User Experience to External on the MediaWiki-extensions-OATHAuth board.Jan 13 2024, 1:48 AM
alistair3149 subscribed.Feb 25 2024, 6:34 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits