
Document best practices for user login if user is using 2FA
Open, Low, Public

Description

It came up in T255344: Openrefine: problems logging in and has come up in T150582: Support two-factor authentication in AutoWikiBrowser...

We should document the best practices of user login for different types of applications and login flows, when a user is using 2FA on their account.

In some cases, OAuth can be used, but for cases where the code is open source and distributed in apps, we can't keep secrets secret. Owner-only OAuth apps may work, but have a higher barrier to entry.

BotPasswords generally work as a catch-all solution.

The API action=clientlogin does support taking OATHToken as a parameter (used by the Mobile Apps at least), but should we be encouraging this pattern? In open source applications it's a bit saner, but what about non-open-source apps?

... I'm not sure it is worth the effort, nor that it is good security practice to train users to put their password and 2FA into random desktop apps they have downloaded from the internet.

Some example cases:
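To make the clientlogin pattern mentioned in the description concrete, here is an added example (not part of this task or of MediaWiki's own code) showing the two round trips a client makes when the account has 2FA enabled, and how a client that chooses not to collect 2FA codes can detect the TOTP step and stop there. The HTTP layer is abstracted behind a `post` callable and the `fake_api` server stand-in is constructed so the flow runs offline; `NEEDS_2FA` is an assumed marker value, not an API status.

```python
"""action=clientlogin against an account with OATHAuth TOTP enabled.

Real flow: fetch a login token (action=query&meta=tokens&type=login), POST the
credentials, and if the server answers status "UI" with a
TOTPAuthenticationRequest, POST again with logincontinue=1 and OATHToken.
"""
from typing import Any, Callable, Dict, Optional

API_URL = "https://meta.wikimedia.org/w/api.php"  # any MediaWiki endpoint


def needs_totp(response: Dict[str, Any]) -> bool:
    """True if clientlogin paused waiting for an OATHToken (the 2FA step)."""
    cl = response.get("clientlogin", {})
    if cl.get("status") != "UI":
        return False
    return any("OATHToken" in req.get("fields", {}) for req in cl.get("requests", []))


def client_login(post: Callable[[Dict[str, str]], Dict[str, Any]], login_token: str,
                 username: str, password: str,
                 totp_prompt: Optional[Callable[[], str]] = None) -> str:
    """Run the clientlogin flow and return the final status ("PASS", "FAIL", ...).

    `post` sends a form to API_URL and returns the decoded JSON. When
    `totp_prompt` is None the client does not collect 2FA codes at all and
    returns the assumed marker "NEEDS_2FA" so the caller can direct the user
    to a BotPassword or an OAuth grant instead.
    """
    first = post({"action": "clientlogin", "format": "json", "username": username,
                  "password": password, "logintoken": login_token,
                  "loginreturnurl": "http://localhost/"})
    if not needs_totp(first):
        return first["clientlogin"]["status"]
    if totp_prompt is None:
        return "NEEDS_2FA"
    second = post({"action": "clientlogin", "format": "json", "logincontinue": "1",
                   "logintoken": login_token, "OATHToken": totp_prompt()})
    return second["clientlogin"]["status"]


def fake_api(expected_totp: str = "123456") -> Callable[[Dict[str, str]], Dict[str, Any]]:
    """Constructed stand-in for a wiki where the account has TOTP enabled."""
    def post(form: Dict[str, str]) -> Dict[str, Any]:
        if form.get("logincontinue"):
            ok = form.get("OATHToken") == expected_totp
            return {"clientlogin": {"status": "PASS" if ok else "FAIL"}}
        return {"clientlogin": {"status": "UI", "requests": [
            {"id": "TOTPAuthenticationRequest",
             "fields": {"OATHToken": {"type": "string"}}}]}}
    return post
```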

Event Timeline

Shouldn't OAuth 2 be usable for mobile apps / desktop tools as long as they are able to open a URL in the browser and to intercept certain return URL types? (And for pure-JS apps, too.)

Probably. Examples and description aren't exhaustive :)

Tagging CPT as they're the ones maintaining/authoring OAuth improvements, and had the WebAuthn extension developed etc.

Seems in the purview, along with API Gateway stuff too; this sort of documentation will be useful for those developers.

@apaskulin This seems like some of the content we'll be covering in the Portal. I don't think the fallback to Action API mechanisms is the right way for us to go, but we should have information on how to use OAuth with Open Source and non-confidential clients.

We think this might be OATHAuth-related, so tagging it in here too.

As API Gateway is nowadays owned by serviceops, adding the serviceops project tag to open API Gateway tasks tagged with the deprecated/archived "Platform Team Initiatives (API Gateway)" tag at https://phabricator.wikimedia.org/project/profile/4321/, as part of Phabricator Housekeeping.