
Support OAuth for login onto gerrit.wikimedia.org
Status: Open (Stalled) · Priority: Lowest · Visibility: Public

Description

Apologies if this has been asked already elsewhere. I could not find it.

To allow easy login on gerrit, please allow log-in via OAuth as we do on this Phabricator instance.

Thank you.

Event Timeline

Restricted Application added a subscriber: Aklapper. Oct 11 2016, 5:12 PM

gerrit-oauth-provider exists in the wild, but I don't know the LDAP implications and whether it makes sense to investigate with Differential being the long-term goal...

I thought about Differential. However, my impression is that a total migration will still take some time. In the meantime, maybe we can benefit from it. Thanks.

I'm not sure it's worth the work, we don't really need non-technical users in gerrit do we?

I'd say that we don't, due to the nature of gerrit. I recognize that it's mainly because of laziness that I'm asking for this, so I don't have to type a password so many times to log in to Wikimedia, to Phabricator, to Gerrit and to Wikitech. If most of the active gerrit regulars won't find it useful, I'm willing to drop the request. I'm however sorry not to have found a more appropriate place to discuss and propose this.

@bd808 has plans for eventually merging LDAP with SUL, I think.

> @bd808 has plans for eventually merging LDAP with SUL, I think.

There isn't a full plan with a timeline yet, but yes, I'm starting work towards associating LDAP and normal Wikimedia unified accounts. When we get this fully done then it may be possible to find a way to use Wikimedia OAuth with gerrit.

I don't think this will work; I believe gerrit only supports one login system at a time, unlike MediaWiki, which can support a lot. But I'm guessing here.

demon triaged this task as Lowest priority. Nov 15 2016, 6:13 PM
demon added a subscriber: demon.

> I don't think this will work; I believe gerrit only supports one login system at a time, unlike MediaWiki, which can support a lot. But I'm guessing here.

Yes, gerrit supports one login method at a time. Converting to OAuth would involve removing LDAP. Not impossible, but there will be migration costs.

> @bd808 has plans for eventually merging LDAP with SUL, I think.

> There isn't a full plan with a timeline yet, but yes, I'm starting work towards associating LDAP and normal Wikimedia unified accounts. When we get this fully done then it may be possible to find a way to use Wikimedia OAuth with gerrit.

Yeah, I think that's gotta happen first if we want this to work sanely. Adjusting priority appropriately.

demon moved this task from Bugs & stuff to Local hacks on the Gerrit board. Jan 6 2017, 4:36 AM
demon changed the task status from Open to Stalled. Feb 5 2018, 11:12 PM
demon closed this task as Declined. Feb 5 2018, 11:36 PM

Actually, nvm, LDAP is our standard.

Tgr added a comment. Feb 6 2018, 8:14 PM

It's not a very good standard though (e.g. the registration experience we provide is pretty bad) and probably contributes to our dwindling volunteer numbers. Plus, having passwords is always an annoyance and a slight security risk (no keylogger can steal an OAuth login button). There would be merit in using a more sensible login method IMO. Of course, it would depend on having some way to assign LDAP groups to external accounts (hence, wikitech SUL migration probably).

demon reopened this task as Stalled. Feb 6 2018, 11:28 PM

That's totally a route to go too. OAuthing services that currently are behind LDAP would be awesome. But I figure it's better to be consistent with other LDAP-backed services than go it alone.

Most of the existing setups use Apache's mod_auth_ldap or whatever. I've seen some work on a mod_auth_openidc, I don't know if there are other options.

I'm going to reopen this as stalled.

Tgr added a comment. Feb 6 2018, 11:46 PM

Could probably use mod_authnz_fcgi with something like mediawiki/oauthclient? Anyway this is blocked on having some connection between LDAP and SUL (so T148048: Store Wikimedia unified account name (SUL) in LDAP directory I guess?).

demon added a comment. Feb 7 2018, 12:07 AM

Would suck to have to install PHP just for that but I get your point: can do it indirectly via authnz_fcgi or similar.

Tgr added a comment. Feb 7 2018, 12:34 AM

I think authnz_fcgi allows the CGI script to be hosted remotely so it could be centralized (and then use something like mod_session to remember the user).

Sorry for the off-topic. Maybe we should move towards using 2FA for gerrit instead, and require it for people with +2 access on mediawiki as well as those on ldap/{wmf,ops}, operations/puppet, Gerrit Administrators, Gerrit Managers, and other sensitive places/groups. @Paladox Does Gerrit support 2FA?

Gerrit doesn't support 2FA as far as I know.

> Does Gerrit support 2FA?

Currently the two-factor protection for Wikimedia developer accounts must be handled by the Wikitech MediaWiki deployment. The Time-based One Time Password (TOTP) second factor we use must always be checked with access to state information about other attempts to use the token. This is a protection against replay attacks: Alice provides TOTP token to Service A, Mallory intercepts TOTP token in transit between Alice and Service A, Mallory provides TOTP token + credentials for Alice to Service B before the token expires. We protect against this by recording (user, TOTP token) pairs and checking to ensure that the same TOTP token has not been used previously. The best way to start enforcing 2FA protection across multiple applications using Wikimedia developer accounts (LDAP) would be to implement a true single sign-on (SSO) service like Kerberos or SAML. See also T179463: Create a single application to provision and manage developer (LDAP) accounts.
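The replay guard described in the comment above, as an added example that is not Wikimedia's, Wikitech's or Gerrit's code: a minimal RFC 6238 TOTP check backed by a shared (user, code) store, so a code consumed at one service is refused at any other service consulting the same store. The user names and the shared secret are constructed test values.

```python
import hmac
import hashlib
import struct


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class ReplayGuardedVerifier:
    """Verifies a TOTP code and never accepts the same (user, code) pair twice.

    `used` is the shared state the comment calls for: every application that
    accepts the second factor must consult the same store, otherwise a code
    captured at Service A stays valid at Service B until the step expires.
    """

    def __init__(self, secrets: dict, step: int = 30, window: int = 1):
        self.secrets = secrets        # user -> shared secret (constructed values)
        self.step = step
        self.window = window          # tolerate +/- this many steps of clock drift
        self.used = {}                # (user, code) -> time after which it can be forgotten

    def verify(self, user: str, code: str, now: int) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        # drop pairs that can no longer be valid anywhere, so the store stays bounded
        self.used = {k: exp for k, exp in self.used.items() if exp > now}
        key = (user, code)
        if key in self.used:
            return False              # replay: this exact code was already consumed
        for drift in range(-self.window, self.window + 1):
            expected = totp(secret, now + drift * self.step, self.step)
            if hmac.compare_digest(expected, code):
                # remember the pair for as long as any tolerant verifier could accept it
                self.used[key] = now + (self.window + 1) * self.step
                return True
        return False
```

The single store is the important part: a per-service `used` dict would only stop replay against the service that first saw the code.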