
Add user group to wikitech granting the oathauth-api-all right
Closed, Resolved | Public


The MediaWiki Action API has two actions that can be used to allow checking for two-factor auth protections on an account and verifying OATH tokens. These actions are security sensitive and have been protected with a new oathauth-api-all right. Currently this right is not granted to any groups on WMF wikis. I propose creating a new oathauth group having this right to allow internal use of the OATH APIs by Wikimedia services that use LDAP logins.

I would like to use these API actions in Striker to enable two-factor auth protection for its LDAP account logins. Doing so will allow adding management of sensitive LDAP information such as SSH keys to the application. To do this, the application will need a Wikitech user account (StrikerBot) with the oathauth-api-all right.