Page MenuHomePhabricator

All Wikimedia developer services should use single sign-on
Open, HighPublic

Description

Wikimedia developer services here refers to things like Phabricator, Gerrit, Kibana, Grafana, Wikitech/Horizon etc.

Most of these currently use LDAP to share credentials, but that's not true single sign-on, authentication still happens locally. That's bad for usability (people have to type in passwords all the time) and bad for security (if any one of these services gets compromised, the attacker can harvest the credentials for all the others). It also prevents the use of shared credentials in less secure environments (such as the beta cluster), resulting in awkward workarounds.

There should be an easy way (probably some kind of Apache config that can be enabled by applying a puppet role) to put a website behind single sign-on and limit it to certain user groups.

Related Objects

StatusSubtypeAssignedTask
OpenNone
OpenNone
OpenNone
ResolvedAndrew
ResolvedAndrew
ResolvedAndrew
ResolvedAndrew
ResolvedMarcoAurelio
ResolvedAndrew
OpenNone
Resolvedbd808
Resolvedyuvipanda
Resolvedbd808
Resolvedbd808
Resolvedbd808
OpenNone
ResolvedNone
OpenNone
DuplicateNone
OpenNone
OpenMarostegui
ResolvedAndrew
ResolvedMarostegui
ResolvedAndrew
DeclinedAndrew
ResolvedAndrew
ResolvedAndrew
ResolvedLadsgroup
OpenNone
OpenNone
OpenNone
OpenNone
ResolvedJdforrester-WMF
DeclinedNone
StalledNone
OpenNone
OpenNone

Event Timeline

One option would be to use Wikimedia SUL via mod_authnz_fcgi and a custom authentication client frontend (probably based on oauthclient-php). That would require T148048: Store Wikimedia unified account name (SUL) in LDAP directory, and the auth frontend doing an LDAP group lookup or providing it some way to fetch those groups via the OAuth identify request.

chasemp added a project: Security-Team.

@MoritzMuehlenhoff seems like maybe some merging of this stuff into T233921 and co would make sense?