SO878 Step 2: Implement WebAuthn method
Open, Normal, Public

Description

Objective: Authentication using WebAuthn is possible in MediaWiki.
The following functions are the result of this project phase:

  • Login form
  • Ability to log in using WebAuthn

Event Timeline

Osnard created this task. Mar 13 2019, 2:09 PM
Restricted Application added a subscriber: Aklapper. Mar 13 2019, 2:09 PM
ItSpiderman added a comment. Edited Apr 1 2019, 1:27 PM

There is a library for WebAuthn that fits our need very well. It is https://packagist.org/packages/web-auth/webauthn-lib#v1.0.1
Basic PoC implementation done successfully.

Considerations:

  • in all versions it requires PHP 7.1
  • it requires a relatively large number of dependencies (most of which would be needed in our own implementation as well)
  • it requires php_gmp extension to be enabled
  • signature of some methods will change in the next version (current alpha)

This is a very comprehensive library and saves us lots and lots of time.


Question:

  • How do we handle device loss for WebAuthn?

Osnard added a comment. Apr 1 2019, 2:17 PM

Regarding webauthn-lib:

It would be awesome if WebAuthn could be used as the first factor rather than the second factor (i.e. if I enabled two-factor auth, it would then ask me to create a password). :)

The biggest technical problem I see with this is that we must have an authenticated user set in order to register a WebAuthn key. It would be fine for new users, but existing users would have to register a WebAuthn key while logged in, so we would need separate UIs for existing and new users, which I don't think is nice (in addition to other issues).
Of course, there is a question of schedule and deadlines; this would require a lot of work on refactoring OATHAuth, since OATHAuth is now set to explicitly verify the second factor, as well as on WebAuthn.

Meeting minutes from status call 2019-04-17

  • Brian changed Dejan's account on gerrit so he will be able to amend patchsets again
  • PHP 7.1 requirement of lib-webauthn might be a problem! Cindy will check when WMF cluster will move to PHP 7.2
  • Hallo Welt will schedule a hands-on session with WMF to show current user interface and user experience
  • There are some unanswered comments on the last patchset that need to be addressed

Meeting minutes from status call 2019-04-24

  • To overcome the library's dependency issue we will probably create a dedicated extension for the WebAuthn module (Possible names: "WebAuthn", "2FA", "OATH-WebAuthn", ...). By this the OATHAuth extension can stay on HHVM 3.18 compat and the new extension can require PHP 7.1+
  • Descriptive texts should be added to the UI
  • Demo on https://oathauth.wmf.hallowelt.biz/wiki/Main_Page
  • Questions:
    • Can WebAuthn be used to log in from different domains? e.g. wiktionary.org and wikipedia.org? Maybe use a centralized login entrypoint like login.wikimedia.org
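
The cross-domain question above comes down to WebAuthn's relying party ID rule: a credential is bound to an rpId, and a page may only use an rpId that equals its host or is a registrable domain suffix of it. The following is an added sketch of that check, not code from the WebAuthn extension or webauthn-lib; the function names and the small suffix set are constructed for illustration.

```javascript
// Constructed, minimal public-suffix set for this example only; a real
// check uses the full Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["org", "com", "biz"]);

// True when `rpId` may be used by a page served from `origin`: it equals
// the origin's host, or it is a registrable domain suffix of that host
// (a suffix on a label boundary that is not itself a public suffix).
// Simplification: the http://localhost secure-context exception is ignored.
function rpIdAllowedForOrigin(rpId, origin) {
  const url = new URL(origin);
  if (url.protocol !== "https:") return false;
  const host = url.hostname.toLowerCase();
  const id = rpId.toLowerCase();
  if (id === host) return true;
  if (PUBLIC_SUFFIXES.has(id)) return false; // "org" can never be an rpId
  return host.endsWith("." + id);
}

// Filter a list of origins down to those where a credential registered
// under `rpId` can be asserted.
function originsSharingCredential(rpId, origins) {
  return origins.filter((o) => rpIdAllowedForOrigin(rpId, o));
}

// Origins taken from the domains named in the question (constructed URLs).
const ORIGINS = [
  "https://en.wikipedia.org",
  "https://en.wiktionary.org",
  "https://login.wikimedia.org",
];

// A key registered under "wikipedia.org" works on wikipedia.org hosts only.
console.log(originsSharingCredential("wikipedia.org", ORIGINS));
// The only suffix common to both sites is "org", which is rejected, so no
// single rpId covers wikipedia.org and wiktionary.org.
console.log(originsSharingCredential("org", ORIGINS));
// A central login host gives every wiki one rpId to authenticate against.
console.log(originsSharingCredential("wikimedia.org", ORIGINS));
```

Because the two sites share no registrable suffix, one credential cannot serve both directly; running the ceremony on a single host such as the centralized entrypoint mentioned in the minutes keeps all keys under one rpId.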

Change 508788 had a related patch set uploaded (by Robert Vogel; owner: ItSpiderman):
[mediawiki/extensions/WebAuthn@master] Implement WebAuthn module

https://gerrit.wikimedia.org/r/508788

CCicalese_WMF renamed this task from SO878 Step 2: Enable WebAuthn method to SO878 Step 2: Implement WebAuthn method. Jul 10 2019, 2:12 PM
Reedy added a subscriber: Reedy.

I noted on the gerrit patch...

webauthn-lib has 1.2.2 out, and also 2.0.3 out

https://github.com/web-auth/webauthn-lib/compare/v1.2.0...v1.2.2
https://github.com/web-auth/webauthn-lib/compare/v1.2.0...v2.0.3

I imagine we should be using at least 1.2.2, if not 2.0.3 if the changes are applicable