
SO878 Step 2: Implement WebAuthn method
Closed, ResolvedPublic

Description

Objective: Authentication using WebAuthn is possible in MediaWiki.
The following functions are the result of this project phase

  • Login form
  • Ability to log in using WebAuthn

Details

Related Gerrit Patches:
mediawiki/extensions/OATHAuth (REL1_34): Ask user to reauthenticate before changing 2FA method
mediawiki/extensions/OATHAuth (master): Ask user to reauthenticate before changing 2FA method
mediawiki/extensions/WebAuthn (master): Implement WebAuthn module
mediawiki/extensions/OATHAuth (master): Improve ManageForm

Event Timeline

Osnard created this task. Mar 13 2019, 2:09 PM
Restricted Application added a subscriber: Aklapper. Mar 13 2019, 2:09 PM
ItSpiderman added a comment (edited). Apr 1 2019, 1:27 PM

There is a library for WebAuthn that fits our needs very well. It is https://packagist.org/packages/web-auth/webauthn-lib#v1.0.1
Basic PoC implementation done successfully.

Considerations:

  • in all versions it requires PHP 7.1
  • it requires a relatively large number of dependencies (most of which would be needed in our own implementation as well)
  • it requires the php_gmp extension to be enabled
  • the signature of some methods will change in the next version (current alpha)

This is a very comprehensive library and saves us lots and lots of time.

Question:

  • How do we handle device loss for WebAuthn?
Osnard added a comment. Apr 1 2019, 2:17 PM

Regarding webauthn-lib:

It would be awesome if WebAuthn could be used as the first factor rather than the second factor (i.e. if I enabled two-factor auth, it would then ask me to create a password). :)

The biggest technical problem I see with this is that we must have an authenticated user set in order to register a WebAuthn key. It would be fine for new users, but existing users would have to register a WebAuthn key while logged in, so we would need separate UIs for existing and new users, which I don't think is nice (in addition to other issues).
Of course, there is the question of schedule and deadlines; this would require a lot of refactoring work on OATHAuth, since OATHAuth is now set to explicitly verify the second factor, as well as on WebAuthn.

Meeting minutes from status call 2019-04-17

  • Brian changed Dejan's account on Gerrit so he will be able to amend patchsets again
  • The PHP 7.1 requirement of lib-webauthn might be a problem! Cindy will check when the WMF cluster will move to PHP 7.2
  • Hallo Welt will schedule a hands-on session with WMF to show the current user interface and user experience
  • There are some unanswered comments on the last patchset that need to be addressed

Meeting minutes from status call 2019-04-24

  • To overcome the library's dependency issue we will probably create a dedicated extension for the WebAuthn module (possible names: "WebAuthn", "2FA", "OATH-WebAuthn", ...). That way the OATHAuth extension can stay HHVM 3.18 compatible and the new extension can require PHP 7.1+
  • Descriptive texts should be added to the UI
  • Demo on https://oathauth.wmf.hallowelt.biz/wiki/Main_Page
  • Questions:
    • Can WebAuthn be used to log in from different domains? e.g. wiktionary.org and wikipedia.org? Maybe use a centralized login entry point like login.wikimedia.org

Change 508788 had a related patch set uploaded (by Robert Vogel; owner: ItSpiderman):
[mediawiki/extensions/WebAuthn@master] Implement WebAuthn module

https://gerrit.wikimedia.org/r/508788

CCicalese_WMF renamed this task from "SO878 Step 2: Enable WebAuthn method" to "SO878 Step 2: Implement WebAuthn method". Jul 10 2019, 2:12 PM
Reedy added a subscriber: Reedy.

I noted on the gerrit patch...

webauthn-lib has 1.2.2 out, and also 2.0.3.

https://github.com/web-auth/webauthn-lib/compare/v1.2.0...v1.2.2
https://github.com/web-auth/webauthn-lib/compare/v1.2.0...v2.0.3

I imagine we should be using at least 1.2.2, if not 2.0.3, if the changes are applicable.

Reedy added a comment. Sep 3 2019, 11:16 AM

I noticed that between FF and Chrome they gave different size text boxes for the same size window etc.

Chrome:

FF:

Reedy added a comment. Sep 3 2019, 11:18 AM

And copy pasting from the gerrit patchset too...

[21e59a99bf9df9cbe5fa3b4f] /w/index.php?title=Special:Manage_Two-factor_authentication&action=enable&module=webauthn&action=debug Error from line 126 of /var/www/wiki/mediawiki/extensions/WebAuthn/src/HTMLForm/WebAuthnManageForm.php: Call to undefined method MediaWiki\Extension\OATHAuth\Key\TOTPKey::getFriendlyName()

Backtrace:

#0 /var/www/wiki/mediawiki/extensions/OATHAuth/src/HTMLForm/OATHAuthOOUIHTMLForm.php(66): MediaWiki\Extension\WebAuthn\HTMLForm\WebAuthnManageForm->getDescriptors()
#1 /var/www/wiki/mediawiki/extensions/WebAuthn/src/HTMLForm/WebAuthnManageForm.php(41): MediaWiki\Extension\OATHAuth\HTMLForm\OATHAuthOOUIHTMLForm->__construct(MediaWiki\Extension\OATHAuth\OATHUser, MediaWiki\Extension\OATHAuth\OATHUserRepository, MediaWiki\Extension\WebAuthn\Module\WebAuthn)
#2 /var/www/wiki/mediawiki/extensions/WebAuthn/src/Module/WebAuthn.php(138): MediaWiki\Extension\WebAuthn\HTMLForm\WebAuthnManageForm->__construct(MediaWiki\Extension\OATHAuth\OATHUser, MediaWiki\Extension\OATHAuth\OATHUserRepository, MediaWiki\Extension\WebAuthn\Module\WebAuthn)
#3 /var/www/wiki/mediawiki/extensions/OATHAuth/src/Special/OATHManage.php(233): MediaWiki\Extension\WebAuthn\Module\WebAuthn->getManageForm(string, MediaWiki\Extension\OATHAuth\OATHUser, MediaWiki\Extension\OATHAuth\OATHUserRepository)
#4 /var/www/wiki/mediawiki/extensions/OATHAuth/src/Special/OATHManage.php(178): MediaWiki\Extension\OATHAuth\Special\OATHManage->addCustomContent(MediaWiki\Extension\WebAuthn\Module\WebAuthn)
#5 /var/www/wiki/mediawiki/extensions/OATHAuth/src/Special/OATHManage.php(96): MediaWiki\Extension\OATHAuth\Special\OATHManage->addModuleHTML(MediaWiki\Extension\WebAuthn\Module\WebAuthn)
#6 /var/www/wiki/mediawiki/core/includes/specialpage/SpecialPage.php(573): MediaWiki\Extension\OATHAuth\Special\OATHManage->execute(NULL)
#7 /var/www/wiki/mediawiki/core/includes/specialpage/SpecialPageFactory.php(582): SpecialPage->run(NULL)
#8 /var/www/wiki/mediawiki/core/includes/MediaWiki.php(296): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#9 /var/www/wiki/mediawiki/core/includes/MediaWiki.php(892): MediaWiki->performRequest()
#10 /var/www/wiki/mediawiki/core/includes/MediaWiki.php(523): MediaWiki->main()
#11 /var/www/wiki/mediawiki/core/index.php(42): MediaWiki->run()
#12 {main}
Reedy added a comment. Sep 3 2019, 11:25 AM

It seems like WebAuthnManageForm::getDescriptors assumes that $oathUser->getKeys(); will return WebAuthnKey, which isn't the case; it can return other IAuthKey subclasses, like TOTPKey (in this case, I have TOTP enabled already on my account, so this is expected).

I guess neither module should assume the type of IAuthKey returned... 'Cause it could be a mix!
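The mixed-key failure described above, as an added illustration that is not code from the OATHAuth or WebAuthn extensions: the classes below are minimal stand-ins for the IAuthKey, TOTPKey, WebAuthnKey and OATHUser names in the backtrace (the real extension classes differ), and the two descriptor builders are hypothetical, contrasting the assumption that crashes with a version that only renders the module's own key type.

```php
<?php
// Added example. Stand-in types, not the extension's real classes.
interface IAuthKey {
}

// TOTP keys carry no display name, which is exactly what produced
// "Call to undefined method TOTPKey::getFriendlyName()" in the backtrace.
final class TOTPKey implements IAuthKey {
}

final class WebAuthnKey implements IAuthKey {
	/** @var string */
	private $friendlyName;

	public function __construct( string $friendlyName ) {
		$this->friendlyName = $friendlyName;
	}

	public function getFriendlyName(): string {
		return $this->friendlyName;
	}
}

final class OATHUser {
	/** @var IAuthKey[] */
	private $keys;

	/** @param IAuthKey[] $keys keys from every 2FA module the user has enabled */
	public function __construct( array $keys ) {
		$this->keys = $keys;
	}

	/** @return IAuthKey[] */
	public function getKeys(): array {
		return $this->keys;
	}
}

// Hardened builder: skip keys that belong to another module instead of
// calling a WebAuthn-only method on them. (The crashing version simply
// called $key->getFriendlyName() on every key without the instanceof check.)
function webAuthnDescriptors( OATHUser $user ): array {
	$descriptors = [];
	foreach ( $user->getKeys() as $key ) {
		if ( !( $key instanceof WebAuthnKey ) ) {
			continue; // e.g. a TOTPKey enrolled alongside the WebAuthn key
		}
		$descriptors[] = [ 'type' => 'info', 'default' => $key->getFriendlyName() ];
	}
	return $descriptors;
}

// Constructed sample: an account with TOTP already enabled plus one authenticator.
$user = new OATHUser( [ new TOTPKey(), new WebAuthnKey( 'Example authenticator' ) ] );
echo count( webAuthnDescriptors( $user ) ), " WebAuthn descriptor(s) rendered\n";
```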

Change 534146 had a related patch set uploaded (by ItSpiderman; owner: ItSpiderman):
[mediawiki/extensions/OATHAuth@master] Improve ManageForm

https://gerrit.wikimedia.org/r/534146

Reedy added a comment. Sep 3 2019, 2:47 PM

Don't know the best place to leave this....

So if someone logs in with one 2FA, they can override and replace it without any warning/message. And without any re-auth... I'm guessing this is mostly due to me doing it as serial actions one after another, rather than letting some time expire (IIRC there's a 15 minute "no reauth window" or similar?)

However, it doesn't feel like a good workflow that you can just override one 2FA with another, without providing input from the other device to disable it....

I do think the patch is in reasonable shape though, so that we can probably merge it and make any changes on top of it, rather than (many) more amendments.
A great use case is if I logged in with one, left my machine unattended, someone could immediately just replace my 2FA, and if I didn't do anything about it very soon after... They'd have control of the 2FA on my device, and I'd be confused as to why mine apparently wasn't working.

Change 534146 merged by jenkins-bot:
[mediawiki/extensions/OATHAuth@master] Improve ManageForm

https://gerrit.wikimedia.org/r/534146

Change 508788 merged by jenkins-bot:
[mediawiki/extensions/WebAuthn@master] Implement WebAuthn module

https://gerrit.wikimedia.org/r/508788

Reedy closed this task as Resolved. Sep 5 2019, 3:12 PM
Reedy removed a project: Patch-For-Review.

Closing as resolved, as the items detailed in this task have been done and the patch is now merged.

Some follow-up work is needed, but other tasks are tracking that.

Change 535793 had a related patch set uploaded (by ItSpiderman; owner: ItSpiderman):
[mediawiki/extensions/OATHAuth@master] Ask user to reauthenticate before changing 2FA method

https://gerrit.wikimedia.org/r/535793

Change 535793 merged by jenkins-bot:
[mediawiki/extensions/OATHAuth@master] Ask user to reauthenticate before changing 2FA method

https://gerrit.wikimedia.org/r/535793

Change 541919 had a related patch set uploaded (by Reedy; owner: ItSpiderman):
[mediawiki/extensions/OATHAuth@REL1_34] Ask user to reauthenticate before changing 2FA method

https://gerrit.wikimedia.org/r/541919

Change 541919 merged by jenkins-bot:
[mediawiki/extensions/OATHAuth@REL1_34] Ask user to reauthenticate before changing 2FA method

https://gerrit.wikimedia.org/r/541919

WDoranWMF closed this task as Resolved. Oct 10 2019, 10:47 PM