SO878 Step 2: Implement WebAuthn method
Closed, ResolvedPublic
Actions

Description

Objective: Authentication using WebAuthn is possible in MediaWiki.
The following functions are the result of this project phase

Login form
Ability to log in using WebAuthn

Details

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
Implement WebAuthn module	mediawiki/extensions/WebAuthn	master	+2 K -3
Ask user to reauthenticate before changing 2FA method	mediawiki/extensions/OATHAuth	REL1_34	+10 -2
Ask user to reauthenticate before changing 2FA method	mediawiki/extensions/OATHAuth	master	+10 -2
Improve ManageForm	mediawiki/extensions/OATHAuth	master	+8 -8

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Resolved	Reedy	T227242 Deploy WebAuthn to Wikimedia Wikis
Resolved	ItSpiderman	T100373 WebAuthn (U2F) integration for Extension:OATHAuth
Resolved	ItSpiderman	T218211 SO878 Step 2: Implement WebAuthn method
Resolved	Reedy	T227244 Security review of WebAuthn library dependencies
Open	None	T232099 What to do about multiple libraries implementing the same thing?

Event Timeline

Osnard created this task.Mar 13 2019, 2:09 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 13 2019, 2:09 PM

• CCicalese_WMF triaged this task as Medium priority.Mar 25 2019, 4:28 PM

• CCicalese_WMF added a parent task: T100373: WebAuthn (U2F) integration for Extension:OATHAuth.

• CCicalese_WMF added projects: Platform Engineering (Multi-DC (TEC1)), Platform Team Workboards (Contractor - Ready).Mar 26 2019, 5:59 PM

• CCicalese_WMF moved this task from Multi-DC (TEC1) to Needs Cleaning - Security, stability, performance, and scalability (TEC1) on the Platform Engineering board.

• CCicalese_WMF edited projects, added Platform Engineering (Needs Cleaning - Security, stability, performance, and scalability (TEC1)); removed Platform Engineering (Multi-DC (TEC1)).

There is a library for WebAuthn that fits our need very well. It is https://packagist.org/packages/web-auth/webauthn-lib#v1.0.1
Basic PoC implementation done successfully.

Considerations:

in all versions it requires PHP 7.1
it requires relatively large number of dependencies (most of which would be need in own implementation as well)
it requires php_gmp extension to be enabled
signature of some methods will change in the next version (current alpha)

This is very comprehensive library and saves us lots and lots of time.

Question:

How do we handle device loss for WebAuthn?

Regarding webauthn-lib:

The library seems to be under active development
The library is part of a symfony bundle called webauthn-framework. This framework also seems to be under active development (https://github.com/web-auth/webauthn-framework/pulse)
The library is licensed under MIT
The library is well documented
The library has a quite good scrutinizer score (https://scrutinizer-ci.com/g/web-auth/webauthn-framework/?branch=master)
The library has a quite good rating at symfony insights https://insight.symfony.com/

It would be awesome if WebAuthn could be used as the first factor rather than the second factor (i.e. if I enabled two-factor auth, it would then ask me to create a password). :)

Biggest technical problem i see with this is that we must have authenticated user set in order to register WebAuthn key. It would be fine for new users, but existing users would have to register WebAuthn key while logged-in, so we would need separate UIs for exisiting and new users, which i dont think is nice (in addition to other issues).
Of course, there is a question of schedule and deadlines, this would require a lot of work on refactoring of OATHAuth, since OATHAuth is now set to explicitly verify second factor, as well as on WebAuthn.

Meeting minutes from status call 2019-04-17

Brian changed Dejans account on gerrit so he will be able to amend patchsets again
PHP 7.1 requirement of lib-webauthn might be a problem! Cindy will check when WMF cluster will move to PHP 7.2
Hallo Welt will schedule a hands-on session with WMF to show current user interface and user expierence
There are some unanswered comments on the last patchset that need to be addressed

Meeting minutes from status call 2019-04-24

To overcome the libraries dependency issue we will probably create a dedicated extension for WebAuthn module (Possible names: "WebAuthn", "2FA", "OATH-WebAuthn", ...). By this the OATHAuth extension can stay on HHVM 3.18 compat and the new extension can require PHP 7.1+
Descriptive texts should be added to the UI
Demo on https://oathauth.wmf.hallowelt.biz/wiki/Main_Page
Questions:
- Can WebAuthn be used to login from different domains? e.g. wiktionary.org and wikipedia.org? Maybe use a centralized login entrypoint like login.wikimedia,org

Change 508788 had a related patch set uploaded (by Robert Vogel; owner: ItSpiderman):
[mediawiki/extensions/WebAuthn@master] Implement WebAuthn module

https://gerrit.wikimedia.org/r/508788

gerritbot added a project: Patch-For-Review.Jul 4 2019, 7:31 AM

• WDoranWMF moved this task from Contractor - Ready to S&F Workboard on the Platform Team Workboards board.Jul 5 2019, 4:55 PM

• WDoranWMF edited projects, added Platform Team Workboards (S&F Workboard); removed Platform Team Workboards (Contractor - Ready).

• WDoranWMF moved this task from Backlog to Current sprint Backlog on the Platform Team Workboards (S&F Workboard) board.Jul 5 2019, 4:57 PM

• CCicalese_WMF renamed this task from SO878 Step 2: Enable WebAuthn method to SO878 Step 2: Implement WebAuthn method.Jul 10 2019, 2:12 PM

Jdforrester-WMF subscribed.Jul 15 2019, 5:51 PM

• CCicalese_WMF edited projects, added Core Platform Team Initiatives (Two-Factor Authentication (TEC1)); removed Platform Engineering (Needs Cleaning - Security, stability, performance, and scalability (TEC1)).Jul 27 2019, 4:12 PM

I noted on the gerrit patch...

webauthn-lib has 1.2.2 out, and also 2.0.3 out

https://github.com/web-auth/webauthn-lib/compare/v1.2.0...v1.2.2
https://github.com/web-auth/webauthn-lib/compare/v1.2.0...v2.0.3

I imagine we should be using at least 1.2.2, if not 2.0.3 if the changes are applicable

Reedy mentioned this in T231242: [Spike] Webauthn support for iOS app.Aug 29 2019, 11:00 AM

• CCicalese_WMF moved this task from Current sprint Backlog to In Progress/Doing on the Platform Team Workboards (S&F Workboard) board.Aug 30 2019, 9:00 PM

I noticed between FF and Chrome they gave different size text boxes for the same size window etc

Chrome:

Screenshot 2019-09-03 at 12.14.14.png (566×1 px, 73 KB)

FF:

Screenshot 2019-09-03 at 12.14.10.png (570×1 px, 72 KB)

And copy pasting from the gerrit patchset too...

[21e59a99bf9df9cbe5fa3b4f] /w/index.php?title=Special:Manage_Two-factor_authentication&action=enable&module=webauthn&action=debug Error from line 126 of /var/www/wiki/mediawiki/extensions/WebAuthn/src/HTMLForm/WebAuthnManageForm.php: Call to undefined method MediaWiki\Extension\OATHAuth\Key\TOTPKey::getFriendlyName()

Backtrace:

#0 /var/www/wiki/mediawiki/extensions/OATHAuth/src/HTMLForm/OATHAuthOOUIHTMLForm.php(66): MediaWiki\Extension\WebAuthn\HTMLForm\WebAuthnManageForm->getDescriptors()
#1 /var/www/wiki/mediawiki/extensions/WebAuthn/src/HTMLForm/WebAuthnManageForm.php(41): MediaWiki\Extension\OATHAuth\HTMLForm\OATHAuthOOUIHTMLForm->__construct(MediaWiki\Extension\OATHAuth\OATHUser, MediaWiki\Extension\OATHAuth\OATHUserRepository, MediaWiki\Extension\WebAuthn\Module\WebAuthn)
#2 /var/www/wiki/mediawiki/extensions/WebAuthn/src/Module/WebAuthn.php(138): MediaWiki\Extension\WebAuthn\HTMLForm\WebAuthnManageForm->__construct(MediaWiki\Extension\OATHAuth\OATHUser, MediaWiki\Extension\OATHAuth\OATHUserRepository, MediaWiki\Extension\WebAuthn\Module\WebAuthn)
#3 /var/www/wiki/mediawiki/extensions/OATHAuth/src/Special/OATHManage.php(233): MediaWiki\Extension\WebAuthn\Module\WebAuthn->getManageForm(string, MediaWiki\Extension\OATHAuth\OATHUser, MediaWiki\Extension\OATHAuth\OATHUserRepository)
#4 /var/www/wiki/mediawiki/extensions/OATHAuth/src/Special/OATHManage.php(178): MediaWiki\Extension\OATHAuth\Special\OATHManage->addCustomContent(MediaWiki\Extension\WebAuthn\Module\WebAuthn)
#5 /var/www/wiki/mediawiki/extensions/OATHAuth/src/Special/OATHManage.php(96): MediaWiki\Extension\OATHAuth\Special\OATHManage->addModuleHTML(MediaWiki\Extension\WebAuthn\Module\WebAuthn)
#6 /var/www/wiki/mediawiki/core/includes/specialpage/SpecialPage.php(573): MediaWiki\Extension\OATHAuth\Special\OATHManage->execute(NULL)
#7 /var/www/wiki/mediawiki/core/includes/specialpage/SpecialPageFactory.php(582): SpecialPage->run(NULL)
#8 /var/www/wiki/mediawiki/core/includes/MediaWiki.php(296): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#9 /var/www/wiki/mediawiki/core/includes/MediaWiki.php(892): MediaWiki->performRequest()
#10 /var/www/wiki/mediawiki/core/includes/MediaWiki.php(523): MediaWiki->main()
#11 /var/www/wiki/mediawiki/core/index.php(42): MediaWiki->run()
#12 {main}

In T218211#5460763, @Reedy wrote:

And copy pasting from the gerrit patchset too...

[21e59a99bf9df9cbe5fa3b4f] /w/index.php?title=Special:Manage_Two-factor_authentication&action=enable&module=webauthn&action=debug Error from line 126 of /var/www/wiki/mediawiki/extensions/WebAuthn/src/HTMLForm/WebAuthnManageForm.php: Call to undefined method MediaWiki\Extension\OATHAuth\Key\TOTPKey::getFriendlyName()

Backtrace:

#0 /var/www/wiki/mediawiki/extensions/OATHAuth/src/HTMLForm/OATHAuthOOUIHTMLForm.php(66): MediaWiki\Extension\WebAuthn\HTMLForm\WebAuthnManageForm->getDescriptors()
#1 /var/www/wiki/mediawiki/extensions/WebAuthn/src/HTMLForm/WebAuthnManageForm.php(41): MediaWiki\Extension\OATHAuth\HTMLForm\OATHAuthOOUIHTMLForm->__construct(MediaWiki\Extension\OATHAuth\OATHUser, MediaWiki\Extension\OATHAuth\OATHUserRepository, MediaWiki\Extension\WebAuthn\Module\WebAuthn)
#2 /var/www/wiki/mediawiki/extensions/WebAuthn/src/Module/WebAuthn.php(138): MediaWiki\Extension\WebAuthn\HTMLForm\WebAuthnManageForm->__construct(MediaWiki\Extension\OATHAuth\OATHUser, MediaWiki\Extension\OATHAuth\OATHUserRepository, MediaWiki\Extension\WebAuthn\Module\WebAuthn)
#3 /var/www/wiki/mediawiki/extensions/OATHAuth/src/Special/OATHManage.php(233): MediaWiki\Extension\WebAuthn\Module\WebAuthn->getManageForm(string, MediaWiki\Extension\OATHAuth\OATHUser, MediaWiki\Extension\OATHAuth\OATHUserRepository)
#4 /var/www/wiki/mediawiki/extensions/OATHAuth/src/Special/OATHManage.php(178): MediaWiki\Extension\OATHAuth\Special\OATHManage->addCustomContent(MediaWiki\Extension\WebAuthn\Module\WebAuthn)
#5 /var/www/wiki/mediawiki/extensions/OATHAuth/src/Special/OATHManage.php(96): MediaWiki\Extension\OATHAuth\Special\OATHManage->addModuleHTML(MediaWiki\Extension\WebAuthn\Module\WebAuthn)
#6 /var/www/wiki/mediawiki/core/includes/specialpage/SpecialPage.php(573): MediaWiki\Extension\OATHAuth\Special\OATHManage->execute(NULL)
#7 /var/www/wiki/mediawiki/core/includes/specialpage/SpecialPageFactory.php(582): SpecialPage->run(NULL)
#8 /var/www/wiki/mediawiki/core/includes/MediaWiki.php(296): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#9 /var/www/wiki/mediawiki/core/includes/MediaWiki.php(892): MediaWiki->performRequest()
#10 /var/www/wiki/mediawiki/core/includes/MediaWiki.php(523): MediaWiki->main()
#11 /var/www/wiki/mediawiki/core/index.php(42): MediaWiki->run()
#12 {main}

It seems like WebAuthnManageForm::getDescriptors assumes that $oathUser->getKeys(); will return WebAuthnKey, which isn't the case, and can return other IAuthKey subclasses, like TOTPKey (in this case, I have TOTP enabled already on my account, so this is expected)

I guess neither module should assume the type of IAuthKey returned... Cause it could be a mix!

Change 534146 had a related patch set uploaded (by ItSpiderman; owner: ItSpiderman):
[mediawiki/extensions/OATHAuth@master] Improve ManageForm

https://gerrit.wikimedia.org/r/534146

Don't know the best place to leave this....

So if someone logs in with one 2FA, they can override and replace it without any warning/message. And without any re-auth... I'm guessing this is mostly due to me doing it as serial actions one after another, rather than letting some time expire (IIRC there's a 15 minute "no reauth window" or similar?)

However, it doesn't feel a good workflow that you can just override one 2FA with another, without providing input from the other device to disable it....

I do think the patch is in reasonable shape though that we can probably merge it, and make any changes ontop of it, rather than (many) more amendments
A great use case is if I logged in with one, left my machine unattended, someone could immediately just replace my 2FA, and if I didn't do anything about it very soon after... They'd have control of the 2FA on my device, and I'd be confused as to why mine apparently wasn't working

Change 534146 merged by jenkins-bot:
[mediawiki/extensions/OATHAuth@master] Improve ManageForm

https://gerrit.wikimedia.org/r/534146

ReleaseTaggerBot added a project: MW-1.34-notes (1.34.0-wmf.22; 2019-09-10).Sep 4 2019, 12:00 PM

Reedy mentioned this in T232008: Ability to overwrite 2FA method without providing/re-auth using existing secondary authentication method.Sep 4 2019, 4:40 PM

Reedy changed the status of subtask T227244: Security review of WebAuthn library dependencies from Stalled to Open.Sep 4 2019, 4:51 PM

Change 508788 merged by jenkins-bot:
[mediawiki/extensions/WebAuthn@master] Implement WebAuthn module

https://gerrit.wikimedia.org/r/508788

Closing as resolved as items in this task as detailed have been done, patch now merged

Some followup work needed, but other tasks are tracking those

• CCicalese_WMF moved this task from In Progress/Doing to Done on the Platform Team Workboards (S&F Workboard) board.Sep 10 2019, 7:59 PM

Change 535793 had a related patch set uploaded (by ItSpiderman; owner: ItSpiderman):
[mediawiki/extensions/OATHAuth@master] Ask user to reauthenticate before changing 2FA method

https://gerrit.wikimedia.org/r/535793

gerritbot added a project: Patch-For-Review.Sep 11 2019, 8:31 AM

Reedy closed subtask T227244: Security review of WebAuthn library dependencies as Resolved.Oct 8 2019, 5:17 PM

Change 535793 merged by jenkins-bot:
[mediawiki/extensions/OATHAuth@master] Ask user to reauthenticate before changing 2FA method

https://gerrit.wikimedia.org/r/535793

Change 541919 had a related patch set uploaded (by Reedy; owner: ItSpiderman):
[mediawiki/extensions/OATHAuth@REL1_34] Ask user to reauthenticate before changing 2FA method

https://gerrit.wikimedia.org/r/541919

Change 541919 merged by jenkins-bot:
[mediawiki/extensions/OATHAuth@REL1_34] Ask user to reauthenticate before changing 2FA method

https://gerrit.wikimedia.org/r/541919

ReleaseTaggerBot added a project: MW-1.35-notes (1.35.0-wmf.2; 2019-10-15).Oct 9 2019, 10:00 PM

• WDoranWMF reopened this task as Open.Oct 10 2019, 4:57 PM

• WDoranWMF edited projects, added Platform Team Workboards (Clinic Duty Team); removed Platform Team Workboards (S&F Workboard).

• WDoranWMF moved this task from Inbox to External Code Review Needed on the Platform Team Workboards (Clinic Duty Team) board.

• WDoranWMF closed this task as Resolved.Oct 10 2019, 10:47 PM

Reedy mentioned this in T235645: OATHAuth requesting re-auth during the middle (or mostly just before the end) of the process.Oct 16 2019, 1:24 PM