Page MenuHomePhabricator
Create Task
Maniphest T229508

User requests login using OAuth 2.0
Closed, ResolvedPublic
Actions

Description

  1. Client sends a request of the form:
    • https://WIKI_AUTH_ENDPOINT/auth?response_type=code&client_id=CLIENT_ID& scope=SCOPE&state=STATE
    • State is a random string generated by the client which will be sent back to the client.
  2. Server verifies that there is a logged-in user associated with the wiki
    • If not, redirect to Special:UserLogin
  3. User is presented with the authorization dialog (client is not whitelisted)
  4. If the user does not approve, an authentication failure is returned
  5. If the user approves:
    • Server generates authentication code
    • Server redirects back to the client with:
      • https://REDIRECT_URI/cb?code=AUTH_CODE&state=STATE
  6. Client sends a POST request to https://WIKI_AUTH_ENDPOINT/token with the following parameters:
    • grant_type=authorization_code
    • code=AUTH_CODE
    • client_id=CLIENT_ID
    • client_secret=CLIENT_SECRET
  7. Server responds with and access token and expiration or an error
  8. Configurable optional step to get user information from the server
  • Client whitelisting (see step 3) is out of scope for this task but may be implemented later
  • Research scope values
  • Is there a standard approach for retrieving the user values?
    • While the implementation should be independent of client, see "Configuring the JSON User Endpoint" at https://meta.discourse.org/t/oauth2-basic-support/33879 for how to retrieve user values from Discourse to return user id, username, full name (optional), and email (optional)

Priority: Must Have

Acceptance Criteria:

Case 1:

  1. User requests login from client
    • User is already logged in to the server (wiki)
  2. User is presented with the authorization dialog
  3. User authorizes server
  4. RESULT: User is logged in to the client and returned user information is available

Case 2:

  1. User requests login from client
    • User is already logged in to the server (wiki)
  2. User is presented with the authorization dialog
  3. User does not authorize server
  4. RESULT: User is not logged in to the client

Case 3:

  1. User requests login from client
    • User is already not logged in to the server (wiki)
  2. User is presented with the log in page for the wiki
    • User successfully logs in to the wiki
  3. User is presented with the authorization dialog
  4. User authorizes server
  5. RESULT: User is logged in to the client and returned user information is available

Case 4:

  1. User requests login from client
    • User is not already logged in to the server (wiki)
  2. User is presented with the log in page for the wiki
    • User successfully logs in to the wiki
  3. User is presented with the authorization dialog
  4. User does not authorize server
  5. RESULT: User is not logged in to the client

Case 5:

  1. User requests login from client
    • User is not already logged in to the server (wiki)
  2. User is presented with the log in page for the wiki
    • User does not successfully log in to the wiki
  3. RESULT: User is not logged in to the client or the server

Details

SubjectRepoBranchLines +/-
Move OAuth2 functionality to OAuth(1) - oauth2 workflowmediawiki/extensions/OAuthmaster+2 K -109
Move OAuth2 functionality to OAuth(1) - phpunit testsmediawiki/extensions/OAuthmaster+562 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

CCicalese_WMF triaged this task as Medium priority.Jul 31 2019, 10:53 PM
CCicalese_WMF created this task.
CCicalese_WMF moved this task from Epic Backlog to User Stories Needing EM Sign Off on the Platform Team Workboards (Epics) board.
CCicalese_WMF mentioned this in T229509: User requests login to client when user is not already logged in to server (wiki).Jul 31 2019, 10:58 PM
CCicalese_WMF updated the task description. (Show Details)
CCicalese_WMF mentioned this in T229511: Admin whitelists client.Jul 31 2019, 11:02 PM
WDoranWMF moved this task from User Stories Needing EM Sign Off to User Stories Ready for Engineering on the Platform Team Workboards (Epics) board.Aug 14 2019, 1:01 PM
CCicalese_WMF moved this task from User Stories Ready for Engineering to Teleport to User Story Workboard on the Platform Team Workboards (Epics) board.Aug 30 2019, 9:15 PM
CCicalese_WMF edited projects, added Platform Team Workboards (User Stories); removed Platform Team Workboards (Epics).
CCicalese_WMF moved this task from Backlog to Need Engineering Tasks on the Platform Team Workboards (User Stories) board.Aug 30 2019, 9:20 PM
CCicalese_WMF moved this task from Need Engineering Tasks to Doing on the Platform Team Workboards (User Stories) board.Aug 30 2019, 9:24 PM
CCicalese_WMF edited projects, added Platform Team Workboards (S&F Workboard); removed Platform Team Workboards (User Stories).Sep 10 2019, 7:57 PM
CCicalese_WMF moved this task from Backlog to Current sprint Backlog on the Platform Team Workboards (S&F Workboard) board.
CCicalese_WMF moved this task from Current sprint Backlog to In Progress/Doing on the Platform Team Workboards (S&F Workboard) board.Sep 11 2019, 4:51 PM
CCicalese_WMF merged a task: T229509: User requests login to client when user is not already logged in to server (wiki).Sep 11 2019, 4:56 PM
CCicalese_WMF renamed this task from User requests login to client when user is already logged in to server (wiki) to User requests login using OAuth 2.0.Sep 11 2019, 5:01 PM
CCicalese_WMF removed a project: Story.
CCicalese_WMF updated the task description. (Show Details)
gerritbot added a comment.Nov 4 2019, 2:58 PM

Change 544919 had a related patch set uploaded (by ItSpiderman; owner: ItSpiderman):
[mediawiki/extensions/OAuth@master] Move OAuth2 functionality to OAuth(1) - oauth2 workflow

https://gerrit.wikimedia.org/r/544919

gerritbot added a project: Patch-For-Review.Nov 4 2019, 2:58 PM
gerritbot added a comment.Nov 18 2019, 3:00 PM

Change 551550 had a related patch set uploaded (by ItSpiderman; owner: ItSpiderman):
[mediawiki/extensions/OAuth@master] Move OAuth2 functionality to OAuth(1) - phpunit tests

https://gerrit.wikimedia.org/r/551550

CCicalese_WMF added a subtask: T239940: Security review of OAuth 2.0 patches.Dec 5 2019, 6:26 PM
gerritbot added a comment.Dec 9 2019, 2:56 PM

Change 551550 abandoned by ItSpiderman:
Move OAuth2 functionality to OAuth(1) - phpunit tests

Reason:
Done in individual changes

https://gerrit.wikimedia.org/r/551550

gerritbot added a comment.Jan 13 2020, 4:01 PM

Change 544919 merged by jenkins-bot:
[mediawiki/extensions/OAuth@master] Move OAuth2 functionality to OAuth(1) - oauth2 workflow

https://gerrit.wikimedia.org/r/544919

Maintenance_bot removed a project: Patch-For-Review.Jan 13 2020, 4:11 PM
Reedy closed subtask T239940: Security review of OAuth 2.0 patches as Resolved.Jan 13 2020, 4:19 PM
CCicalese_WMF closed this task as Resolved.Jan 17 2020, 8:53 PM
CCicalese_WMF moved this task from In Progress/Doing to Done on the Platform Team Workboards (S&F Workboard) board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL