
Admin whitelists client
Open, Low, Public

Description

Admin whitelists client so that users do not have to give consent to share profile information every time they log in.

This feature must be controlled by a configuration flag which would default to not allowing whitelisting. If whitelisting is enabled on a wiki that is providing authentication, then client admins would be able to specify if the client should be whitelisted when registering the client with the wiki or editing the client's OAuth configuration for the wiki. If a client is thus whitelisted, users who are authenticating with the client would not be presented with the consent dialog from the wiki during the authentication process. Note that this is not a desirable feature for a public wiki used for authentication with untrusted clients, since it can cause information leakage of user profile information to the clients. However, it is a very useful feature between trusted applications in an enterprise.

Priority: Optional

Acceptance Criteria:

In T229508 and T229509, the user is not presented with an authorization dialog at step 3 and the workflow continues as if the user had authorized the server.
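The flag and per-client setting described above, as an added example that is not code from the OAuth2 extension or its patch. `ConsentPolicy`, its methods, the client array keys and the audit callback are all hypothetical names, and the audit record is an assumption of this example rather than a requirement of the task.

```php
<?php
// Added illustration; all names are hypothetical, not the OAuth2 extension's API.
final class ConsentPolicy {
    /** @var bool Site-wide flag; off unless the wiki operator enables it. */
    private $allowWhitelisting;

    public function __construct(bool $allowWhitelisting = false) {
        $this->allowWhitelisting = $allowWhitelisting;
    }

    /** Registration/edit side: refuse to store the attribute while the flag is off. */
    public function validateClient(array $client): array {
        $wanted = (bool)($client['whitelisted'] ?? false);
        if ($wanted && !$this->allowWhitelisting) {
            throw new DomainException('Client whitelisting is disabled on this wiki');
        }
        $client['whitelisted'] = $wanted;
        return $client;
    }

    /**
     * Authorization side: is the consent dialog shown to this user?
     * The flag is re-checked on every request, so switching it off restores
     * the dialog even for clients whitelisted while it was on.
     */
    public function needsConsent(array $client, string $user, callable $audit): bool {
        $skip = $this->allowWhitelisting && ($client['whitelisted'] ?? false) === true;
        if ($skip) {
            // No dialog is shown, so record the implicit grant for later review.
            $audit("consent skipped: client={$client['id']} user={$user}");
        }
        return !$skip;
    }
}

// Constructed sample clients and an in-memory audit sink.
$log = [];
$audit = function (string $line) use (&$log): void { $log[] = $line; };
$portal = ['id' => 'intranet-portal', 'whitelisted' => true];
$other  = ['id' => 'third-party-tool', 'whitelisted' => false];

$enterprise = new ConsentPolicy(true);
$public     = new ConsentPolicy();   // default: whitelisting not allowed

foreach ([['enterprise', $enterprise], ['public', $public]] as [$name, $policy]) {
    foreach ([$portal, $other] as $client) {
        $shown = $policy->needsConsent($client, 'ExampleUser', $audit) ? 'shown' : 'skipped';
        echo "$name wiki, {$client['id']}: consent dialog $shown\n";
    }
}
echo implode("\n", $log), "\n";
```

Only the whitelisted client on the wiki with the flag enabled bypasses the dialog; the same client record on a wiki with the default configuration still gets it.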

Details

Related Gerrit Patches:
mediawiki/extensions/OAuth2 : master : Admin whitelists client

Event Timeline

CCicalese_WMF triaged this task as Normal priority. Jul 31 2019, 11:02 PM
CCicalese_WMF created this task.
CCicalese_WMF lowered the priority of this task from Normal to Low. Aug 1 2019, 4:24 PM

Change 539116 had a related patch set uploaded (by ItSpiderman; owner: ItSpiderman):
[mediawiki/extensions/OAuth2@master] Admin whitelists client

https://gerrit.wikimedia.org/r/539116

Somehow I missed this. I think this is kind of a dangerous workflow; taking away the user's control of whether to give their ID to the client is really troubling.

Whitelisting would be optional. It is useful in an enterprise environment, where one application in an enterprise serves as the authentication provider for another trusted application. That being said, I've seen that done at the OpenID Connect layer on top of OAuth 2.0 for the openid scope, not in general. I'd be interested in a Security perspective. @Reedy?

In an enterprise situation that makes sense. I think it's a problem for public sites like WMF sites.

Reedy added a comment. Oct 8 2019, 2:47 PM

> In an enterprise situation that makes sense. I think it's a problem for public sites like WMF sites.

Of course, MediaWiki is also used by other people than WMF sites...

> Of course, MediaWiki is also used by other people than WMF sites...

I should have been clearer. "I didn't think of the enterprise application. Whitelisting client apps seems like something that would be very rarely done for public sites, if ever. I don't know enough about OpenID Connect in enterprise application workflows to comment."

CCicalese_WMF updated the task description. Oct 8 2019, 3:12 PM

I updated the task description for clarity.