Page MenuHomePhabricator

Bundle WebAuthn extension with MediaWiki
Open, LowPublic


The WebAuthn extension allows for use of physical security tokens (U2F, etc.) as a second factor for OATHAuth (already bundled). I think it would be a good addition to the TOTP auth method we already have.

I note that the documentation claims to require the gmp PHP extension, which core doesn't, so that's a blocker. Our base-convert library generally works around most needs of gmp, so I think in theory it should be possible to replace.

  • Passed security review or already Wikimedia deployed
  • Voting CI structure tests
  • Runs MediaWiki-CodeSniffer
  • Runs phan
  • Supports MySQL, SQLite, and Postgres (if there are schema changes)
  • GPL v2 or later compatible license
  • Extension's default configuration provides optimal experience
  • Tested with web installer

Event Timeline

Reedy triaged this task as Low priority.Jan 29 2021, 2:48 AM

Hey there. This task is proposed as a blocker to MediaWiki 1.37, which will be cut in less than three weeks' time. Please consider whether this will make that deadline, and if not, move it to block the MediaWiki 1.38 release (MW-1.38-release) or remove as a blocker entirely.

I can't find the task for this offhand.. But the fact it doesn't work so well when enabled on one wiki, and then when used to try and login on a different wiki (or more specifically, a different domain) is a potential blocker here...

T303495: Merge WebAuthn extension into OATHAuth would be another way to achieve the goals of this task and IMO a better long-term direction.