Implement a modern auto-verification for the WSOAuth extension
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	valerio.bozzolan
	May 28 2021, 7:02 AM

Description

Preamble

The MediaWiki extension WSOAuth allows to have an external identity provider for your wiki relying on the OAuth protocol.

This extension was probably designed to speedup sign up in a fresh wiki, or in a wiki where the nicknames were the same of another wiki, without much concerns about allowing already registered users to decide whether or not to authorize a certain identity provider for them.

Description of the issue

At the moment, it's up to the server system administrator to fight a phenomenon called "account usurpation" with WSOAuth.

In short, when you are sure that a specific nickname Foobar in your local wiki is in use by the same human of the same nickname from the upstream identity provider, you tell the server sysadmin to execute a maintenance script from the command line:

$ php extensions/WSOAuth/maintenance/migrateUser.php --user 'Foobar'

This workflow was damn simple and effective for those wikis where all the already existing users have nicknames definitely the same as upstream. In fact, to just approve every upstream nickname to login into your local nicknames, you can just execute this command:

$ php extensions/WSOAuth/maintenance/migrateUser.php --user '*' --migrate-all

or:

$wgOAuthMigrateUsersByUsername = true;

In short this is the current WSOAuth workflow:

user wants to login via an external identity provider
1. Case 1: server sysadmin authorized that nickname previously
  1. user redirected to external identity provider and insert its correct credentials
  2. redirected back to your wiki and login success
2. Case 2: server sysadmin does not authorized it previously
  1. login fail

That's not a desirable use case for some reasons:

manual verification activity in large wikis takes time
- every hour of a server sysadmin costs ($$)
it's not clear how to verify an user (contact each user via Special:SendEmail via both wikis?)
this can be the cause of human errors or social engineering
this does not cover some use-cases

Desirable use case

Let's take GitLab. GitLab is not MediaWiki but, as user, you may get yourself a good idea.

GitLab has lot of external identity providers. They do not have any "account usurpation" system because none of its identity providers is allowed to "usurp" any existing account. GitLab's workflow, instead, is:

user wants to login via an external identity provider
1. Case 1: user (→ not server sysadmin) authorized it previously
  1. user redirected to external identity provider and insert its correct credentials
  2. redirected back to GitLab and login success
2. Case 2: user does not authorized it previously
  1. login just fail

How to enter in Case 1? Let's see:

user is already authenticated
user press "allows this specific identity provider"
user redirected to external identity provider and insert correct credentials
user redirected back to GitLab and that identity provider is now usable

NOTE: In GitLab, server sysadmins are not involved in any step of this workflow.

Resolution criteria

add a way, for legacy registered users, to activate remote logins for themselves (instead of requiring interventions by the system administrator)
allow a legacy existing user with nickname "Foo" to authorize itself even if it's remote nickname is "Fee" or whatever

Details

	Subject	Repo	Branch	Lines +/-
	Implement auto-account usurpation	mediawiki/extensions/WSOAuth	master	+426 -51

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Resolved	valerio.bozzolan	T278135 Implement OAuth login for WMCH's members wiki
Open	None	T277278 Implement OAuth login into Wikimini
Resolved	Xxmarijnw	T283908 Implement a modern auto-verification for the WSOAuth extension

Event Timeline

valerio.bozzolan created this task.May 28 2021, 7:02 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 28 2021, 7:02 AM

I mark this Task with WMCH-Infrastructure because Wikimedia CH is interested in this feature but it should be related also to this Tag:

T283873: Create a Project #mediawiki-extensions-WSOAuth

valerio.bozzolan added a parent task: T278135: Implement OAuth login for WMCH's members wiki.May 28 2021, 7:09 AM

I set to Medium because there are good intentions to develop it in weeks.

valerio.bozzolan updated the task description. (Show Details)May 28 2021, 1:08 PM

I would like to clarify that WSOAuth does not provide support for multiple external identity providers, nor does PluggableAuth. There is currently an open initiative to add this support to PluggableAuth.

With that in mind, I do not see why a separate special page (ConnectedOAuthAccounts) is needed to facility automatic account usurpation. A form could probably just be added to Special:Preferences that performs the OAuth flow immediately, without any redirection to a special page defined by WSOAuth. Instead, the user could be send directly to Special:PluggableAuthLogin, exactly as if they had clicked on "Log in with OAuth" on Special:UserLogin.

A form could probably just be added to Special:Preferences

Yup that's better. Thank you!

Xxmarijnw claimed this task.Jun 2 2021, 9:02 AM

Xxmarijnw added a project: MediaWiki-extensions-WSOAuth.

Change 697793 had a related patch set uploaded (by Xxmarijnw; author: Xxmarijnw):

[mediawiki/extensions/WSOAuth@master] Implement auto-account usurpation

https://gerrit.wikimedia.org/r/697793

gerritbot added a project: Patch-For-Review.Jun 2 2021, 2:27 PM

I have implemented the requested changes above and created a patch set for them. @valerio.bozzolan could you take a look at it?

For the case where the user has not authorised the remote login and the login should fail, I added a configuration option ($wgOAuthDisallowRemoteOnlyAccounts). The default value of this configuration option is false, meaning the login will NOT fail and the old WSOAuth behaviour is used.

Furthermore, in my previous comment I mentioned that a form could probably be added to Special:Preferences. This turned out to not as easy as I thought, and because my time was limited I decided to still create a separate special page for it. This also has the benefit that more information about enabling remote sign-in can be given.

Please let me know if you find any bugs or things that are not implemented the way you wanted and I will have a look at it as soon as possible.

Xxmarijnw moved this task from Backlog to In Progress on the MediaWiki-extensions-WSOAuth board.Jun 2 2021, 2:42 PM

Xxmarijnw moved this task from In Progress to Waiting for Merge on the MediaWiki-extensions-WSOAuth board.

I will review it ASAP my friend. It looks promising. Thank you for your work in advance!

Thinking aloud, it would be interesting to allow users to remove that given remote authorization from their preferences.

This is useful for sensitive wikis with users with security paranoia where they don't want any potential risk incoming from an external identity provider like Facebook.

It wasn't included in the required features so don't worry. We can talk about it again in the future.

One issue I still found with the current implementation is that the following scenario may occur:

Suppose user A has two accounts, X and Y. X is a local-only account and Y is a remote-only account. As such, he can only use the local login to log into X, and can only use OAuth to log into Y. Now, user A logs in into his local account X and connects the remote account Y to his account. This is currently not blocked by the extension. Later, he tries to log in into his remote-only account Y, but as this account is now connected to X, he will be logged in as X.

I am not sure how big of an issue this is, and whether it needs to be addressed. @valerio.bozzolan what do you think? PS. Could you resubmit your code-review on Gerrit? I made some changes in response to @DannyS712, but that removed the +1 you gave.

In T283908#7138232, @Xxmarijnw wrote:

Suppose user A has two accounts, X and Y. X is a local-only account and Y is a remote-only account. As such, he can only use the local login to log into X, and can only use OAuth to log into Y. Now, user A logs in into his local account X and connects the remote account Y to his account. This is currently not blocked by the extension. Later, he tries to log in into his remote-only account Y, but as this account is now connected to X, he will be logged in as X.

I am not sure how big of an issue this is, and whether it needs to be addressed. @valerio.bozzolan what do you think?

An "Accept my last remote login" strategy that's fine for me for now. Moreover, this case cannot happen in Wikimedia CH. They always have local login enabled.

Just as before someone was contacting the server administrator to trust their own remote account, then the user will contact the server administrator only to fix such corner case. Right now, with your improvement as-is, the server administrator has a lower amount of workload than before.

Let's file a Task to further improve this workflow but that's OK for me as-is.

I would like for this to be merged soon, so other people can also benefit from these changes. @valerio.bozzolan do you know someone who might have time to review these changes in the near future?

Change 697793 merged by Xxmarijnw:

[mediawiki/extensions/WSOAuth@master] Implement auto-account usurpation

https://gerrit.wikimedia.org/r/697793

Restricted Repository Identity mentioned this in rEWAU203d51dd9099: Implement auto-account usurpation.Dec 14 2021, 7:25 PM

Xxmarijnw closed this task as Resolved.Dec 14 2021, 7:26 PM

Maintenance_bot removed a project: Patch-For-Review.Dec 14 2021, 8:10 PM

valerio.bozzolan moved this task from Backlog to Recent Changes on the WMCH-Infrastructure board.Dec 15 2021, 9:38 AM

valerio.bozzolan awarded a token.Dec 15 2021, 10:00 AM

valerio.bozzolan updated the task description. (Show Details)Dec 15 2021, 10:16 AM

Thank you everybody! That's great. I've updated the MediaWiki documentation. I don't know the best place to announce this. Tried here: