Page MenuHomePhabricator
Create Task
Maniphest T303495

Merge WebAuthn extension into OATHAuth
Closed, ResolvedPublic
Actions

Description

OATHAuth provides the infrastructure for 2FA support, and contains a TOTP code-based module provider. It's also bundled with the tarball. WebAuthn extends upon that by adding a provider for Yubikeys and similar devices.

It would be easier to make changes to OATHAuth if all the code was contained in the same Git repository. Also these days WebAuthn is an well-known standard and for 2FA purposes, using security keys is generally expected as an addition to TOTP. It would be good if we could ship both with minimal setup.

Given that we do want to bundle WebAuthn (T258007: Bundle WebAuthn extension with MediaWiki), merging would be another way to get to that goal.

The main blocker is the current WebAuthn library depends on the gmp extension, which the tarball currently doesn't. That dependency should be removed or be made a core dependency.

Details

Related Changes in Gerrit:
Show related patches Customize query in gerrit
Related Changes in GitLab:
TitleReferenceAuthorSource BranchDest Branch
settings.yaml: Stop branching WebAuthnrepos/releng/release!232reedyreedy-main-patch-72251main
Customize query in GitLab

Related Objects
Search...

Event Timeline

Legoktm created this task.Mar 10 2022, 4:10 AM
Legoktm triaged this task as Low priority.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 10 2022, 4:10 AM
Legoktm mentioned this in T258007: Bundle WebAuthn extension with MediaWiki.Mar 10 2022, 4:11 AM
Legoktm mentioned this in T303404: ArgumentCountError: Too few arguments to function MediaWiki\Extension\OATHAuth\OATHUserRepository::remove(), 2 passed in /srv/mediawiki/php-1.38.0-wmf.25/extensions/WebAuthn/src/HTMLForm/WebAuthnDisableForm.php on line 114 and exactly 3 expected.
Nikerabbit subscribed.Mar 10 2022, 6:58 AM
Reedy subscribed.Mar 10 2022, 1:19 PM

The main blocker is the current WebAuthn library depends on the gmp extension, which the tarball currently doesn't. That dependency should be removed or be made a core dependency.

Unless I'm missing something, it doesn't actually.

A few of the dependencies in require have ext-bcmath and/or ext-gmp in suggest... And that is only for performance reasons, suggesting there's fallbacks in most (all?) of them

Krinkle awarded a token.Mar 10 2022, 6:01 PM
alistair3149 awarded a token.Nov 22 2022, 6:47 AM
alistair3149 subscribed.
Tgr subscribed.Dec 21 2022, 11:00 PM

They both provide secondary authenication factors, and quite different ones. Conceptually there shouldn't be much reason to merge. If one depends on the other, that might be a sign that the common piece of functionality should be in core?

Legoktm added a comment.Jan 31 2023, 3:53 PM
In T303495#8485761, @Tgr wrote:

They both provide secondary authenication factors, and quite different ones. Conceptually there shouldn't be much reason to merge.

Indeed, it's mostly for practical reasons:

  • Easier to refactor OATHAuth if all the code was in one Git repository
  • Easier for sysadmins to enable 2FA support on their wiki if it's just one extension rather than two

If one depends on the other, that might be a sign that the common piece of functionality should be in core?

Maybe... 🤔

Reedy added a comment.Jan 31 2023, 8:36 PM

FWIW, the main reason it was split originally was it required newer PHP version than WMF had at the time, so it was easier to split it and allow development in a seperate (non deployed, at the time) repo...

Tgr mentioned this in T348206: Improve logging, monitoring and test coverage for MediaWiki Platform team authentication extensions.Oct 23 2023, 2:09 AM
taavi awarded a token.Dec 25 2023, 12:16 PM
Reedy mentioned this in T404818: Create dedicated phab project for WebAuthn?.Sep 17 2025, 7:57 AM
Reedy moved this task from Backlog to Features/Improvements on the MediaWiki-extensions-OATHAuth board.Sep 17 2025, 9:31 AM
Mstyles added a project: FY2025-26 WE 4.6 - Account Security (WE 4.6.4 - 2FA improvements and passkey support).Oct 2 2025, 6:12 PM
Catrope moved this task from Inbox to Backlog on the FY2025-26 WE 4.6 - Account Security (WE 4.6.4 - 2FA improvements and passkey support) board.Oct 2 2025, 6:22 PM
gerritbot added a comment.Dec 27 2025, 7:03 PM

Change #1221160 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/WebAuthn@master] Empty extension to noop

https://gerrit.wikimedia.org/r/1221160

gerritbot added a project: Patch-For-Review.Dec 27 2025, 7:03 PM

Change #1221161 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@master] Merge WebAuthn into OATHAuth

https://gerrit.wikimedia.org/r/1221161

Reedy mentioned this in T413541: CI fails on noop for WebAuthn.Dec 27 2025, 7:21 PM
Reedy added a project: translatewiki.net.Dec 27 2025, 7:25 PM

Will need to decide how to handle the message files for twn purposes...

Nikerabbit moved this task from Backlog to Configuration changes on the translatewiki.net board.Jan 8 2026, 8:20 AM
Nikerabbit added a subscriber: Raymond.Jan 8 2026, 8:23 AM
In T303495#11485595, @Reedy wrote:

Will need to decide how to handle the message files for twn purposes...

Depends on what you want as an end result. Probably first easy step is to move en/qqq.json as separate files to the other extension and remove from the other. Later those can be renamed and files merged if needed. Whether or not BC is needed we would likely drop the other extension completely from translatewiki.

TBurmeister subscribed.Jan 15 2026, 8:56 PM
TBurmeister awarded a token.Jan 20 2026, 4:44 PM
gerritbot added a comment.Jan 26 2026, 10:34 PM

Change #1233299 had a related patch set uploaded (by Reedy; author: Reedy):

[translatewiki@master] mediawiki-extensions.txt: Move WebAuthn message files to point to OATHAuth

https://gerrit.wikimedia.org/r/1233299

Reedy changed the task status from Open to In Progress.Jan 26 2026, 10:37 PM
Reedy claimed this task.
Bugreporter2 awarded a token.Jan 27 2026, 5:52 AM
CodeReviewBot added a comment.Jan 27 2026, 11:38 AM

reedy opened https://gitlab.wikimedia.org/repos/releng/release/-/merge_requests/232

settings.yaml: Stop branching WebAuthn

gerritbot added a comment.Jan 27 2026, 11:42 AM

Change #1233679 had a related patch set uploaded (by Reedy; author: Reedy):

[operations/mediawiki-config@master] CommonSettings.php: Stop loading WebAuthn

https://gerrit.wikimedia.org/r/1233679

gerritbot added a comment.Jan 27 2026, 11:42 AM

Change #1233680 had a related patch set uploaded (by Reedy; author: Reedy):

[operations/mediawiki-config@master] wmf-config: Remove $wmgUseWebAuthn and extension from extension-list

https://gerrit.wikimedia.org/r/1233680

gerritbot added a comment.Jan 27 2026, 12:36 PM

Change #1221160 merged by jenkins-bot:

[mediawiki/extensions/WebAuthn@master] Empty extension to noop

https://gerrit.wikimedia.org/r/1221160

gerritbot added a comment.Jan 27 2026, 12:36 PM

Change #1221161 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Merge WebAuthn into OATHAuth

https://gerrit.wikimedia.org/r/1221161

gerritbot added a comment.Jan 27 2026, 12:38 PM

Change #1233686 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@master] Cleanup post merge of WebAuthn into OATHAuth

https://gerrit.wikimedia.org/r/1233686

gerritbot added a comment.Jan 27 2026, 12:38 PM

Change #1233687 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@master] i18n: Remove webauthn-desc message

https://gerrit.wikimedia.org/r/1233687

gerritbot added a comment.Jan 27 2026, 12:55 PM

Change #1233691 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@master] Re-namespace WebAuthn into OATHAuth

https://gerrit.wikimedia.org/r/1233691

ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.14; 2026-02-03).Jan 27 2026, 1:00 PM
gerritbot added a comment.Jan 27 2026, 1:27 PM

Change #1233299 merged by jenkins-bot:

[translatewiki@master] mediawiki-extensions.txt: Move WebAuthn message files to point to OATHAuth

https://gerrit.wikimedia.org/r/1233299

Reedy added a comment.Jan 27 2026, 1:51 PM

I think the main outstanding things (patches still to be made) is to decide what we want to do about the i18n files going forward.

Do we want to merge the WebAuthn files into the OATHAuth ones? And if so, do we want to rename the message keys?

I don't think it's necessarily a bad thing for them to be different prefixed, nor necessarily in different files. But no strong feelings either way.

Reedy added a parent task: T415665: Merge Extension:WebAuthn documentation into Extension:OATHAuth on mediawikiwiki.Jan 27 2026, 1:52 PM
gerritbot added a comment.Jan 27 2026, 1:53 PM

Change #1233708 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/WebAuthn@master] Delete more files/turn CI things off

https://gerrit.wikimedia.org/r/1233708

Jdforrester-WMF subscribed.Jan 27 2026, 2:33 PM
In T303495#11557873, @Reedy wrote:

I think the main outstanding things (patches still to be made) is to decide what we want to do about the i18n files going forward.

Do we want to merge the WebAuthn files into the OATHAuth ones? And if so, do we want to rename the message keys?

I don't think it's necessarily a bad thing for them to be different prefixed, nor necessarily in different files. But no strong feelings either way.

Historically we've moved the i18n over, then renamed a bit later, to make sure it doesn't break TWN.

Raymond added a comment.Jan 27 2026, 5:21 PM
In T303495#11557873, @Reedy hat geschrieben:

I think the main outstanding things (patches still to be made) is to decide what we want to do about the i18n files going forward.

Do we want to merge the WebAuthn files into the OATHAuth ones? And if so, do we want to rename the message keys?

I don't think it's necessarily a bad thing for them to be different prefixed, nor necessarily in different files. But no strong feelings either way.

A consistent prefix would have the advantage, that a wiki user could find all messages of this extension onwiki: https://de.wikipedia.org/wiki/Spezial:MediaWiki-Systemnachrichten?prefix=oath&filter=all&lang=de&limit=50

Different files are no problem.

In case of a prefix change please change en.json and qqq.json only. The rename of all translations would be done by translatewiki automatically during sync.

gerritbot added a comment.Jan 27 2026, 7:57 PM

Change #1233686 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Cleanup post merge of WebAuthn into OATHAuth

https://gerrit.wikimedia.org/r/1233686

gerritbot added a comment.Jan 27 2026, 8:26 PM

Change #1233687 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] i18n: Remove webauthn-desc message

https://gerrit.wikimedia.org/r/1233687

Tgr awarded a token.Jan 27 2026, 8:38 PM
gerritbot added a comment.Jan 28 2026, 5:43 PM

Change #1233708 merged by jenkins-bot:

[mediawiki/extensions/WebAuthn@master] Delete more files/turn CI things off

https://gerrit.wikimedia.org/r/1233708

gerritbot added a comment.Jan 28 2026, 6:07 PM

Change #1233691 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Re-namespace WebAuthn into OATHAuth

https://gerrit.wikimedia.org/r/1233691

gerritbot added a comment.Jan 28 2026, 9:19 PM

Change #1234502 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@master] i18n: Rename webauthn messages to have common prefix with oathauth

https://gerrit.wikimedia.org/r/1234502

Reedy mentioned this in T415832: Remove https://doc.wikimedia.org/cover-extensions/WebAuthn/.Jan 28 2026, 9:24 PM
Bugreporter added a parent task: T415867: Archive the WebAuthn extension.Jan 29 2026, 7:32 AM
gerritbot added a comment.Jan 30 2026, 4:56 PM

Change #1234502 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] i18n: Rename webauthn messages to have common prefix with oathauth

https://gerrit.wikimedia.org/r/1234502

gerritbot added a comment.Feb 5 2026, 11:28 AM

Change #1237188 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@master] HTMLForm: Fix double oathauth- prefix in sections

https://gerrit.wikimedia.org/r/1237188

gerritbot added a comment.Feb 5 2026, 10:50 PM

Change #1237188 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] HTMLForm: Fix double oathauth- prefix in sections

https://gerrit.wikimedia.org/r/1237188

Nikerabbit mentioned this in T416660: Stop loading WebAuthn extension on translatewiki.Feb 6 2026, 8:21 AM
Nikerabbit added a comment.Feb 6 2026, 8:27 AM

https://www.mediawiki.org/wiki/Extension:OATHAuth doesn't mention the requirement of gmp or bcmatch php extension that is mentioned in https://www.mediawiki.org/wiki/Extension:WebAuthn. Should it be added or is it outdated?

Reedy added a comment.Feb 6 2026, 5:06 PM
In T303495#11590396, @Nikerabbit wrote:

https://www.mediawiki.org/wiki/Extension:OATHAuth doesn't mention the requirement of gmp or bcmatch php extension that is mentioned in https://www.mediawiki.org/wiki/Extension:WebAuthn. Should it be added or is it outdated?

T415665: Merge Extension:WebAuthn documentation into Extension:OATHAuth on mediawikiwiki

One of them is needed

gerritbot added a comment.Feb 17 2026, 12:27 PM

Change #1233679 merged by jenkins-bot:

[operations/mediawiki-config@master] CommonSettings.php: Stop loading WebAuthn

https://gerrit.wikimedia.org/r/1233679

gerritbot added a comment.Feb 17 2026, 12:28 PM

Change #1233680 merged by jenkins-bot:

[operations/mediawiki-config@master] wmf-config: Remove $wmgUseWebAuthn and extension from extension-list

https://gerrit.wikimedia.org/r/1233680

Stashbot added a comment.Feb 17 2026, 12:29 PM

Mentioned in SAL (#wikimedia-operations) [2026-02-17T12:29:23Z] <reedy@deploy2002> Started scap sync-world: Backport for [[gerrit:1233679|CommonSettings.php: Stop loading WebAuthn (T303495)]], [[gerrit:1233680|wmf-config: Remove $wmgUseWebAuthn and extension from extension-list (T303495)]]

Stashbot added a comment.Feb 17 2026, 12:33 PM

Mentioned in SAL (#wikimedia-operations) [2026-02-17T12:33:54Z] <reedy@deploy2002> reedy: Backport for [[gerrit:1233679|CommonSettings.php: Stop loading WebAuthn (T303495)]], [[gerrit:1233680|wmf-config: Remove $wmgUseWebAuthn and extension from extension-list (T303495)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

CodeReviewBot added a comment.Feb 17 2026, 12:38 PM

reedy merged https://gitlab.wikimedia.org/repos/releng/release/-/merge_requests/232

settings.yaml: Stop branching WebAuthn

Stashbot added a comment.Feb 17 2026, 12:40 PM

Mentioned in SAL (#wikimedia-operations) [2026-02-17T12:40:21Z] <reedy@deploy2002> Finished scap sync-world: Backport for [[gerrit:1233679|CommonSettings.php: Stop loading WebAuthn (T303495)]], [[gerrit:1233680|wmf-config: Remove $wmgUseWebAuthn and extension from extension-list (T303495)]] (duration: 10m 58s)

Maintenance_bot removed a project: Patch-For-Review.Feb 17 2026, 1:30 PM
Catrope moved this task from WE 4.6.4 - 2FA improvements and passkey support to WE 4.6.9 (Passwordless login and passkey promotion) on the FY2025-26 WE 4.6 - Account Security board.Feb 19 2026, 7:01 PM
Catrope edited projects, added FY2025-26 WE 4.6 - Account Security (WE 4.6.9 (Passwordless login and passkey promotion)); removed FY2025-26 WE 4.6 - Account Security (WE 4.6.4 - 2FA improvements and passkey support).
Legoktm awarded a token.Feb 25 2026, 12:04 AM
Restricted Application added a project: Product Safety and Integrity. · View Herald TranscriptFeb 25 2026, 12:04 AM
TBurmeister mentioned this in T415867: Archive the WebAuthn extension.Feb 25 2026, 8:55 PM
Reedy closed this task as Resolved.Wed, Mar 18, 9:47 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits