Page MenuHomePhabricator
Create Task
Maniphest T320807

Implement OAuth account validation for linking an account to a wiki account
Closed, ResolvedPublic
Actions

Description

Once a user has been created (or when editing users) we want to offer to link it to an existing wiki account (this could be either a wikitech account or a wiki-wide SUL account). To validate that they are in control of the wiki account, we use the OAuth federation to authenticate against the OAuth provider deployed to the wikis (either the main wikis for SUL or wikitech).

Details

SubjectRepoBranchLines +/-
SUL account linkingoperations/software/bitumaster+210 -8
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT189531 All Wikimedia developer services should use single sign-on
 OpenNoneT363125 sustainability of wikitech.wikimedia.org
 OpenNoneT161859 Make Wikitech an SUL wiki
 OpenSLyngshede-WMFT163478 Allow viewing/searching LDAP account creations including date
 ResolvedNoneT153821 wikitech.wikimedia.org missing from pageviews API
 OpenNoneT237773 Move Wikitech onto the production MW cluster
 Resolved MarosteguiT167973 Move database for wikitech (labswiki) to a main cluster section
 ResolvedAndrewT188029 Move labswiki database to m5
Resolved MarosteguiT282074 Audit labswiki grants
 ResolvedAndrewT282209 Enable connection from labweb1001/labweb1002 to s6
 DeclinedAndrewT282573 Move labweb/cloudweb hosts to private IPs
 ResolvedAndrewT284106 Replicate & sanitize wikitech data
 ResolvedAndrewT284108 Bring labswiki database tables up to date
 ResolvedLadsgroupT269348 wikitech database has almost all of its varbinary fields wrong
 DuplicateNoneT284736 Create views on labswiki on clouddb* hosts
 Resolved BstormT287442 Create views for labswiki (wikitech)
 DeclinedNoneT237889 Install php-ldap on all MW appservers
 ResolvedtaaviT237890 Remove and empty useless user groups
 ResolvedJdforrester-WMFT196466 Remove 'shell user' right on wikitech
 DeclinedNoneT246405 On wikitech, make sysops unable to edit site JS, and then retire contentadmin
 OpenjijikiT292707 Migrate Wikitech to Kubernetes
 OpenNoneT359551 Replace wikitech as source of two-factor auth protection for developer accounts
 OpenFeatureNoneT359554 Use IDP for authentication in Striker
 StalledFeatureNoneT359590 Use IDP for authentication in Horizon
 OpenFeatureSLyngshede-WMFT359552 Enable self-service IDP two-factor authentication management
 OpenNoneT359820 Add developer account (un)blocking support to Bitu
 OpenAndrewT360795 Set up a bitu instance for codfw1dev
 OpenSLyngshede-WMFT362128 Site: 1 VM for codfw1dev bitu deployment
 OpenABran-WMFT362619 Database request for Bitu Cloud DEV installation
 ResolvedtaaviT360883 Disable email address changes in Wikitech
 ResolvedPRODUCTION ERRORTgrT195253 Special:Notifications gives a consistent PHP exception on load ("The trash icon is not registered") for users with OpenStackManager notifications
 OpenNoneT106123 Extensions needing to be removed from Wikimedia wikis
 Resolvedbd808T53642 Get rid of SemanticMediaWiki/SRF/SF from wikitech.wikimedia.org
 ResolvedyuvipandaT103995 Build a simple tool to query which instances have which roles / puppet variables
 Resolvedbd808T161662 Replace SMW data on project instances with a tool using the OpenStack APIs
 Resolvedbd808T162508 Implement Tool Labs membership application and processing in Striker
 Resolvedbd808T164787 Keystone permissions exception when trying to approve Tool Labs membership request via Striker
 OpentaaviT161553 Remove OpenStackManager from Wikitech
 ResolvedtaaviT196171 Developer account creation without OpenStackManager
 DeclinedNoneT179463 Create a single application to provision and manage developer (LDAP) accounts
 OpenNoneT319405 Create an IDM for Wikimedia developer accounts
 ResolvedSLyngshede-WMFT320603 IDM milestone 2 "Initial limited deployment"
 ResolvedSLyngshede-WMFT320807 Implement OAuth account validation for linking an account to a wiki account
 OpenNoneT148048 Store Wikimedia unified account name (SUL) in LDAP directory
 OpentaaviT359428 Striker should use ID instead of username to identify SUL accounts

Event Timeline

MoritzMuehlenhoff created this task.Oct 14 2022, 12:42 PM
bd808 subscribed.Dec 17 2022, 12:05 AM

an existing wiki account (this could be either a wikitech account or a wiki-wide SUL account).

A Wikitech account is itself a realization of an LDAP Developer account record. There would be no benefit in using OAuth to prove that the Wikitech account and the LDAP account are correlated.

I would actually recommend that you strongly consider using OAuth with metawiki as the primary authn for the IDM.

Tgr subscribed.Dec 17 2022, 5:16 AM
In T320807#8475306, @bd808 wrote:

I would actually recommend that you strongly consider using OAuth with metawiki as the primary authn for the IDM.

One thing to keep in mind is that SUL has a rather large attack surface. In a glorious future where we would use a narrowly scoped standalone application for SUL authentication and OAuth, this wouldn't be a concern; today, though, authentication happens in every Wikimedia wiki with no process or DB or web origin separation, so any SQL or XSS injection vulnerability in any extension deployed on any Wikimedia SUL wiki, or any XSS vulnerability in any community-maintained on-wiki script, or any takeover of a sufficiently privileged volunteer account (or a number of more obscure but similarly wide-ranging avenues of attack) could be escalated into takeover of any specific SUL account with relative ease.

The presence of a non-trivial risk of SUL account takeover is not great, but ultimately there is a pretty low limit on how much value an attacker can get out of a SUL account, and pretty much anything they can use it for leaves a public trace and will soon be noticed and reverted. How comfortable are you saying the same about developer accounts? They don't get you any production access, so maybe it is a similar situation, but I wouldn't be entirely sure about that.

BTullis subscribed.Dec 17 2022, 10:15 AM
SLyngshede-WMF changed the task status from Open to In Progress.Feb 6 2023, 3:44 PM
SLyngshede-WMF changed the task status from In Progress to Open.
SLyngshede-WMF changed the task status from Open to In Progress.
gerritbot added a comment.Feb 9 2023, 1:41 PM

Change 888003 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/software/bitu@master] SUL account linking

https://gerrit.wikimedia.org/r/888003

gerritbot added a project: Patch-For-Review.Feb 9 2023, 1:41 PM
gerritbot added a comment.Mar 7 2023, 1:05 PM

Change 888003 merged by Slyngshede:

[operations/software/bitu@master] SUL account linking

https://gerrit.wikimedia.org/r/888003

Maintenance_bot removed a project: Patch-For-Review.Mar 7 2023, 1:10 PM
SLyngshede-WMF closed this task as Resolved.Mar 15 2023, 10:47 AM
SLyngshede-WMF claimed this task.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL