Page MenuHomePhabricator
Create Task
Maniphest T325235

Support Github login in Gitlab
Closed, DeclinedPublic
Actions

Description

Supporting authentication via Github as an OAuth identity provider in Wikimedia Gitlab would allow tying Gitlab accounts to Github accounts in a reliable way, which would allow things like importing patches (see T325106: Import Merge Requests from GitHub read-only mirrored repos into GitLab). See Gitlab documentation on Github login and external login in general.

There are two ways to configure an external login method in Gitlab: as an SSO (in which case it will act as an identity provider and logging in with your Github username will result in the creation of a new Gitlab account with the same name when you do it for the first time) and as a secondary authentication method (in which case you need to create a Gitlab account first, and then you either need to manually associate it with the Github account in your user preferences, or you need to use the same email address if Gitlab is configured to allow that). Wikimedia Gitlab already integrates into an SSO system, and you can't have two SSO systems (not without serious self-harm, anyway) so we'd want to use the non-SSO approach.

T215046: RfC: Use Github login for mediawiki.org has some generic considerations about the security, privacy and usability aspects of using an (optional) third-party login.

Related Objects
Search...

StatusSubtypeAssignedTask
 DeclinedFeatureNoneT325106 Import Merge Requests from GitHub read-only mirrored repos into GitLab
 DeclinedNoneT325235 Support Github login in Gitlab

Event Timeline

Tgr created this task.Dec 14 2022, 7:12 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 14 2022, 7:12 PM
Tgr added a comment.Dec 14 2022, 7:20 PM

Tagged as Security because the Gitlab doc on Github has a security notice about the Github integration being vulnerable to covert redirect attacks using a subdomain (ie. an attacker being able to issue browser redirects from a some-subdomain.gitlab.wikimedia.org page can send to user to the login/authorization page at Github and intercept the resulting access token). That does not sound like a serious issue to me but probably someone from Security should evaluate it if we decide to support Github logins.

Tgr mentioned this in T325106: Import Merge Requests from GitHub read-only mirrored repos into GitLab.Dec 14 2022, 7:21 PM
Aklapper added a parent task: T325106: Import Merge Requests from GitHub read-only mirrored repos into GitLab.Dec 16 2022, 11:36 AM
brennen edited projects, added Release-Engineering-Team, GitLab (Auth & Access); removed GitLab.Dec 16 2022, 4:43 PM
brennen subscribed.

I'm not sure if I can say persuasively why this sounds like a huge can of worms to me, but at first glance it really does. Tagging for better visibility.

bd808 subscribed.Dec 16 2022, 10:20 PM

Wikimedia Gitlab already integrates into an SSO system, and you can't have two SSO systems (not without serious self-harm, anyway) so we'd want to use the non-SSO approach.

What is the expected benefit with this constraint in place? The workflow for a brand new contributor using this would look something like:

  1. Click "sign in" at https://gitlab.wikimedia.org/
  2. Be redirected to https://idp.wikimedia.org/
  3. Click "Need to create a Wikimedia developer account?"
  4. Read https://wikitech.wikimedia.org/wiki/Help:Create_a_Wikimedia_developer_account
  5. Decide to create a SUL account via https://www.mediawiki.org/w/index.php?title=Special:CreateAccount
  6. Create a Developer account via https://toolsadmin.wikimedia.org/ or https://wikitech.wikimedia.org/
  7. Remember that they really wanted to login at https://gitlab.wikimedia.org/
  8. Go back to https://gitlab.wikimedia.org/
  9. Click "sign in"
  10. Be redirected to https://idp.wikimedia.org/
  11. Authenticate with their Developer account username and password
  12. Be redirected to https://gitlab.wikimedia.org/explore
  13. Find the link to https://gitlab.wikimedia.org/-/profile
  14. Realize that the "Account" sub-navigation includes a button to connect their GitHub account to gitlab.wikimedia.org
  15. Make that association by approving the OAuth application integration at GitHub
  16. Profit??

What utility did the hypothetical contributor gain if they passed the gauntlet of doing all of this? Presumably something that makes implementing T325106: Import Merge Requests from GitHub read-only mirrored repos into GitLab more exciting, but at the moment I'm not sure what. They now have a Developer account that has been connected to our GitLab so contributing drive-by patches via non-standard GitHub pull requests is no longer a benefit for them. Or is it somehow that I'm missing?

Tgr added a comment.Dec 16 2022, 10:40 PM

Toolsadmin should redirect back to the source of registration after step 7, but that's a separate story.

Yeah, it's more or less as you say, except if the user has the primary email address in Github and Gitlab, they can just click on the "login with Github" button in step 9 and skip the rest. But the main benefit would be the ability to correlate accounts, which is useful for security reasons (e.g. ensuring the Github user with the same nick is really the same user when responding to some request on Github - many MediaWiki extensions are developed on Github), statistics, looking up users' contributions, probably anti-abuse features (treat the user as somewhat trusted if they have some amount of not very recent Github contributions - the CI allowlist will go away with the migration but there might be other use cases where a trusted status is useful), and yes, automation like importing pull requests from Github.

Tgr added a comment.Dec 16 2022, 10:46 PM

Strictly from the contributor's POV it's 1) easier login (if they are logged into Github most of the time, but not logged into Wikimedia IDP most of the time) and 2) indicating your contributions elsewhere (ie. basically gamification - the "I added one more badge to my profile" feeling).

Also, I'd hope that one day signup happens via Apereo and not Toolsadmin / Wikitech and then the user can really get from "I have no developer account and click on the login-with-github button" to "I am at gitlab.wikimedia.org, logged in with my account connected" in one single seamless signup flow.

bd808 added a comment.Dec 17 2022, 12:58 AM
In T325235#8475274, @Tgr wrote:

Also, I'd hope that one day signup happens via Apereo and not Toolsadmin / Wikitech and then the user can really get from "I have no developer account and click on the login-with-github button" to "I am at gitlab.wikimedia.org, logged in with my account connected" in one single seamless signup flow.

T319405: Create an IDM for Wikimedia developer accounts is the active project that will replace Wikitech as a Developer account creation source. Striker will be updated to integrate with that system once it exists.

In T325235#8475268, @Tgr wrote:

But the main benefit would be the ability to correlate accounts, which is useful for security reasons (e.g. ensuring the Github user with the same nick is really the same user when responding to some request on Github - many MediaWiki extensions are developed on Github), statistics, looking up users' contributions, probably anti-abuse features (treat the user as somewhat trusted if they have some amount of not very recent Github contributions - the CI allowlist will go away with the migration but there might be other use cases where a trusted status is useful), and yes, automation like importing pull requests from Github.

That really seems like a use case for the IDM to fulfill rather than trying to use the opaque internals of GitLab to store correlated data that as you say we would like to reuse for other workflows.

hashar subscribed.Mar 15 2023, 11:08 AM

We had discussions for Phabricator about supporting GitHub has a third party authentication:

We had one about allowing Facebook login on Wikimedia wikis T61631: Enable Facebook login on Wikimedia wikis.

A RfC to use GitHub login for mediawiki.org T215046: RfC: Use Github login for mediawiki.org

And another one still open to use Google account for Wiki authentication T138695: Allow registration and login with a Google account.

If the issue is a new comer has a long jounrney to create an account and participate (see tasks at T325235) I guess we can work on making the experience easier and more pleasant? I am inclined to decline this request to support GitHub or any other third party in order to authenticate to our Gitlab.

Peachey88 moved this task from Backlog to config on the Wikimedia-GitHub board.May 19 2023, 9:03 PM
brennen closed this task as Declined.Apr 1 2024, 9:24 PM

That really seems like a use case for the IDM to fulfill rather than trying to use the opaque internals of GitLab to store correlated data that as you say we would like to reuse for other workflows.

Apart from any concerns I might have about adding coupling to GitHub specifically, I think that is the crux of this question.

Based on our current experience of administering GitLab and integrating it with other services, I don't think this is complexity we should take on. If someone feels very strongly here, this can obviously be reopened, but for now I'm going to mark as declined rather than have it sit in limbo indefinitely.

Bugreporter mentioned this in T368641: Track Github usernames associated with developer accounts.Jun 28 2024, 2:58 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits