Page MenuHomePhabricator
Create Task
Maniphest T326281

Attempt top-level central autologin when visiting the login page (to allow autologin when the browser blocks third-party cookies)
Closed, ResolvedPublic
Actions

Description

CentralAuth attempts central autologin when first visiting the wiki, and also when vising the login page. These attempts happen via embedded page elements (a script, or a tracking pixel); modern browsers increasingly prevent or cripple cookie access in such a context. This results in T226797: CentralAuth login session and auto-login no longer work across wikis in Safari and Firefox, T257803: Chrome's "Block third-party cookies" option breaks CentralAuth edge login / autologin, T202028: CentralAuth fails when using "site isolation" in Google Chrome and Chromium or "first-party isolation" in Firefox and probably any number of similar issues.

We should instead attempt central autologin via top-level navigation, which is usually not subject to such cookie restrictions. Since a top-level redirect is potentially disruptive, this is only feasible when visiting the login page. The cross-wiki login experience will remain somewhat broken but at least users won't need to reauthenticate, only click login, so it will be much less inconvenient.

Details

SubjectRepoBranchLines +/-
Clean up centralautologin.js after top-level autologin patchmediawiki/extensions/CentralAuthmaster+12 -11
Try central autologin via redirects on login pagemediawiki/extensions/CentralAuthmaster+292 -13
Customize query in gerrit

Related Objects
Search...

Event Timeline

Tgr created this task.Jan 5 2023, 12:48 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 5 2023, 12:48 AM
Tgr claimed this task.Jan 5 2023, 12:48 AM
Tgr moved this task from Incoming to In Progress on the Growth-Team (Sprint 0 (Growth Team)) board.
Tgr added a comment.Jan 5 2023, 12:53 AM

From another discussion:

In T226797#8458653, @Tgr wrote:

I think the minimum-effort temporary fix would be to send the user to Special:CentralAutoLogin/checkLoggedIn when they visit the login page and the CentralAuthAnon localStorage / cookie key is not set (ext.centralauth.centralautologin.js does that already, but via AJAX so it gets subjected to TCP state partitioning while a top-level redirect would not) and make Special:CentralAutoLogin add an extra query parameter on an unsuccessful return to avoid an infinite redirect cycle. That's just a few lines of code changes and enough to unbreak privacy sandbox type issues which limit cookie access on embedded navigation but not top-level navigation, and the change should be mostly invisible to the user, I think (other than the login page loading a little slower when they are not logged in centrally + if something breaks in CentralAuth they might end up on an error page on loginwiki which is confusing but hopefully very rare).

We'll need a new key alongside CentralAuthAnon since there is no reason not to keep attempting autologin embedded as a script (right now that still works on default, non-incognito Chrome, so it should still work for most users) but we need to track the failure of that separately from the hopefully-more-successful top-level autologin. But other than that, this is the plan.

Tgr mentioned this in T226797: CentralAuth login session and auto-login no longer work across wikis in Safari and Firefox.Jan 5 2023, 12:54 AM
AntiCompositeNumber subscribed.Jan 5 2023, 1:01 AM
JJMC89 subscribed.Jan 5 2023, 1:17 AM
Tgr mentioned this in T300271: [IP Masking] Temporary Account Expiration.Jan 11 2023, 8:02 AM
gerritbot added a comment.Jan 12 2023, 8:13 AM

Change 877987 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@master] [WIP] Try central autologin via redirects on login page

https://gerrit.wikimedia.org/r/877987

gerritbot added a project: Patch-For-Review.Jan 12 2023, 8:13 AM
Tgr moved this task from In Progress to Code Review on the Growth-Team (Sprint 0 (Growth Team)) board.EditedJan 13 2023, 5:53 AM

Testing notes:

  • Needs a CentralAuth setup with $wgCentralAuthLoginWiki set and a wiki that is not in $wgCentralAuthAutoLoginWikis (not mandatory but makes testing simpler), e.g. dev.wiki and login.wiki on Vagrant with the CentralAuth role and $wgCentralAuthAutoLoginWikis = []; in settings.d.
  • Scenarios tested:
    • centrally logged in, locally logged out: when visiting Special:Userlogin, you get logged in via top-level autologin; returnto/returntoquery parameters are honored
      • (note that that you would get logged in without this patch as well, via the old mechanism; you can break it in ext.centralauth.centralautologin.js by commenting out the mw.loader.load line)
      • also works when the account does not exist locally
    • not centrally logged in: login via Special:Userlogin works, including multistep login
    • not centrally logged in: when visiting Special:Userlogin twice, it only attempts top-level autologin once
    • not centrally logged in: when visiting Special:Userlogin, logging in, logging out, and visiting Special:Userlogin again, it attempts top-level autologin again (ie. failure cookie is cleared after successful login)
    • manually crafted returnUrlToken (e.g. http://<login wiki>/wiki/Special:CentralAutoLogin/checkLoggedIn?type=redirect&returnUrlToken=123&wikiid=wiki&proto=http) fails with a reasonably-looking error page
    • logs to CentralAuth channel as expected
  • I could not reproduce the actual browser limitations this is supposed to work around, just tested that the top-level autologin works. Typically 3rd-party browser limitations are only triggered by requests across different second-level domains, so I figured it will be easier to test that in production.
Tgr added a comment.Jan 13 2023, 6:02 AM

We should probably figure out what metrics we can use (or need to add) to see how much effect this has. (We might want to review authentication-related metrics anyway for the introduction of temp users via T300263 & co). There are some authevents log events for central autologin, although not present on the authentication-metrics or authentications dashboards; that could be a start.

Tgr mentioned this in T327046: Improve (or identify) monitoring for CentralAuth autologins on Wikimedia wikis.Jan 16 2023, 5:16 AM
In T326281#8522536, @Tgr wrote:

We should probably figure out what metrics we can use (or need to add) to see how much effect this has. (We might want to review authentication-related metrics anyway for the introduction of temp users via T300263 & co). There are some authevents log events for central autologin, although not present on the authentication-metrics or authentications dashboards; that could be a start.

Filed as T327046: Improve (or identify) monitoring for CentralAuth autologins on Wikimedia wikis.

Trizek-WMF added a project: User-notice.Jan 16 2023, 1:30 PM
Quiddity moved this task from To Triage to Not ready to announce on the User-notice board.Jan 20 2023, 12:38 AM
Quiddity subscribed.

If I understand correctly, this is not yet ready for any Tech News announcements. I will move it to the appropriate workboard column. When it is ready (estimates appreciated), please change the column again, or comment here, or ping me. Please also suggest some draft wording for the Tech News entry. Thank you!

Quiddity unsubscribed.Jan 20 2023, 12:38 AM
Tgr added a comment.Jan 20 2023, 3:31 AM

It will be ready when the patch is merged. Draft wording: When you are logged in on one Wikimedia and visit a different one, the system tries to log you in there automatically. The way this is done was changed to make it more reliable. If you feel it's working better or worse than it used to, your feedback is appreciated. [https://phabricator.wikimedia.org/T326281]

BTullis subscribed.Jan 24 2023, 9:40 AM
ThurnerRupert mentioned this in T257803: Chrome's "Block third-party cookies" option breaks CentralAuth edge login / autologin.Feb 1 2023, 3:38 AM
kostajh added a project: Platform Engineering.Mar 22 2023, 8:53 PM
kostajh added subscribers: daniel, kostajh.

Platform Engineering (cc @daniel) could we please have some of your time to review the patch for this task?

MShilova_WMF subscribed.Apr 14 2023, 6:30 PM

Platform Engineering (CC @daniel) tagging you to check if you saw Kosta's last comment and if you have a response.

daniel added a comment.EditedApr 17 2023, 9:02 AM

@MShilova_WMF @kostajh: I'm not very knowledgable about this topic. I will try to find time to learn about it. Unfortunately, we don't have anyone with deep knowledge of SSO on the team.

Considering that this is critical functionality, my priority is to get it right, rather do it fast. I have asked our EMs to get this onto the roadmap.

kostajh changed the task status from Open to In Progress.Apr 28 2023, 10:31 AM
kostajh triaged this task as Medium priority.
matmarex renamed this task from Attempt top-level central autologin when visiting the login page to Attempt top-level central autologin when visiting the login page (to allow autologin when the browser blocks third-party cookies).Jun 2 2023, 12:27 AM
matmarex subscribed.

Adding some keywords to make this task easier to find. I've had the same idea and I'm glad someone is already working on it.

Tgr moved this task from Code Review to Blocked / Needs work on the Growth-Team (Sprint 0 (Growth Team)) board.Jun 8 2023, 5:44 PM
larissagaulia added a project: MediaWiki-Platform-Team.Jul 14 2023, 3:07 PM
MShilova_WMF unsubscribed.Jul 14 2023, 3:35 PM
Hokwelum subscribed.Jul 17 2023, 1:37 PM
larissagaulia moved this task from Inbox, needs triage to Current Sprint on the MediaWiki-Platform-Team board.Aug 1 2023, 4:48 PM
Krinkle added a parent task: T226797: CentralAuth login session and auto-login no longer work across wikis in Safari and Firefox.Aug 28 2023, 1:56 PM
Novem_Linguae subscribed.Aug 28 2023, 2:00 PM
Tgr mentioned this in T345249: Mitigate phase-out of third-party cookies in CentralAuth.Aug 30 2023, 1:37 PM
tstarling subscribed.Sep 1 2023, 5:47 AM

I could not reproduce the actual browser limitations this is supposed to work around, just tested that the top-level autologin works. Typically 3rd-party browser limitations are only triggered by requests across different second-level domains, so I figured it will be easier to test that in production.

To reproduce state partitioning, you do need more than one "registrable domain", although the domains do not actually have to be registered. My CentralAuth test setup has multiple registrable domains in /etc/hosts, with a shared self-signed certificate for HTTPS.

gerritbot added a comment.Sep 4 2023, 12:02 AM

Change 877987 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Try central autologin via redirects on login page

https://gerrit.wikimedia.org/r/877987

Maintenance_bot removed a project: Patch-For-Review.Sep 4 2023, 12:10 AM
ReleaseTaggerBot added a project: MW-1.41-notes (1.41.0-wmf.25; 2023-09-05).Sep 4 2023, 1:00 AM
Quiddity added a comment.Sep 7 2023, 8:49 PM
In T326281#8542466, @Tgr wrote:

It will be ready when the patch is merged. Draft wording: When you are logged in on one Wikimedia and visit a different one, the system tries to log you in there automatically. The way this is done was changed to make it more reliable. If you feel it's working better or worse than it used to, your feedback is appreciated. [https://phabricator.wikimedia.org/T326281]

I've added this to https://meta.wikimedia.org/wiki/Tech/News/2023/37 -- if any changes are needed, please edit it there within the next ~24 hours. Thanks again for the draft!

Quiddity moved this task from Not ready to announce to In current Tech/News draft on the User-notice board.Sep 7 2023, 8:49 PM
Tgr added a comment.EditedSep 9 2023, 9:55 PM

Tested by logging in on en.wikipedia.org, then visiting www.mediawiki.org (without "Keep me logged in" option):

Instant (<script>) autologinSpecial:UserLogin (top-level) autologin
Chrome 116 / Win 11 & Ubuntuworks
Chrome 116 / Win 11 & Ubuntu (incognito mode)failsworks
Brave 1.57.62 / Win 11failsworks
Firefox 117 / Win 11 & Ubuntufailsworks
Firefox 117 / Win 11 & Ubuntu (private mode)failsworks
Edge 116 / Win 11works
Edge 116 / Win 11 (InPrivate window)works
Edge 116 / Win 11 (with "Block third-party cookies" option)failsworks
Opera 102 / Win 11works
Opera 102 / Win 11 (private mode)failsworks
Epiphany 44.6 / Ubuntu (as an approximation of Safari 16.4)failsworks
Epiphany 44.6 / Ubuntu (private mode)failsworks

I think we can call that a victory (for now; as noted in T345245, browser vendors are actively thinking about bounce tracking mitigations).

Tgr added a comment.Sep 9 2023, 9:56 PM

We don't really have useful logs (I did not get T327046 done in time); total autologins went up by ~10-20% but it's hard to know if that's related:

hive (event)> SELECT day, count(*) FROM centralauth WHERE year=2023 AND month=9 AND event.action='sul2-autologin-fallbacklogin' GROUP BY day;
day	_c1
1	12579
2	11507
3	12159
4	12335
5	12144
6	12989
7	14076
8	14041
9	10917
Tgr closed this task as Resolved.Sep 10 2023, 8:59 AM
Tgr added a comment.Sep 10 2023, 9:02 AM

Caused T345700: TypeError: Argument 1 passed to MediaWiki\Extension\CentralAuth\CentralAuthUtilityService::detokenize() must be of the type string, null given, called in /srv/mediawiki/php-1.41.0-wmf.25/extensions/CentralAuth/includes/Special/ but it seems very minor (manual tampering with the URL?).

TheDJ awarded a token.Sep 10 2023, 12:08 PM
DAlangi_WMF awarded a token.Sep 10 2023, 2:41 PM
matmarex awarded a token.Sep 11 2023, 1:18 PM
DMburugu removed a project: Growth-Team (Sprint 0 (Growth Team)).Sep 12 2023, 6:24 AM
Quiddity moved this task from In current Tech/News draft to Already announced/Archive on the User-notice board.Sep 14 2023, 4:17 PM
Guycn2 subscribed.Sep 15 2023, 2:47 AM
This comment was removed by Guycn2.
Guycn2 awarded a token.Sep 15 2023, 2:47 AM
kostajh awarded a token.Sep 15 2023, 7:50 AM
Nux subscribed.Sep 16 2023, 2:35 PM
This comment was removed by Nux.
Nux mentioned this in T346475: Long pages are loaded with default skin instead of using prefered skin.Sep 16 2023, 2:41 PM
Ammarpad mentioned this in T346669: PHP Notice: Trying to access array offset on value of type bool (in MobileContext.php).Sep 22 2023, 5:50 AM
taavi mentioned this in T347116: Address MediaWiki\Auth\AuthManager::autoCreateUser Logstash PHP error.Sep 22 2023, 7:42 AM
Maintenance_bot edited projects, added User-notice-archive; removed User-notice.Oct 2 2023, 8:32 AM
matmarex mentioned this in T348166: Erratic logout behavior.Oct 6 2023, 1:34 AM
Tgr added a parent task: T345249: Mitigate phase-out of third-party cookies in CentralAuth.Oct 7 2023, 6:58 PM
gerritbot added a comment.Oct 9 2023, 6:09 AM

Change 964312 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@master] Clean up centralautologin.js after top-level autologin patch

https://gerrit.wikimedia.org/r/964312

gerritbot added a project: Patch-For-Review.Oct 9 2023, 6:09 AM
gerritbot added a comment.Oct 9 2023, 6:01 PM

Change 964312 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Clean up centralautologin.js after top-level autologin patch

https://gerrit.wikimedia.org/r/964312

Maintenance_bot removed a project: Patch-For-Review.Oct 9 2023, 6:10 PM
ReleaseTaggerBot edited projects, added MW-1.41-notes (1.41.0-wmf.30; 2023-10-10); removed MW-1.41-notes (1.41.0-wmf.25; 2023-09-05).Oct 9 2023, 7:00 PM
Guycn2 rescinded a token.Oct 13 2023, 12:49 AM
Guycn2 unsubscribed.
matmarex mentioned this in T349014: Remove unused Special:CentralLogin/status.Oct 17 2023, 7:08 PM
Tgr mentioned this in T296349: Session not created on VoteWiki when using desktop site with a mobile user agent.Nov 30 2023, 5:26 PM
Tgr mentioned this in T355280: Try to connect to central session before temp user creation.Jan 18 2024, 3:59 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL