Move credentials change to central domain
Open, Needs TriagePublic
Actions

Description

As part of T348388: SUL3: Use a dedicated domain for login and account creation, the login and signup forms would be moved to the central login wiki. It would make sense to move the credentials change forms (password change, 2FA change) as well. This doesn't block rollout of the other SUL3 work, and could be done much later, apart from WebAuthn where we'd have to disable the local form at least (T354701: Enable migration of WebAuthn credentials to central domain).

In the simplest form, this could just mean changing the various Special:Preferences buttons to be simple links, and adding returnto support to credentials change pages (the various AuthManagerSpecialPage subpages + OATH/WebAuthn).

Details

Subject	Repo	Branch	Lines +/-
Override for CentralAuth SUL3 notice about WebAuthn domains	mediawiki/extensions/WikimediaMessages	master	+7 -0
Hide sitenotices on the central domain and show WebAuthn notice	mediawiki/extensions/CentralAuth	master	+167 -0
Remove WebAuthn message overrides	mediawiki/extensions/WikimediaMessages	master	+0 -8
Do not throw an exception after shared-domain login with no token	mediawiki/extensions/CentralAuth	master	+7 -6
Do not start central login from the shared domain	mediawiki/extensions/CentralAuth	master	+1 -0
Redirect credentials change pages to central domain	mediawiki/extensions/CentralAuth	master	+57 -6
Redirect credentials change pages to central domain	mediawiki/extensions/CentralAuth	wmf/1.44.0-wmf.21	+57 -6
Do not start central login from the shared domain	mediawiki/extensions/CentralAuth	wmf/1.44.0-wmf.21	+1 -0
Do not throw an exception after shared-domain login with no token	mediawiki/extensions/CentralAuth	wmf/1.44.0-wmf.21	+7 -6
Move Special:ChangeCredentials to shared domain	mediawiki/extensions/CentralAuth	master	+30 -2
specials: Adapt SpecialChangeCredentials to redirect flow	mediawiki/core	master	+31 -16
Enable credentials change special pages on SUL3 shared domain	mediawiki/extensions/CentralAuth	wmf/1.44.0-wmf.20	+7 -2
Enable credentials change special pages on SUL3 shared domain	mediawiki/extensions/CentralAuth	master	+7 -2

Related Objects
Search...

Status	Assigned	Task
Open	None	T345245 Mitigate phase-out of third-party cookies in Wikimedia production
Resolved	Tgr	T345249 Mitigate phase-out of third-party cookies in CentralAuth
Open	None	T348388 SUL3: Use a dedicated domain for login and account creation
Resolved	Tgr	T384219 SUL3 Phase 4: Staged rollout for all existing users
Open	Tgr	T362715 Move credentials change to central domain
Resolved	matmarex	T42050 Allow password reset requests to be handled centrally for unified users
Resolved	matmarex	T151012 CentralAuth should have its own temporary password handling
Resolved	matmarex	T371340 It should be possible to look up global preference for central users without local accounts
Resolved	matmarex	T149003 TemporaryPasswordPrimaryAuthenticationProvider does not work with non-DB-based passwords
Open	Tgr	T376021 Migrate WebAuthn on Wikimedia wikis to central domain
Resolved	pmiazga	T378402 Disallow setting up new WebAuthn passkeys on Wikimedia wikis
Resolved	Tgr	T389064 Notify WebAuthn users about SUL3 changes
Resolved	ArielGlenn	T354701 Enable migration of WebAuthn credentials to central domain
Resolved	None	T248339 Decide how to deal with WebAuthn login/registration flow on Wikimedia wikis in future
Resolved	Reedy	T248367 Update messages to notify WebAuthn users that they need to login on the same wiki they registered

Event Timeline

Tgr created this task.Apr 16 2024, 7:44 PM

Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptApr 16 2024, 7:44 PM

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

Tgr added a parent task: T348388: SUL3: Use a dedicated domain for login and account creation.Apr 16 2024, 7:44 PM

ArielGlenn subscribed.Apr 16 2024, 9:25 PM

Tgr added a project: SUL3.May 14 2024, 12:59 PM

Tgr moved this task from Backlog to Blocked / External on the SUL3 board.May 14 2024, 1:03 PM

Tgr moved this task from Blocked / External to Future on the SUL3 board.May 14 2024, 2:23 PM

Tgr added a subtask: T354701: Enable migration of WebAuthn credentials to central domain.May 19 2024, 10:48 AM

larissagaulia moved this task from Inbox, needs triage to Next on the MediaWiki-Platform-Team board.May 27 2024, 2:26 PM

Bugreporter added a subtask: T42050: Allow password reset requests to be handled centrally for unified users.Jun 24 2024, 3:52 AM

Tgr closed subtask T354701: Enable migration of WebAuthn credentials to central domain as Resolved.Jun 25 2024, 8:48 PM

Reedy moved this task from Backlog to External on the MediaWiki-extensions-OATHAuth board.Aug 31 2024, 4:23 PM

matmarex closed subtask T42050: Allow password reset requests to be handled centrally for unified users as Resolved.Sep 26 2024, 5:27 PM

Tgr mentioned this in T376021: Migrate WebAuthn on Wikimedia wikis to central domain.Sep 30 2024, 10:04 AM

Will also need to update T263800: Implement .well-known/change-password redirect on Wikimedia sites when we do this.

Tgr added a parent task: T384219: SUL3 Phase 4: Staged rollout for all existing users.Jan 20 2025, 2:48 PM

Tgr removed a subtask: T368125: Clean up existing unattached accounts.

Tgr mentioned this in T384232: QA for SUL3 on testwikis.Feb 5 2025, 2:57 PM

Tgr updated the task description. (Show Details)Mar 4 2025, 2:07 PM

DAlangi_WMF claimed this task.Mar 6 2025, 1:07 PM

DAlangi_WMF moved this task from Next to In progress on the MediaWiki-Platform-Team board.

Change #1125166 had a related patch set uploaded (by D3r1ck01; author: Derick Alangi):

[mediawiki/core@master] specials: Adapt SpecialChangeCredentials to redirect flow

https://gerrit.wikimedia.org/r/1125166

Change #1125168 had a related patch set uploaded (by D3r1ck01; author: Derick Alangi):

[mediawiki/extensions/CentralAuth@master] Move Special:ChangeCredentials to shared domain

https://gerrit.wikimedia.org/r/1125168

Change #1127682 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@master] Enable credentials change special pages on SUL3 shared domain

https://gerrit.wikimedia.org/r/1127682

I feel like maybe we should redirect to the shared domain in onSpecialPageBeforeExecute for these special pages or something. It seems weird to allow them to be accessed in both ways.

We need to keep the old URLs working for disabling WebAuthn, at a minimum. But in the long term, yeah, there should be exactly one domain where they are accessible.

Change #1127682 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Enable credentials change special pages on SUL3 shared domain

https://gerrit.wikimedia.org/r/1127682

ReleaseTaggerBot added a project: MW-1.44-notes (1.44.0-wmf.21; 2025-03-18).Mar 14 2025, 7:00 PM

Change #1127965 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@wmf/1.44.0-wmf.20] Enable credentials change special pages on SUL3 shared domain

https://gerrit.wikimedia.org/r/1127965

One tricky aspect here is that after credentials change we reset the session ID and invalidate all other sessions, for security reasons (the idea being that often people change passwords because they think their account has been compromised, and then we don't want the attacker's account to continue working). That means that the user will stay logged in on the domain where the credentials change happens, but will get logged out in the home domain. We could just do a top-level autologin to log them in again, but it isn't obvious when and how to intercept the control flow to do that.

It mostly works out in practice though because usually people get to credentials change from Special:Preferences, and Special:Preferences will redirect to login (and eventually do a top-level autologin) when the returning user is not logged in.

OATHAuth/WebAuthn always just returns to its manage form after a change so there it's more disruptive.

Change #1128044 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@master] Redirect credentials change pages to central domain

https://gerrit.wikimedia.org/r/1128044

In T362715#10639784, @Tgr wrote:

OATHAuth/WebAuthn always just returns to its manage form after a change so there it's more disruptive.

I guess we could schedule an edge login in SessionProvider::sessionIdWasReset(). We'd have to go back on rECAU8b7bb772f9ba: Do not trigger edge login on the shared domain then (but there wasn't a strong rationale for it so that's fine).

Change #1127965 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@wmf/1.44.0-wmf.20] Enable credentials change special pages on SUL3 shared domain

https://gerrit.wikimedia.org/r/1127965

Mentioned in SAL (#wikimedia-operations) [2025-03-17T13:23:01Z] <tgr@deploy2002> Started scap sync-world: Backport for [[gerrit:1127965|Enable credentials change special pages on SUL3 shared domain (T362715)]]

Mentioned in SAL (#wikimedia-operations) [2025-03-17T13:27:33Z] <tgr@deploy2002> tgr: Backport for [[gerrit:1127965|Enable credentials change special pages on SUL3 shared domain (T362715)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Mentioned in SAL (#wikimedia-operations) [2025-03-17T13:48:44Z] <tgr@deploy2002> Finished scap sync-world: Backport for [[gerrit:1127965|Enable credentials change special pages on SUL3 shared domain (T362715)]] (duration: 25m 42s)

ReleaseTaggerBot edited projects, added MW-1.44-notes (1.44.0-wmf.20; 2025-03-11); removed MW-1.44-notes (1.44.0-wmf.21; 2025-03-18).Mar 17 2025, 2:01 PM

Change #1125166 abandoned by Bartosz Dziewoński:

[mediawiki/core@master] specials: Adapt SpecialChangeCredentials to redirect flow

Reason:

Superseded by https://gerrit.wikimedia.org/r/1128044

https://gerrit.wikimedia.org/r/1125166

Change #1125168 abandoned by Bartosz Dziewoński:

[mediawiki/extensions/CentralAuth@master] Move Special:ChangeCredentials to shared domain

Reason:

Superseded by https://gerrit.wikimedia.org/r/1128044

https://gerrit.wikimedia.org/r/1125168

Change #1128044 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Redirect credentials change pages to central domain

https://gerrit.wikimedia.org/r/1128044

ReleaseTaggerBot edited projects, added MW-1.44-notes (1.44.0-wmf.22; 2025-03-25); removed MW-1.44-notes (1.44.0-wmf.20; 2025-03-11).Fri, Mar 21, 10:00 PM

matmarex reassigned this task from DAlangi_WMF to Tgr.Fri, Mar 21, 10:09 PM

matmarex added a subscriber: DAlangi_WMF.

Change #1130319 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@wmf/1.44.0-wmf.21] Redirect credentials change pages to central domain

https://gerrit.wikimedia.org/r/1130319

Change #1130526 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@master] Do not throw an exception after shared-domain login with no token

https://gerrit.wikimedia.org/r/1130526

Change #1130528 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@master] Do not start central login from the shared domain

https://gerrit.wikimedia.org/r/1130528

Change #1130528 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Do not start central login from the shared domain

https://gerrit.wikimedia.org/r/1130528

Change #1130526 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Do not throw an exception after shared-domain login with no token

https://gerrit.wikimedia.org/r/1130526

Change #1130560 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@wmf/1.44.0-wmf.21] Do not throw an exception after shared-domain login with no token

https://gerrit.wikimedia.org/r/1130560

Change #1130561 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@wmf/1.44.0-wmf.21] Do not start central login from the shared domain

https://gerrit.wikimedia.org/r/1130561

Change #1130560 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@wmf/1.44.0-wmf.21] Do not throw an exception after shared-domain login with no token

https://gerrit.wikimedia.org/r/1130560

Change #1130561 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@wmf/1.44.0-wmf.21] Do not start central login from the shared domain

https://gerrit.wikimedia.org/r/1130561

Mentioned in SAL (#wikimedia-operations) [2025-03-24T13:33:27Z] <tgr@deploy1003> Started scap sync-world: Backport for [[gerrit:1130343|Turn on Parsoid fragment support everywhere (take 2) (T374661 T380758 T389545 T387608)]], [[gerrit:1130560|Do not throw an exception after shared-domain login with no token (T362715)]], [[gerrit:1130561|Do not start central login from the shared domain (T362715)]]

Stashbot mentioned this in T374661: Charts are not compatible with Parsoid - show as raw SVG.Mon, Mar 24, 1:33 PM

Mentioned in SAL (#wikimedia-operations) [2025-03-24T13:37:04Z] <tgr@deploy1003> tgr, cscott: Backport for [[gerrit:1130343|Turn on Parsoid fragment support everywhere (take 2) (T374661 T380758 T389545 T387608)]], [[gerrit:1130560|Do not throw an exception after shared-domain login with no token (T362715)]], [[gerrit:1130561|Do not start central login from the shared domain (T362715)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Mentioned in SAL (#wikimedia-operations) [2025-03-24T13:54:09Z] <tgr@deploy1003> Finished scap sync-world: Backport for [[gerrit:1130343|Turn on Parsoid fragment support everywhere (take 2) (T374661 T380758 T389545 T387608)]], [[gerrit:1130560|Do not throw an exception after shared-domain login with no token (T362715)]], [[gerrit:1130561|Do not start central login from the shared domain (T362715)]] (duration: 20m 42s)

ReleaseTaggerBot edited projects, added MW-1.44-notes (1.44.0-wmf.21; 2025-03-18); removed MW-1.44-notes (1.44.0-wmf.22; 2025-03-25).Mon, Mar 24, 2:00 PM

Change #1130319 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@wmf/1.44.0-wmf.21] Redirect credentials change pages to central domain

https://gerrit.wikimedia.org/r/1130319

Mentioned in SAL (#wikimedia-operations) [2025-03-24T14:31:52Z] <tgr@deploy1003> Started scap sync-world: Backport for [[gerrit:1130319|Redirect credentials change pages to central domain (T362715)]], [[gerrit:1130607|Fix clearing stuck cookies: $wgCookiePrefix defaults to false, not null (T389796)]]

Mentioned in SAL (#wikimedia-operations) [2025-03-24T14:36:49Z] <tgr@deploy1003> matmarex, tgr: Backport for [[gerrit:1130319|Redirect credentials change pages to central domain (T362715)]], [[gerrit:1130607|Fix clearing stuck cookies: $wgCookiePrefix defaults to false, not null (T389796)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Mentioned in SAL (#wikimedia-operations) [2025-03-24T14:51:31Z] <tgr@deploy1003> Finished scap sync-world: Backport for [[gerrit:1130319|Redirect credentials change pages to central domain (T362715)]], [[gerrit:1130607|Fix clearing stuck cookies: $wgCookiePrefix defaults to false, not null (T389796)]] (duration: 19m 38s)

Tgr mentioned this in T348388: SUL3: Use a dedicated domain for login and account creation.Mon, Apr 7, 9:18 PM

matmarex renamed this task from Move credentials change to central login wiki to Move credentials change to central domain.Tue, Apr 8, 6:55 PM

matmarex removed a subtask: T354701: Enable migration of WebAuthn credentials to central domain.

matmarex added a subtask: T376021: Migrate WebAuthn on Wikimedia wikis to central domain.Tue, Apr 8, 6:57 PM

What's left here:

Make the OATH credentials management special page redirect to the central domain. We can't do this right now because WebAuthn users need to be able to remove old passkeys, and that only works on the same domain where you registered it.
- For now, we could make the 2FA management button point to the central domain (but let users manually navigate to the local domain).
- Alternatively, we could use usesul3= like for many other things. But it's tricky because it needs to be preserved over form submits.
  - Maybe we could make the AuthPreserveQueryParams hook more generic and have OATHAuth call it. But it feels like a lot of work for a one-off use case. (Although I guess some kind of redirecting-to-another-domain workflow would make sense for the WebAuthn extension, even when it's not used with CentralAuth?)
- In any case, we'll probably want to add some explanatory text on the page.
- Or we can just assess how many WebAuthn keys have been updated (by looking at the date), and if it's almost all of them, just accept that the remaining users are locked out and need to approach T&S. (It was only ~100 passkeys to start with.)
Update T263800: Implement .well-known/change-password redirect on Wikimedia sites to use the new URL. This is a bit trickier now because it includes the wiki ID now. If it's difficult, maybe not worth doing at all (the old URL will still redirect).
Test what happens after a password change or OATH change in terms of the session ID reset affecting the user's login state on the home wiki. Maybe do an edge login, per T362715#10639947.

Tgr closed subtask T376021: Migrate WebAuthn on Wikimedia wikis to central domain as Resolved.Tue, Apr 8, 7:12 PM

Change #1135091 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/extensions/WikimediaMessages@master] Remove WebAuthn message overrides

https://gerrit.wikimedia.org/r/1135091

Tgr moved this task from Future to In progress on the SUL3 board.Tue, Apr 8, 9:03 PM

Bugreporter reopened subtask T376021: Migrate WebAuthn on Wikimedia wikis to central domain as Open.Wed, Apr 9, 2:21 AM

matmarex moved this task from In progress to Blocked / External on the SUL3 board.Wed, Apr 9, 10:27 PM

Change #1136096 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@master] Hide sitenotices on the central domain and show WebAuthn notice

https://gerrit.wikimedia.org/r/1136096

Change #1136097 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/WikimediaMessages@master] Override for CentralAuth SUL3 notice about WebAuthn domains

https://gerrit.wikimedia.org/r/1136097

Tgr moved this task from Blocked / External to In progress on the SUL3 board.Sun, Apr 13, 11:35 AM

Change #1136096 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Hide sitenotices on the central domain and show WebAuthn notice

https://gerrit.wikimedia.org/r/1136096

Change #1136097 merged by jenkins-bot: