Page MenuHomePhabricator
Create Task
Maniphest T363695

Create a Wikimedia login domain that can be served by any wiki
Open, Needs TriagePublic
Actions

Description

This is a brainstorming-stage proposal. Don't take it too seriously yet.

For Wikimedia's central login system (SUL), we want to have a a single domain for storing a central session cookie that other domains (wikis) can rely on for authentication; and we want to do interactive login on that domain (T348388: Use central login wiki for login (SUL3) - because browsers increasingly require user interaction with the cookie-storing domain before giving access to cookies); but we want the interaction on that domain to be similar to the interaction on the wiki where the user is logging in (in terms of i18n customizations, AbuseFilter/SpamBlacklist username rules etc).

One way to do this would be for the central login wiki's login page to fetch the relevant information from the origin wiki in a bunch of API calls and customize itself accordingly. This seems like a lot of effort with a long tail of small inconsistencies that will take forever to squash. An alternative approach would be to use a new domain, say https://sso.wikimedia.org/<wikiID>/, which would to resolve to the wiki specified in <wikiID> (ie. this page would be served by the same wiki from which the user started the login process, but under a different domain). We would limit what URLs can be accessed on this new domain, and add a bunch of config/hook overrides, like limiting what pages can be viewed and limiting user rights to only those needed for login, and maybe splitting some caches.

This would hugely simplify how displaying the central login page would work, although it would complicate the configuration system. I think (although I am not very sure) it would be a simpler approach on the net. It would also be a mixed change in terms of security - the login domain would be very much locked down compared to login.wikimedia.org (a real wiki), which is good, but it could be served by any wiki, ie. any backend code deployed in the Wikimedia cluster could potentially run on it, which is bad.

See also: T120484: Create password-authentication service for use by CentralAuth (replace loginwiki entirely with a small dedicated app)

Related Objects
Search...

Event Timeline

Tgr created this task.Mon, Apr 29, 1:22 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptMon, Apr 29, 1:22 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Tgr added a parent task: T348388: Use central login wiki for login (SUL3).Mon, Apr 29, 1:22 PM
Tgr updated the task description. (Show Details)Mon, Apr 29, 1:24 PM
taavi subscribed.Mon, Apr 29, 1:28 PM
Tgr added a comment.Mon, Apr 29, 1:28 PM

This would be an alternative to T363411: Run cancreateaccount checks in the context of another wiki (and a number of other potential tasks related to i18n, the SpecialCreateAccountBenefits hook, language variant conversion, and probably some more things).

Bugreporter updated the task description. (Show Details)Mon, Apr 29, 4:26 PM
Tgr mentioned this in T354701: Migrate WebAuthn credentials to loginwiki.Tue, Apr 30, 9:47 PM
CDanis subscribed.Wed, May 1, 3:15 PM
EBernhardson subscribed.Wed, May 1, 4:47 PM
sbassett subscribed.Wed, May 1, 6:54 PM
dr0ptp4kt subscribed.Wed, May 1, 7:43 PM
Tgr mentioned this in T363411: Run cancreateaccount checks in the context of another wiki.Thu, May 2, 10:26 AM
pmiazga subscribed.Wed, May 8, 11:46 AM
Tgr mentioned this in T364829: Update Wikimedia apps to use central login domain.Tue, May 14, 9:44 AM
BBlack subscribed.Tue, May 14, 11:53 AM

T215071 <- throwing this in here for semi-related context. Maybe we can align on a potential common future URI scheme anyways, while not actually yet tackling that one.

BBlack added a comment.Tue, May 14, 11:54 AM

Also similarly T214998

Tgr added a project: SUL3.Tue, May 14, 12:59 PM
Tgr moved this task from Backlog to Ready on the SUL3 board.Tue, May 14, 1:04 PM
Tgr mentioned this in T364862: Render central login page with customizations from starting wiki.Tue, May 14, 1:57 PM
Tgr added a project: Security.Tue, May 14, 5:59 PM

There are two implementation strategies I can think of for such a shared domain:

  1. At the traffic level: ATS redirects sso.wikimedia.org/foowiki/path to foo.wikipedia.org/path so the target wiki mostly doesn't even notice what's going on (to some extent MediaWiki needs to be aware so I imagine we'd set a custom header).
  2. At the configuration level: CommonSettings.php applies some special logic when it determines from the hostname what DB name / wiki ID to use.

The first feels less messy, but I don't have a strong sense of pros/cons.

Either way, when a wiki is reached via sso.wikimedia.org, that would have to override some configuration settings: fail hard for non-SUL wikis (just in case, to avoid privacy leaks, although in theory there should not be any risk even without that), limit access to a predefined set of special pages (Special:Userlogin, Special:CreateAccount, in the future maybe things like change email, change password, change 2FA) and APIs (the APIs required for login/signup - meta=token, list=userinfo, list=globaluserinfo, meta=authmanagerinfo, action=clientlogin, action=createaccount, action=webauthn). The cookies we output would have to be different, not sure if that's a config-level change or an application-level change.

Tgr added a comment.Tue, May 14, 6:15 PM

secure.wikimedia.org used to work in a similar way until it was replaced by T22643: Serve SSL/HTTPS sites out of same domain names as HTTP access: https://en.wikipedia.org/ (in 2013, I think?). It was implemented as an Apache proxy (still is, to some extent, to support old links).

Tgr added a project: Traffic.Tue, May 14, 6:16 PM
Tgr moved this task from Ready to In progress on the SUL3 board.Wed, May 15, 1:29 PM
kostajh subscribed.Thu, May 16, 9:07 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL