Page MenuHomePhabricator
Create Task
Maniphest T365162

Set up sso.wikimedia.beta.wmflabs.org with config-layer routing to other wikis
Closed, ResolvedPublic
Actions

Description

To explore implementing T363695: Create a Wikimedia login domain that can be served by any wiki in the configuration layer, create the sso.wikimedia.beta.wmflabs.org domain and add routing logic to CommonsSettings-labs.php (or some similar file) such that https://sso.wikimedia.beta.wmflabs.org/<wiki-domain>/<path> gets loaded as https://<wiki-domain>/<path> (e.g. https://sso.wikimedia.beta.wmflabs.org/en.wikipedia.beta.wmflabs.org/wiki/Special:Userlogin gets loaded as https://en.wikipedia.beta.wmflabs.org/wiki/Special:Userlogin), with a global flag that can be used elsewhere in the configuration to alter how the logic works.

Now live in beta: https://sso.wikimedia.beta.wmflabs.org/en.wikipedia.beta.wmflabs.org/wiki/Special:Userlogin
With simplified interface: https://sso.wikimedia.beta.wmflabs.org/en.wikipedia.beta.wmflabs.org/wiki/Special:Userlogin?display=popup

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SUL3: Make restrictions on the SSO domain optionalmediawiki/extensions/CentralAuthmaster+24 -3
SUL3: Expand ResourceLoader URLsmediawiki/extensions/CentralAuthmaster+32 -2
resourceloader: Add ResourceLoaderModifyStartupSourceUrls hookmediawiki/coremaster+97 -1
SUL3: Fix URL handling for the SSO domainoperations/mediawiki-configmaster+1 -1
SUL3: Fix cookie names on the SSO domainoperations/mediawiki-configmaster+1 -0
SUL3: Allow-list some more APIs and special pagesmediawiki/extensions/CentralAuthmaster+11 -3
Add SSO domain handlingmediawiki/extensions/CentralAuthmaster+191 -0
Handle sso.wikimedia.org domainoperations/mediawiki-configmaster+123 -21
[beta] Add rewrite rule for sso.wikimedia.beta.wmflabs.orgoperations/puppetproduction+8 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Tgr created this task.May 16 2024, 2:37 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 16 2024, 2:37 PM
Tgr added a parent task: T363695: Create a Wikimedia login domain that can be served by any wiki.May 16 2024, 2:37 PM
Tgr edited projects, added MediaWiki-Platform-Team, SUL3; removed MediaWiki-Platform-Team (SUL3).
Tgr moved this task from Backlog to Ready on the SUL3 board.
Tgr claimed this task.May 20 2024, 10:01 PM
Tgr moved this task from Ready to In progress on the SUL3 board.
Tgr updated the task description. (Show Details)May 21 2024, 7:35 AM
gerritbot added a comment.May 27 2024, 10:26 AM

Change #1036230 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[operations/puppet@production] [POC][beta] Add rewrite rule for sso.wikimedia.beta.wmflabs.org

https://gerrit.wikimedia.org/r/1036230

gerritbot added a project: Patch-For-Review.May 27 2024, 10:26 AM
gerritbot added a comment.May 27 2024, 11:47 AM

Change #1036245 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[operations/mediawiki-config@master] [WIP][POC] Handle sso.wikimedia.org domain

https://gerrit.wikimedia.org/r/1036245

Tgr moved this task from Inbox, needs triage to In progress (DO NOT USE) on the MediaWiki-Platform-Team board.May 27 2024, 1:57 PM
gerritbot added a comment.Jun 3 2024, 1:42 PM

Change #1038331 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@master] [WIP][POC] Add SSO domain handling

https://gerrit.wikimedia.org/r/1038331

Tgr updated the task description. (Show Details)Jun 12 2024, 7:10 PM
ArielGlenn subscribed.Jun 17 2024, 9:50 AM
Tgr mentioned this in T367995: Security Preview for shared login domain.Jun 19 2024, 8:47 PM
Tgr mentioned this in T365298: Design request: Central Login Design Review and Recommendations.Jun 20 2024, 12:33 PM
gerritbot added a comment.Jun 27 2024, 4:03 PM

Change #1036230 merged by JHathaway:

[operations/puppet@production] [beta] Add rewrite rule for sso.wikimedia.beta.wmflabs.org

https://gerrit.wikimedia.org/r/1036230

gerritbot added a comment.Jul 15 2024, 4:24 PM

Change #1038331 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Add SSO domain handling

https://gerrit.wikimedia.org/r/1038331

ReleaseTaggerBot added a project: MW-1.43-notes (1.43.0-wmf.14; 2024-07-16).Jul 15 2024, 5:00 PM
gerritbot added a comment.Jul 16 2024, 1:19 PM

Change #1036245 merged by jenkins-bot:

[operations/mediawiki-config@master] Handle sso.wikimedia.org domain

https://gerrit.wikimedia.org/r/1036245

Stashbot added a comment.Jul 16 2024, 1:20 PM

Mentioned in SAL (#wikimedia-operations) [2024-07-16T13:20:15Z] <tgr@deploy1002> Started scap sync-world: Backport for [[gerrit:1036245|Handle sso.wikimedia.org domain (T365162)]]

Stashbot added a comment.Jul 16 2024, 1:22 PM

Mentioned in SAL (#wikimedia-operations) [2024-07-16T13:22:44Z] <tgr@deploy1002> tgr: Backport for [[gerrit:1036245|Handle sso.wikimedia.org domain (T365162)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Maintenance_bot removed a project: Patch-For-Review.Jul 16 2024, 1:30 PM
Stashbot added a comment.Jul 16 2024, 1:39 PM

Mentioned in SAL (#wikimedia-operations) [2024-07-16T13:39:22Z] <tgr@deploy1002> Finished scap: Backport for [[gerrit:1036245|Handle sso.wikimedia.org domain (T365162)]] (duration: 19m 07s)

Tgr added a comment.EditedJul 16 2024, 1:46 PM

Per (1), smaller bugs that still need to be fixed:

  • captcha images don't load
  • ResourceLoader mostly works, but there are a few requests to load.php which don't use the SSO prefix (and fail).
  • not all allow-listed action API endpoints work, we probably need to allow-list the query module itself too.
Tgr added a comment.Jul 16 2024, 5:01 PM

FIXMEs from rECAU925a6ff9b95f: Add SSO domain handling that we should follow up on if we are confident we are going to use this in production:

  • when using the restricted shared domain, rest.php just throws a RuntimeException. There should probably be a hook like ApiCheckCanExecute where one can disable REST endpoints.
  • some errors that can be triggered by a user (although not as part of normal behavior) go to production error channels
  • the list of API endpoints etc. that are allowed on the shared domain is currently hardcoded, there should be a way for other extensions to add things
Tgr added a comment.Jul 16 2024, 8:43 PM

Harmless but weird: API parameter checks run before ApiCheckCanExecute so something like https://sso.wikimedia.beta.wmflabs.org/en.wikipedia.beta.wmflabs.org/w/api.php?action=edit&token=123 will give an error that makes one think the module is not disabled (even though actually it is).

Tgr updated the task description. (Show Details)Jul 16 2024, 8:44 PM
Tgr added a comment.EditedJul 16 2024, 9:10 PM
  • Logging in works but results in an error page "The provided authentication token is either expired or invalid."
  • Not strictly related to this task but we should take the opportunity to Host-prefix cookies.
  • non-traffic cookies: loginnotify_prevlogins, centralauth_Session, centralauth_User, ssoUserID, ssoUserName, enwikiSession - what's up with that last one?
  • there are a zillion links that go to sso... and so don't work. We knew this would be the case, but will have to fix it somehow.
  • source maps don't load. The URLs look legit (Chrome doesn't let me copy them, but they use the normal domain) so not sure if it's related.

ResourceLoader mostly works, but there are a few requests to load.php which don't use the SSO prefix (and fail).

The issue seems to be with the sources array passed to ResourceLoader's loader script.

captcha images don't load

These use Special:Captcha so either we whitelist that or we need to point these back to the original wiki.

gerritbot added a comment.Jul 17 2024, 3:38 PM

Change #1054900 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@master] SUL3: Allow-list some more APIs and special pages

https://gerrit.wikimedia.org/r/1054900

gerritbot added a project: Patch-For-Review.Jul 17 2024, 3:38 PM

Change #1054901 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[operations/mediawiki-config@master] SUL3: Fix cookie names on the SSO domain

https://gerrit.wikimedia.org/r/1054901

gerritbot added a comment.Jul 17 2024, 4:01 PM

Change #1054900 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] SUL3: Allow-list some more APIs and special pages

https://gerrit.wikimedia.org/r/1054900

gerritbot added a comment.Jul 17 2024, 4:33 PM

Change #1054911 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[operations/mediawiki-config@master] SUL3: Fix URL handling for the SSO domain

https://gerrit.wikimedia.org/r/1054911

ReleaseTaggerBot edited projects, added MW-1.43-notes (1.43.0-wmf.15; 2024-07-23); removed MW-1.43-notes (1.43.0-wmf.14; 2024-07-16).Jul 17 2024, 5:00 PM
gerritbot added a comment.Jul 17 2024, 7:48 PM

Change #1054931 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@master] resourceloader: Support cross-domain load.php requests

https://gerrit.wikimedia.org/r/1054931

Tgr added a comment.Jul 17 2024, 7:54 PM

Logging in works but results in an error page "The provided authentication token is either expired or invalid."

That is centralauth-error-badtoken. So this is from the new RedirectingLoginHookHandler which should handle a valid local login more gracefully. Can be handled as part of T363699: Determine and implement SUL 3 login handshake mechanism.

gerritbot added a comment.Jul 17 2024, 8:04 PM

Change #1054901 merged by jenkins-bot:

[operations/mediawiki-config@master] SUL3: Fix cookie names on the SSO domain

https://gerrit.wikimedia.org/r/1054901

Stashbot added a comment.Jul 17 2024, 8:04 PM

Mentioned in SAL (#wikimedia-operations) [2024-07-17T20:04:57Z] <tgr@deploy1002> Started scap sync-world: Backport for [[gerrit:1054901|SUL3: Fix cookie names on the SSO domain (T365162)]]

Stashbot added a comment.Jul 17 2024, 8:07 PM

Mentioned in SAL (#wikimedia-operations) [2024-07-17T20:07:35Z] <tgr@deploy1002> tgr: Backport for [[gerrit:1054901|SUL3: Fix cookie names on the SSO domain (T365162)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Stashbot added a comment.Jul 17 2024, 8:14 PM

Mentioned in SAL (#wikimedia-operations) [2024-07-17T20:14:20Z] <tgr@deploy1002> Finished scap: Backport for [[gerrit:1054901|SUL3: Fix cookie names on the SSO domain (T365162)]] (duration: 09m 23s)

gerritbot added a comment.Jul 17 2024, 8:18 PM

Change #1054911 merged by jenkins-bot:

[operations/mediawiki-config@master] SUL3: Fix URL handling for the SSO domain

https://gerrit.wikimedia.org/r/1054911

Stashbot added a comment.Jul 17 2024, 8:18 PM

Mentioned in SAL (#wikimedia-operations) [2024-07-17T20:18:29Z] <tgr@deploy1002> Started scap sync-world: Backport for [[gerrit:1054911|SUL3: Fix URL handling for the SSO domain (T365162)]]

Stashbot added a comment.Jul 17 2024, 8:53 PM

Mentioned in SAL (#wikimedia-operations) [2024-07-17T20:53:31Z] <tgr@deploy1002> tgr: Backport for [[gerrit:1054911|SUL3: Fix URL handling for the SSO domain (T365162)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Tgr updated the task description. (Show Details)Jul 17 2024, 8:58 PM
Stashbot added a comment.Jul 17 2024, 9:01 PM

Mentioned in SAL (#wikimedia-operations) [2024-07-17T21:01:03Z] <tgr@deploy1002> Finished scap: Backport for [[gerrit:1054911|SUL3: Fix URL handling for the SSO domain (T365162)]] (duration: 42m 33s)

gerritbot added a comment.Jul 25 2024, 7:36 PM

Change #1057005 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@master] SUL3: Expand ResourceLoader URLs

https://gerrit.wikimedia.org/r/1057005

gerritbot added a comment.Aug 1 2024, 3:25 AM

Change #1054931 merged by jenkins-bot:

[mediawiki/core@master] resourceloader: Add ResourceLoaderModifyStartupSourceUrls hook

https://gerrit.wikimedia.org/r/1054931

gerritbot added a comment.Aug 1 2024, 1:57 PM

Change #1057005 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] SUL3: Expand ResourceLoader URLs

https://gerrit.wikimedia.org/r/1057005

Maintenance_bot removed a project: Patch-For-Review.Aug 1 2024, 2:31 PM
gerritbot added a comment.Aug 6 2024, 1:25 PM

Change #1060093 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] SUL3: Make restrictions on the SSO domain optional

https://gerrit.wikimedia.org/r/1060093

ReleaseTaggerBot edited projects, added MW-1.43-notes (1.43.0-wmf.18; 2024-08-13); removed MW-1.43-notes (1.43.0-wmf.15; 2024-07-23).Aug 6 2024, 2:00 PM
Krinkle closed this task as Resolved.Aug 19 2024, 2:40 PM
Krinkle subscribed.

Left to do in setting up the sso domain, but in their own tasks:

Tgr mentioned this in T377187: Set up auth.wikimedia.org.Oct 15 2024, 9:52 AM
Tgr added a subtask: T379811: Update URL structure for SUL3 shared domain.Nov 13 2024, 7:44 PM
matmarex closed subtask T379811: Update URL structure for SUL3 shared domain as Resolved.Nov 19 2024, 7:57 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits