
Ensure no AuthenticationRequests are added to the local login flow in SUL3 mode
Closed, Resolved · Public

Description

For the AuthManager integration in SUL3 (T348388: SUL3: Use a dedicated domain for login and account creation), we'll use a REDIRECT response in the local wiki that sends the user to the login form on the central wiki. To make that smooth, we need to meet the conditions in LoginSignupSpecialPage::canBypassForm() so that the user is not shown a pointless interstitial page on the local wiki, i.e. no authentication provider (other than the CentralAuth primary provider doing the redirect) should return an AuthenticationRequest from getAuthenticationRequests( ACTION_LOGIN ), unless it is marked skippable. Chances are this is already the case, but we'll need to review the authentication extensions used on Wikimedia wikis to make sure.

Event Timeline

Change #1056174 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@master] SUL3: Don't show local login page in SUL3 mode

https://gerrit.wikimedia.org/r/1056174

Tgr moved this task from Backlog to In progress on the SUL3 board.

Change #1057413 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@master] Add AuthManagerFilterProviders hook

https://gerrit.wikimedia.org/r/1057413

Change #1057413 merged by jenkins-bot:

[mediawiki/core@master] auth: Add AuthManagerFilterProviders hook

https://gerrit.wikimedia.org/r/1057413

Change #1056174 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] SUL3: Don't show local login page in SUL3 mode

https://gerrit.wikimedia.org/r/1056174

We might need to tweak what providers to filter in the future, but that will only require changing a list.

The status quo is:

| Provider | Filtered | Comment |
|---|---|---|
| ThrottlePreAuthenticationProvider | ? | |
| SpamBlacklistPreAuthenticationProvider | ? | |
| TitleBlacklistPreAuthenticationProvider | ? | |
| CaptchaPreAuthenticationProvider | yes | |
| AntiSpoofPreAuthenticationProvider | ? | |
| CentralAuthSsoPreAuthenticationProvider | | used during SUL3 |
| CentralAuthIpReputationPreAuthenticationProvider | ? | |
| AbuseFilterPreAuthenticationProvider | ? | |
| AccountCreationEventProvider | | logging only, account creation only |
| TemporaryPasswordPrimaryAuthenticationProvider | yes | |
| LocalPasswordPrimaryAuthenticationProvider | yes | |
| CentralAuthPrimaryAuthenticationProvider | ? | |
| CentralAuthRedirectingPrimaryAuthenticationProvider | | used during SUL3 |
| CheckBlocksSecondaryAuthenticationProvider | ? | |
| ResetPasswordSecondaryAuthenticationProvider | | needs to be triggered by primary |
| EmailNotificationSecondaryAuthenticationProvider | | account creation only |
| CentralAuthSecondaryAuthenticationProvider | ? | |
| CampaignsSecondaryAuthenticationProvider | | logging only (see T370810) |
| OATHSecondaryAuthenticationProvider | yes? | |

The ones with a question mark (ThrottlePreAuthenticationProvider, SpamBlacklistPreAuthenticationProvider, TitleBlacklistPreAuthenticationProvider, AntiSpoofPreAuthenticationProvider, CentralAuthIpReputationPreAuthenticationProvider, AbuseFilterPreAuthenticationProvider, CheckBlocksSecondaryAuthenticationProvider and CentralAuthSecondaryAuthenticationProvider) all follow the same pattern: they require no user interaction (some offer a "skip check" checkbox for privileged users, but that doesn't prevent automatic redirection from the login form) and just prevent authentication in various situations. (CentralAuthSecondary: users undergoing global rename; the rest should be obvious.) We can filter them and let them run on the shared domain, or run them on both ends. Filtering is probably less confusing for the user, as that means the error will be shown on the central login form rather than a local login form being generated. (Although the local login form wouldn't contain anything other than the "remember me" checkbox and a "central login" button that redirects, so still not super confusing.)

There are some secret providers in PrivateSettings but those follow the same pattern as well.

One consequence of this is that the local password reset and password change forms don't work anymore. Password reset checks AuthManager::allowsAuthenticationDataChange( TemporaryPasswordAuthenticationRequest ) which was only implemented by TemporaryPasswordPrimaryAuthenticationProvider which is now filtered. (This will be fixed by T42050: Allow password reset requests to be handled centrally for unified users.) Password change checks if PasswordAuthenticationRequest is present in the requests returned by AuthManager::getAuthenticationRequests( ACTION_CHANGE ), and since we now don't return any authentication requests from CentralAuthPrimaryAuthenticationProvider in SUL3 mode, that fails. We should probably fix that, at least in the short term.
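The filtering described in the task description and in the comment above (drop every provider in the local leg of a SUL3 login except the one that issues the redirect, so that `canBypassForm()` holds and checks such as the throttle run once, on the shared domain) can be expressed as a single hook handler keyed on one editable list. The following is an added illustration, not CentralAuth's or MediaWiki core's own code. It assumes that the AuthManagerFilterProviders hook (change 1057413) hands the handler the provider map as `[ stage => [ providerId => true ] ]` with the stages `preauth`, `primaryauth` and `secondaryauth`, and that unsetting an entry removes the provider; the `Sul3Mode`-style constructor flag and the short provider ID strings taken from the table above are placeholders for whatever CentralAuth actually configures.

```php
<?php
// Added example, not code from CentralAuth or MediaWiki core.
// Models the provider filtering discussed in this task: in the local leg of a
// SUL3 login, remove the providers that would otherwise return
// AuthenticationRequests (or, like the throttle, count the redirect itself as a
// login attempt), so the local form is bypassed and the checks run on the
// shared login domain instead.
//
// Assumptions (labelled here and in the lead-in): the hook receives
// [ stage => [ providerId => true ] ] with stages 'preauth', 'primaryauth',
// 'secondaryauth', and handlers unset entries to drop providers. The provider
// IDs below are placeholders taken from the table in this task, not the IDs
// Wikimedia's AuthManagerAutoConfig really uses.

namespace Example\Sul3;

use MediaWiki\Auth\Hook\AuthManagerFilterProvidersHook;

class LocalLegProviderFilter implements AuthManagerFilterProvidersHook {

	/**
	 * The one list that needs changing when the set of filtered providers is
	 * tweaked. stage => [ providerId => true ].
	 */
	private const FILTERED_PROVIDERS = [
		'preauth' => [
			'ThrottlePreAuthenticationProvider' => true,
			'CaptchaPreAuthenticationProvider' => true,
		],
		'primaryauth' => [
			'TemporaryPasswordPrimaryAuthenticationProvider' => true,
			'LocalPasswordPrimaryAuthenticationProvider' => true,
		],
		'secondaryauth' => [
			'OATHSecondaryAuthenticationProvider' => true,
		],
	];

	/** True when this request is the local (non-shared-domain) leg of a SUL3 login. */
	private bool $isSul3LocalLeg;

	public function __construct( bool $isSul3LocalLeg ) {
		$this->isSul3LocalLeg = $isSul3LocalLeg;
	}

	/** Hook entry point (signature assumed as described above). */
	public function onAuthManagerFilterProviders( array &$providers ): void {
		if ( $this->isSul3LocalLeg ) {
			$providers = self::filter( $providers );
		}
	}

	/**
	 * Pure helper so the rule can be unit-tested without an AuthManager.
	 * Providers not named in FILTERED_PROVIDERS (e.g. the CentralAuth
	 * redirecting primary) are left untouched.
	 */
	public static function filter( array $providers ): array {
		foreach ( self::FILTERED_PROVIDERS as $stage => $ids ) {
			foreach ( array_keys( $ids ) as $id ) {
				unset( $providers[$stage][$id] );
			}
		}
		return $providers;
	}
}

// Constructed sample input: the provider map before filtering.
$before = [
	'preauth' => [
		'ThrottlePreAuthenticationProvider' => true,
		'CentralAuthSsoPreAuthenticationProvider' => true,
	],
	'primaryauth' => [
		'LocalPasswordPrimaryAuthenticationProvider' => true,
		'CentralAuthRedirectingPrimaryAuthenticationProvider' => true,
	],
	'secondaryauth' => [
		'OATHSecondaryAuthenticationProvider' => true,
	],
];

$handler = new LocalLegProviderFilter( true );
$after = $before;
$handler->onAuthManagerFilterProviders( $after );

// Only the SUL3 providers survive in the local leg; the throttle no longer
// counts the redirect as a failed attempt, and nothing adds a local form field.
assert( array_keys( $after['preauth'] ) === [ 'CentralAuthSsoPreAuthenticationProvider' ] );
assert( array_keys( $after['primaryauth'] ) === [ 'CentralAuthRedirectingPrimaryAuthenticationProvider' ] );
assert( $after['secondaryauth'] === [] );

// On the shared domain the flag is false and the map is left as is.
$sharedDomain = new LocalLegProviderFilter( false );
$untouched = $before;
$sharedDomain->onAuthManagerFilterProviders( $untouched );
assert( $untouched === $before );
```

Keeping the rule in a pure `filter()` method means the list can be covered by a plain unit test, and the hook method only decides whether the request is the local leg. The trade-off the comment above notes still applies: anything removed here must be run on the shared domain, otherwise the check is skipped entirely rather than moved.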

Change #1069679 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@master] SUL3: Handle password change / removal in primary provider in SUL3 mode

https://gerrit.wikimedia.org/r/1069679

Change #1069679 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] SUL3: Handle password change / removal in primary provider in SUL3 mode

https://gerrit.wikimedia.org/r/1069679

One unexpected consequence of the SUL3 workflow is that merely visiting the login page is counted as a login attempt on the local wiki (because from its perspective, the login has started by issuing a redirect) so visiting it several times results in something like this:

[Screenshot: Screenshot Capture - 2024-10-01 - 21-46-43.png]

so we should filter ThrottlePreAuthenticationProvider at least, and probably the rest too, so let's circle back to this.

T377142: Improve code quality for SUL3 shared domain logic should come first, though; we don't want to hard-code a ton of class names from other extensions into CentralAuth code just because Wikimedia happens to use them.

Change #1105303 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/IPReputation@master] Make AuthManagerAutoConfig configuration key more distinctive

https://gerrit.wikimedia.org/r/1105303

Change #1083341 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@master] SUL3: Disable more auth providers in the local leg of SUL3 login

https://gerrit.wikimedia.org/r/1083341

Change #1105303 merged by jenkins-bot:

[mediawiki/extensions/IPReputation@master] Make AuthManagerAutoConfig configuration key more distinctive

https://gerrit.wikimedia.org/r/1105303

Change #1083341 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] SUL3: Disable more auth providers in the local leg of SUL3 login

https://gerrit.wikimedia.org/r/1083341

The private part is in commit 95517e85 in PrivateSettings. I'll apply that at the same time when the two patches above get deployed, to minimize disruption.

Change #1105735 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/IPReputation@wmf/1.44.0-wmf.8] Make AuthManagerAutoConfig configuration key more distinctive

https://gerrit.wikimedia.org/r/1105735

Change #1105739 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@wmf/1.44.0-wmf.8] SUL3: Disable more auth providers in the local leg of SUL3 login

https://gerrit.wikimedia.org/r/1105739

Change #1105742 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[operations/mediawiki-config@master] [noop] Update private/readme.php

https://gerrit.wikimedia.org/r/1105742

Change #1105735 merged by jenkins-bot:

[mediawiki/extensions/IPReputation@wmf/1.44.0-wmf.8] Make AuthManagerAutoConfig configuration key more distinctive

https://gerrit.wikimedia.org/r/1105735

Change #1105742 merged by jenkins-bot:

[operations/mediawiki-config@master] [noop] Update private/readme.php

https://gerrit.wikimedia.org/r/1105742

Change #1105739 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@wmf/1.44.0-wmf.8] SUL3: Disable more auth providers in the local leg of SUL3 login

https://gerrit.wikimedia.org/r/1105739

Mentioned in SAL (#wikimedia-operations) [2024-12-19T21:31:30Z] <tgr@deploy2002> Started scap sync-world: Backport for [[gerrit:1105735|Make AuthManagerAutoConfig configuration key more distinctive (T369180)]], [[gerrit:1105739|SUL3: Disable more auth providers in the local leg of SUL3 login (T369180)]], [[gerrit:1105742|[noop] Update private/readme.php (T369180)]], [[gerrit:1105367|Enable $wgWMEStatsBeaconUri (T355837)]]

Mentioned in SAL (#wikimedia-operations) [2024-12-19T21:37:35Z] <tgr@deploy2002> krinkle, tgr: Backport for [[gerrit:1105735|Make AuthManagerAutoConfig configuration key more distinctive (T369180)]], [[gerrit:1105739|SUL3: Disable more auth providers in the local leg of SUL3 login (T369180)]], [[gerrit:1105742|[noop] Update private/readme.php (T369180)]], [[gerrit:1105367|Enable $wgWMEStatsBeaconUri (T355837)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Mentioned in SAL (#wikimedia-operations) [2024-12-19T21:53:04Z] <tgr@deploy2002> Finished scap sync-world: Backport for [[gerrit:1105735|Make AuthManagerAutoConfig configuration key more distinctive (T369180)]], [[gerrit:1105739|SUL3: Disable more auth providers in the local leg of SUL3 login (T369180)]], [[gerrit:1105742|[noop] Update private/readme.php (T369180)]], [[gerrit:1105367|Enable $wgWMEStatsBeaconUri (T355837)]] (duration: 21m 34s)