Page MenuHomePhabricator
Create Task
Maniphest T376021

Migrate WebAuthn on Wikimedia wikis to central domain
Open, Needs TriagePublic
Actions

Description

WebAuthn is enabled on Wikimedia wikis but only works if you log in on the same wiki where you have enabled it (T244088: Logging in at another wiki than WebAuth was set up fails). As part of SUL3 (T348388: SUL3: Use a dedicated domain for login and account creation) we are moving login to a new dedicated domain, meaning WebAuthn would never work. We need to tell its current users to either disable it (and switch to OATH presumably) or migrate it to new domain (ie. disable their current WebAuthn keys and create new ones on the new domain - WebAuthn keys are domain-bound so there is no way to reuse them). Fortunately, only a handful of people use it.

For migration, we would first need to deploy T363695: Create a Wikimedia login domain that can be served by any wiki to production, and implement T362715: Move credentials change to central domain at least for WebAuthn. Disabling has no dependencies, we could start that conversation any time. It would of course result in loss of functionality, but WebAuthn is kinda broken for other reasons too (see T242031: Allow multiple different 2FA devices, T244348: Recovery option for WebAuthn, T363652: publicKey.pubKeyCredParams is missing at least one of the default algorithm identifiers: ES256 and RS256, T358771: Unable to login on iPhone with Passkey Enabled, and soon T363639: web-auth/webauthn-lib must be upgraded to 4+ for PHP 8.2+ support) so probably that's not a big deal.

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT345245 Mitigate phase-out of third-party cookies in Wikimedia production
 ResolvedTgrT345249 Mitigate phase-out of third-party cookies in CentralAuth
 ResolvedOWresch-WMFT348388 SUL3: Use a dedicated domain for login and account creation
 StalledNoneT399839 Update the Patch demo `tarball` preset to reflect changes to the list of bundled extensions/skins made with MediaWiki 1.45
 OpenNoneT392080 Expand the set of bundled extensions and skins in MediaWiki 1.45
 DeclinedNoneT258007 Bundle WebAuthn extension with MediaWiki
 ResolvedTgrT244088 Logging in at another wiki than WebAuth was set up fails
 ResolvedTgrT384219 SUL3 Phase 4: Staged rollout for all existing users
 ResolvedTgrT362715 Move credentials change to central domain
 OpenNoneT399644 FY2025-26 WE4.6.2 Multiple Authenticators
 ResolvedMstylesT401773 Always redirect 2FA management special page to auth domain on SUL wikis, so that WebAuthn setup can be offered
 OpenNoneT391535 Remove top-level autologin (once SUL2 support is dropped)
 OpenNoneT402423 Remove &usesul3= URL parameter
 OpenNoneT376021 Migrate WebAuthn on Wikimedia wikis to central domain
 ResolvedpmiazgaT378402 Disallow setting up new WebAuthn passkeys on Wikimedia wikis
 ResolvedTgrT389064 Notify WebAuthn users about SUL3 changes
 ResolvedArielGlennT354701 Enable migration of WebAuthn credentials to central domain
 ResolvedNoneT248339 Decide how to deal with WebAuthn login/registration flow on Wikimedia wikis in future
 ResolvedReedyT248367 Update messages to notify WebAuthn users that they need to login on the same wiki they registered
 OpenNoneT405553 Email users to tell them to re-enable WebAuth on central domain (SUL3)
Restricted Task

Event Timeline

Tgr created this task.Sep 30 2024, 10:04 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 30 2024, 10:04 AM
Tgr added a parent task: T375954: Create SUL3 rollout plan for Wikimedia production.Sep 30 2024, 10:04 AM
Tgr moved this task from Backlog to Blocked / External on the SUL3 board.
Tgr moved this task from Blocked / External to Backlog on the SUL3 board.Sep 30 2024, 10:06 AM
pmiazga moved this task from Inbox, needs triage to Needs refinement on the MediaWiki-Platform-Team board.Sep 30 2024, 2:55 PM
Reedy mentioned this in T358771: Unable to login on iPhone with Passkey Enabled.Oct 3 2024, 5:07 PM
acooper subscribed.Oct 8 2024, 12:51 PM
Tonymetz subscribed.Oct 11 2024, 2:58 AM

applying the patch in T358771 could fix a large part of this issue and enable webauthn to work across domains.

acooper added a subscriber: Reedy.Oct 11 2024, 1:40 PM
ReaperDawn subscribed.Oct 14 2024, 11:18 AM
Tgr moved this task from Backlog to Blocked / External on the SUL3 board.Oct 14 2024, 7:15 PM
Tgr moved this task from Blocked / External to Blocked on shared domains on the SUL3 board.
Tgr mentioned this in T378402: Disallow setting up new WebAuthn passkeys on Wikimedia wikis.Oct 28 2024, 6:35 PM
Tgr added a subtask: T378402: Disallow setting up new WebAuthn passkeys on Wikimedia wikis.
Reedy moved this task from Backlog to External on the MediaWiki-extensions-OATHAuth board.Nov 2 2024, 3:46 PM
Tgr moved this task from Blocked on shared domains to Ready on the SUL3 board.Nov 13 2024, 7:45 PM
Tgr added a comment.Jan 20 2025, 2:50 PM

We might end up doing T362715: Move credentials change to central domain instead of this.

Bugreporter subscribed.Jan 20 2025, 5:23 PM

But as task description says, the current WebAuthn keys are bound to a specific wiki domain so they should eventually be removed since they can not be migrated to auth domain.

Tgr mentioned this in T384232: QA for SUL3 on testwikis.Feb 5 2025, 2:57 PM
pmiazga closed subtask T378402: Disallow setting up new WebAuthn passkeys on Wikimedia wikis as Resolved.Feb 6 2025, 2:30 PM
RhinosF1 subscribed.Mar 3 2025, 1:27 PM
Tgr mentioned this in T389064: Notify WebAuthn users about SUL3 changes.Mar 17 2025, 1:17 PM
Tgr added a subtask: T389064: Notify WebAuthn users about SUL3 changes.
Wellverywell subscribed.Mar 19 2025, 3:06 PM
Reedy reopened subtask T378402: Disallow setting up new WebAuthn passkeys on Wikimedia wikis as Open.Mar 19 2025, 4:33 PM
Tgr closed subtask T378402: Disallow setting up new WebAuthn passkeys on Wikimedia wikis as Resolved.Mar 19 2025, 10:32 PM
BlankEclair subscribed.Mar 23 2025, 1:13 AM

Is there a way to reenable WebAuthn on auth.wikimedia.org right now? Or is it something to be planned in the future

Tgr added a comment.Mar 23 2025, 12:00 PM

It is enabled, just confusing to use because of a bug that tries to send you back to a normal wiki. You can go to https://auth.wikimedia.org/metawiki/wiki/Special:Manage_Two-factor_authentication, and any time you get an error message, just go to that URL again. After 3-4 attempts it will work. And if you already have a WebAuthn passkey for auth.wikimedia.org, that works fine as far as I can tell.

I'll deploy a fix for the bug on Monday.

Tgr closed subtask T389064: Notify WebAuthn users about SUL3 changes as Resolved.Mar 25 2025, 9:37 PM
Tgr reopened subtask T389064: Notify WebAuthn users about SUL3 changes as Open.Mar 26 2025, 12:02 AM
Xaosflux subscribed.Mar 28 2025, 4:25 PM
Tgr closed subtask T389064: Notify WebAuthn users about SUL3 changes as Resolved.Mar 28 2025, 8:27 PM
MacFan4000 subscribed.Apr 4 2025, 8:59 PM
matmarex renamed this task from Migrate or disable WebAuthn on Wikimedia wikis to Migrate WebAuthn on Wikimedia wikis to central domain.Apr 8 2025, 6:55 PM
matmarex added a subtask: T354701: Enable migration of WebAuthn credentials to central domain.
matmarex edited parent tasks, added: T362715: Move credentials change to central domain; removed: T375954: Create SUL3 rollout plan for Wikimedia production.
matmarex added a subtask: T248339: Decide how to deal with WebAuthn login/registration flow on Wikimedia wikis in future.Apr 8 2025, 7:00 PM
matmarex added a parent task: T244088: Logging in at another wiki than WebAuth was set up fails.
matmarex closed subtask T248339: Decide how to deal with WebAuthn login/registration flow on Wikimedia wikis in future as Resolved.Apr 8 2025, 7:04 PM
matmarex mentioned this in T248339: Decide how to deal with WebAuthn login/registration flow on Wikimedia wikis in future.
Tgr closed this task as Resolved.Apr 8 2025, 7:12 PM
Tgr claimed this task.

In the end, we didn't migrate or disable it, just asked the (very few) existing WebAuthn users to migrate (T389064: Notify WebAuthn users about SUL3 changes). Also ensured that the WebAuthn special page works both locally and on the central domain, but locally it's not possible to add new passkeys (but possible to remove existing ones).

Nothing else left to do here I think.

matmarex mentioned this in T244088: Logging in at another wiki than WebAuth was set up fails.Apr 8 2025, 7:13 PM
Bugreporter reopened this task as Open.EditedApr 9 2025, 2:21 AM

Reopen. Once SUL2 is fully disabled (or in another word, support of &usesul3=0 is dropped), existing WebAuthn users who do not migrate will no longer be able to login, so we need to remove 2FA from them.

matmarex subscribed.Apr 9 2025, 2:43 AM
Tgr moved this task from Ready to In progress on the SUL3 board.Apr 9 2025, 9:15 PM
matmarex moved this task from In progress to Blocked / External on the SUL3 board.Apr 9 2025, 10:27 PM
matmarex mentioned this in T387861: Remove SUL3 opt-in code from CentralAuth.Apr 11 2025, 2:31 AM
Tgr moved this task from Blocked / External to In progress on the SUL3 board.Apr 13 2025, 11:35 AM
Tgr mentioned this in T391784: Gradually isolate mediawiki authentication code and infrastructure.Apr 14 2025, 8:26 PM
TheGreatGreenStar subscribed.Jul 18 2025, 6:25 PM
matmarex moved this task from Needs refinement to Inbox, needs triage on the MediaWiki-Platform-Team board.Jul 26 2025, 1:49 AM
DAlangi_WMF subscribed.EditedAug 8 2025, 5:27 PM
In T376021#10724403, @Bugreporter wrote:

Reopen. Once SUL2 is fully disabled (or in another word, support of &usesul3=0 is dropped), existing WebAuthn users who do not migrate will no longer be able to login, so we need to remove 2FA from them.

It seems like that could be a separate task @Bugreporter? Sounds like a post-cleanup task after dropping support for SUL2 (which may not happen soon).

If you agree, I can file one, and we can close this?

JTweed-WMF moved this task from Inbox, needs triage to Needs refinement on the MediaWiki-Platform-Team board.Aug 11 2025, 2:47 PM
Tgr added a subscriber: EMill-WMF.Aug 17 2025, 5:00 PM

@EMill-WMF will decide how to handle those users, based on data from {T401742}.

Tgr moved this task from Needs refinement to Waiting on the MediaWiki-Platform-Team board.Aug 17 2025, 5:00 PM
Tgr mentioned this in T402423: Remove &usesul3= URL parameter.Aug 21 2025, 1:40 PM
Mstyles mentioned this in T401773: Always redirect 2FA management special page to auth domain on SUL wikis, so that WebAuthn setup can be offered.Sep 23 2025, 5:49 PM
Reedy added a parent task: T401773: Always redirect 2FA management special page to auth domain on SUL wikis, so that WebAuthn setup can be offered.Sep 25 2025, 8:19 AM
Tgr removed Tgr as the assignee of this task.Dec 1 2025, 11:35 AM
Tgr added a parent task: T402423: Remove &usesul3= URL parameter.Dec 1 2025, 12:58 PM
Tonymetz unsubscribed.Wed, Jan 28, 12:31 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits