Currently there are no documentation of SUL3 at https://www.mediawiki.org/wiki/Extension:CentralAuth yet.

Also, for 3rd party wikifarm, we can alternatively redirect every login page to one central wiki. This will have some difference including potentially disadvantage (most obviously, all new accounts will have same homewiki), but this will not require user to set up a dedicated auth domain (instead they can use existing SUL2 central login wiki).

Also note SUL3 is likely not the final state of Wikimedia log-in system which currently still runs MediaWiki. The final state may be a dedicated web application hosted only on the current auth domain (instead of the current implementation of auth domain which routes requests to individual production wikis), "invoked" by MediaWiki. This is described by T120484: Store CentralAuth password hashes outside the main database cluster.

After T387861, we'll have the following config options affecting SUL3:

• CentralAuthSharedDomainCallback – defaults to false (SUL3 unavailable)
• CentralAuthEnableSul3 – defaults to false (SUL3 disabled by default)
• CentralAuthSul3SharedDomainRestrictions – defaults are complex, defined in SharedDomainHookHandler::DEFAULT_RESTRICTIONS (see Codesearch for the most current values)
• CentralAuthRestrictSharedDomain – defaults to true

WMF config changes CentralAuthSharedDomainCallback and CentralAuthEnableSul3 to make SUL3 available and enabled by default. That can't be done in CentralAuth, since it requires careful server configuration to work.

I believe we also add some custom restrictions to CentralAuthSul3SharedDomainRestrictions in private config, that's obviously not suitable for CentralAuth code either.

These defaults seem right to me. Is there anything you want to change, @Tgr?

In T391270#10718777, @Bugreporter wrote:

Currently there are no documentation of SUL3 at https://www.mediawiki.org/wiki/Extension:CentralAuth yet.

That's T391406: Update CentralAuth documentation page after SUL3. One of us will write it once we're done removing some obsolete configs in T387861.

One thing we could do is default CentralAuthSharedDomainCallback to something like fn() => WikiMap::getWiki( $wgCentralAuthLoginWiki )->getCanonicalServer() (plus handling for various edge cases). Then at some point we can just make SUL3 the default, as long as you have a central domain configured.

The other thing I'm unsure about - CentralAuthRestrictSharedDomain makes sense for a shared domain, but not for a central wiki (which is all third party setups at this point, and most developer setups too). I think either we should flip that, or have it figure out automatically which of those are being used (not sure if that's possible)?.

In T391270#10734915, @Tgr wrote:

One thing we could do is default CentralAuthSharedDomainCallback to something like fn() => WikiMap::getWiki( $wgCentralAuthLoginWiki )->getCanonicalServer() (plus handling for various edge cases).

Actually probably a bad idea, since we use a null check on that variable as a way to test whether the wiki supports to SUL3.

Then at some point we can just make SUL3 the default, as long as you have a central domain configured.

At some point maybe we should. That's outside the scope of this task though.

The other thing I'm unsure about - CentralAuthRestrictSharedDomain makes sense for a shared domain, but not for a central wiki (which is all third party setups at this point, and most developer setups too). I think either we should flip that, or have it figure out automatically which of those are being used (not sure if that's possible)?.

This would still make sense I think. We could either just pin it in Wikimedia config and default it to false, or set it dynamically based on maybe whether CentralAuthSharedDomainCallback is set?
Probably better to just set it to false.

Change #1146013 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[operations/mediawiki-config@master] [noop] Set $wgCentralAuthRestrictSharedDomain

https://gerrit.wikimedia.org/r/1146013

Change #1146013 merged by jenkins-bot:

[operations/mediawiki-config@master] [noop] Set $wgCentralAuthRestrictSharedDomain

https://gerrit.wikimedia.org/r/1146013

Mentioned in SAL (#wikimedia-operations) [2025-05-19T20:44:24Z] <tgr@deploy1003> Started scap sync-world: Backport for [[gerrit:1146013|[noop] Set $wgCentralAuthRestrictSharedDomain (T391270)]]

Mentioned in SAL (#wikimedia-operations) [2025-05-19T20:49:14Z] <tgr@deploy1003> tgr: Backport for [[gerrit:1146013|[noop] Set $wgCentralAuthRestrictSharedDomain (T391270)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Mentioned in SAL (#wikimedia-operations) [2025-05-19T20:57:49Z] <tgr@deploy1003> Finished scap sync-world: Backport for [[gerrit:1146013|[noop] Set $wgCentralAuthRestrictSharedDomain (T391270)]] (duration: 13m 24s)

Change #1147888 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@master] Make $wgCentralAuthRestrictSharedDomain default to false

https://gerrit.wikimedia.org/r/1147888

Change #1147888 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Make $wgCentralAuthRestrictSharedDomain default to false

https://gerrit.wikimedia.org/r/1147888