Page MenuHomePhabricator
Create Task
Maniphest T393327

Yubikey check during login fails first time, works second time
Closed, ResolvedPublic
Actions

Description

Seen on @Mehman97's account. The yubikey check failed, then after clicking the refresh button it worked.

Related Objects

Event Timeline

Tgr created this task.May 4 2025, 11:50 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 4 2025, 11:50 AM
Tgr added a comment.Aug 1 2025, 12:46 AM

Maybe related to T393256: mw.Api using the wrong URL on auth.wikimedia.org in some OATHAuth workflows?

Tgr moved this task from Backlog to Bugs on the MediaWiki-extensions-OATHAuth board.Aug 1 2025, 3:51 PM
matmarex added a project: MediaWiki-Platform-Team.Oct 2 2025, 7:20 PM
matmarex subscribed.
In T393327#11052661, @Tgr wrote:

Maybe related to T393256: mw.Api using the wrong URL on auth.wikimedia.org in some OATHAuth workflows?

That's fixed, someone should re-test this.

Aklapper added a project: TestMe.Oct 4 2025, 11:57 AM
pmiazga assigned this task to DAlangi_WMF.Oct 6 2025, 2:55 PM
pmiazga moved this task from Inbox, needs triage to Next (DO NOT USE) on the MediaWiki-Platform-Team board.
pmiazga subscribed.

Lets retest this in production.

DAlangi_WMF moved this task from Next (DO NOT USE) to In progress (DO NOT USE) on the MediaWiki-Platform-Team board.Oct 6 2025, 5:09 PM
DAlangi_WMF added a comment.EditedOct 7 2025, 11:00 AM

Step 1
Created an account: T393327YubikeyTest

Step 2
Added the user to the oathauth-tester global group (on testwiki).

mwscript-k8s --comment="T393327" --follow -- extensions/CentralAuth/maintenance/addToGlobalGroup.php --wiki=testwiki --reason "Testing T393327" T393327YubikeyTest oathauth-tester

Step 3
Verified on testwiki that the user was added to oathauth-tester group, which enables them to use 2FA.

Step 4
Added the security key via a YubiKey, and it just worked (on first try) with no errors!

Screenshot 2025-10-07 at 1.44.40 PM.png (658×1 px, 116 KB)
Screenshot 2025-10-07 at 1.46.13 PM.png (532×1 px, 86 KB)

Step 5
Logged out and logged in with the credentials. Verified that the login also triggered a 2FA on the shared domain (which works).

Step 6
Cleaned up the test account (disabled 2FA) and removed this user from the group added in step 2.

mwscript-k8s --comment="T393327" --follow -- extensions/CentralAuth/maintenance/addToGlobalGroup.php --wiki=testwiki --remove --reason "cleanup: Done testing T393327" T393327YubikeyTest oathauth-tester

Screenshot 2025-10-07 at 1.52.04 PM.png (390×1 px, 59 KB)

Conclusion
It appears that the feature is working as expected. Perhaps a random error occurred with the request that caused an error on the first attempt? In that case, we may need to either locate the exact request in Logstash and determine what happened (if anything) or wait for a similar situation to occur again, allowing us to identify the cause. But at the moment, this seems to work as expected. If this were a persistent real problem, we would likely have had multiple users reporting it.

@Tgr / @matmarex, any additional thoughts?

Reedy triaged this task as Low priority.Oct 7 2025, 11:03 AM
Tgr closed this task as Resolved.Oct 7 2025, 12:47 PM
Tgr reassigned this task from DAlangi_WMF to matmarex.
Tgr added a subscriber: DAlangi_WMF.

What was failing (sometimes) was login, not adding the key (probably because the login 2FA check happens close to page load time but adding the key doesn't). Anyway, if it was caused by T393256 we have every reason to believe it is fixed, and if it was caused by something else then we'd need someone to reproduce it and provide more information (this is a frontend error and frontend error logging is not that reliable, so there's probably no Logstash entry), so the task is not actionable. Let's just assume it's fixed by @matmarex's patch (which seems likely) and if it's not and someone runs into it, they can just file a new task.

Tgr added a comment.Oct 7 2025, 12:55 PM

I guess there's one potentially actionable thing - maybe WebAuthn should log API errors. (That's what we think happened here: mw.config ended up with the wrong API URL so the API request was a 404.) Filed that as T406581: WebAuthn JS code should log frontend API errors.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits