Page MenuHomePhabricator
Create Task
Maniphest T393459

Warn users when they get redirected from a logged-in local page to a logged-out auth.wikimedia.org page
Closed, ResolvedPublic
Actions

Description

Previously, login/signup happened on the same domain so if you were logged in when clicking the login link, you were logged in on the login form as well. (There is no login link on the UI when you are logged in, but there are help pages etc. with links. Both the login and signup page are meaningful while logged in - for switching to another account, and for creating an account for another user, respectively.) With SUL3 this is not the case anymore, and this is causing confusion, e.g.:
T391862: 'change password' link does not allow user to find the password reset page
T391324: Missing "send temporary password through email" option in Wikimedia SUL account creation

We should let the central domain know (probably via a URL parameter) that the user is expected to be logged in; when that is the case, there should be some warning message (and we should probably add an extra login redirection, ie. send them to the login page and set returnto / returntoquery to the login or signup page, and make sure RedirectingLoginHookHandler doesn't redirect them back).

See also:
T392359: Visiting Special:UserLogin to switch accounts doesn't work in SUL3
T389064: Notify WebAuthn users about SUL3 changes (T389064#10960666)

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SUL3: Show expiry message only if user isn't logged-in centrallymediawiki/extensions/CentralAuthmaster+4 -1
SUL3: Show warning upon redirect when logged-in locally but logged-out centrallymediawiki/extensions/CentralAuthmaster+45 -4
Customize query in gerrit

Related Objects
Search...

Event Timeline

Tgr created this task.May 6 2025, 12:40 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptMay 6 2025, 12:40 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Tgr added subtasks: T391862: 'change password' link does not allow user to find the password reset page, T391324: Missing "send temporary password through email" option in Wikimedia SUL account creation.May 6 2025, 12:41 PM
Tgr mentioned this in T392359: Visiting Special:UserLogin to switch accounts doesn't work in SUL3.May 6 2025, 12:53 PM
Tgr updated the task description. (Show Details)
JTweed-WMF moved this task from Inbox, needs triage to Needs refinement on the MediaWiki-Platform-Team board.May 12 2025, 3:01 PM
Tgr mentioned this in T397244: Private mitigation blocks registration from certain email domains but gives misleading error about rate limits.Jun 18 2025, 11:33 AM
Tgr mentioned this in T389064: Notify WebAuthn users about SUL3 changes.Jun 30 2025, 7:50 PM
Tgr updated the task description. (Show Details)
JTweed-WMF moved this task from Needs refinement to Next (DO NOT USE) on the MediaWiki-Platform-Team board.Aug 28 2025, 2:37 PM
matmarex closed subtask T391862: 'change password' link does not allow user to find the password reset page as Resolved.Sep 12 2025, 10:01 PM
gerritbot added a comment.Sep 19 2025, 2:34 AM

Change #1189618 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/extensions/CentralAuth@master] SUL3: Show warning upon redirect when logged-in locally but logged-out centrally

https://gerrit.wikimedia.org/r/1189618

gerritbot added a project: Patch-For-Review.Sep 19 2025, 2:34 AM
matmarex claimed this task.Sep 19 2025, 2:38 AM
matmarex mentioned this in T405054: Improve SUL3 Special:UserLogin and Special:CreateAccount interactions when already logged in or partially logged in.
matmarex moved this task from Next (DO NOT USE) to In progress (DO NOT USE) on the MediaWiki-Platform-Team board.
matmarex added a parent task: T405054: Improve SUL3 Special:UserLogin and Special:CreateAccount interactions when already logged in or partially logged in.
matmarex mentioned this in T391324: Missing "send temporary password through email" option in Wikimedia SUL account creation.Sep 19 2025, 2:42 AM
matmarex merged a task: T391324: Missing "send temporary password through email" option in Wikimedia SUL account creation.
matmarex added subscribers: LuciferianThomas, matmarex, taavi, Stang.
gerritbot added a comment.Oct 24 2025, 12:15 PM

Change #1189618 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] SUL3: Show warning upon redirect when logged-in locally but logged-out centrally

https://gerrit.wikimedia.org/r/1189618

Maintenance_bot removed a project: Patch-For-Review.Oct 24 2025, 12:30 PM
ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.25; 2025-10-28).Oct 24 2025, 1:00 PM
matmarex closed this task as Resolved.Oct 24 2025, 2:11 PM
Stang unsubscribed.Oct 27 2025, 9:33 PM
gerritbot added a comment.Dec 5 2025, 9:35 AM

Change #1215531 had a related patch set uploaded (by D3r1ck01; author: Derick Alangi):

[mediawiki/extensions/CentralAuth@master] Do not show central session expiry if it hasn't expired

https://gerrit.wikimedia.org/r/1215531

gerritbot added a project: Patch-For-Review.Dec 5 2025, 9:35 AM
gerritbot added a comment.Dec 6 2025, 8:56 PM

Change #1215531 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] SUL3: Show expiry message only if user isn't logged-in centrally

https://gerrit.wikimedia.org/r/1215531

ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.7; 2025-12-16).Dec 6 2025, 9:00 PM
Maintenance_bot removed a project: Patch-For-Review.Dec 6 2025, 9:30 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits