
Always redirect 2FA management special page to auth domain on SUL wikis, so that WebAuthn setup can be offered
Closed, Resolved. Public

Description

Currently, visiting e.g. https://en.wikipedia.org/wiki/Special:Manage_Two-factor_authentication when no 2FA methods are set up only displays a button to enable TOTP, but does not display a button to enable WebAuthn. To set up WebAuthn, you have to go to https://auth.wikimedia.org/enwiki/wiki/Special:Manage_Two-factor_authentication , which is not very discoverable (there's a banner that links there and sort of explains this, but it's not very clear). This is because the user must be on the auth.wm.o domain for the JS that sets up WebAuthn to work, but this isn't a very user-friendly experience.

To make this more user-friendly, we should automatically redirect to the auth domain if the user tries to view this special page on a non-auth domain.

  • When the user tries to view Special:Manage_Two-factor_authentication not on the auth domain, don't display the special page, but redirect to the auth domain
  • Update the link to this special page on the preferences page to point directly to the auth domain, so that we don't link to a page that will then immediately redirect
  • These changes should only be made on SUL wikis; non-SUL wikis should work as they do now, and not redirect to the auth domain
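As an added illustration (not CentralAuth's or OATHAuth's own code), the redirect decision described above as a pure function: it redirects only on SUL wikis, only for the 2FA management special page, never when the request is already on the auth domain (which would loop), and it carries the subpage and query string over to the auth-domain copy. The auth domain, the URL layout https://auth.wikimedia.org/<wiki id>/wiki/... and the `/wiki/` short-URL form are taken from the task description; localized aliases of the special page and `index.php?title=` URLs are deliberately not handled here.

```python
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constants from the task description; a real deployment would read them from config.
AUTH_DOMAIN = "auth.wikimedia.org"
SPECIAL_PAGE = "Special:Manage_Two-factor_authentication"


def oath_manage_redirect(url: str, wiki_id: str, sul_enabled: bool) -> Optional[str]:
    """Return the auth-domain URL to redirect to, or None if the page may be served locally.

    Rules, following the task:
      * non-SUL wikis never redirect;
      * a request already on the auth domain is served as-is (no redirect loop);
      * only the 2FA management special page and its subpages are redirected;
      * the target is https://AUTH_DOMAIN/<wiki_id>/wiki/<page>[/subpage]?<query>.
    """
    parts = urlsplit(url)
    if not sul_enabled or parts.hostname == AUTH_DOMAIN:
        return None
    prefix = "/wiki/" + SPECIAL_PAGE
    if not (parts.path == prefix or parts.path.startswith(prefix + "/")):
        return None
    # Re-encode the query so whatever the local request carried (e.g. returnto)
    # reaches the auth-domain copy of the page unchanged.
    query = urlencode(parse_qsl(parts.query, keep_blank_values=True))
    return urlunsplit(("https", AUTH_DOMAIN, "/" + wiki_id + parts.path, query, ""))


if __name__ == "__main__":
    # Constructed sample requests, one per rule.
    samples = [
        ("https://en.wikipedia.org/wiki/" + SPECIAL_PAGE, "enwiki", True),
        ("https://en.wikipedia.org/wiki/" + SPECIAL_PAGE + "/sub?returnto=Main_Page", "enwiki", True),
        ("https://auth.wikimedia.org/enwiki/wiki/" + SPECIAL_PAGE, "enwiki", True),
        ("https://example.org/wiki/" + SPECIAL_PAGE, "examplewiki", False),
        ("https://en.wikipedia.org/wiki/Special:Preferences", "enwiki", True),
    ]
    for url, wiki, sul in samples:
        print(url, "->", oath_manage_redirect(url, wiki, sul))
```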

Event Timeline

What about (in addition) redirecting https://en.wikipedia.org/wiki/Special:Manage_Two-factor_authentication (and other non-auth domain URLs to this same page on other wikis) to the auth domain version of it at https://auth.wikimedia.org/wiki/Special:Manage_Two-factor_authentication ?

This could cover other edge cases where people end up on the 2FA page through means other than clicking the button in their preferences, and just shuts off the use of these 2FA pages on non-auth domains that are basically vestigial artifacts of how SUL3 works. I think this would more clearly express the idea that the 2FA management page only exists on the auth domain.

Changing the buttons to link directly to the auth domain would still be a good idea, for the performance benefit of avoiding an unnecessary redirect, and because it would be consistent with acting as if those non-auth 2FA management pages don't exist.

I think that's a great idea, and it also obviates what the task description asks for. I'll rewrite it to cover that instead.

Catrope renamed this task from "Allow WebAuthn setup to be initiated from regular wiki domains, without manually going to auth.wikimedia.org first" to "Always redirect 2FA management special page to auth domain, so that WebAuthn setup can be offered". Aug 14 2025, 5:37 PM
Catrope updated the task description.
Catrope renamed this task from "Always redirect 2FA management special page to auth domain, so that WebAuthn setup can be offered" to "Always redirect 2FA management special page to auth domain on SUL wikis, so that WebAuthn setup can be offered". Aug 20 2025, 6:34 PM
Catrope updated the task description.
Catrope triaged this task as High priority. Aug 21 2025, 8:25 PM

Update the link to this special page on the preferences page to point directly to the auth domain, so that we don't link to a page that will then immediately redirect

This was done a couple months ago to make the central domain the "default". There is no easy way to hijack direct links on help pages etc. though (we could juggle with query parameters but it's messy, and the management page is not meant to be available locally for long anyway).

This is blocked on T362715#10723301

This is no longer the case, because removing old passkeys no longer requires being on the same domain where that passkey was created.

If you only have one passkey, it's still the case that you are only able to access the OATH management panel on the domain for which that passkey is valid, because you need to go through security reauthentication.

Change #1189937 had a related patch set uploaded (by Mstyles; author: Mstyles):

[mediawiki/extensions/CentralAuth@master] Force OATHManage to be on central domain

https://gerrit.wikimedia.org/r/1189937

Currently there are users who still have passkeys on local domains and this patch can't be merged until there are no more "local" webauthn keys. Analysis work is being done in T401742 and the actual migration work in T376021.

Shelve until we contact users with keys in local domain via T405553 and have users remove their local webauthn keys.

Change #1189937 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Force OATHManage to be on central domain

https://gerrit.wikimedia.org/r/1189937

Change #1194150 had a related patch set uploaded (by Reedy; author: Mstyles):

[mediawiki/extensions/CentralAuth@wmf/1.45.0-wmf.22] Force OATHManage to be on central domain

https://gerrit.wikimedia.org/r/1194150

Change #1194607 had a related patch set uploaded (by D3r1ck01; author: Mstyles):

[mediawiki/extensions/CentralAuth@wmf/1.45.0-wmf.21] Force OATHManage to be on central domain

https://gerrit.wikimedia.org/r/1194607

Change #1194607 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@wmf/1.45.0-wmf.21] Force OATHManage to be on central domain

https://gerrit.wikimedia.org/r/1194607

Change #1194150 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@wmf/1.45.0-wmf.22] Force OATHManage to be on central domain

https://gerrit.wikimedia.org/r/1194150

Mentioned in SAL (#wikimedia-operations) [2025-10-08T13:56:11Z] <lucaswerkmeister-wmde@deploy2002> Started scap sync-world: Backport for [[gerrit:1194605|Temporarily undeploy JWT session cookies (T399631)]], [[gerrit:1194603|jwt: Use core cookie settings (T406621)]], [[gerrit:1194604|jwt: Use core cookie settings (T406621)]], [[gerrit:1194607|Force OATHManage to be on central domain (T401773)]], [[gerrit:1194150|Force OATHManage to be on central domain (T401773)]]

Mentioned in SAL (#wikimedia-operations) [2025-10-08T14:01:12Z] <lucaswerkmeister-wmde@deploy2002> d3r1ck01, lucaswerkmeister-wmde, reedy, tgr: Backport for [[gerrit:1194605|Temporarily undeploy JWT session cookies (T399631)]], [[gerrit:1194603|jwt: Use core cookie settings (T406621)]], [[gerrit:1194604|jwt: Use core cookie settings (T406621)]], [[gerrit:1194607|Force OATHManage to be on central domain (T401773)]], [[gerrit:1194150|Force OATHManage to be on central domain (T401773)

Mentioned in SAL (#wikimedia-operations) [2025-10-08T14:10:11Z] <lucaswerkmeister-wmde@deploy2002> Finished scap sync-world: Backport for [[gerrit:1194605|Temporarily undeploy JWT session cookies (T399631)]], [[gerrit:1194603|jwt: Use core cookie settings (T406621)]], [[gerrit:1194604|jwt: Use core cookie settings (T406621)]], [[gerrit:1194607|Force OATHManage to be on central domain (T401773)]], [[gerrit:1194150|Force OATHManage to be on central domain (T401773)]] (duration: 14m 0