Page MenuHomePhabricator
Create Task
Maniphest T416544

New database table for tracking WebAuthn userHandle values (oathauth_user_handles)
Closed, ResolvedPublic
Actions

Description

To support passwordless login with passkeys (T321708), the OATHAuth extension needs to be able to identify which user has a given userHandle value. The userHandle is a 64-byte binary string that is randomly chosen for each user. To support this lookup, we propose adding a simple 1-to-1 mapping table between user IDs and userHandle values.

Like the other oathauth_* tables, there would be one global instance of the oathauth_user_handles table in the centralauth database for all SUL wikis together, and a local instance in each database for non-SUL wikis.

Gerrit patch: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OATHAuth/+/1236403
Proposed schema: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OATHAuth/+/1236403/2/sql/tables.json

Checklist from https://wikitech.wikimedia.org/wiki/Creating_new_tables:

  • Should this table be replicated to wiki replicas (does it not contain private data)?
    • No, it should not be replicated, nor should the other oathauth_* tables. They contain data related to user authentication.
  • Will you be doing cross-joins with the wiki metadata?
    • No. We're currently not planning to join this table on anything. In the future I suppose we might want to join it against other oathauth_* tables, but probably not against anything else.
  • Size of the table (number of rows expected).
    • The size of this table will always equal the result of the query select count(distinct oad_user) from oathauth_devices join oathauth_types on oad_type=oat_id where oat_name='webauthn';. If we ran the population script in production today, the table in the centralauth DB would have 1,425 rows. This table will always be smaller than the oathauth_devices table.
  • Expected growth per year (number of rows).
    • We've had relatively high growth recently because we rolled out new WebAuthn-related features, leading to 1100 new users in 2 months. In the long run, growth will probably be less, probably about 5k rows per year.
  • Expected amount of queries, both writes and reads (per minute, per hour...per day, any of those are ok).
    • Writes only happen when a user adds their first WebAuthn-based 2FA key, or deletes their last one. I estimate this happens ~20 times per day.
    • Reads happen when a user who has 2FA tries to log in, or opens the 2FA management UI. I don't have numbers handy on how often this happens, but probably not a huge amount. This table will get the same amount of read traffic as the existing oathauth_devices table (they're usually read together).
  • Examples of queries that will be using the table.
    • SELECT oah_handle FROM oathauth_user_handles WHERE oah_user=N
    • SELECT oah_user FROM oathauth_user_handles WHERE oah_handle='X'
    • Simple inserts of one row at a time
    • DELETE FROM oathauth_user_handles WHERE oah_user=N
  • The release plan for the feature (are there specific wikis you'd like to test first etc).
    • Deploy the code from the attached patch (disabled behind a feature flag)
    • Enable the feature flag
    • Run the maintenance script to populate the table
    • Due to the global nature of authentication, it doesn't make sense to roll this out on a subset of wikis, we'd just deploy it everywhere at once

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Revert "CommonSettings: Temporarily set $wgOATHUserHandlesTable = true"operations/mediawiki-configmaster+0 -3
Drop $wgOATHUserHandlesTablemediawiki/extensions/OATHAuthmaster+8 -25
CommonSettings: Temporarily set $wgOATHUserHandlesTable = trueoperations/mediawiki-configmaster+3 -0
Add a database table to track WebAuthn userHandle valuesmediawiki/extensions/OATHAuthmaster+492 -41
Customize query in gerrit

Related Objects
Search...

Event Timeline

Catrope created this task.Thu, Feb 5, 1:13 AM
Restricted Application added a project: Data-Engineering. · View Herald TranscriptThu, Feb 5, 1:13 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
gerritbot added a comment.Thu, Feb 5, 1:14 AM

Change #1236403 had a related patch set uploaded (by Catrope; author: Catrope):

[mediawiki/extensions/OATHAuth@master] Add a database table to track WebAuthn userHandle values

https://gerrit.wikimedia.org/r/1236403

gerritbot added a project: Patch-For-Review.Thu, Feb 5, 1:14 AM
Reedy updated the task description. (Show Details)Thu, Feb 5, 1:15 AM
Catrope updated the task description. (Show Details)Thu, Feb 5, 1:15 AM
Catrope updated the task description. (Show Details)

Note: as currently designed the oah_handle field is binary and contains binary values. However, we could store a base64-encoded value instead, if that is preferred.

Marostegui edited projects, added Data-Persistence; removed DBA.Thu, Feb 5, 6:42 AM
Marostegui added a subscriber: Ladsgroup.
Ladsgroup added a comment.Thu, Feb 5, 1:02 PM

Two notes:

  • Maybe add unsigned to give yourself more breathing room.
  • If you have the user as unique key, why not making it PK directly and avoid having an extra auto_increment id? See T411433#11584647 onwards
Reedy moved this task from Backlog to Features/Improvements on the MediaWiki-extensions-OATHAuth board.Thu, Feb 5, 4:13 PM
Catrope added a project: Security-Team.Thu, Feb 5, 5:54 PM
Catrope moved this task from Incoming to In Progress on the Security-Team board.
Ahoelzl moved this task from Incoming (new tickets) to Needs Clarification on the Data-Engineering board.Thu, Feb 5, 6:03 PM
Ahoelzl added subscribers: JAllemandou, Ahoelzl.

@JAllemandou can you take a look if DE is impacted?

Catrope claimed this task.Thu, Feb 5, 7:53 PM
In T416544#11587322, @Ladsgroup wrote:

Two notes:

  • Maybe add unsigned to give yourself more breathing room.
  • If you have the user as unique key, why not making it PK directly and avoid having an extra auto_increment id? See T411433#11584647 onwards

Done. I was a bit confused about this, because I've been seeing a lot of new tables with auto_increment IDs even though there is a unique field. But this comment explains that perfectly:

In T411433#11587135, @Ladsgroup wrote:

As a rule of thumb: if the unique field is an integer, it's okay to use it as PK‌ (e.g. in redirect table, the page_id is PK) but if it's string, it's better to have a dedicate auto_increment PK.

JAllemandou added a comment.Fri, Feb 6, 3:03 PM
In T416544#11588802, @Ahoelzl wrote:

@JAllemandou can you take a look if DE is impacted?

New table in the centralauth DB, no cloudDB replication and no need to sqoop into the cluster for now, DE is not impacted.

Catrope moved this task from In Progress to Waiting on the Security-Team board.Fri, Feb 6, 8:11 PM
Ladsgroup added a comment.Fri, Feb 6, 9:00 PM

If it's waiting on DBA signoff, to make it clear that it looks good on our side. Just make sure: 1- to catalog it in table catalog 2- avoid creating it on all wikis (I think it'll be only non sul wikis + one central wiki).

Reedy moved this task from Inbox to Passkey Support on the FY2025-26 WE 4.6 - Account Security (WE 4.6.4 - 2FA improvements and passkey support) board.Mon, Feb 9, 4:20 PM
gerritbot added a comment.Mon, Feb 9, 11:13 PM

Change #1236403 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Add a database table to track WebAuthn userHandle values

https://gerrit.wikimedia.org/r/1236403

Maintenance_bot removed a project: Patch-For-Review.Mon, Feb 9, 11:31 PM
ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.15; 2026-02-10).Tue, Feb 10, 12:00 AM
Reedy subscribed.Thu, Feb 12, 10:48 AM

DB table has been created on private.dblist, fishbowl.dblist and in centralauth.

Maintenance script presumably needs running?

gerritbot added a comment.Thu, Feb 12, 10:50 AM

Change #1239023 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@master] Drop $wgOATHUserHandlesTable

https://gerrit.wikimedia.org/r/1239023

gerritbot added a project: Patch-For-Review.Thu, Feb 12, 10:50 AM
gerritbot added a comment.Thu, Feb 12, 10:56 AM

Change #1239025 had a related patch set uploaded (by Reedy; author: Reedy):

[operations/mediawiki-config@master] CommonSettings: Temporarily set $wgOATHUserHandlesTable = true

https://gerrit.wikimedia.org/r/1239025

gerritbot added a comment.Thu, Feb 12, 10:56 AM

Change #1239026 had a related patch set uploaded (by Reedy; author: Reedy):

[operations/mediawiki-config@master] Revert "CommonSettings: Temporarily set $wgOATHUserHandlesTable = true"

https://gerrit.wikimedia.org/r/1239026

gerritbot added a comment.Thu, Feb 12, 11:04 AM

Change #1239025 merged by jenkins-bot:

[operations/mediawiki-config@master] CommonSettings: Temporarily set $wgOATHUserHandlesTable = true

https://gerrit.wikimedia.org/r/1239025

Stashbot mentioned this in T413211: Allow urlshortener for a selection of third-level domains from wmcloud.org and toolforge.org.Thu, Feb 12, 11:05 AM

Mentioned in SAL (#wikimedia-operations) [2026-02-12T11:05:23Z] <reedy@deploy2002> Started scap sync-world: Backport for [[gerrit:1238291|Allow a selection of third-level wmcloud/toolforge domains for UrlShortener (T413211)]], [[gerrit:1239025|CommonSettings: Temporarily set $wgOATHUserHandlesTable = true (T416544)]]

Stashbot added a comment.Thu, Feb 12, 11:07 AM

Mentioned in SAL (#wikimedia-operations) [2026-02-12T11:07:31Z] <reedy@deploy2002> filippo, reedy: Backport for [[gerrit:1238291|Allow a selection of third-level wmcloud/toolforge domains for UrlShortener (T413211)]], [[gerrit:1239025|CommonSettings: Temporarily set $wgOATHUserHandlesTable = true (T416544)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Stashbot added a comment.Thu, Feb 12, 11:12 AM

Mentioned in SAL (#wikimedia-operations) [2026-02-12T11:12:12Z] <reedy@deploy2002> Finished scap sync-world: Backport for [[gerrit:1238291|Allow a selection of third-level wmcloud/toolforge domains for UrlShortener (T413211)]], [[gerrit:1239025|CommonSettings: Temporarily set $wgOATHUserHandlesTable = true (T416544)]] (duration: 06m 48s)

Reedy changed the task status from Open to In Progress.Thu, Feb 12, 11:56 AM
Reedy triaged this task as Medium priority.
In T416544#11610252, @Reedy wrote:

Maintenance script presumably needs running?

That's been done too.

Catrope added a comment.Thu, Feb 12, 7:05 PM

I took a look the tables and everything looks good. Looks like they've been fully populated and continue to update with new users.

All that remains now is to clean up the feature flag.

gerritbot added a comment.Thu, Feb 12, 7:29 PM

Change #1239023 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Drop $wgOATHUserHandlesTable

https://gerrit.wikimedia.org/r/1239023

ReleaseTaggerBot edited projects, added MW-1.46-notes (1.46.0-wmf.16; 2026-02-17); removed MW-1.46-notes (1.46.0-wmf.15; 2026-02-10).Thu, Feb 12, 8:00 PM
Catrope closed this task as Resolved.Thu, Feb 19, 12:37 AM
Catrope moved this task from WE 4.6.4 - 2FA improvements and passkey support to WE 4.6.9 (Passwordless login and passkey promotion) on the FY2025-26 WE 4.6 - Account Security board.
Catrope edited projects, added FY2025-26 WE 4.6 - Account Security (WE 4.6.9 (Passwordless login and passkey promotion)); removed FY2025-26 WE 4.6 - Account Security (WE 4.6.4 - 2FA improvements and passkey support).
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits