Maniphest T420150

Remove SUL2 B/C API behavior
Open, Needs TriagePublic
Actions

Assigned To

None

Authored By

	Tgr
	Mar 15 2026, 6:57 PM

Project Tags

Referenced Files

None

Subscribers

Description

We have moved authentication to a central domain T348388: SUL3: Use a dedicated domain for login and account creation, which would by default mean that authentication-related APIs on the local domains don't work (or at least not as expected). But we have disabled that to avoid B/C breaks: T379816: Disable SUL3 authentication redirect when using the API

We should gradually undo that, to fully get the security benefits of a separate authentication domain. We should probably start with credentials change, which is more sensitive and less relied on by clients, and then continue with login and signup.

Related Objects

Mentioned In: T136101: Rethink AuthManager::securitySensitiveOperationStatus
T402423: Remove &usesul3= URL parameter
Mentioned Here: T348388: SUL3: Use a dedicated domain for login and account creation
T379816: Disable SUL3 authentication redirect when using the API

Event Timeline

Tgr created this task.Mar 15 2026, 6:57 PM

Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptMar 15 2026, 6:57 PM

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

Tgr mentioned this in T402423: Remove &usesul3= URL parameter.Mar 15 2026, 6:58 PM

Tgr mentioned this in T136101: Rethink AuthManager::securitySensitiveOperationStatus.

Wellverywell subscribed.Mar 16 2026, 1:34 AM

Izno subscribed.Mar 16 2026, 3:27 AM

Moving to Needs refinement as it needs prioritization - this clean up should be done within next couple months. @JTweed-WMF can you prioritize this work?

Remove SUL2 B/C API behaviorOpen, Needs TriagePublicActions

Description

Related Objects

Event Timeline

Remove SUL2 B/C API behavior
Open, Needs TriagePublic
Actions