Page MenuHomePhabricator
Create Task
Maniphest T86869

Support a nice sso experience with MediaWiki's OAuth
Open, MediumPublic
Actions

Description

was https://www.mediawiki.org/wiki/Wikimedia_MediaWiki_Core_Team/Backlog#OpenID_connect

The major use case for OpenID Connect is to have an OAuth compatible authentication scheme that gives strong assertions about the user's identity.

Related Objects
Search...

Event Timeline

csteipp created this task.Jan 15 2015, 1:15 AM
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description. (Show Details)
csteipp added projects: MediaWiki-Core-Team, Epic.
csteipp subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 15 2015, 1:15 AM
csteipp added a subtask: T598: MediaWiki OAuth dialog text is unclear and sounds more scary than it is.Jan 15 2015, 5:22 PM
csteipp added a project: MediaWiki-extensions-OAuth.
csteipp set Security to None.
csteipp added a subtask: T74469: OAuth: Authorisation should not fail because you don't have an account on central wiki.Jan 20 2015, 6:33 PM
csteipp added a subtask: T71232: Provide "authenticate" endpoint for regular users.Jan 22 2015, 10:32 PM
csteipp added a subtask: T87395: Make "bot" or "personal use" apps a better experience.Jan 22 2015, 10:49 PM
csteipp added subtasks: T64686: Replace link to WMF privacy policy with link to app's privacy policy on OAuth authorize dialog, T64687: Add warning for user on /authorize about privacy policy, T59457: Split privacy policy message into link and display text, T68493: Special:OAuth doesn't provide a grant to access to private info of users, T75062: OAuth permission screen needs redesign for better usability and comprehension, T74654: Returning to OAuth url and clicking Allow again generates confusing error message, T62131: Unclear phrasing on OAuth help page.Jan 22 2015, 10:53 PM
Ragesoss subscribed.Jan 23 2015, 7:05 PM
bd808 triaged this task as Medium priority.Feb 18 2015, 5:41 AM
bd808 subscribed.
csteipp closed subtask T62131: Unclear phrasing on OAuth help page as Resolved.Feb 18 2015, 6:18 PM
Eloquence moved this task from Tag to March 2015: Platform on the Epic board.Feb 25 2015, 5:02 AM
Eloquence subscribed.EditedFeb 25 2015, 5:08 AM

(In case anyone's confused by the above, see: https://lists.wikimedia.org/pipermail/teampractices/2015-February/000637.html - just experimenting with a roadmap view.)

bd808 added a subtask: T88757: Add way for OAuth apps to only authenticate (no other valid rights).Feb 25 2015, 10:56 PM
bd808 mentioned this in T90925: General authentication improvements for MediaWiki.Feb 26 2015, 8:47 PM
bd808 added a parent task: T90925: General authentication improvements for MediaWiki.Feb 26 2015, 8:53 PM
Tgr added a subtask: T91584: MediaWiki OAuth panel could be more clear in Phabricator.Mar 4 2015, 10:55 PM
bd808 added a subtask: T64763: keyboard Tab order in OAuth Confirm dialog starts with Cancel.Mar 6 2015, 1:40 AM
bd808 closed subtask T74654: Returning to OAuth url and clicking Allow again generates confusing error message as Resolved.Mar 6 2015, 7:20 PM
Liuxinyu970226 subscribed.Mar 7 2015, 11:15 PM
Eloquence moved this task from March 2015: Platform to Tag on the Epic board.Mar 10 2015, 5:43 AM
bd808 mentioned this in T93835: Reading Infrastructure Roadmap April - June 2015 (Q4 2014/2015).Mar 25 2015, 1:05 AM
bd808 edited projects, added Reading-Infrastructure-Team-Old (Don't use); removed MediaWiki-Core-Team.Mar 30 2015, 7:26 PM
bd808 added a project: Roadmap.
Restricted Application added a project: Notice. · View Herald TranscriptMar 30 2015, 7:28 PM
bd808 moved this task from Unscheduled to August 2015 on the Roadmap board.Mar 30 2015, 7:29 PM
bd808 removed a subtask: T91584: MediaWiki OAuth panel could be more clear in Phabricator.Mar 30 2015, 7:40 PM
gpaumier moved this task from Backlog to Triaged on the Notice board.Apr 2 2015, 7:05 PM
gpaumier moved this task from Triaged to Archive on the Notice board.Apr 9 2015, 5:45 PM
Slaporte subscribed.Apr 16 2015, 11:48 PM
bd808 moved this task from Backlog to Ready on the Reading-Infrastructure-Team-Old (Don't use) board.May 6 2015, 4:23 PM
Tgr closed subtask T59457: Split privacy policy message into link and display text as Resolved.May 11 2015, 1:04 PM
Tgr removed a subtask: T64763: keyboard Tab order in OAuth Confirm dialog starts with Cancel.May 12 2015, 3:25 PM
Tgr removed a subtask: T64687: Add warning for user on /authorize about privacy policy.
Tgr removed a subtask: T64686: Replace link to WMF privacy policy with link to app's privacy policy on OAuth authorize dialog.
Tgr subscribed.

Removed tasks that already block the auth dialog design subtask (T75062).

Anomie closed subtask T88757: Add way for OAuth apps to only authenticate (no other valid rights) as Resolved.May 12 2015, 8:47 PM
Jdforrester-WMF moved this task from August 2015 to June 2015 on the Roadmap board.Jun 4 2015, 4:30 PM
greg moved this task from June 2015 to Unscheduled on the Roadmap board.Jun 25 2015, 4:11 PM
Jdforrester-WMF added a project: User-notice.Jun 29 2015, 10:38 PM
gpaumier removed a project: User-notice.Jul 2 2015, 8:12 PM
Tgr closed subtask T74469: OAuth: Authorisation should not fail because you don't have an account on central wiki as Resolved.Jul 7 2015, 12:41 AM
Tgr reopened subtask T74469: OAuth: Authorisation should not fail because you don't have an account on central wiki as Open.Sep 24 2015, 11:57 PM
Tgr closed subtask T74469: OAuth: Authorisation should not fail because you don't have an account on central wiki as Resolved.Sep 25 2015, 12:03 AM
Ragesoss added a subtask: T121287: Clicking 'Allow' multiple times quickly causes auth to fail.Dec 11 2015, 11:32 PM
Ragesoss added a subtask: T121898: Auth dialog does not pop up after login on mobile devices.Dec 18 2015, 6:41 PM
Anomie closed subtask T87395: Make "bot" or "personal use" apps a better experience as Resolved.Dec 28 2015, 11:08 PM
Mholloway subscribed.Mar 18 2016, 4:38 PM
tom29739 added a parent task: T134004: Confirmation dialog for 'OAuth authenticate only (no api access)' right is not needed.Apr 29 2016, 8:52 PM
Tgr removed a parent task: T134004: Confirmation dialog for 'OAuth authenticate only (no api access)' right is not needed.Apr 29 2016, 11:25 PM
Ragesoss closed subtask T121287: Clicking 'Allow' multiple times quickly causes auth to fail as Resolved.Jul 11 2016, 8:46 PM
Anomie closed subtask T68493: Special:OAuth doesn't provide a grant to access to private info of users as Resolved.Aug 15 2016, 8:46 PM
Tgr removed a project: Reading-Infrastructure-Team-Old (Don't use).May 2 2017, 1:27 PM
Mitar subscribed.Mar 24 2021, 7:58 PM
Mmm1100 updated the task description. (Show Details)Dec 27 2022, 2:51 PM
Mitar added a comment.Dec 27 2022, 3:35 PM

So what is the plan about this? Is this something a community contribution could help with?

Aklapper updated the task description. (Show Details)Dec 27 2022, 7:47 PM
Tgr added a comment.Dec 28 2022, 2:52 AM
In T86869#8490520, @Mitar wrote:

So what is the plan about this? Is this something a community contribution could help with?

T254063: OAuth extension should support OpenID Connect and especially T254063#8081810 has some specifics. IMO the most useful thing would be to support the display parameter and figure out a way for for the OAuth authorization dialog to show up in a popup window, without being wrapped in a MediaWiki skin. But then, given it already sort of works, it would be great to hear from people trying to use it and whether they found any of the limitations problematic.

Tgr added a comment.Dec 28 2022, 2:55 AM

Or someone could take a bunch of common OIDC client frameworks and see how well they are supported by MediaWiki today. (Would implementing the .well-known endpoint make the client much easier to configure, for example?)

Sj subscribed.Jan 24 2023, 12:30 AM

A related task seems to be "Write up a short guide for a tool provider to include Wikimedia OAuth as an option for to let users log in w/ their Wikimedia user account." (which is what T15631 was really asking for, I suspect.)

bd808 added a comment.Jan 24 2023, 12:50 AM
In T86869#8551767, @Sj wrote:

A related task seems to be "Write up a short guide for a tool provider to include Wikimedia OAuth as an option for to let users log in w/ their Wikimedia user account." (which is what T15631 was really asking for, I suspect.)

https://wikitech.wikimedia.org/wiki/Help:Toolforge/My_first_Flask_OAuth_tool is one framework specific attempt at that sort of documentation. https://www.mediawiki.org/wiki/OAuth/For_Developers has quite a bit of information on the general usage.

Sj awarded a token.Jan 24 2023, 12:54 AM
Mitar closed subtask T71232: Provide "authenticate" endpoint for regular users as Declined.Feb 15 2023, 8:18 AM
Frostly subscribed.Jan 7 2024, 11:50 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL