Page MenuHomePhabricator
Create Task
Maniphest T348388

SUL3: Use a dedicated domain for login and account creation
Open, HighPublic
Actions

Description

The current version of Single User Login (SUL2) provides central authentication that ensures users have a single identity across all Wikimedia projects, including the ability to log in on one wiki and be automatically logged in across all wikis. SUL3 will move authentication to a dedicated domain, to improve security and ensure compatibility with browser anti-tracking measures.

Objective

This work is part of:

  • WE 5: Evolve the MediaWiki platform and its interfaces to better meet Wikipedia's core needs
  • KR 5.1: Increase sustainability of the platform
Context

Currently users enter their credentials and login on a particular wiki. A series of redirects are then used to create a central session, which is used to authenticate the user on other wikis. This has the benefit that users never leave the wiki they are on and the wiki's community can customize the login and account creation pages to fit their needs.

However, it also causes the following issues:

  • To a web browser, the redirects used for central login are indistinguishable from cross-site user tracking and browsers are increasingly rolling out anti-tracking measures that break central login.
  • As users might need to enter their password on any wiki, a XSS vulnerability on any wiki can potentially lead to password theft. This is compounded by the level of customisation provided by extensions, site-wide Javascript and gadgets on individual wikis.
  • Browsers store authentication-related data per-domain, so per-wiki login degrades the user experience, privacy and security of authentication, by making it harder to manage cookies, passwords and WebAuthn passkeys.

Disabling local login and moving authentication to a dedicated domain requires users to directly interact with the domain that is setting the central session cookies. This will ensure compatibility with browser anti-tracking features, which are increasingly blocking cookies set by domains that the user has not directly interacted with.

It will also allow us to improve account security by limiting authentication to a single domain, which can be locked down to a greater extent than individual wikis to further prevent XSS vulnerabilities.

Scope and constraints

In scope:

  • Moving login, account creation, password change and reset to a dedicated domain
  • Ensuring that autologin still functions as today, requiring users to sign in only once
  • Full compatibility with existing CheckUser workflows, including cross-wiki on loginwiki
  • Full compatibility with temporary accounts and supporting their rollout

Out of scope:

  • Changes to the clientlogin API, which must remain as-is to ensure compatibility
  • Improvements to WebAuthn support, e.g. to support multiple passkeys

Constraints:

  • Minimise non-essential changes to user experience, by preserving the current flexibility and customisation provided to individual wikis
  • Maintain account security and minimise potential vulnerabilities by supporting only required functionality on the authentication domain
  • Consider long-term platform sustainability and the impact of introducing new authentication mechanisms
Success measures
  • Central login works in all browsers with tracking prevention
  • Phased rollout to 100% account creation and login on web
See also

https://www.mediawiki.org/wiki/MediaWiki_Platform_Team/SUL3

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT345245 Mitigate phase-out of third-party cookies in Wikimedia production
 ResolvedTgrT345249 Mitigate phase-out of third-party cookies in CentralAuth
 OpenNoneT348388 SUL3: Use a dedicated domain for login and account creation
 DeclinedNoneT354482 Clean up login.wikimedia.org ahead of SUL3 login
 InvalidNoneT356614 Do not do central login after security reauthentication
 ResolvedTgrT362713 Implement the new login process which redirects to the central login wiki for showing the login/signup form
 DeclinedNoneT363411 Run cancreateaccount checks in the context of another wiki
 ResolvedDAlangi_WMFT363483 Split CentralAuth primary authentication provider into loginwiki and non-loginwiki version
 ResolvedDAlangi_WMFT369650 Tokenize sensitive parameters in SUL3 URLs
 DeclinedNoneT364862 Render central login page with customizations from starting wiki
 ResolvedTgrT363699 Determine and implement SUL 3 login handshake mechanism
 OpenNoneT369467 SUL3: Consider adding interstitial when the user is already logged in centrally
 ResolvedDAlangi_WMFT369668 Figure out how to handle "remember me" flag in SUL3 login flow
 OpenNoneT372703 Set central session ID on the local wiki during SUL3 login
 ResolvedPRODUCTION ERRORTgrT373507 TypeError: Argument 1 passed to MediaWiki\Extension\CentralAuth\CentralAuthTokenManager::consume() must be of the type string, null given
 ResolvedTgrT364866 Adapt to changes in post-login/signup hooks after switching to a central login wiki
 ResolvedBUG REPORTTgrT385574 LoginNotify and SUL3: Two emails are sent for a new device login when logging in on a SUL3 wiki
 ResolvedBUG REPORTTgrT385572 SUL3: CheckUser is told about two successful logins with different IP addresses for one successful login on a SUL3 enabled wiki
 ResolvedTgrT369180 Ensure no AuthenticationRequests are added to the local login flow in SUL3 mode
 ResolvedPRODUCTION ERRORTgrT373504 Wikimedia\NormalizedException\NormalizedException: Authentication failed because of inconsistent provider array
 ResolvedDAlangi_WMFT370810 Forward "campaign" parameter during SUL3 account creation
 ResolvedDAlangi_WMFT370813 Support signup mode in SUL3 local login
 ResolvedDAlangi_WMFT375788 Implement SUL3 central autologin
 ResolvedDAlangi_WMFT380646 Centralize SUL2 and SUL3 device detection
 ResolvedDAlangi_WMFT376488 Implement SUL3 central login for temp users
 OpenNoneT377561 "Keep me logged in" flag unreliable on the central domain
 DuplicateNoneT377141 Enable SUL3 central login for temporary accounts
 ResolvedDAlangi_WMFT375796 Synchronize SUL2 and SUL3 central browser state
 OpenTgrT362715 Move credentials change to central domain
 ResolvedmatmarexT42050 Allow password reset requests to be handled centrally for unified users
 ResolvedmatmarexT151012 CentralAuth should have its own temporary password handling
 ResolvedmatmarexT371340 It should be possible to look up global preference for central users without local accounts
 ResolvedmatmarexT149003 TemporaryPasswordPrimaryAuthenticationProvider does not work with non-DB-based passwords
 OpenTgrT376021 Migrate WebAuthn on Wikimedia wikis to central domain
 ResolvedpmiazgaT378402 Disallow setting up new WebAuthn passkeys on Wikimedia wikis
 ResolvedTgrT389064 Notify WebAuthn users about SUL3 changes
 ResolvedArielGlennT354701 Enable migration of WebAuthn credentials to central domain
 ResolvedNoneT248339 Decide how to deal with WebAuthn login/registration flow on Wikimedia wikis in future
 ResolvedReedyT248367 Update messages to notify WebAuthn users that they need to login on the same wiki they registered
 ResolvedTgrT363695 Create a Wikimedia login domain that can be served by any wiki
 ResolvedTgrT365162 Set up sso.wikimedia.beta.wmflabs.org with config-layer routing to other wikis
 ResolvedsbassettT367995 Security Preview for shared login domain
 ResolvedTgrT373738 Audit special pages used on the SUL3 shared login domain for disallowing user JS
 DeclinedTgrT373737 Disable irrelevant extensions on SUL3 login domain
 ResolvedTgrT373732 Audit SUL3 shared-domain i18n messages for XSS
 ResolvedSecurityTgrT379677 FancyCaptcha uses unescaped i18n messages
 ResolvedmatmarexT45646 "MediaWiki:Copyright" message allows raw HTML
 ResolvedmatmarexT371530 Support cross-domain $wgLoadScript URLs in ResourceLoader
 ResolvedArielGlennT371267 Create a script to backfill missing local accounts on loginwiki/metawiki for new global accounts
 OpenBUG REPORTNoneT394732 backfillLocalAccounts.php does not (always?) copy checkuser data
 OpenNoneT394733 Consider ignoring permission checks in backfillLocalAccounts.php
 ResolvedArielGlennT368230 Investigate missing loginwiki accounts
 ResolvedmatmarexT371596 Preserve mobile domain when using the shared login domain
 ResolvedmatmarexT371609 Rewrite URLs when using the shared login domain
 ResolvedArielGlennT378401 Start running backfillLocalAccounts.php
 OpenArielGlennT381128 backfillLocalAccounts.php should fill Client Hints
 DeclinedNoneT363706 Register Wikimedia wikis as a Related Website Set
 OpenNoneT364829 Update Wikimedia apps to use central login domain
 ResolvedDAlangi_WMFT379816 Disable SUL3 authentication redirect when using the API
 DeclinedNoneT364867 Determine SUL3 cookie exchange mechanism
 ResolvedJTweed-WMFT359926 Test cross-domain cookie access with the Storage Access API and Related Website Sets
 DeclinedNoneT360104 Test cross-domain cookie access with OAuth-style popup + redirect workflow
 ResolvedNoneT364941 Decide on the login flow in MediaWiki under SUL3
 ResolvedmatmarexT364939 Provide a JavaScript library for logging in / signing up to MediaWiki via a popup
 ResolvedmatmarexT362706 Permit displaying the login / signup page in a popup or iframe
 ResolvedmatmarexT366486 Compare experimental login types on the beta cluster
 ResolvedmatmarexT366508 Compare our login popup to other sites
 ResolvedJTweed-WMFT367911 Explore full-page navigation as the default login flow in MediaWiki under SUL3
 ResolvedlarissagauliaT367912 Explore a popup window as the default login flow in MediaWiki under SUL3
 ResolvedTgrT367913 Explore an iframe overlay as the default login flow in MediaWiki under SUL3
 ResolvedpmiazgaT355281 Set up some beta cluster wikis with different registrable domain
 DeclinedNoneT368037 Estimate impact of SUL3 on bots
 ResolvedJTweed-WMFT375954 Create SUL3 rollout plan for Wikimedia production
 ResolvedDAlangi_WMFT375787 Cookie-based feature flag for SUL3
 OpenNoneT376561 Improve CentralAuth authentication PHPUnit tests
 OpenDAlangi_WMFT380694 Split controller and business logic in CentralAuth central login and central autologin classes
 OpenNoneT376562 Improve CentralAuth authentication browser tests
 DeclinedFeatureTgrT377140 Adapt user experience to expose the progressive rollout with a fallback link
 ResolvedDAlangi_WMFT377924 [SUL3] Make the `usesul3=0` query parameter work as the inverse of `usesul3=1`
 ResolvedTgrT377142 Improve code quality for SUL3 shared domain logic
 ResolvedArielGlennT377144 Create method for deterministically opting new users into SUL3 rollout
 ResolvedArielGlennT384549 Create a per-user flag for enabling SUL3
 ResolvedTgrT365586 Measure user impact of using a central login / signup page
 ResolvedpmiazgaT375955 Add a SUL3 flag to Statsd / Prometheus authentication metrics
 ResolvedDAlangi_WMFT377253 Add SUL3 flag to authentication-related event schemas
 ResolvedTgrT377261 Track the number of interrupted SUL3 logins / signups
 OpenTgrT377258 Write mediawiki.org documentation for SUL3
 OpenmatmarexT391406 Update CentralAuth documentation page after SUL3
 ResolvedTgrT391270 Determine CentralAuth SUL3 defaults
 ResolvedTgrT390329 SharedDomainHookHandler::DISALLOWED_LOCAL_PROVIDERS is hard to maintain
 ResolvedmatmarexT387861 Remove SUL3 opt-in code from CentralAuth
 DeclinedNoneT391358 SUL3 login broken when the local wiki and the central domain are in the same $wgCentralAuthCookieDomain set
 ResolvedmatmarexT370692 Review mobile login UX for SUL3
 ResolvedTgrT383729 SUL3 Phase 0: Account creation and login on test wikis
 ResolvedTgrT377187 Set up auth.wikimedia.org
 ResolvedmatmarexT379811 Update URL structure for SUL3 shared domain
 ResolvedsbassettT378722 Application Security Review Request : SUL3
 ResolvedTgrT380574 Add SUL3 authentication domain to deploy canary checks
 ResolvedKrinkleT384844 Ensure auth.wikimedia.org is added to shared-credentials list in password managers

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Tgr added a subtask: T365586: Measure user impact of using a central login / signup page.May 22 2024, 12:50 PM
pmiazga closed subtask T355281: Set up some beta cluster wikis with different registrable domain as Resolved.Jun 10 2024, 6:09 PM
Tgr mentioned this in T367995: Security Preview for shared login domain.Jun 19 2024, 8:47 PM
Bugreporter added a comment.Jun 20 2024, 4:09 AM

As I said T367968#9908254, there may be accounts currently unattached to SUL. We need to handle them before switching to SUL3.

Tgr added a comment.Jun 20 2024, 11:50 AM
In T348388#9908262, @Bugreporter wrote:

As I said T367968#9908254, there may be accounts currently unattached to SUL. We need to handle them before switching to SUL3.

I don't see why. They will remain available via the action=login API which we probably won't remove anytime soon as it would probably cause a huge fallout for bots.

Tgr mentioned this in T368037: Estimate impact of SUL3 on bots.Jun 20 2024, 11:56 AM
Tgr added a subtask: T368037: Estimate impact of SUL3 on bots.
Bugreporter added a comment.EditedJun 20 2024, 12:10 PM

They will remain available via the action=login API

This will only applies to API login. But there are unattached accounts that is neither bot nor system user, and they will not be able to log in using normal way.

Even for bots, manual login is useful to modify password or 2FA settings (which will be moved to loginwiki, so will not work for unattached local accounts).

Bugreporter mentioned this in T368125: Clean up existing unattached accounts.Jun 21 2024, 7:03 AM
Tgr mentioned this in T316303: Check global rights during autocreation.Jun 23 2024, 8:44 PM
Tgr added a comment.Jun 23 2024, 9:10 PM

Actually, I don't think unattached accounts can log in at all. That was disabled way back in rOMWC165ecbfaba66: Set $wgCentralAuthStrict = true;.

Bugreporter added a comment.Jun 24 2024, 3:02 AM
In T348388#9916155, @Tgr wrote:

Actually, I don't think unattached accounts can log in at all. That was disabled way back in rOMWC165ecbfaba66: Set $wgCentralAuthStrict = true;.

So it would be the time to remove support for unattached accounts (i.e. assume all accounts are mergable) in CentralAuth.

Bugreporter mentioned this in T368235: Remove support for unattached accounts in CentralAuth.Jun 24 2024, 3:10 AM
ArielGlenn added a comment.Jun 24 2024, 7:51 AM
In T348388#9916271, @Bugreporter wrote:
In T348388#9916155, @Tgr wrote:

Actually, I don't think unattached accounts can log in at all. That was disabled way back in rOMWC165ecbfaba66: Set $wgCentralAuthStrict = true;.

So it would be the time to remove support for unattached accounts (i.e. assume all accounts are mergable) in CentralAuth.

We are not the only user of CentralAuth. While this functionality may not be tailored to third party use, I think we should allow for some basic differences in configuration, setup, and migration/merges of existing accounts on other sites.

Bugreporter added a comment.EditedJun 24 2024, 8:45 AM
In T348388#9916455, @ArielGlenn wrote:
In T348388#9916271, @Bugreporter wrote:
In T348388#9916155, @Tgr wrote:

Actually, I don't think unattached accounts can log in at all. That was disabled way back in rOMWC165ecbfaba66: Set $wgCentralAuthStrict = true;.

So it would be the time to remove support for unattached accounts (i.e. assume all accounts are mergable) in CentralAuth.

We are not the only user of CentralAuth. While this functionality may not be tailored to third party use, I think we should allow for some basic differences in configuration, setup, and migration/merges of existing accounts on other sites.

First, currently CentralAuth migration code is buggy (T288906: Remove or rewrite CentralAuth SUL migration code); Second, unattached accounts not only do not work with SUL3 (and already not work well for other features requiring SUL finalization), it also results in issues like T275931. Third, the codes that deals with locally unattached users and SUL migration is complex and there are currently three database tables for it (localnames, globalnames, users_to_rename) and multiple configuration options and user rights. They are not well tested and maintained.

Currently we do not recommend third party users to use CentralAuth (partly) due to its complexity and difficulty to install, and such changes (plus T359116: Split up CentralAuth into smaller extensions) will make it easier for 3rd wikis to use and maintain (though existing wiki farms using CentralAuth must complete an SUL finalization process similar to Wikimedia). In my proposal, it is still able to install CentralAuth in an existing wiki farm; However, they will need to first manually rename each conflicting user names, since users with same name will always be merged to one single global account.

labster added a comment.Jun 24 2024, 9:26 AM

For what it's worth, Miraheze has had $wgCentralAuthStrict = true; for about 8 months now (and probably should have had it for much longer).

We're actually fairly excited about this project in general because it will mitigate some of our security risks, as well as presumably having less flaky login in general.

Tgr added a comment.Jun 24 2024, 11:33 AM
In T348388#9916271, @Bugreporter wrote:

So it would be the time to remove support for unattached accounts (i.e. assume all accounts are mergable) in CentralAuth.

Given that those accounts are already unusable (via web login, anyway; some of them are used by maintenance scripts, see T214722: Introduce global system users), I don't think the SUL3 project has any bearing on them.

In any case, I'm not sure what "remove support" means. We could remove support for $wgCentralAuthStrict = false; that might or might not be problematic for other CentralAuth users, and the only benefit to us would be getting rid of some code. (Which is definitely valuable, but I hope we can work on T359116: Split up CentralAuth into smaller extensions in the foreseeable future, which would be a better opportunity for B/C breaks.) Beyond that, I don't see what could be done here. CentralAuth should continue verify database consistency and disallow login if the local account is not attached; not doing that just seems unwise. So in that sense I don't think "assume all accounts are mergable" is reasonable.

Bugreporter added a comment.Jun 24 2024, 11:53 AM

disallow login if the local account is not attached

What I proposed is remove a large number of codes dealing with unattached users and SUL merging (see T368235); after then if user try to log in an unattached local account, it will (1) if a global account exists, automatically attach local account to SUL and try to login using global credential (local password is discarded); (2) if one does not exist, create a global account and migrate the credential to SUL, and use it to login.

Bugreporter added a comment.Jun 24 2024, 11:57 AM

those accounts are already unusable

But having an unattached local account for User:Example in enwiki will make Example unable to edit enwiki, so it is still problematic. We may want to prevent it completely.

Tgr added a comment.Jun 24 2024, 3:05 PM
In T348388#9917274, @Bugreporter wrote:

But having an unattached local account for User:Example in enwiki will make Example unable to edit enwiki, so it is still problematic. We may want to prevent it completely.

Yes but that's the status quo, it doesn't have anything to do with this task. No one reported such problems in a long time, and there weren't many unattached accounts when I last checked (that was several weeks ago, but hopefully they only decrease over timew) so this is a marginal issue.

In T348388#9917250, @Bugreporter wrote:

What I proposed is remove a large number of codes dealing with unattached users and SUL merging (see T368235); after then if user try to log in an unattached local account, it will (1) if a global account exists, automatically attach local account to SUL and try to login using global credential (local password is discarded); (2) if one does not exist, create a global account and migrate the credential to SUL, and use it to login.

If we don't care about other users of CentralAuth, we should probably just get rid of all the auto-merge logic, and just fail for unattached accounts and tell the user to ask for help. That would get rid of a fair amount of code in CentralAuthPrimaryAuthenticationProvider.

I have mixed feelings about potentially breaking other wikis just to get rid of code that's not problematic to maintain, although use of CentralAuth by third parties isn't officially supported. (But some major wiki farms like Miraheze do use it.) T359116 will probably involve breaking changes anyway, so that's why I would want to roll this into that project.

Bugreporter added a comment.Jun 24 2024, 4:15 PM

potentially breaking other wikis just to get rid of code that's not problematic to maintain

Note: In my proposal the only drawback is (after running migration script) all unattached accounts will become attached regardless of password and email, so local accounts that should not be merged must be renamed to other unique name first.

Krinkle mentioned this in T242712: Deprecation (if possible) of the #central channel on irc.wikimedia.org.Jun 24 2024, 5:07 PM
akosiaris subscribed.Jun 25 2024, 3:08 PM
Tgr closed subtask T354701: Enable migration of WebAuthn credentials to central domain as Resolved.Jun 25 2024, 8:48 PM
Tgr mentioned this in T369180: Ensure no AuthenticationRequests are added to the local login flow in SUL3 mode.Jul 3 2024, 3:12 PM
Tgr mentioned this in T369467: SUL3: Consider adding interstitial when the user is already logged in centrally.Jul 7 2024, 7:12 PM
Tgr mentioned this in T369668: Figure out how to handle "remember me" flag in SUL3 login flow.Jul 9 2024, 8:56 PM
Tgr mentioned this in T370692: Review mobile login UX for SUL3.Jul 22 2024, 6:33 PM
Tgr changed the status of subtask T354482: Clean up login.wikimedia.org ahead of SUL3 login from Open to Stalled.Jul 31 2024, 10:58 PM
Tsevener mentioned this in T230043: Add WebAuthn support to Mobile apps.Aug 29 2024, 1:02 PM
Sjoerddebruin mentioned this in T372702: editors are repeatedly getting logged out (August 2024).Aug 29 2024, 3:12 PM
Tgr mentioned this in T375787: Cookie-based feature flag for SUL3.Sep 26 2024, 5:47 PM
Tgr added a subtask: T375787: Cookie-based feature flag for SUL3.
DAlangi_WMF changed the status of subtask T375787: Cookie-based feature flag for SUL3 from Open to In Progress.Sep 27 2024, 8:59 AM
DerHexer subscribed.Sep 27 2024, 10:44 AM
Johannnes89 subscribed.Sep 27 2024, 11:16 AM
Tgr mentioned this in T375954: Create SUL3 rollout plan for Wikimedia production.Sep 28 2024, 11:50 AM
Tgr removed a subtask: T375787: Cookie-based feature flag for SUL3.
Tgr added a subtask: T375954: Create SUL3 rollout plan for Wikimedia production.Sep 29 2024, 6:42 PM
Tgr mentioned this in T376021: Migrate WebAuthn on Wikimedia wikis to central domain.Sep 30 2024, 10:04 AM
Tgr added a subtask: T370692: Review mobile login UX for SUL3.Oct 1 2024, 6:31 PM
Yahya subscribed.Oct 3 2024, 10:30 PM
ReaperDawn subscribed.Oct 14 2024, 11:19 AM
Dringsim subscribed.Oct 14 2024, 1:48 PM
JTweed-WMF closed subtask T364941: Decide on the login flow in MediaWiki under SUL3 as Declined.Oct 28 2024, 5:23 PM
JTweed-WMF changed the status of subtask T364941: Decide on the login flow in MediaWiki under SUL3 from Declined to Resolved.
Tgr mentioned this in T378722: Application Security Review Request : SUL3.Oct 31 2024, 2:33 PM
Tgr added a subtask: T378722: Application Security Review Request : SUL3.
revi subscribed.Oct 31 2024, 4:33 PM
JTweed-WMF closed subtask T359926: Test cross-domain cookie access with the Storage Access API and Related Website Sets as Resolved.Nov 13 2024, 1:13 PM
JTweed-WMF closed subtask T360104: Test cross-domain cookie access with OAuth-style popup + redirect workflow as Declined.
JTweed-WMF closed subtask T363706: Register Wikimedia wikis as a Related Website Set as Declined.Nov 13 2024, 1:18 PM
JTweed-WMF closed subtask T370692: Review mobile login UX for SUL3 as Resolved.Nov 13 2024, 1:24 PM
Tgr closed subtask T354482: Clean up login.wikimedia.org ahead of SUL3 login as Declined.Nov 13 2024, 7:48 PM
sbassett changed the status of subtask T378722: Application Security Review Request : SUL3 from Open to In Progress.Nov 22 2024, 5:22 PM
JTweed-WMF closed subtask T375954: Create SUL3 rollout plan for Wikimedia production as Resolved.Nov 27 2024, 2:56 PM
JTweed-WMF renamed this task from Use central login wiki for login (SUL3) to SUL3: Use a dedicated domain for login and account creation.Dec 6 2024, 11:55 AM
JTweed-WMF added a project: Epic.
JTweed-WMF updated the task description. (Show Details)
sbassett closed subtask T378722: Application Security Review Request : SUL3 as Resolved.Dec 20 2024, 5:35 PM
Daimona subscribed.Jan 14 2025, 6:59 PM
Tgr added a subtask: T383729: SUL3 Phase 0: Account creation and login on test wikis.Jan 14 2025, 8:16 PM
Tgr closed subtask T383729: SUL3 Phase 0: Account creation and login on test wikis as Resolved.Jan 15 2025, 5:00 PM
JTweed-WMF triaged this task as High priority.Jan 17 2025, 11:47 AM
JTweed-WMF edited projects, added MediaWiki-Platform-Team (Roadmap); removed MediaWiki-Platform-Team.
JTweed-WMF moved this task from Now to Supporting on the MediaWiki-Platform-Team (Roadmap) board.Jan 17 2025, 12:20 PM
JTweed-WMF edited projects, added Goal; removed Epic.
JTweed-WMF added a project: OKR-Work.
JTweed-WMF removed a project: Goal.Jan 17 2025, 12:30 PM
JTweed-WMF added a project: Goal.
Tgr closed subtask T368037: Estimate impact of SUL3 on bots as Declined.Jan 20 2025, 2:52 PM
TheDJ added a comment.Feb 12 2025, 9:39 AM

I know username policies etc have been discussed in the past wrt this project, but I can't find back where...

Has thought been put into how the centralised system can help with that ? Maybe it is an idea to have some sort of customisable local steps (local pre and post onboarding screens/interstitials or something ?)

Tgr added a comment.Feb 16 2025, 8:08 PM

Original task description, for history and search:

CentralAuth relies on the concept of a central login wiki (e.g. login.wikimedia.org for Wikimedia wikis), but (despite what the terminology might suggest) it's not where login actually happens. Users enter their credentials in their home wiki and get logged in there, and the the central login wiki is used, through an elaborate series of redirects, to create a central session (essentially, a cookie stored on the central login wiki) and look up it to authenticate the user on other wikis.

This has the benefit that the user never leaves the wiki they are familiar with and the wiki community can customize the login and signup page (e.g. indicate username requirements specific to that wiki), and and administrative tools such as blocks and AbuseFilter filters also behave more naturally. But it causes a lot of problems:

  • Since the user expects they might need to enter their password on any wiki (even more so with central login not working reliably), an XSS vulnerability on any wiki can easily be escalated into password theft. It's hard to meaningfully monitor hundreds of wikis, and these wikis are often by design less secure than the central login wiki (more people can deploy sitewide JS, there are more gadgets and so potentially more vulnerabilities etc). A separate wiki that's only used for entering login credentials could easily be locked down to the extent where XSS on another wiki in the same farm cannot be used to interfere with login. ({T190019})
  • The redirects used for central login are indistinguishable from user tracking, from a browser's perspective; and browsers increasingly break it to prevent tracking. (T345249: Mitigate phase-out of third-party cookies in CentralAuth)
  • Related to the previous point, the authentication flows that browser vendors expect all involve a single SSO domain (without the historical baggage of CentralAuth, it's just a much more natural way of doing things) so that's what they build their heuristics on (e.g. they consider it suspicious if a domain wants to set cookies but the user has never interacted with it) and that assumption is built into web APIs (e.g. the concept of a service domain in T345589: Investigate the First-Party Sets / Related Website Sets browser API or the login flow in T335851: Investigate the Federated Credential Management browser API).
  • Various authentication-related data is stored per domain by the browser (e.g. cookies, passwords, WebAuthn T248339: Decide how to deal with WebAuthn login/registration flow on Wikimedia wikis in future) so having many wikis severely degrades the user experience of authentication, and degrades privacy (e.g. there is no practical way to delete your authn cookies on all Wikimedia projects) and security (it's easier to notice you are being phished if you always log in on the same domain, e.g. because you can expect the password to be prefilled).

We need to disable local login and use a central, single location where the user interacts with credentials. This includes at least login, signup, password change, password reset; arguably also bot passwords and OAuth.

There are a couple ways to do this:

  • Minimal-effort version: Have Special:UserLogin etc. redirect to loginwiki, do the user interaction there (if the user is already logged in, probably just show a button to confirm identity, to fulfill interaction requirements for bounce tracking prevention heuristics), redirect back on success or failure and prove to the other wiki what happened. Everything else is kept as-is. (Note: the MediaWiki / CentralAuth code change needed for this is pretty small, but many bots and apps would have to be updated, so on the whole not a small project nevertheless.) Or maybe instead of redirection, embed the relevant loginwiki form as an iframe.
  • Use FedCM (T335851: Investigate the Federated Credential Management browser API) if it becomes available, which is vaguely similar (and requires a non-FedCM fallback in any case, for older browsers and non-browsers) but requires a couple extra APIs and a "popup" layout for the login form.
  • As above, but also rethink session handling (as the half dozen auth cookies used by MediaWiki don't make that much sense when login is happening elsewhere) and use something like JWT cookies (e.g. OAuth 2 access tokens) instead.
  • The same but (taking advantage of using an industry-standard format for sessions) replace loginwiki entirely with a small dedicated app to reduce attack surface (cf T120484: Store CentralAuth password hashes outside the main database cluster). Note that this would affect a number of important steward workflows so it needs careful investigation.

These options could also be done as successive stages (at the cost of some overhead).

Tgr added a comment.Feb 16 2025, 8:10 PM
In T348388#10543403, @TheDJ wrote:

I know username policies etc have been discussed in the past wrt this project, but I can't find back where...

Has thought been put into how the centralised system can help with that ? Maybe it is an idea to have some sort of customisable local steps (local pre and post onboarding screens/interstitials or something ?)

After T363695: Create a Wikimedia login domain that can be served by any wiki the system ended up less centralized than we originally thought; the interaction with username blacklists, abuse filters etc. should be identical to before.

Sdrqaz subscribed.Feb 20 2025, 11:42 AM
TheDJ added a comment.Feb 24 2025, 2:57 PM
In T348388#10555816, @Tgr wrote:
In T348388#10543403, @TheDJ wrote:

I know username policies etc have been discussed in the past wrt this project, but I can't find back where...

Has thought been put into how the centralised system can help with that ? Maybe it is an idea to have some sort of customisable local steps (local pre and post onboarding screens/interstitials or something ?)

After T363695: Create a Wikimedia login domain that can be served by any wiki the system ended up less centralized than we originally thought; the interaction with username blacklists, abuse filters etc. should be identical to before.

Thank you for confirming @Tgr !

Tgr closed subtask T363695: Create a Wikimedia login domain that can be served by any wiki as Resolved.Mar 6 2025, 11:06 PM
Tgr closed subtask T356614: Do not do central login after security reauthentication as Invalid.Apr 7 2025, 9:11 PM
Tgr closed subtask T362713: Implement the new login process which redirects to the central login wiki for showing the login/signup form as Resolved.
Tgr added a comment.Apr 7 2025, 9:18 PM

In scope:

  • Moving login, account creation, password change and reset to a dedicated domain
  • Ensuring that autologin still functions as today, requiring users to sign in only once
  • Full compatibility with existing CheckUser workflows, including cross-wiki on loginwiki
  • Full compatibility with temporary accounts and supporting their rollout

I think this is now done except for two things that are borderline in scope:

I think we can close this and track those two edge cases in their own tasks.

Arendpieter subscribed.Apr 7 2025, 9:57 PM

login.wikimedia.org is currently only used for cross-wiki CheckUser checks, which can also be performed on meta.wikimedia.org. Therefore, can login.wikimedia.org be deprecated? Should an issue be created for this?

Diskdance mentioned this in T321708: MediaWiki should support passwordless login with passkeys.Apr 8 2025, 9:56 AM
matmarex removed a subtask: T354701: Enable migration of WebAuthn credentials to central domain.Apr 8 2025, 6:56 PM
Tgr added a comment.Apr 8 2025, 8:23 PM
In T348388#10719519, @Arendpieter wrote:

login.wikimedia.org is currently only used for cross-wiki CheckUser checks, which can also be performed on meta.wikimedia.org. Therefore, can login.wikimedia.org be deprecated?

Deprecated meaning, deleted? Or not used for CheckUser anymore? I think using meta instead would be nice as it seems like it might fit better into stewards' workflows. But I don't understand those workflows very well so I'd defer to the stewards on this.

Other than CheckUser, it won't be used for anything else. (Right now it's still checked for autologin, since we are migrating existing login sessions from login.wikimedia.org to auth.wikimedia.org. See T391284: Swap order of central autologin lookup for loginwiki and shared domain.

JJMC89 subscribed.Apr 9 2025, 12:12 AM
In T348388#10719519, @Arendpieter wrote:

login.wikimedia.org is currently only used for cross-wiki CheckUser checks, which can also be performed on meta.wikimedia.org.

While true from a technical perspective, it is not true from a policy/social perspective. Without a change in policy, stewards cannot CU on metawiki without also being elected as CUs there since metawiki has local CUs.

In T348388#10723564, @Tgr wrote:

I think using meta instead would be nice as it seems like it might fit better into stewards' workflows. But I don't understand those workflows very well so I'd defer to the stewards on this.

While metawiki would be a better workflow fit, getting policy changed would be the hurtle.

(FYI, the CU data available on metawiki and loginwiki are not the same. The latter only ever has a single entry.)

Bugreporter mentioned this in T120484: Store CentralAuth password hashes outside the main database cluster.Apr 9 2025, 1:55 AM
matmarex closed subtask T384844: Ensure auth.wikimedia.org is added to shared-credentials list in password managers as Resolved.Apr 14 2025, 11:25 AM
Tgr closed subtask T365586: Measure user impact of using a central login / signup page as Resolved.Jul 5 2025, 10:57 AM
matmarex closed subtask T364867: Determine SUL3 cookie exchange mechanism as Declined.Tue, Jul 15, 9:20 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits