Page MenuHomePhabricator
Create Task
Maniphest T376021

Migrate or disable WebAuthn on Wikimedia wikis
Open, Needs TriagePublic
Actions

Description

WebAuthn is enabled on Wikimedia wikis but only works if you log in on the same wiki where you have enabled it (T244088: Logging in at another wiki than WebAuth was set up fails). As part of SUL3 (T348388: Use central login wiki for login (SUL3)) we are moving login to a new dedicated domain, meaning WebAuthn would never work. We need to tell its current users to either disable it (and switch to OATH presumably) or migrate it to new domain (ie. disable their current WebAuthn keys and create new ones on the new domain - WebAuthn keys are domain-bound so there is no way to reuse them). Fortunately, only a handful of people use it.

For migration, we would first need to deploy T363695: Create a Wikimedia login domain that can be served by any wiki to production, and implement T362715: Move credentials change to central login wiki at least for WebAuthn. Disabling has no dependencies, we could start that conversation any time. It would of course result in loss of functionality, but WebAuthn is kinda broken for other reasons too (see T242031: Allow multiple different 2FA devices, T244348: Recovery option for WebAuthn, T363652: publicKey.pubKeyCredParams is missing at least one of the default algorithm identifiers: ES256 and RS256, T358771: Unable to login on iPhone with Passkey Enabled, and soon T363639: web-auth/webauthn-lib must be upgraded to 4+ for PHP 8.2+ support) so probably that's not a big deal.

Related Objects
Search...

Event Timeline

Tgr created this task.Sep 30 2024, 10:04 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 30 2024, 10:04 AM
Tgr added a parent task: T375954: Create SUL 3 rollout plan for Wikimedia production.Sep 30 2024, 10:04 AM
Tgr moved this task from Backlog to Blocked / External on the SUL3 board.
Tgr moved this task from Blocked / External to Backlog on the SUL3 board.Sep 30 2024, 10:06 AM
pmiazga moved this task from Inbox, needs triage to Soon on the MediaWiki-Platform-Team board.Sep 30 2024, 2:55 PM
Reedy mentioned this in T358771: Unable to login on iPhone with Passkey Enabled.Oct 3 2024, 5:07 PM
acooper subscribed.Oct 8 2024, 12:51 PM
Tonymetz subscribed.Oct 11 2024, 2:58 AM

applying the patch in T358771 could fix a large part of this issue and enable webauthn to work across domains.

acooper added a subscriber: Reedy.Oct 11 2024, 1:40 PM
ReaperDawn subscribed.Oct 14 2024, 11:18 AM
Tgr moved this task from Backlog to Blocked / External on the SUL3 board.Oct 14 2024, 7:15 PM
Tgr moved this task from Blocked / External to Blocked on shared domains on the SUL3 board.
Tgr mentioned this in T378402: Disallow setting up new WebAuthn passkeys on Wikimedia wikis.Oct 28 2024, 6:35 PM
Tgr added a subtask: T378402: Disallow setting up new WebAuthn passkeys on Wikimedia wikis.
Reedy moved this task from Backlog to External on the MediaWiki-extensions-OATHAuth board.Nov 2 2024, 3:46 PM
Tgr moved this task from Blocked on shared domains to Ready on the SUL3 board.Wed, Nov 13, 7:45 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits