Page MenuHomePhabricator
Create Task
Maniphest T141474

Automatic start of authentication workflow for link provider (if it's the only available one)
Closed, ResolvedPublic
Actions

Description

Consider the following scenario:
A wiki sysadmin disables all authentication providers except one. This last available provider is a so called "Link provider", which needs to redirect the user to another, external authentication page, e.g. Google. Now, while the login form could probably look something like:

pasted_file (460×332 px, 21 KB)

The sysadmin would maybe want to bypass this confusing and nearly useless form and start the authentication workflow right after the user clicks the "Login" button (in the top right section of the page), or navigates to Special:UserLogin. Renaming the message key used for the login link could indicate, that it will return the user to an external site (e.g. renaming it to "Login with Google").

For this, the UserLogin page would need to check, if there's only one available primary authentication provider and if it's a link provider, that needs a redirect to an external site. It also should be configurable with a feature flag (defaults to false, means disabled).

GoogleLogin provided a similar function in an earlier version (before AuthManager) with the following implementation:

  1. User clicks the link in the top right, which redirects to Special:GoogleLogin
  2. Special:GoogleLogin starts the users session (this would, for AuthManager mean to start an authentication workflow?)
  3. Try to get the user data from Google (will fail, as there's no valid access token)
  4. Redirect the user to Google to authenticate
  5. Redirect back to Special:GoogleLogin -> anything else is the same as if this feature would be disabled

Can we implement such a feature into the AuthManager UI? :)

Details

SubjectRepoBranchLines /-
Show already logged in / security reauth message at the right timemediawiki/coremaster 13 -8
Filter GET data when bypassing the login formmediawiki/coremaster 14 -7
Bypass login page if no user input is required.mediawiki/coreREL1_27 53 -0
Bypass login page if no user input is required.mediawiki/coreREL1_28 53 -0
Bypass login page if no user input is required.mediawiki/coremaster 53 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Florian created this task.Jul 27 2016, 7:17 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 27 2016, 7:17 PM
Florian added a subtask: T141471: Login button shouldn't be displayed if no input fields are there.Jul 27 2016, 7:17 PM
Tgr added a comment.Jul 27 2016, 7:34 PM

I had some plans to turn GET into POST when the CSRF token is present and then ran into difficulties (which I don't quite remember anymore). The old code is at https://gerrit.wikimedia.org/r/#/c/240052/48/includes/specialpage/AuthManagerSpecialPage.php line 200.

Tgr added a subtask: T141478: "Keep me logged in" checkbox should not be displayed when it has no effect.Jul 27 2016, 8:02 PM
Tgr added a parent task: T110278: Improve interaction between AuthManager and the UI layer.Jul 28 2016, 12:17 AM
Anomie added a comment.Jul 28 2016, 1:44 PM

"link provider" is not accurate here. For example, a generic OpenID-based link provider might need the user to select which of several OpenID services to link to.

What you really mean is "If the only AuthenticationRequest needed contains only a button, don't make the user manually click that button" with some sort of consideration for RememberMeAuthenticationRequest.

Anomie closed subtask T141478: "Keep me logged in" checkbox should not be displayed when it has no effect as Invalid.Jul 28 2016, 2:06 PM
Florian closed subtask T141471: Login button shouldn't be displayed if no input fields are there as Resolved.Aug 22 2016, 10:11 PM
Tgr mentioned this in T110464: Update PluggableAuth to use AuthManager.Sep 17 2016, 10:06 PM
Tgr added a comment.Sep 20 2016, 1:19 AM

Some problems that would have to be considered:

  • do we still require the user to click on the login link, or can login be fully automatic (and triggered by a session provider, or some new mechanism added to AuthManager)? Autologin (if it works by redirecting an arbitrary page, as discussed in T110464) has some usability warts (e.g. the user might lose data if the session times out while they are editing a page). CentralAuth has some nice mechanics (load a special page as a JS file, use that request to log in, use the returned JS script to update the page so that it looks logged in) but that seems a bit too complex for core.
  • do we care about CSRF attacks? Especially if the provider also does autocreation, an attacker can just send the visitor to a wiki and see what user is autocreated to identify them. An alternative would be that autologin only works with a CSRF token in the URL, but that would make logged-out pageviews uncacheable since the login link would have to be manipulated on every page. (Alternatively it could be done from Javascript but eww.)
  • how do you set "remember me" if you don't show it to the user? We must disable it since they might be on a shared computer, but that's annoying for people who use the wiki a lot from their home computer. We might want to find some way to change the session to remembered after login is finished.
  • we are generally trying to do DB writes on POST, to be multi-datacenter-friendly. This is not terribly important because 1) login usually does not write to the DB (but might, if the user token is missing, or a provider decides to update user details from a remote source) and 2) Wikimedia probably won't use auto-login and other sites probably won't use multi-DC. Still, would be nice to do if it's not hard.
gerritbot subscribed.Sep 30 2016, 7:31 PM

Change 312865 had a related patch set uploaded (by Cicalese):
Bypass login page if no user input is required.

https://gerrit.wikimedia.org/r/312865

gerritbot added a project: Patch-For-Review.Sep 30 2016, 7:31 PM
Tgr added subscribers: dpatrick, Bawolff.Sep 30 2016, 7:51 PM

@dpatrick, @Bawolff: the patch above will make a visit to Special:UserLogin result in automatic login if none of the configured authentication providers require user interaction (this typically means that there is a single primary provider and it uses redirect flow). As far as I see there is no way to do this in a CSRF-safe fashion. That seems to be a limited concern in practice; CentralAuth already makes it possible to log someone in on a given wiki via CSRF when they are logged in globally, and although there were some complaints (T21161) we don't plan to do anything about that. So it seems OK to me but I'd like a nod from someone from Security. (Note, this doesn't affect Wikimedia as one would have to disable all password-based login for it to happen.)

cicalese subscribed.Oct 3 2016, 12:37 PM
Florian added a project: acl*security.Nov 4 2016, 9:14 PM

As there's no feedback so far, I add the Security tag (hopefully that is the security team) to bring this up to all security team members :)

dpatrick edited projects, added deprecated-security-team-reviews; removed acl*security.Nov 8 2016, 9:39 PM
gerritbot added a comment.Nov 24 2016, 10:59 PM

Change 312865 merged by jenkins-bot:
Bypass login page if no user input is required.

https://gerrit.wikimedia.org/r/312865

gerritbot added a comment.Nov 26 2016, 3:17 AM

Change 323644 had a related patch set uploaded (by Cicalese):
Bypass login page if no user input is required.

https://gerrit.wikimedia.org/r/323644

gerritbot added a comment.Nov 26 2016, 3:37 AM

Change 323644 merged by jenkins-bot:
Bypass login page if no user input is required.

https://gerrit.wikimedia.org/r/323644

gerritbot added a comment.Nov 26 2016, 3:44 AM

Change 323645 had a related patch set uploaded (by Gergő Tisza):
Filter GET data when bypassing the login form

https://gerrit.wikimedia.org/r/323645

gerritbot added a comment.Nov 26 2016, 3:52 AM

Change 323646 had a related patch set uploaded (by Cicalese):
Bypass login page if no user input is required.

https://gerrit.wikimedia.org/r/323646

gerritbot added a comment.Nov 26 2016, 5:05 AM

Change 323646 merged by jenkins-bot:
Bypass login page if no user input is required.

https://gerrit.wikimedia.org/r/323646

gerritbot added a comment.Nov 28 2016, 12:02 AM

Change 323786 had a related patch set uploaded (by Gergő Tisza):
Show already logged in / security reauth message at the right time

https://gerrit.wikimedia.org/r/323786

dpatrick moved this task from Incoming to In Progress on the deprecated-security-team-reviews board.Feb 7 2017, 5:35 PM
Tgr added a project: User-Tgr.May 2 2017, 12:22 PM
Florian closed this task as Resolved.Jun 14 2017, 3:22 PM
Florian assigned this task to Tgr.

Not sure why, but this seems to be resolved already. It works pretty well (at least with GoogleLogin, if it is the only authentication provider) and all changes are merged :)

Tgr reassigned this task from Tgr to cicalese.Jun 14 2017, 5:04 PM

This was fixed in https://gerrit.wikimedia.org/r/#/c/323646/ . The last change is not merged but I guess not strictly part of the task.

Tgr moved this task from Backlog to Done on the User-Tgr board.Nov 13 2017, 7:19 AM
Anomie mentioned this in T186831: Login page does not link to registration page when a login attempt results in a RESTART response.Feb 8 2018, 10:29 PM
sbassett moved this task from In Progress to Done on the deprecated-security-team-reviews board.Jul 9 2019, 8:15 PM
chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:13 PM
Aklapper removed subscribers: dpatrick, Anomie.Oct 16 2020, 5:39 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits