Page MenuHomePhabricator
Create Task
Maniphest T378402

Disallow setting up new WebAuthn passkeys on Wikimedia wikis
Closed, ResolvedPublic
Actions

Description

WebAuthn is kinda broken on Wikimedia wikis (T376021: Migrate WebAuthn on Wikimedia wikis to central domain), and during the SUL3 rollout people's login domain will change as they get opted into the experiment, breaking WebAuthn fully. We'll follow up with the few existing users and explain they'll need to switch to OATH for now, but first, let's disallow enabling WebAuthn for more users (using the mechanism created in T354701: Enable migration of WebAuthn credentials to central domain).

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Allow creating new WebAuthn passkeys on private wikisoperations/mediawiki-configmaster+2 -1
Disable new WebAuthn credentials creation on local domainsoperations/mediawiki-configmaster+5 -0
Revert "Disable new WebAuthn credentials creation"operations/mediawiki-configmaster+0 -4
Disable new WebAuthn credentials creationoperations/mediawiki-configmaster+4 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Tgr created this task.Oct 28 2024, 6:35 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 28 2024, 6:35 PM
Tgr added a parent task: T376021: Migrate WebAuthn on Wikimedia wikis to central domain.Oct 28 2024, 6:36 PM
Tgr added a project: MediaWiki-Platform-Team.
Reedy edited projects, added Wikimedia-Site-requests; removed MediaWiki-extensions-OATHAuth.Oct 28 2024, 7:11 PM
Tgr added a project: User-notice.Oct 30 2024, 12:56 PM

We should probably mention this in Tech News, and only deploy the config change once that mention is out.

UOzurumba subscribed.Oct 30 2024, 7:04 PM

Hello @Tgr,
Tech News - What wording would you suggest as the content, and When should it be included? Thanks!

UOzurumba moved this task from To Triage to Not ready to announce on the User-notice board.Oct 30 2024, 7:57 PM
Tgr added a comment.Oct 30 2024, 8:13 PM

I guess I really should write a wiki page for SUL3 first so there's some context on why we do this that does not require reading Phabricator tickets.

UOzurumba added a comment.Oct 31 2024, 5:29 PM
In T378402#10278881, @Tgr wrote:

I guess I really should write a wiki page for SUL3 first so there's some context on why we do this that does not require reading Phabricator tickets.

Okay, please let me know once you are ready for this to be announced. Thank you!

larissagaulia assigned this task to pmiazga.Nov 19 2024, 4:30 PM
larissagaulia updated Other Assignee, added: pmiazga.
Tgr moved this task from Backlog to In progress on the SUL3 board.Nov 24 2024, 3:56 PM
JTweed-WMF moved this task from Inbox, needs triage to Needs refinement on the MediaWiki-Platform-Team board.Dec 2 2024, 4:03 PM
pmiazga updated Other Assignee, removed: pmiazga.Jan 13 2025, 3:24 PM
pmiazga added a comment.Jan 14 2025, 4:02 PM

We could do a trick and use the maxKeysPerUser config variable - set it to 0.

This would hide the add button and disallow submitting the form. However, if someone knows the URL and visits the new key page manually - the error message would be:

Maximum of 0 keys can be registered

As this is a temporary measure I think it's more than enough and we do not need to create a special message.

pmiazga moved this task from Needs refinement to In progress on the MediaWiki-Platform-Team board.Jan 20 2025, 3:24 PM
pmiazga added a subscriber: ArielGlenn.Jan 21 2025, 1:46 PM

Looks this is already supported via config - T354701. Thanks @ArielGlenn

gerritbot added a comment.Jan 21 2025, 1:49 PM

Change #1113141 had a related patch set uploaded (by Pmiazga; author: Pmiazga):

[operations/mediawiki-config@master] Disable new WebAuthn credentials creation

https://gerrit.wikimedia.org/r/1113141

gerritbot added a project: Patch-For-Review.Jan 21 2025, 1:49 PM
Tgr moved this task from Not ready to announce to Announce in next Tech/News on the User-notice board.Jan 21 2025, 3:36 PM
In T378402#10282148, @UOzurumba wrote:

Okay, please let me know once you are ready for this to be announced. Thank you!

How about

Wikimedia wikis allow WebAuthn checks (such as hardware tokens) during login, but the feature is fragile and has very few users. We are temporarily disabling adding new WebAuthn keys, to avoid interfering with the rollout of SUL3. Existing keys are unaffected.

Quiddity moved this task from Announce in next Tech/News to In current Tech/News draft on the User-notice board.Jan 24 2025, 2:24 AM
Quiddity subscribed.Jan 24 2025, 2:28 AM

@Tgr Thanks! I've added it using this wording. If it needs correcting or any additions, please do so within the next ~18 hours, after which it will be frozen for translation. (Changes from your draft are bolded)

For developers considering using WebAuthn: Wikimedia wikis allow WebAuthn checks (such as hardware tokens) during login, but the feature is fragile and has very few users. The MediaWiki Platform team is temporarily disabling adding new WebAuthn keys, to avoid interfering with the rollout of SUL3 (single user login version 3). Existing keys are unaffected. [2]

Tgr added a comment.Jan 24 2025, 1:31 PM

Thanks @Quiddity! It's a login mechanism (an alternative to TOTP, available to the same group of people, ie. mostly to privileged users), not a developer feature. I updated the wording on the wiki, please check if it makes sense.

Quiddity moved this task from In current Tech/News draft to Already announced/Archive on the User-notice board.Jan 31 2025, 5:44 PM
gerritbot added a comment.Feb 6 2025, 2:08 PM

Change #1113141 merged by jenkins-bot:

[operations/mediawiki-config@master] Disable new WebAuthn credentials creation

https://gerrit.wikimedia.org/r/1113141

Stashbot mentioned this in T354701: Enable migration of WebAuthn credentials to central domain.Feb 6 2025, 2:08 PM

Mentioned in SAL (#wikimedia-operations) [2025-02-06T14:08:54Z] <urbanecm@deploy2002> Started scap sync-world: Backport for [[gerrit:1113141|Disable new WebAuthn credentials creation (T378402 T354701)]]

Stashbot added a comment.Feb 6 2025, 2:11 PM

Mentioned in SAL (#wikimedia-operations) [2025-02-06T14:11:33Z] <urbanecm@deploy2002> pmiazga, urbanecm: Backport for [[gerrit:1113141|Disable new WebAuthn credentials creation (T378402 T354701)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Stashbot added a comment.Feb 6 2025, 2:22 PM

Mentioned in SAL (#wikimedia-operations) [2025-02-06T14:22:55Z] <urbanecm@deploy2002> Finished scap sync-world: Backport for [[gerrit:1113141|Disable new WebAuthn credentials creation (T378402 T354701)]] (duration: 14m 00s)

Maintenance_bot removed a project: Patch-For-Review.Feb 6 2025, 2:30 PM
pmiazga closed this task as Resolved.Feb 6 2025, 2:30 PM

Landed on production. Tested scenarios:

✅ Check logging-in and logging out when using existing 2FA Webauthn key
✅ After removing the 2FA key there shouldn't be an option to register new one.
✅ After removing the 2FA key login/logout works
✅ Enable TOTP and try to log-in logout

Maintenance_bot edited projects, added User-notice-archive; removed User-notice.Feb 19 2025, 11:29 AM
Tgr mentioned this in T389064: Notify WebAuthn users about SUL3 changes.Mar 17 2025, 12:52 PM
gerritbot added a comment.Mar 17 2025, 1:00 PM

Change #1128403 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[operations/mediawiki-config@master] Revert "Disable new WebAuthn credentials creation"

https://gerrit.wikimedia.org/r/1128403

gerritbot added a project: Patch-For-Review.Mar 17 2025, 1:00 PM
gerritbot added a comment.Mar 17 2025, 1:05 PM

Change #1128403 merged by jenkins-bot:

[operations/mediawiki-config@master] Revert "Disable new WebAuthn credentials creation"

https://gerrit.wikimedia.org/r/1128403

Stashbot mentioned this in T342172: Icons: sqwiktionary logo icon should be localized to language.Mar 17 2025, 1:06 PM

Mentioned in SAL (#wikimedia-operations) [2025-03-17T13:06:22Z] <tgr@deploy2002> Started scap sync-world: Backport for [[gerrit:1128403|Revert "Disable new WebAuthn credentials creation" (T378402 T389064)]], [[gerrit:1128032|sqwiktionary: update logo, wordmark, tagline and icon (T342172)]], [[gerrit:1126533|Growth: eswiki+cswiki - enable new way of refreshing LinkRecommendations (T386250)]]

Stashbot mentioned this in T386250: Rewrite refreshLinkRecommendations to not iterate through article topics.Mar 17 2025, 1:06 PM
Stashbot added a comment.Mar 17 2025, 1:10 PM

Mentioned in SAL (#wikimedia-operations) [2025-03-17T13:10:17Z] <tgr@deploy2002> tgr, migr, anzx: Backport for [[gerrit:1128403|Revert "Disable new WebAuthn credentials creation" (T378402 T389064)]], [[gerrit:1128032|sqwiktionary: update logo, wordmark, tagline and icon (T342172)]], [[gerrit:1126533|Growth: eswiki+cswiki - enable new way of refreshing LinkRecommendations (T386250)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Stashbot added a comment.Mar 17 2025, 1:19 PM

Mentioned in SAL (#wikimedia-operations) [2025-03-17T13:19:49Z] <tgr@deploy2002> Finished scap sync-world: Backport for [[gerrit:1128403|Revert "Disable new WebAuthn credentials creation" (T378402 T389064)]], [[gerrit:1128032|sqwiktionary: update logo, wordmark, tagline and icon (T342172)]], [[gerrit:1126533|Growth: eswiki+cswiki - enable new way of refreshing LinkRecommendations (T386250)]] (duration: 13m 27s)

Maintenance_bot removed a project: Patch-For-Review.Mar 17 2025, 1:30 PM
Reedy reopened this task as Open.Mar 19 2025, 4:33 PM
Tgr closed this task as Resolved.Mar 19 2025, 10:32 PM

This is done, it's just not being used anymore. The plan was to notify WebAuthn users this week to migrate their keys to the shared domain; due to various complications that didn't happen yet, but will soon. At that point they will need to be able to create new passkeys.

Reedy subscribed.Mar 19 2025, 10:42 PM

Not being used anymore?

T389379: Cannot enable WebAuthn seems to suggest people are being allowed to try and move...

Tgr added a comment.Mar 20 2025, 12:26 AM

I mean, the disabling functionality is not being used anymore. I turned it off on Monday, a bit prematurely as it turns out because the SUL3 login rollout got sidetracked on other problems, but once it resumes, WebAuthn users will need to be able to replace the old passkey with a new one for auth.wikimedia.org. Do you see a problem with that? We can re-disable it and ask people to switch to TOTP if necessary, but it seemed easier to just let them create a new passkey. Granted, I didn't test that functionality yet.

Tgr added a comment.Mar 20 2025, 12:27 AM

(T389064: Notify WebAuthn users about SUL3 changes is the relvant task.)

gerritbot added a comment.Mar 26 2025, 11:52 PM

Change #1131482 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[operations/mediawiki-config@master] Disable new WebAuthn credentials creation on local domains

https://gerrit.wikimedia.org/r/1131482

gerritbot added a project: Patch-For-Review.Mar 26 2025, 11:52 PM
gerritbot added a comment.Mar 27 2025, 10:23 PM

Change #1131482 merged by jenkins-bot:

[operations/mediawiki-config@master] Disable new WebAuthn credentials creation on local domains

https://gerrit.wikimedia.org/r/1131482

Stashbot added a comment.Mar 27 2025, 10:23 PM

Mentioned in SAL (#wikimedia-operations) [2025-03-27T22:23:39Z] <thcipriani@deploy1003> Started scap sync-world: Backport for [[gerrit:1131482|Disable new WebAuthn credentials creation on local domains (T378402 T354701)]]

Stashbot added a comment.Mar 27 2025, 10:28 PM

Mentioned in SAL (#wikimedia-operations) [2025-03-27T22:28:03Z] <thcipriani@deploy1003> tgr, thcipriani: Backport for [[gerrit:1131482|Disable new WebAuthn credentials creation on local domains (T378402 T354701)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Stashbot added a comment.Mar 27 2025, 10:40 PM

Mentioned in SAL (#wikimedia-operations) [2025-03-27T22:40:42Z] <thcipriani@deploy1003> Finished scap sync-world: Backport for [[gerrit:1131482|Disable new WebAuthn credentials creation on local domains (T378402 T354701)]] (duration: 17m 03s)

Maintenance_bot removed a project: Patch-For-Review.Mar 27 2025, 11:30 PM
gerritbot added a comment.Sep 11 2025, 3:18 PM

Change #1187476 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[operations/mediawiki-config@master] Allow creating new WebAuthn passkeys on private wikis

https://gerrit.wikimedia.org/r/1187476

gerritbot added a project: Patch-For-Review.Sep 11 2025, 3:18 PM
gerritbot added a comment.Sep 15 2025, 8:37 PM

Change #1187476 merged by jenkins-bot:

[operations/mediawiki-config@master] Allow creating new WebAuthn passkeys on private wikis

https://gerrit.wikimedia.org/r/1187476

Stashbot mentioned this in T393473: Most authentication providers are disabled during autocreation on local domain (SUL3 mode).Sep 15 2025, 8:49 PM

Mentioned in SAL (#wikimedia-operations) [2025-09-15T20:49:56Z] <tgr@deploy1003> Started scap sync-world: Backport for [[gerrit:1187476|Allow creating new WebAuthn passkeys on private wikis (T378402 T354701)]], [[gerrit:1187980|Allow ClosedWikiProvider on the local domain on SUL wikis (T393473 T401640)]], [[gerrit:1188420|session: Cache JWT JTI in CookieSessionProvider (T399200)]]

Stashbot mentioned this in T399200: Update existing cookie-based sessions to include JWT cookie.Sep 15 2025, 8:50 PM
Stashbot mentioned this in T401640: ClosedWikiProvider stopped working.
Stashbot added a comment.Sep 15 2025, 8:56 PM

Mentioned in SAL (#wikimedia-operations) [2025-09-15T20:56:19Z] <tgr@deploy1003> tgr: Backport for [[gerrit:1187476|Allow creating new WebAuthn passkeys on private wikis (T378402 T354701)]], [[gerrit:1187980|Allow ClosedWikiProvider on the local domain on SUL wikis (T393473 T401640)]], [[gerrit:1188420|session: Cache JWT JTI in CookieSessionProvider (T399200)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Stashbot added a comment.Sep 15 2025, 9:07 PM

Mentioned in SAL (#wikimedia-operations) [2025-09-15T21:07:19Z] <tgr@deploy1003> Finished scap sync-world: Backport for [[gerrit:1187476|Allow creating new WebAuthn passkeys on private wikis (T378402 T354701)]], [[gerrit:1187980|Allow ClosedWikiProvider on the local domain on SUL wikis (T393473 T401640)]], [[gerrit:1188420|session: Cache JWT JTI in CookieSessionProvider (T399200)]] (duration: 17m 23s)

Maintenance_bot removed a project: Patch-For-Review.Sep 15 2025, 9:31 PM
Quiddity unsubscribed.Sep 16 2025, 11:45 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits