Create Task
Maniphest T363695

Create a Wikimedia login domain that can be served by any wiki
Closed, ResolvedPublic
Actions

Description

For Wikimedia's central login system (SUL), we want to have a a single domain for storing a central session cookie that other domains (wikis) can rely on for authentication; and we want to do interactive login on that domain (T348388: SUL3: Use a dedicated domain for login and account creation - because browsers increasingly require user interaction with the cookie-storing domain before giving access to cookies); but we want the interaction on that domain to be similar to the interaction on the wiki where the user is logging in (in terms of i18n customizations, AbuseFilter/SpamBlacklist username rules etc).

One way to do this would be for the central login wiki's login page to fetch the relevant information from the origin wiki in a bunch of API calls and customize itself accordingly. This seems like a lot of effort with a long tail of small inconsistencies that will take forever to squash. An alternative approach would be to use a new domain, say https://sso.wikimedia.org/<wiki hostname>/, which would to resolve to the wiki specified in <wiki hostname> (ie. this page would be served by the same wiki from which the user started the login process, but under a different domain). We would limit what URLs can be accessed on this new domain, and add a bunch of config/hook overrides, like limiting what pages can be viewed and limiting user rights to only those needed for login, and maybe splitting some caches.

This would hugely simplify how displaying the central login page would work, although it would complicate the configuration system. I think (although I am not very sure) it would be a simpler approach on the net. It would also be a mixed change in terms of security - the login domain would be very much locked down compared to login.wikimedia.org (a real wiki), which is good, but it could be served by any wiki, ie. any backend code deployed in the Wikimedia cluster could potentially run on it, which is bad.

Also, for the reasons explained in T348388: SUL3: Use a dedicated domain for login and account creation, the URL used for interacting with cookies on the login domain will have to be user-visible (unless we use an iframe, which has security and browser compatibility disadvantages). Given "wikimedia" is less widely recognized than "wikipedia", this might pose its own UX challenges.

See also:

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Update CentralAuth multi-DC rules for SUL3, attempt 2operations/puppetproduction+35 -5
Update CentralAuth multi-DC rules for SUL3operations/puppetproduction+5 -3
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT345245 Mitigate phase-out of third-party cookies in Wikimedia production
 Resolved TgrT345249 Mitigate phase-out of third-party cookies in CentralAuth
 ResolvedOWresch-WMFT348388 SUL3: Use a dedicated domain for login and account creation
 Resolved TgrT363695 Create a Wikimedia login domain that can be served by any wiki
 Resolved TgrT365162 Set up sso.wikimedia.beta.wmflabs.org with config-layer routing to other wikis
 ResolvedsbassettT367995 Security Preview for shared login domain
 Resolved TgrT373738 Audit special pages used on the SUL3 shared login domain for disallowing user JS
 Declined TgrT373737 Disable irrelevant extensions on SUL3 login domain
 Resolved TgrT373732 Audit SUL3 shared-domain i18n messages for XSS
 ResolvedSecurity TgrT379677 FancyCaptcha uses unescaped i18n messages
 ResolvedmatmarexT45646 "MediaWiki:Copyright" message allows raw HTML
 ResolvedmatmarexT371530 Support cross-domain $wgLoadScript URLs in ResourceLoader
 ResolvedArielGlennT371267 Create a script to backfill missing local accounts on loginwiki/metawiki for new global accounts
 ResolvedArielGlennT368230 Investigate missing loginwiki accounts
 ResolvedmatmarexT371596 Preserve mobile domain when using the shared login domain
 ResolvedmatmarexT371609 Rewrite URLs when using the shared login domain
 ResolvedArielGlennT378401 Start running backfillLocalAccounts.php
 ResolvedJTweed-WMFT375954 Create SUL3 rollout plan for Wikimedia production
 ResolvedDAlangi_WMFT375787 Cookie-based feature flag for SUL3
 DeclinedFeature TgrT377140 Adapt user experience to expose the progressive rollout with a fallback link
 ResolvedDAlangi_WMFT377924 [SUL3] Make the `usesul3=0` query parameter work as the inverse of `usesul3=1`
 Resolved TgrT377142 Improve code quality for SUL3 shared domain logic
 ResolvedArielGlennT377144 Create method for deterministically opting new users into SUL3 rollout
 ResolvedArielGlennT384549 Create a per-user flag for enabling SUL3
 Resolved TgrT365586 Measure user impact of using a central login / signup page
 ResolvedpmiazgaT375955 Add a SUL3 flag to Statsd / Prometheus authentication metrics
 ResolvedDAlangi_WMFT377253 Add SUL3 flag to authentication-related event schemas
 Resolved TgrT377261 Track the number of interrupted SUL3 logins / signups
 Resolved TgrT377258 Write mediawiki.org documentation for SUL3
 ResolvedmatmarexT391406 Update CentralAuth documentation page after SUL3
 Resolved TgrT391270 Determine CentralAuth SUL3 defaults
 Resolved TgrT390329 SharedDomainHookHandler::DISALLOWED_LOCAL_PROVIDERS is hard to maintain
 ResolvedmatmarexT387861 Remove SUL3 opt-in code from CentralAuth
 DeclinedNoneT391358 SUL3 login broken when the local wiki and the central domain are in the same $wgCentralAuthCookieDomain set
 Resolved TgrT383729 SUL3 Phase 0: Account creation and login on test wikis
 Resolved TgrT377187 Set up auth.wikimedia.org
 ResolvedmatmarexT379811 Update URL structure for SUL3 shared domain
 ResolvedsbassettT378722 Application Security Review Request : SUL3
 Resolved TgrT380574 Add SUL3 authentication domain to deploy canary checks

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Tgr added a comment.May 14 2024, 5:59 PM

There are two implementation strategies I can think of for such a shared domain:

  1. At the traffic level: ATS redirects sso.wikimedia.org/foowiki/path to foo.wikipedia.org/path so the target wiki mostly doesn't even notice what's going on (to some extent MediaWiki needs to be aware so I imagine we'd set a custom header).
  2. At the configuration level: CommonSettings.php applies some special logic when it determines from the hostname what DB name / wiki ID to use.

The first feels less messy, but I don't have a strong sense of pros/cons.

Either way, when a wiki is reached via sso.wikimedia.org, that would have to override some configuration settings: fail hard for non-SUL wikis (just in case, to avoid privacy leaks, although in theory there should not be any risk even without that), limit access to a predefined set of special pages (Special:Userlogin, Special:CreateAccount, in the future maybe things like change email, change password, change 2FA) and APIs (the APIs required for login/signup - meta=token, list=userinfo, list=globaluserinfo, meta=authmanagerinfo, action=clientlogin, action=createaccount, action=webauthn). The cookies we output would have to be different, not sure if that's a config-level change or an application-level change.

Tgr added a comment.May 14 2024, 6:15 PM

secure.wikimedia.org used to work in a similar way until it was replaced by T22643: Serve SSL/HTTPS sites out of same domain names as HTTP access: https://en.wikipedia.org/ (in 2013, I think?). It was implemented as an Apache proxy (still is, to some extent, to support old links).

Tgr added a project: Traffic.May 14 2024, 6:16 PM
Tgr moved this task from Ready to In progress on the SUL3 board.May 15 2024, 1:29 PM
kostajh subscribed.May 16 2024, 9:07 AM
Tgr updated the task description. (Show Details)May 16 2024, 11:46 AM
Tgr removed a project: Traffic.May 16 2024, 2:13 PM

Per discussion with Traffic, we'll explore implementing this in the MediaWiki configuration layer rather than some traffic routing layer.

Tgr mentioned this in T365162: Set up sso.wikimedia.beta.wmflabs.org with config-layer routing to other wikis.May 16 2024, 2:37 PM
Tgr added a subtask: T365162: Set up sso.wikimedia.beta.wmflabs.org with config-layer routing to other wikis.
Tgr moved this task from In progress to Blocked / External on the SUL3 board.
Tgr updated the task description. (Show Details)May 16 2024, 3:04 PM
Tgr mentioned this in T364866: Adapt to changes in post-login/signup hooks after switching to a central login wiki.May 16 2024, 4:58 PM
larissagaulia moved this task from Inbox, needs triage to Needs refinement on the MediaWiki-Platform-Team board.May 27 2024, 2:26 PM
Tgr added a comment.Jun 12 2024, 3:01 PM

A possible third approach that avoids the complexities of multiple wikis sharing a domain, and also avoids having to customize loginwiki, would be to keep submitting the login form on the local wiki, and then redirect to the central wiki for some sort of trivial workflow like clicking a button (which would be simple enough to not need any customization). It does have its own drawbacks though: more contrived UX (an extra step that makes no sense from the user's perspective), plus a secondary goal of SUL3 was to remove authentication workflows from local wikis so we can eventually reduce the threat surface.

Tgr updated the task description. (Show Details)Jun 12 2024, 7:09 PM
Tgr added a comment.Jun 12 2024, 7:19 PM

@pmiazga pointed out that using an URL structure like https://sso.wikimedia.org/en.wikipedia.org/wiki/Special:Userlogin might be mistaken for phishing by some users (most people don't recognize the "wikimedia" brand, and putting a domain name in the URL is an existing phishing trick). Left a question about that in the SUL3 design review task: T365298#9886304

Tgr added a comment.Jun 12 2024, 9:28 PM

Quick review of all the places where loginwiki is mentioned (per this search):

  • the editinterface permission is disabled on loginwiki. Using a shared domain will be less secure in that regard.
  • $wgCentralAuthAutoCreateWikis. Not really affected.
  • $wmgUseGlobalCssJs is disabled. Doesn't really matter, user CSS/JS is disabled on authentication-related special pages anyway.
  • $wgCheckUserLogLogins is disabled (per T253802#6557466). Should ask stewards about this.
  • CentralNotice, Parsoid, Math, Disambiguator, UniversalLanguageSelector, PagedTiffHandler, parser functions, TemplateData, CharInsert are disabled (T61702). CentralNotice is security-relevant as banners can execute Javascript; we should probably replicate that. UniversalLanguageSelector might be good to have (the default loginpage language selector has poor UX). We probably need parser functions because of i18n message overrides. The rest don't matter much.
  • $wgEnableEventBus (docs) is restricted. Not sure about the significance of this.
  • there's a write-on-GET exception for loginwiki URLs. We should probably reproduce that.
  • CentralAuth adds loginwiki to various CSP fields. We probably won't need that.
  • CentralAuth adds DNS prefetch for login.wikimedia.org. We should probably reproduce that.
Tgr mentioned this in T367995: Security Preview for shared login domain.Jun 19 2024, 8:47 PM
Tgr added a subtask: T367995: Security Preview for shared login domain.
Tgr mentioned this in T365298: Design request: Central Login Design Review and Recommendations.Jun 20 2024, 12:33 PM
Tgr mentioned this in T368230: Investigate missing loginwiki accounts.Jun 23 2024, 9:05 PM
akosiaris subscribed.Jun 25 2024, 3:08 PM
KStoller-WMF subscribed.Jul 1 2024, 7:37 PM
sbassett changed the status of subtask T367995: Security Preview for shared login domain from Open to In Progress.Jul 3 2024, 5:13 PM
Tgr mentioned this in T370692: Review mobile login UX for SUL3.Jul 22 2024, 6:33 PM
Tol subscribed.Jul 29 2024, 8:40 PM
Tgr mentioned this in T371530: Support cross-domain $wgLoadScript URLs in ResourceLoader.Jul 31 2024, 5:01 PM
Tgr added a subtask: T371530: Support cross-domain $wgLoadScript URLs in ResourceLoader.
Tgr mentioned this in T354482: Clean up login.wikimedia.org ahead of SUL3 login.Jul 31 2024, 10:58 PM
Tgr added a subtask: T371267: Create a script to backfill missing local accounts on loginwiki/metawiki for new global accounts.Jul 31 2024, 11:05 PM
Tgr added a subtask: T368230: Investigate missing loginwiki accounts.
Tgr mentioned this in T371596: Preserve mobile domain when using the shared login domain.Aug 1 2024, 12:13 PM
Tgr added a subtask: T371596: Preserve mobile domain when using the shared login domain.
Tgr mentioned this in T371609: Rewrite URLs when using the shared login domain.Aug 1 2024, 1:43 PM
Tgr added a subtask: T371609: Rewrite URLs when using the shared login domain.
Vermont subscribed.Aug 1 2024, 6:25 PM
Xaosflux subscribed.Aug 1 2024, 6:30 PM
Yahya subscribed.Aug 1 2024, 6:57 PM
Johannnes89 subscribed.Aug 18 2024, 4:35 PM
Krinkle closed subtask T365162: Set up sso.wikimedia.beta.wmflabs.org with config-layer routing to other wikis as Resolved.Aug 19 2024, 2:40 PM
Tgr mentioned this in T373732: Audit SUL3 shared-domain i18n messages for XSS.Aug 31 2024, 9:39 AM
Tgr mentioned this in T373737: Disable irrelevant extensions on SUL3 login domain.Aug 31 2024, 11:35 AM
Tgr mentioned this in T373738: Audit special pages used on the SUL3 shared login domain for disallowing user JS.
matmarex closed subtask T371609: Rewrite URLs when using the shared login domain as Resolved.Sep 14 2024, 2:42 AM
Tgr closed subtask T371596: Preserve mobile domain when using the shared login domain as Resolved.Sep 19 2024, 1:49 PM
Tgr mentioned this in T375796: Synchronize SUL2 and SUL3 central browser state.Sep 26 2024, 8:30 PM
DerHexer subscribed.Sep 27 2024, 11:45 AM
Tgr mentioned this in T376021: Migrate WebAuthn on Wikimedia wikis to central domain.Sep 30 2024, 10:04 AM
matmarex closed subtask T371530: Support cross-domain $wgLoadScript URLs in ResourceLoader as Resolved.Oct 2 2024, 5:26 PM
sbassett closed subtask T367995: Security Preview for shared login domain as Resolved.Oct 9 2024, 6:29 PM
Tgr moved this task from Blocked / External to Blocked on shared domains on the SUL3 board.Oct 14 2024, 7:17 PM
Tgr mentioned this in T377187: Set up auth.wikimedia.org.Oct 15 2024, 9:52 AM
Tgr added a subtask: T377187: Set up auth.wikimedia.org.
Tgr updated the task description. (Show Details)
Tgr added a subtask: T378401: Start running backfillLocalAccounts.php.Oct 28 2024, 6:29 PM
Tgr mentioned this in T378722: Application Security Review Request : SUL3.Oct 31 2024, 2:33 PM
AntiCompositeNumber subscribed.Nov 4 2024, 5:58 PM
In T363695#9886787, @Tgr wrote:
  • the editinterface permission is disabled on loginwiki. Using a shared domain will be less secure in that regard.

Only for local administrators, of which there are 0. Stewards, staff, new wikis importers, sysadmins, and global interface editors still have access through the global groups.

Frostly subscribed.Nov 5 2024, 3:09 AM
JTweed-WMF subscribed.Nov 11 2024, 11:28 AM

The decision is to use `https://auth.wikimedia.org/{{wikiid}, eg:

https://auth.wikimedia.org/enwiki/wiki/Special:Userlogin

Tgr mentioned this in T379811: Update URL structure for SUL3 shared domain.Nov 13 2024, 7:38 PM
Tgr added a subtask: T379811: Update URL structure for SUL3 shared domain.Nov 13 2024, 7:42 PM
Tgr moved this task from Blocked on shared domains to Epic on the SUL3 board.Nov 13 2024, 7:45 PM
matmarex closed subtask T379811: Update URL structure for SUL3 shared domain as Resolved.Nov 19 2024, 7:57 PM
Tgr mentioned this in T380574: Add SUL3 authentication domain to deploy canary checks.Nov 22 2024, 10:40 AM
Tgr mentioned this in T380575: Make SUL3 authentication domain mode available from CLI.Nov 22 2024, 10:52 AM
Tgr mentioned this in T381096: Hide the search form in the skin during login, signup, and other auth-domain workflows.Nov 28 2024, 11:35 AM
ArielGlenn closed subtask T378401: Start running backfillLocalAccounts.php as Resolved.Dec 3 2024, 4:51 PM
ArielGlenn closed subtask T371267: Create a script to backfill missing local accounts on loginwiki/metawiki for new global accounts as Resolved.
Tgr closed subtask T377187: Set up auth.wikimedia.org as Resolved.Jan 14 2025, 8:31 PM
Tgr added a comment.Jan 24 2025, 8:50 PM
In T363695#9886787, @Tgr wrote:
  • $wmgUseGlobalCssJs is disabled. Doesn't really matter, user CSS/JS is disabled on authentication-related special pages anyway.

Nevertheless, done as part of T373738: Audit special pages used on the SUL3 shared login domain for disallowing user JS.

Since there is no separate login wiki anymore, this basically just comes down to "do we want to log IPs for logins?". Per T381223: useragent-clienthints API does not work on the SUL3 authentication domain the answer is yes.

  • CentralNotice, Parsoid, Math, Disambiguator, UniversalLanguageSelector, PagedTiffHandler, parser functions, TemplateData, CharInsert are disabled (T61702). CentralNotice is security-relevant as banners can execute Javascript; we should probably replicate that. UniversalLanguageSelector might be good to have (the default loginpage language selector has poor UX). We probably need parser functions because of i18n message overrides. The rest don't matter much.

Done in T373738: Audit special pages used on the SUL3 shared login domain for disallowing user JS (to the extend it proved feasible - configuration, DB and cache sharing between the normal wiki and wiki-accessed-via-authentication-domain makes disabling complex extensions risky).

Still not sure about the significance of this, but since the authentication domain is just an alternative way of accessing the same wiki, not doing this should be fine.

We missed this one. Patch incoming.

  • CentralAuth adds loginwiki to various CSP fields. We probably won't need that.

We actually need that (at least once CSP is enforcement). Done in rECAU0bed631a089b: SUL3: Improve SUL3 autologin feature.

  • CentralAuth adds DNS prefetch for login.wikimedia.org. We should probably reproduce that.

Done in rECAU9f8ff1156fed: Special: Add support for central autologin in SUL3 mode.

(Probably for a while we want *both* loginwiki and the shared domain in the CSP exemptions / DNS prefetch. That's part of T375796: Synchronize SUL2 and SUL3 central browser state.)

gerritbot added a comment.Jan 24 2025, 9:42 PM

Change #1114070 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[operations/puppet@production] Update CentralAuth multi-DC rules for SUL3

https://gerrit.wikimedia.org/r/1114070

gerritbot added a project: Patch-For-Review.Jan 24 2025, 9:42 PM
gerritbot added a comment.Jan 28 2025, 5:09 PM

Change #1114070 merged by RLazarus:

[operations/puppet@production] Update CentralAuth multi-DC rules for SUL3

https://gerrit.wikimedia.org/r/1114070

Arendpieter subscribed.Feb 5 2025, 10:29 PM

After all wikis transition to SUL3, login.wikimedia.org will be removed, correct? Or what role will it have alongside auth.wikimedia.org?

Maintenance_bot removed a project: Patch-For-Review.Feb 5 2025, 10:30 PM
JJMC89 subscribed.Feb 5 2025, 11:59 PM
In T363695#10527223, @Arendpieter wrote:

After all wikis transition to SUL3, login.wikimedia.org will be removed, correct?

No, loginwiki will remain.

Bugreporter subscribed.Feb 6 2025, 2:38 AM
In T363695#10527351, @JJMC89 wrote:
In T363695#10527223, @Arendpieter wrote:

After all wikis transition to SUL3, login.wikimedia.org will be removed, correct?

No, loginwiki will remain.

How will loginwiki still be useful? Yes, stewards do checkuser on loginwiki for new accounts there, but this can be moved to metawiki.

AntiCompositeNumber added a comment.Feb 6 2025, 5:36 AM
In T363695#10527541, @Bugreporter wrote:

How will loginwiki still be useful? Yes, stewards do checkuser on loginwiki for new accounts there, but this can be moved to metawiki.

Because not doing anything is easier than getting the community to agree with you.

Tgr mentioned this in T348388: SUL3: Use a dedicated domain for login and account creation.Feb 16 2025, 8:10 PM
gerritbot added a comment.Feb 26 2025, 8:43 PM

Change #1123029 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[operations/puppet@production] [WIP] Update CentralAuth multi-DC rules for SUL3, attempt 2

https://gerrit.wikimedia.org/r/1123029

gerritbot added a project: Patch-For-Review.Feb 26 2025, 8:43 PM
Sgs subscribed.Mar 4 2025, 9:11 PM
gerritbot added a comment.Mar 6 2025, 5:12 PM

Change #1123029 merged by Vgutierrez:

[operations/puppet@production] Update CentralAuth multi-DC rules for SUL3, attempt 2

https://gerrit.wikimedia.org/r/1123029

Maintenance_bot removed a project: Patch-For-Review.Mar 6 2025, 5:31 PM
Tgr closed this task as Resolved.Mar 6 2025, 11:06 PM
Tgr claimed this task.
dcausse mentioned this in T388825: Some events in mediawiki.page_change.v1 refers to auth.wikimedia.org in meta.uri and meta.domain.Mar 13 2025, 5:20 PM
Tgr mentioned this in T387861: Remove SUL3 opt-in code from CentralAuth.Mar 16 2025, 8:03 PM
Arendpieter mentioned this in T220769: Account created without having a loginwiki or metawiki automatically created.Jan 14 2026, 11:20 AM
KStoller-WMF mentioned this in T415972: Account Creation: V2 experiment designs.Jan 30 2026, 3:49 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits