Page MenuHomePhabricator
Create Task
Maniphest T48179

Allow a challenge stage during authentication
Closed, ResolvedPublic
Actions

Description

Extension:OATHAuth implements two-factor authentication, and requires a token for users during the login process, if they have two-factor enabled. Unfortunately, it's necessary to put a token input on the initial login page, which is confusing for users who don't have two-factor enabled, or don't know what it is.

The proper solution for this is to have a challenge screen after the initial password login. MediaWiki doesn't have support for this. An extension can't display another screen before the authentication step completes, and once the authentication step completes, the user is logged in.

Version: 1.22.0
Severity: normal
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=42131

Details

Reference
bz46179

Related Objects
Search...

View Standalone Graph
This task is connected to more than 200 other tasks. Only direct parents and subtasks are shown here. Use View Standalone Graph to show more of the graph.
StatusSubtypeAssignedTask
· · ·
ResolvedAnomieT48179 Allow a challenge stage during authentication
OpenNoneT89459 Modernize MediaWiki authentication system (AuthManager)
· · ·

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 1:20 AM
bzimport added a project: MediaWiki-User-login-and-signup.
bzimport set Reference to bz46179.
bzimport added a subscriber: Unknown Object (MLST).
RyanLane created this task.Mar 15 2013, 11:02 PM
MZMcBride added a comment.Mar 15 2013, 11:29 PM

I'm adding bug 42131 as a see also (and leaving it marked resolved/wontfix), but it may properly be a dependency of this bug.

Krenair added a project: MediaWiki-Core-AuthManager.May 29 2015, 5:01 PM
Krenair subscribed.
Parent5446 subscribed.May 29 2015, 5:16 PM
Parent5446 added a comment.May 29 2015, 8:28 PM

Just to document the problem with this right now, here is the current workflow:

  1. Do preliminary login checks
  2. Run AbortLogin hook
  3. Check password
  4. Log in the user

All extensions are forced to hook in at step 2, which is before the password check. So if an extension needs to gather more information, and it redirects to another page, the password check has never happened and the password itself is no longer in the request.

Right now in OATHAuth, I'm getting around this by taking the WebRequest, storing it, and basically replaying the request once the new information is gathered. Of course, this is a risk because now private information is stored in Memcached. This can be mitigated with some sort of symmetric encryption, but it'd be better to just avoid it entirely.

The preferred workflow would be to have AuthManager organize its checks and be able to store the results of those checks so that further information can be gathered and further checks can be performed before the user is determined to be authenticated.

Tgr added a subtask: T89459: Modernize MediaWiki authentication system (AuthManager).Aug 26 2015, 4:40 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 26 2015, 4:40 AM
Tgr subscribed.Aug 26 2015, 4:45 AM

In AuthManager SecondaryAuthenticationProviders fulfill this role: they are invoked after the identity of the user has been established, can request further information (which will be handled by Special:UserLogin by showing a second form after the normal login form), and can block or abort the authentication process based on the reply.

Tgr reopened subtask T89459: Modernize MediaWiki authentication system (AuthManager) as Open.Aug 27 2015, 7:08 AM
Anomie closed this task as Resolved.Jun 16 2016, 4:27 PM
Anomie claimed this task.
Anomie subscribed.

AuthManager does this with SecondaryAuthenticationProviders. Further, OATHAuth has been updated to use this mechanism for its challenges in rEOAT563796a98c05: Update for AuthManager.

Aklapper removed subscribers: Anomie, wikibugs-l-list.Oct 16 2020, 5:43 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL