TL;DR: AuthManager is now in core, although it's currently behind a feature flag that is disabled on Wikimedia wikis. We're hoping that feature flag can be removed from 1.27 before release. Help fix extensions!
AuthManager is a new authentication system for MediaWiki that allows for easily plugging in multiple authentication methods, non-password-based authentication methods (such as authentication by redirecting to a third-party service), secondary authentication methods like two-factor auth, and so on. We've[1] been working on it for over a year now, and it's getting close to being done. Last week, we merged the core patches[2] and fixes for extensions bundled in the tarball. These were also backported to the REL1_27 branch. Documentation is now at https://www.mediawiki.org/wiki/Manual:SessionManager_and_AuthManager, please feel free to ask questions or to improve it.
AuthManager is currently behind a feature flag, $wgDisableAuthManager, which can be set to use the old authentication system rather than AuthManager. For Wikimedia wikis, our next step is to fix the rest of the extensions we use,[3] then (gradually) enable AuthManager while making sure things don't break.[4] We plan to default the flag to enabling AuthManager in master soon,[5] and we hope to be able to remove it entirely from 1.27 before release.[6]
If you maintain an extension in Gerrit and it needs updating for AuthManager, we've probably already filed a task in Phabricator for you! Look at the subtasks of T110282 for extensions deployed on Wikimedia wikis, or of T110291 for other extensions. Besides the information in the tasks, we've also compiled a list of common things needing updating and some solutions.[7]
If you run a wiki, you might need to set $wgDisableAuthManager = true if you have extensions that break. Remember, though, this isn’t a permanent solution, and you’ll need to update your extensions reasonably soon.
If you run a bot that still uses API action=login (and isn't using it for BotPasswords), it's time to update! If you have an interactive application that logs in with API action=login, you'll want to prepare to start using action=clientlogin. If you want some visibility, the tracking task for clients is T134945.
If you find bugs in AuthManager, please report them in Phabricator and include the #Reading-Infrastructure-Team tag.
See also previous AuthManager announcements:
* https://lists.wikimedia.org/pipermail/wikitech-l/2016-January/084501.html
* https://lists.wikimedia.org/pipermail/mediawiki-api/2016-January/003686.html
* https://lists.wikimedia.org/pipermail/mediawiki-api/2016-January/003688.html

[1]: Mainly Gergő Tisza and I, with help from Bryan Davis and Chris Steipp.
[2]: https://gerrit.wikimedia.org/r/#/c/195297/, https://gerrit.wikimedia.org/r/#/c/240052/, https://gerrit.wikimedia.org/r/#/c/265201/, and https://gerrit.wikimedia.org/r/#/c/282202/
[3]: https://phabricator.wikimedia.org/T110282
[4]: https://phabricator.wikimedia.org/T135504
[5]: We tried to do it already, but it broke all the selenium tests due to changes to account creation. See https://phabricator.wikimedia.org/T135884 for progress on that.
[6]: https://phabricator.wikimedia.org/T135498
[7]: https://www.mediawiki.org/wiki/Manual:SessionManager_and_AuthManager/Updatin...

--
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation