On May 16, 2014 5:20 PM, "Chad" innocentkiller@gmail.com wrote:
On Fri, May 16, 2014 at 4:38 PM, MZMcBride z@mzmcbride.com wrote:
Chris Steipp wrote:
Accounts are kinda namespaced, so github user foo and sul user foo can both have phabricator accounts.
Since we're using OAuth though, that requires a global wiki account so local only accounts would not be able to join. So we probably need password or LDAP auth at minimum.
I suppose you could rely only on global (in the CentralAuth extension sense) accounts, but it really would make sense for Wikimedia to get its own house in order first: we should finish fully unifying login across Wikimedia wikis before delving into concurrent authentication systems.
Yes, let's please. But that's another thread.
I'm less concerned about non-unified accounts than I am about the other (much more obvious) problem of "how do we use Phabricator if the cluster is down." Ryan suggested Labs LDAP and I agree, it's a very sane fallback. It's very unlikely for the cluster *and* LDAP to be down at the same time, and if they are it's probably network-related and we'll be screwed on using Phabricator anyway.
I think this mailing list thread suffers from an analysis of what the potential negative consequences of allowing third-party login are. The positive to users (one less username and password to remember) is clearer to see. What are the drawbacks of doing this? I'd like to see the pros and cons outlined on mediawiki.org or meta.wikimedia.org.
The positive side of "I can use one less login" is nice, don't get me wrong.
I'm mostly worried about security issues in 3rd party implementations of OAuth that we can't control. I asked Chris S. about this earlier today and I hope he'll expand on this some more--especially concerning to me was the concrete example he gave with Facebook's own OAuth. Also he mentioned that Twitter's OAuth is known to be insecure in its implementation.
I don't want to start a rumor that using Twitter's OAuth for authentication is insecure, but OAuth 1 (which Phabricator is using for the login) isn't made for authentication... Insert broken record track of me talking about this ;)
More authentication systems means a bigger attack surface we have to secure. If you look at the vulnerabilities fixed in Phabricator via their bounty program [1], 3 are login with OAuth bugs. This makes me nervous (but kudos to them for running the program and fixing these).
Although it wasn't possible in any of these reported bugs yet, the big risk is that an attack will allow adding a login account to an existing Phabricator account via CSRF, allowing the attacker to add their 3rd party account to my Phabricator account and then they can log in as me using their Facebook, etc. account. This famously happened to Stack Exchange via the Facebook login last year.
So I'll do an audit on the methods we decide to go with, but I'd like to keep that number fairly small. Turning them on isn't totally "free".
[1] https://hackerone.com/phabricator
Depending on how GitHub's OAuth is implemented, that's the one I could see the strongest case being made for.
Enabling all of them seems like it'll just make the login page cluttered with options used by about 1-2 people each but I could be wrong.
-Chad
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
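The account-linking CSRF risk raised in the thread is normally closed by refusing any "add external login" callback that does not complete a flow the same session started. The sketch below is an added example, not Phabricator's or MediaWiki's code; the session layout, function names and the idea of carrying the token through the provider round trip (the `state` parameter in OAuth 2) are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, generated here for the example


def _state_for(session_id: str, nonce: str) -> str:
    # MAC binds the nonce to one session so a value minted elsewhere never matches.
    mac = hmac.new(SERVER_KEY, f"{session_id}|{nonce}".encode(), hashlib.sha256)
    return f"{nonce}.{mac.hexdigest()}"


def issue_link_state(session: dict) -> str:
    """User clicked 'link external account': remember a fresh nonce server-side."""
    session["link_nonce"] = secrets.token_urlsafe(16)
    return _state_for(session["id"], session["link_nonce"])


def handle_link_callback(session: dict, state: str, external_id: str, links: dict) -> bool:
    """Provider redirected back: link only if this session started the flow."""
    nonce = session.pop("link_nonce", None)  # single use, consumed even on failure
    if nonce is None:
        return False  # no linking flow pending in this session
    expected = _state_for(session["id"], nonce)
    if not hmac.compare_digest(state.encode(), expected.encode()):
        return False
    links.setdefault(session["user"], set()).add(external_id)
    return True


def demo():
    links = {}
    victim = {"id": "sess-victim", "user": "alice"}       # constructed sessions
    attacker = {"id": "sess-attacker", "user": "mallory"}
    # Forged callback 1: arrives in the victim's session with no flow pending.
    forged_state = issue_link_state(attacker)
    r1 = handle_link_callback(victim, forged_state, "ext:mallory", links)
    # Forged callback 2: victim has a flow pending, but the state is from another session.
    issue_link_state(victim)
    r2 = handle_link_callback(victim, forged_state, "ext:mallory", links)
    # Legitimate flow, then a replay of the same state.
    state = issue_link_state(victim)
    r3 = handle_link_callback(victim, state, "ext:alice", links)
    r4 = handle_link_callback(victim, state, "ext:alice-2", links)
    return r1, r2, r3, r4, links
```

Both forged callbacks and the replay are rejected, so only the identity from the flow the user started ends up attached to the account.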