This is a casual request for comments about the use of 3rd party authentication providers for our future Wikimedia Phabricator instance.
Wikimedia Phabricator is expected to replace Bugzilla, Gerrit and many other tools, each of them having their own registration and user account. The plan is to offer Wikimedia SUL (your Wikimedia credentials) as the default way to login to Phabricator -- details at http://fab.wmflabs.org/T40
However, Phabricator can support authentication using 3rd party providers like GitHub, Google, etc. You can get an idea at https://secure.phabricator.com/auth/start/
There are good reasons to plan for Wikimedia SUL only (consistency with the rest of Wikimedia projects), and there are good reasons to plan for other providers as well (the easiest path for most first-time contributors).
What do you think? Should we offer alternatives to Wikimedia login? If so, which ones?
On Thu, May 15, 2014 at 5:20 PM, Quim Gil qgil@wikimedia.org wrote:
This is a casual request for comments about the use of 3rd party authentication providers for our future Wikimedia Phabricator instance.
Wikimedia Phabricator is expected to replace Bugzilla, Gerrit and many other tools, each of them having their own registration and user account. The plan is to offer Wikimedia SUL (your Wikimedia credentials) as the default way to login to Phabricator -- details at http://fab.wmflabs.org/T40
However, Phabricator can support authentication using 3rd party providers like GitHub, Google, etc. You can get an idea at https://secure.phabricator.com/auth/start/
There are good reasons to plan for Wikimedia SUL only (consistency with the rest of Wikimedia projects), and there are good reasons to plan for other providers as well (the easiest path for most first-time contributors).
What do you think? Should we offer alternatives to Wikimedia login? If so, which ones?
Will Labs no longer have the same authentication as the rest of the tooling? Is this something that will be solved before the switch?
- Ryan
On Thursday, May 15, 2014, Ryan Lane rlane32@gmail.com wrote:
Will Labs no longer have the same authentication as the rest of the tooling? Is this something that will be solved before the switch?
Wikitech-LDAP-Labs-Gerrit remains untouched in the first switch to Phabricator (what we call Day 1), which targets task/bug management tools: Bugzilla, RT, Trello, Mingle.
Still, we need to have a good plan in mind, at the latest for the code review migration. I just created a related task at http://fab.wmflabs.org/T338
So far, it seems that the only solid 3rd party candidate to be considered is GitHub. Task created at http://fab.wmflabs.org/T337
On Thu, May 15, 2014 at 9:20 PM, Quim Gil qgil@wikimedia.org wrote:
There are good reasons to plan for Wikimedia SUL only (consistency with the rest of Wikimedia projects), and there are good reasons to plan for other providers as well (the easiest path for most first-time contributors).
If there's a problem with SUL/centralauth and you can't log in either to the wikis or to phabricator then how do we report/track that issue?
(I'm a bit less worried about the case where SSO/federated auth breaks but wiki login is still working.)
Also, have we considered two factor auth (2fa)? or are there some users (security bugs?) that should have different requirements than other users?
What do you think? Should we offer alternatives to Wikimedia login? If so, which ones?
I'm not sure about whether to open to any service under the sun. We would need to be sure that users are very clear about what happens if their choice of auth service is compromised, or their account there is compromised, or the service decides to shut down.
-Jeremy
On Thu, 2014-05-15 at 21:34 +0000, Jeremy Baron wrote:
On Thu, May 15, 2014 at 9:20 PM, Quim Gil qgil@wikimedia.org wrote:
There are good reasons to plan for Wikimedia SUL only (consistency with the rest of Wikimedia projects), and there are good reasons to plan for other providers as well (the easiest path for most first-time contributors).
If there's a problem with SUL/centralauth and you can't log in either to the wikis or to phabricator then how do we report/track that issue?
We can still make noise on mailing lists and IRC (which sometimes is the case for reporting issues already).
Right now people complain that e.g. Bugzilla has a separate login so they don't report issues there. It's hard to judge what's the bigger problem because being concerned about our tools having the same auth mechanism has only come up since having the same auth mechanism is being considered, of course. :)
andre
I like the idea of having one Wikimedia login for all Wikimedia wikis, tools, labs, Gerrit, mailing lists, etc. and keeping other logins such as Google, Yahoo, or GitHub in their own domain.
On May 15, 2014, at 23:20 , Quim Gil qgil@wikimedia.org wrote:
This is a casual request for comments about the use of 3rd party authentication providers for our future Wikimedia Phabricator instance.
Wikimedia Phabricator is expected to replace Bugzilla, Gerrit and many other tools, each of them having their own registration and user account. The plan is to offer Wikimedia SUL (your Wikimedia credentials) as the default way to login to Phabricator -- details at http://fab.wmflabs.org/T40
However, Phabricator can support authentication using 3rd party providers like GitHub, Google, etc. You can get an idea at https://secure.phabricator.com/auth/start/
There are good reasons to plan for Wikimedia SUL only (consistency with the rest of Wikimedia projects), and there are good reasons to plan for other providers as well (the easiest path for most first-time contributors).
What do you think? Should we offer alternatives to Wikimedia login? If so, which ones?
-- Quim Gil, Engineering Community Manager @ Wikimedia Foundation, http://www.mediawiki.org/wiki/User:Qgil
_______________________________________________
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
On Thu, May 15, 2014 at 2:20 PM, Quim Gil qgil@wikimedia.org wrote:
There are good reasons to plan for Wikimedia SUL only (consistency with the rest of Wikimedia projects), and there are good reasons to plan for other providers as well (the easiest path for most first-time contributors).
What do you think? Should we offer alternatives to Wikimedia login? If so, which ones?
I think we should also support Labs/LDAP in addition to SUL. I'm not really a fan of the third-party providers but we should definitely have a secondary auth in place for when the cluster is down as Jeremy rightly points out.
-Chad
On Thu, 2014-05-15 at 14:20 -0700, Quim Gil wrote:
This is a casual request for comments about the use of 3rd party authentication providers for our future Wikimedia Phabricator instance.
Wikimedia Phabricator is expected to replace Bugzilla, Gerrit and many other tools, each of them having their own registration and user account. The plan is to offer Wikimedia SUL (your Wikimedia credentials) as the default way to login to Phabricator -- details at http://fab.wmflabs.org/T40
However, Phabricator can support authentication using 3rd party providers like GitHub, Google, etc. You can get an idea at https://secure.phabricator.com/auth/start/
There are good reasons to plan for Wikimedia SUL only (consistency with the rest of Wikimedia projects), and there are good reasons to plan for other providers as well (the easiest path for most first-time contributors).
What do you think? Should we offer alternatives to Wikimedia login? If so, which ones?
Seeing the mess with user accounts we have on the wikis these days, please make sure we won't run into naming conflicts. A wiki user with the global account "foo" should always be able to use that account on Phabricator, no matter what users from other sources did before.
Cheers,
Marius
On May 15, 2014 3:56 PM, "hoo" hoo@online.de wrote:
Seeing the mess with user accounts we have on the wikis these days, please make sure we won't run into naming conflicts. A wiki user with the global account "foo" should always be able to use that account on Phabricator, no matter what users from other sources did before.
Accounts are kinda namespaced, so github user foo and sul user foo can both have phabricator accounts.
Since we're using OAuth though, that requires a global wiki account so local only accounts would not be able to join. So we probably need password or LDAP auth at minimum.
Cheers,
Marius
Yes. Support as many providers as possible, Google at least. I basically don't even want to use any more web services with their own login unless I have to. Single login FTW.
On Fri, May 16, 2014 at 3:51 PM, Chris Steipp csteipp@wikimedia.org wrote:
On May 15, 2014 3:56 PM, "hoo" hoo@online.de wrote:
Seeing the mess with user accounts we have on the wikis these days, please make sure we won't run into naming conflicts. A wiki user with the global account "foo" should always be able to use that account on Phabricator, no matter what users from other sources did before.
Accounts are kinda namespaced, so github user foo and sul user foo can both have phabricator accounts.
Since we're using OAuth though, that requires a global wiki account so local only accounts would not be able to join. So we probably need password or LDAP auth at minimum.
Cheers,
Marius
On Friday, May 16, 2014, Petr Bena benapetr@gmail.com wrote:
Yes. Support as many providers as possible, Google at least. I basically don't even want to use any more web services with their own login unless I have to. Single login FTW.
I wonder why a user without a Wikimedia account or a GitHub account would need to login to Wikimedia Phabricator.
On Fri, May 16, 2014 at 9:23 AM, Quim Gil qgil@wikimedia.org wrote:
On Friday, May 16, 2014, Petr Bena benapetr@gmail.com wrote:
Yes. Support as many providers as possible, Google at least. I basically don't even want to use any more web services with their own login unless I have to. Single login FTW.
I wonder why a user without a Wikimedia account or a GitHub account would need to login to Wikimedia Phabricator.
To report or comment on a bug?
To anonymously report an issue? --scott
I feel like the ideal situation would be to:
1) Only allow Phabricator login with a Wikimedia account; and 2) When logging into Wikimedia, allow login with Google, GitHub, etc.
Unfortunately, fulfilling that situation means deploying the OpenID extension, which is definitely not ready yet.
-- Tyler Romeo, Stevens Institute of Technology, Class of 2016, Major in Computer Science
On Fri, May 16, 2014 at 1:47 PM, C. Scott Ananian cananian@wikimedia.org wrote:
On Fri, May 16, 2014 at 9:23 AM, Quim Gil qgil@wikimedia.org wrote:
On Friday, May 16, 2014, Petr Bena benapetr@gmail.com wrote:
Yes. Support as many providers as possible, Google at least. I basically don't even want to use any more web services with their own login unless I have to. Single login FTW.
I wonder why a user without a Wikimedia account or a GitHub account would need to login to Wikimedia Phabricator.
To report or comment on a bug?
To anonymously report an issue? --scott
On 2014-05-16, 1:57 PM, Tyler Romeo wrote:
- When logging into Wikimedia, allow login with Google, GitHub, etc.
Unfortunately, fulfilling that situation means deploying the OpenID extension, which is definitely not ready yet.
GitHub doesn't support OpenID.
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
Chris Steipp wrote:
Accounts are kinda namespaced, so github user foo and sul user foo can both have phabricator accounts.
Since we're using OAuth though, that requires a global wiki account so local only accounts would not be able to join. So we probably need password or LDAP auth at minimum.
I suppose you could rely only on global (in the CentralAuth extension sense) accounts, but it really would make sense for Wikimedia to get its own house in order first: we should finish fully unifying login across Wikimedia wikis before delving into concurrent authentication systems.
I think this mailing list thread suffers from an analysis of what the potential negative consequences of allowing third-party login are. The positive to users (one less username and password to remember) is clearer to see. What are the drawbacks of doing this? I'd like to see the pros and cons outlined on mediawiki.org or meta.wikimedia.org.
Greg Grossmeier wrote:
You can. You can "claim" other accounts in Phab.
What's Phab?
MZMcBride
On Fri, May 16, 2014 at 4:38 PM, MZMcBride z@mzmcbride.com wrote:
Chris Steipp wrote:
Accounts are kinda namespaced, so github user foo and sul user foo can both have phabricator accounts.
Since we're using OAuth though, that requires a global wiki account so local only accounts would not be able to join. So we probably need password or LDAP auth at minimum.
I suppose you could rely only on global (in the CentralAuth extension sense) accounts, but it really would make sense for Wikimedia to get its own house in order first: we should finish fully unifying login across Wikimedia wikis before delving into concurrent authentication systems.
Yes, let's please. But that's another thread.
I'm less concerned about non-unified accounts than I am about the other (much more obvious) problem of "how do we use Phabricator if the cluster is down." Ryan suggested Labs LDAP and I agree, it's a very sane fallback. It's very unlikely for the cluster *and* LDAP to be down at the same time, and if they are it's probably network-related and we'll be screwed on using Phabricator anyway.
I think this mailing list thread suffers from an analysis of what the potential negative consequences of allowing third-party login are. The positive to users (one less username and password to remember) is clearer to see. What are the drawbacks of doing this? I'd like to see the pros and cons outlined on mediawiki.org or meta.wikimedia.org.
The positive side of "I can use one less login" is nice, don't get me wrong.
I'm mostly worried about security issues in 3rd party implementations of OAuth that we can't control. I asked Chris S. about this earlier today and I hope he'll expand on this some more -- especially concerning to me was the concrete example he gave with Facebook's own OAuth. Also he mentioned that Twitter's OAuth is known to be insecure in its implementation.
Depending on how GitHub's OAuth is implemented, that's the one I could see the strongest case being made for.
Enabling all of them seems like it'll just make the login page cluttered with options used by about 1-2 people each but I could be wrong.
-Chad
On May 16, 2014 5:20 PM, "Chad" innocentkiller@gmail.com wrote:
On Fri, May 16, 2014 at 4:38 PM, MZMcBride z@mzmcbride.com wrote:
Yes, let's please. But that's another thread.
I'm less concerned about non-unified accounts than I am about the other (much more obvious) problem of "how do we use Phabricator if the cluster is down." Ryan suggested Labs LDAP and I agree, it's a very sane fallback. It's very unlikely for the cluster *and* LDAP to be down at the same time, and if they are it's probably network-related and we'll be screwed on using Phabricator anyway.
I think this mailing list thread suffers from an analysis of what the potential negative consequences of allowing third-party login are. The positive to users (one less username and password to remember) is clearer to see. What are the drawbacks of doing this? I'd like to see the pros and cons outlined on mediawiki.org or meta.wikimedia.org.
The positive side of "I can use one less login" is nice, don't get me wrong.
I'm mostly worried about security issues in 3rd party implementations of OAuth that we can't control. I asked Chris S. about this earlier today and I hope he'll expand on this some more -- especially concerning to me was the concrete example he gave with Facebook's own OAuth. Also he mentioned that Twitter's OAuth is known to be insecure in its implementation.
I don't want to start a rumor that using Twitter's OAuth for authentication is insecure, but OAuth 1 (which Phabricator is using for the login) isn't made for authentication... Insert broken record track of me talking about this ;)
More authentication systems means a bigger attack surface we have to secure. If you look at the vulnerabilities fixed in phabricator via their bounty program [1], 3 are login with OAuth bugs. This makes me nervous (but kudos to them for running the program and fixing these).
Although it wasn't possible in any of these reported bugs yet, the big risk is that an attack will allow adding a login account to an existing phabricator account via csrf, allowing the attacker to add their 3rd party account to my phabricator account and then they can login as me using their Facebook, etc account. This famously happened to stack exchange via the Facebook login last year.
So I'll do an audit on the methods we decide to go with, but I'd like to keep that number fairly small. Turning them on isn't totally "free".
[1] https://hackerone.com/phabricator
Depending on how GitHub's OAuth is implemented, that's the one I could see the strongest case being made for.
Enabling all of them seems like it'll just make the login page cluttered with options used by about 1-2 people each but I could be wrong.
-Chad
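The account-linking CSRF Chris describes above (a forged provider callback attaching the attacker's external identity to the victim's Phabricator account) and its usual mitigation, a per-session single-use `state` value, as an added example; this is not code from the thread or from Phabricator, and the provider, authorization codes, session dict and account store are constructed stand-ins.

```python
"""
Guarding an OAuth "link external account" callback against CSRF.

Toy model (not Phabricator code): a server-side session dict, an in-memory
account store, and a fake provider that maps authorization codes to external
user ids. The risk: the victim's browser is made to hit the callback URL with
the attacker's own authorization code, so the attacker's provider identity is
attached to the victim's local account. Binding a single-use `state` to the
session that started the link flow, and checking it on the callback, is the
standard defence.
"""
import hmac
import secrets

# Constructed provider: authorization code -> external account id.
FAKE_PROVIDER_CODES = {
    "code-victim": "github:victim",
    "code-attacker": "github:attacker",
}

# Constructed account store: local user -> linked external identities.
LINKED_IDENTITIES = {"victim": set()}


def exchange_code(provider, code):
    """Stand-in for the token exchange; returns the external identity."""
    ident = FAKE_PROVIDER_CODES.get(code)
    if ident is None or not ident.startswith(provider + ":"):
        raise ValueError("invalid authorization code")
    return ident


def start_link(session, provider):
    """Begin linking: mint a single-use state bound to this session."""
    state = secrets.token_urlsafe(32)
    session["oauth_link"] = {"provider": provider, "state": state}
    # The provider host is an assumption; only the state parameter matters.
    return f"https://provider.example/authorize?state={state}"


def callback_unchecked(session, provider, query):
    """Vulnerable: trusts any callback and links whatever code it carries."""
    ident = exchange_code(provider, query["code"])
    LINKED_IDENTITIES[session["user"]].add(ident)
    return ident


def callback_checked(session, provider, query):
    """Hardened: the callback must carry the state minted for this session."""
    pending = session.pop("oauth_link", None)  # consumed on first use
    if pending is None or pending["provider"] != provider:
        raise PermissionError("no link flow pending for this provider")
    if not hmac.compare_digest(query.get("state", ""), pending["state"]):
        raise PermissionError("state mismatch: possible CSRF")
    ident = exchange_code(provider, query["code"])
    LINKED_IDENTITIES[session["user"]].add(ident)
    return ident


def simulate_forged_callback(handler):
    """Victim starts a link flow; a forged callback arrives with the
    attacker's code and a guessed state. Returns the victim's linked set."""
    LINKED_IDENTITIES["victim"] = set()
    session = {"user": "victim"}
    start_link(session, "github")
    forged = {"code": "code-attacker", "state": "guessed"}
    try:
        handler(session, "github", forged)
    except PermissionError:
        pass
    return LINKED_IDENTITIES["victim"]


def simulate_legit_callback():
    """Genuine flow: the state from the redirect comes back, links once,
    and a replay of the same callback is refused."""
    LINKED_IDENTITIES["victim"] = set()
    session = {"user": "victim"}
    state = start_link(session, "github").rsplit("state=", 1)[1]
    query = {"code": "code-victim", "state": state}
    ident = callback_checked(session, "github", query)
    try:
        callback_checked(session, "github", query)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return ident, replay_rejected


if __name__ == "__main__":
    print("unchecked handler links:", simulate_forged_callback(callback_unchecked))
    print("checked handler links:", simulate_forged_callback(callback_checked))
    print("legit flow:", simulate_legit_callback())
```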
On Fri, May 16, 2014 at 5:19 PM, Chad innocentkiller@gmail.com wrote:
I'm mostly worried about security issues in 3rd party implementations of OAuth that we can't control. I asked Chris S. about this earlier today and I hope he'll expand on this some more -- especially concerning to me was the concrete example he gave with Facebook's own OAuth. Also he mentioned that Twitter's OAuth is known to be insecure in its implementation.
Depending on how GitHub's OAuth is implemented, that's the one I could see the strongest case being made for.
I think we all know there are many insecure things about most login systems, including our own. The question is what we get for the potential cost/risk. Obviously with Google and Facebook as options we don't stand to gain a lot in terms of technical contributions. With GitHub, the balance is probably tipped the other way. If we try it and, in the long run, it provides very little benefit, we could consider phasing it out.
Enabling all of them seems like it'll just make the login page cluttered with options used by about 1-2 people each but I could be wrong.
Yes, absolutely. The login page of Phabricator's own Phabricator instance is an example of providing too many choices. This slows people down when they have to evaluate all the options.
On Sat, May 17, 2014 at 2:26 PM, Steven Walling steven.walling@gmail.com wrote:
Obviously with Google and Facebook as options we don't stand to gain a lot in terms of technical contributions.
This isn't necessarily true. I know that I personally would prefer to be able to log in with my Google account, because it's what I use for everything.
-- Tyler Romeo, Stevens Institute of Technology, Class of 2016, Major in Computer Science
+1 to the idea of using a Google or GitHub account. It makes the path easy for new contributors. Earlier, I had a lot of trouble resetting the Gerrit password as there was no 'Forgot password' link on the sign-in page (I even reported that as a bug: Bug 58205, https://bugzilla.wikimedia.org/show_bug.cgi?id=58205).
Thanks, Tony Thomas http://tttwrites.in FOSS@Amrita http://foss.amrita.ac.in
"where there is a wifi, there is a way"
On Sun, May 18, 2014 at 11:06 AM, Tyler Romeo tylerromeo@gmail.com wrote:
On Sat, May 17, 2014 at 2:26 PM, Steven Walling steven.walling@gmail.com wrote:
Obviously with Google and Facebook as options we don't stand to gain a lot in terms of technical contributions.
This isn't necessarily true. I know that I personally would prefer to be able to log in with my Google account, because it's what I use for everything.
-- Tyler Romeo, Stevens Institute of Technology, Class of 2016, Major in Computer Science
On May 16, 2014 4:39 PM, "MZMcBride" z@mzmcbride.com wrote:
Greg Grossmeier wrote:
You can. You can "claim" other accounts in Phab.
What's Phab?
Short for Phabricator.
Greg
On Thu, May 15, 2014 at 2:20 PM, Quim Gil qgil@wikimedia.org wrote:
However, Phabricator can support authentication using 3rd party providers like GitHub, Google, etc. You can get an idea at https://secure.phabricator.com/auth/start/
I think since this is already built and would require no extra work, we should definitely support GitHub and Persona as well.
There are basically two types of users for our issue trackers and code review tools:
1) Users who are already Wikimedia community members or staff. These users will have Wikimedia and/or Labs accounts to authenticate with. This includes basically all Wikipedians etc. as well. Wikimedia OAuth support will make most of these people happy.
2) Users who are technical or design-oriented who may be willing to help, but who come from outside Wikimedia. Basically anyone who does FOSS development these days has a GitHub account, which is a big part of why we mirror to GitHub already. If we are serious about wanting to be friendly towards additional open source contributors, all of these users will be familiar with either GitHub or Persona. (Mozilla Persona is less well-known, but is extremely user friendly and will be beloved by the hard core FOSS person who doesn't like GitHub's centralized model.)
Other providers (like Google, Facebook, etc.) are not really going to get us a lot of extra traction among either Wikimedians or new technical contributors. Plus, having too many choices is a bad user experience.[1]
Steven
1. http://uxmyths.com/post/712569752/myth-more-choices-and-features-result-in-h...
Ideally you would be able to link your (say) github and WMF account. So that if I (as an outsider) start a bug report/patch/etc using my existing github account, and then eventually get a WMF account (so that I can do labs-related things?) I can manage my bugs/patches regardless of which account's cookies happen to be on my machine.
Then you might plausibly allow 3rd party accounts to open bugs, comment on them, etc, but require a WMF account in order to +2 patches, resolve bugs, or other higher-privilege operations. It should be as easy as possible to open and link a new WMF account when a new user starts wanting to contribute more. --scott
Is there some privacy question around it?
2014-05-15 20:42 GMT-03:00 C. Scott Ananian cananian@wikimedia.org:
Ideally you would be able to link your (say) github and WMF account. So that if I (as an outsider) start a bug report/patch/etc using my existing github account, and then eventually get a WMF account (so that I can do labs-related things?) I can manage my bugs/patches regardless of which account's cookies happen to be on my machine.
Then you might plausibly allow 3rd party accounts to open bugs, comment on them, etc, but require a WMF account in order to +2 patches, resolve bugs, or other higher-privilege operations. It should be as easy as possible to open and link a new WMF account when a new user starts wanting to contribute more. --scott
On May 16, 2014 1:42 AM, "C. Scott Ananian" cananian@wikimedia.org wrote:
Ideally you would be able to link your (say) github and WMF account. So that if I (as an outsider) start a bug report/patch/etc using my existing github account, and then eventually get a WMF account (so that I can do labs-related things?) I can manage my bugs/patches regardless of which account's cookies happen to be on my machine.
Would it plausibly be the right thing to do, keeping security and privacy in mind, to create and attach a SUL account right on the first login through an external identity provider like GitHub?
--Martijn
On Thu, May 15, 2014 at 4:42 PM, C. Scott Ananian cananian@wikimedia.org wrote:
Ideally you would be able to link your (say) github and WMF account. So that if I (as an outsider) start a bug report/patch/etc using my existing github account, and then eventually get a WMF account (so that I can do labs-related things?) I can manage my bugs/patches regardless of which account's cookies happen to be on my machine.
You can. You can "claim" other accounts in Phab.
Greg
On Thu, May 15, 2014 at 7:36 PM, Steven Walling steven.walling@gmail.com wrote:
On Thu, May 15, 2014 at 2:20 PM, Quim Gil qgil@wikimedia.org wrote:
However, Phabricator can support authentication using 3rd party providers like GitHub, Google, etc. You can get an idea at https://secure.phabricator.com/auth/start/
I think since this is already built and would require no extra work, we should definitely support GitHub and Persona as well.
Persona is dead. It's no longer being actively developed by Mozilla.
- Ryan