On May 16, 2014 5:20 PM, "Chad" <innocentkiller(a)gmail.com> wrote:
On Fri, May 16, 2014 at 4:38 PM, MZMcBride <z(a)mzmcbride.com> wrote:
Chris Steipp wrote:
Accounts are kinda namespaced, so github user foo and sul user foo can
both have phabricator accounts.
Since we're using OAuth though, that requires a global wiki account so
local only accounts would not be able to join. So we probably need
password or LDAP auth at minimum.
I suppose you could rely only on global (in the CentralAuth extension
sense) accounts, but it really would make sense for Wikimedia to get its
own house in order first: we should finish fully unifying login across
Wikimedia wikis before delving into concurrent authentication systems.
Yes, let's please. But that's another thread.
I'm less concerned about non-unified accounts than I am about the other
(much more obvious) problem of "how do we use Phabricator if the cluster
is down." Ryan suggested Labs LDAP and I agree, it's a very sane fallback.
It's very unlikely for the cluster *and* LDAP to be down at the same time,
and if they are it's probably network-related and we'll be screwed on using
Phabricator anyway.
> I think this mailing list thread suffers from an analysis of what the
> potential negative consequences of allowing third-party login are. The
> positive to users (one less username and password to remember) is clearer
> to see. What are the drawbacks of doing this?
I'd like to see the pros and
The positive side of "I can use one less login" is nice, don't get me wrong.
I'm mostly worried about security issues in 3rd party implementations of
OAuth that we can't control. I asked Chris S. about this earlier today and I
hope he'll expand on this some more--especially concerning to me was the
concrete example he gave with Facebook's own OAuth. Also he mentioned that
Twitter's OAuth is known to be insecure in its implementation.
I don't want to start a rumor that using Twitter's OAuth for authentication
is insecure, but OAuth 1 (which Phabricator is using for the login) isn't
made for authentication... Insert broken record track of me talking about
this ;)
More authentication systems means a bigger attack surface we have to
secure. If you look at the vulnerabilities fixed in Phabricator via their
bounty program [1], 3 are login with OAuth bugs. This makes me nervous (but
kudos to them for running the program and fixing these).
Although it wasn't possible in any of these reported bugs yet, the big risk
is that an attack will allow adding a login account to an existing
Phabricator account via CSRF, allowing the attacker to add their 3rd party
account to my Phabricator account and then they can log in as me using their
Facebook, etc. account. This famously happened to Stack Exchange via the
Facebook login last year.
So I'll do an audit on the methods we decide to go with, but I'd like to
keep that number fairly small. Turning them on isn't totally "free".
[1] https://hackerone.com/phabricator
Depending on how GitHub's OAuth is implemented that's the one I could see
the strongest case being made for.
Enabling all of them seems like it'll just make the login page cluttered with
options used by about 1-2 people each but I could be wrong.
-Chad
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
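
The CSRF account-linking risk raised in the thread above, as an added sketch that is not Phabricator's code and not from any participant: a link callback that trusts the session cookie alone, beside one that requires a one-time token minted by the same session (the role the `state` parameter plays in OAuth 2). All names, the `example-idp` provider and the sample identities are constructed for illustration.

```python
import hmac
import secrets

# Constructed model: local account -> set of linked (provider, external_id) pairs.
LINKS = {"victim": set()}

def begin_link(session):
    """Start of a link flow: mint a one-time token, keep it in the server-side session."""
    session["link_state"] = secrets.token_urlsafe(32)
    return session["link_state"]  # sent to the provider and echoed back on the callback

def callback_unchecked(session, params):
    """Before: accepts any callback that arrives with the user's session."""
    # external_id stands for the identity the provider returned for this callback.
    LINKS[session["user"]].add((params["provider"], params["external_id"]))
    return True

def callback_checked(session, params):
    """After: the callback must echo the token this session minted; single use."""
    expected = session.pop("link_state", None)
    supplied = params.get("state")
    if not expected or not supplied:
        return False  # this session never started a link flow
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False  # token from another session, or a guess
    LINKS[session["user"]].add((params["provider"], params["external_id"]))
    return True

def demo():
    # Constructed cross-site callback: a third party's identity, no token.
    forged = {"provider": "example-idp", "external_id": "attacker-123"}
    out = {"unchecked_links_forged": callback_unchecked({"user": "victim"}, forged)}
    LINKS["victim"].clear()
    out["checked_rejects_forged"] = not callback_checked({"user": "victim"}, forged)
    # Legitimate flow: the same session begins the link and receives the callback.
    session = {"user": "victim"}
    legit = {"provider": "example-idp", "external_id": "victim-456",
             "state": begin_link(session)}
    out["checked_accepts_legit"] = callback_checked(session, legit)
    out["replay_rejected"] = not callback_checked(session, legit)
    out["links"] = set(LINKS["victim"])
    return out

if __name__ == "__main__":
    print(demo())
```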