Page MenuHomePhabricator
Create Task
Maniphest T121113

Create a migration path for legacy bots in an AuthManager world
Closed, ResolvedPublic
Actions

Description

AuthManager is generally going to complicate non-interactive authentication. We need to provide a method for legacy bots to be able to work without needing to prompt the operator for second-factors or the like.

Options include:

  1. OAuth owner-only consumers (T87395). Disadvantage is that it requires every bot to be updated to use OAuth rather than action=login. It also requires the OAuth extension to be installed.
  2. "Bot passwords" (not terribly different from Google's application passwords) via action=login. Disadvantage is that it's yet-another thing.
  3. Somehow do T110276 in a way that action=login is backwards-compatible as long as stuff like 2-factor isn't enabled. Disadvantage is that it's impossible to guarantee the "as long as" conditions won't be changed in the future.

Current thinking is that we'll do both #1 (recommended) and #2 (easy for end users to implement).

Details

SubjectRepoBranchLines +/-
Add "bot passwords"mediawiki/coremaster+1 K -17
Revert "Add owner-only consumers"mediawiki/extensions/OAuthmaster+50 -205
Add owner-only consumersmediawiki/extensions/OAuthmaster+205 -50
Customize query in gerrit

Related Objects
Search...

Event Timeline

Anomie created this task.Dec 10 2015, 4:28 PM
Anomie claimed this task.
Anomie raised the priority of this task from to Medium.
Anomie updated the task description. (Show Details)
Anomie added projects: Reading-Infrastructure-Team-Old (Don't use), MediaWiki-Action-API, MediaWiki-Core-AuthManager.
Anomie added subscribers: bd808, Aklapper, Tgr, Anomie.
gerritbot subscribed.Dec 10 2015, 4:29 PM

Change 255488 had a related patch set uploaded (by Anomie):
Add owner-only consumers

https://gerrit.wikimedia.org/r/255488

gerritbot added a project: Patch-For-Review.Dec 10 2015, 4:29 PM
Anomie moved this task from Backlog to AuthManager Next on the MediaWiki-Core-AuthManager board.Dec 10 2015, 4:30 PM
Anomie moved this task from Unsorted to In Dev on the MediaWiki-Action-API board.
Anomie moved this task from Backlog to In Dev/Progress on the Reading-Infrastructure-Team-Old (Don't use) board.
Legoktm updated the task description. (Show Details)Dec 10 2015, 10:26 PM
Legoktm set Security to None.
gerritbot added a comment.Dec 12 2015, 10:44 PM

Change 255488 merged by jenkins-bot:
Add owner-only consumers

https://gerrit.wikimedia.org/r/255488

Krenair subscribed.Dec 12 2015, 10:47 PM
ReleaseTaggerBot added a project: MW-1.27-release (WMF-deploy-2015-12-15_(1.27.0-wmf.9)).Dec 12 2015, 11:00 PM
jayvdb subscribed.Dec 14 2015, 12:53 AM
Anomie removed a project: Patch-For-Review.Dec 14 2015, 4:53 PM
gerritbot added a comment.Dec 14 2015, 7:32 PM

Change 259052 had a related patch set uploaded (by Gergő Tisza):
Revert "Add owner-only consumers"

https://gerrit.wikimedia.org/r/259052

gerritbot added a project: Patch-For-Review.Dec 14 2015, 7:32 PM

Change 259052 merged by jenkins-bot:
Revert "Add owner-only consumers"

https://gerrit.wikimedia.org/r/259052

gerritbot added a comment.Dec 14 2015, 8:01 PM

Change 259066 had a related patch set uploaded (by Anomie):
Add "bot passwords"

https://gerrit.wikimedia.org/r/259066

Legoktm subscribed.Dec 15 2015, 6:12 PM

Can we call it what pretty much everyone else calls it, "application passwords"? Instead of "bot passwords" which sound specific to bots, when it's really not.

Anomie added a subscriber: csteipp.Dec 15 2015, 7:51 PM

When I pitched this to @csteipp before putting a lot of work into writing code for it, he was concerned that calling it "application passwords" would make people think it was ok to use this instead of OAuth for tools. Since the entire point of this is to avoid breaking existing bot code when AuthManager finally happens (otherwise we'd just tell everyone to switch to OAuth and be done with it), we decided that calling it "bot passwords" would set the right expectations.

That's also why the header for Special:BotPasswords takes pains to point out that no one should ever ask you to generate one and tell it to them, and why Gerrit change 259067 exists.

Tgr added a comment.Dec 15 2015, 9:53 PM

Also worth noting that when Google introduced OAuth and tried to dissuade users from giving out their normal password, there already was a huge ecosystem of non-OAuth-enabled apps (including some of Google's own apps). In MediaWiki, on the other hand, automated login is pretty much only used by bots and the mobile apps (their developers need to be looped into this conversation BTW).

Anomie added a comment.Dec 15 2015, 10:21 PM

Mobile apps aren't bots, so this task doesn't apply to them. T110276: Rewrite the login API to use AuthManager does.

Once the API changes for AuthManager are finalized, we'll make the big announcement on wikitech-l about how authentication is going to change for everyone and what their options are. I suspect mobile apps will probably want to change over to action=clientlogin (or whatever I wind up naming it) rather than making users create an account on the desktop, set up a bot password, and then put the bot password into the app for login. OTOH, they might go for OAuth instead.

Legoktm added a comment.Dec 23 2015, 11:31 PM
In T121113#1881930, @Anomie wrote:

When I pitched this to @csteipp before putting a lot of work into writing code for it, he was concerned that calling it "application passwords" would make people think it was ok to use this instead of OAuth for tools. Since the entire point of this is to avoid breaking existing bot code when AuthManager finally happens (otherwise we'd just tell everyone to switch to OAuth and be done with it), we decided that calling it "bot passwords" would set the right expectations.

Does anyone else call it "bot passwords"? I think it's just needlessly confusing, given that "bot" is already an overused term. Also OAuth works for Wikimedia sites, but is an extra extension that most people won't have installed (it also requires mysql/memcached, etc.).

That's also why the header for Special:BotPasswords takes pains to point out that no one should ever ask you to generate one and tell it to them, and why Gerrit change 259067 exists.

Except presumably the bot framework that doesn't support OAuth is going to say, "hey! Go to Special:BotPasswords, generate one and type it in here".

Anomie moved this task from In Dev/Progress to Needs Review/Feedback on the Reading-Infrastructure-Team-Old (Don't use) board.Dec 28 2015, 11:14 PM
Anomie moved this task from In Dev to Needs Review on the MediaWiki-Action-API board.Jan 4 2016, 7:01 PM
gerritbot added a comment.Jan 12 2016, 11:07 PM

Change 259066 merged by jenkins-bot:
Add "bot passwords"

https://gerrit.wikimedia.org/r/259066

Tgr added a project: User-notice.Jan 12 2016, 11:32 PM
ReleaseTaggerBot added projects: MW-1.27-release (WMF-deploy-2016-01-19_(1.27.0-wmf.11)), MW-1.27-release-notes.Jan 13 2016, 12:00 AM
Johan moved this task from To Triage to Announce in next Tech/News on the User-notice board.Jan 14 2016, 9:24 AM
Johan moved this task from Announce in next Tech/News to In current Tech/News draft on the User-notice board.Jan 14 2016, 5:49 PM
Johan moved this task from In current Tech/News draft to Recently announced in Tech/News on the User-notice board.Jan 18 2016, 6:37 PM
Dereckson awarded a token.Jan 20 2016, 4:12 AM
Dereckson subscribed.

The UI for bot passwords is clean and nice to use.

Anomie closed this task as Resolved.Jan 20 2016, 4:30 PM

Created, deployed, and announced → resolved.

Capt_Swing subscribed.Jan 26 2016, 8:34 PM

What happened to Special:BotPasswords? The page is gone on Enwiki, and the login method appears to no longer work.

bd808 added a comment.Jan 26 2016, 8:50 PM
In T121113#1967142, @Capt_Swing wrote:

What happened to Special:BotPasswords? The page is gone on Enwiki, and the login method appears to no longer work.

Special:BotPasswords is part of the 1.27.0-wmf.11 release which was removed from the wikis at 2016-01-23T01:33Z due to issues with account logout processes. We have been working since then to correct these issues and 1.27.0-wmf.11 will be rolling back to the wikis with this week's deployment train (group0/testing on 2016-01-26, group1/non-wikipedia on 2016-01-27, all on 2016-01-28).

Capt_Swing added a comment.Jan 26 2016, 9:04 PM

thanks bd808!

Johan moved this task from Recently announced in Tech/News to Already announced/Archive on the User-notice board.Jan 28 2016, 9:45 AM
bd808 added a comment.Feb 2 2016, 7:45 PM

Special:BotPasswords will not be in 1.27.0-wmf.12 but is currently scheduled to return in 1.27.0-wmf.13.

Aklapper removed subscribers: Capt_Swing, Anomie.Oct 16 2020, 5:42 PM
Ladsgroup edited projects, added User-notice-archive; removed MW-1.27-release (WMF-deploy-2016-01-19_(1.27.0-wmf.11)), User-notice.Aug 13 2022, 1:54 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits