Opened 16 years ago

Last modified 11 years ago

#1 new enhancement

MediaWiki certificate-based login

Reported by: andersk
Owned by:
Priority: normal
Milestone:
Component: autoinstallers
Keywords:
Cc:

Description (last modified by broder)

(Imported from help.mit.edu #393622.)

MediaWiki installs should support certificate authentication by default, with fallback to regular authentication.

Change History (14)

comment:1 Changed 16 years ago by broder

  • Description modified (diff)

Please contact hurwitz if this is ever done.

comment:2 Changed 16 years ago by price

FTR, there's an extension here that does something like what we want:

http://www.mediawiki.org/wiki/Extension:SSL_authentication

But it doesn't support also having password-based accounts.

The infrastructure it uses for tying into Mediawiki's authentication system is this:

http://www.mediawiki.org/wiki/AuthPlugin

whose API is documented here:

http://svn.wikimedia.org/doc/classAuthPlugin.html

So the task is to start from that extension, read the AuthPlugin docs, and figure out how to adapt it to do what we want.

comment:3 Changed 16 years ago by broder

Yeah... that plugin is a piece of crap. It doesn't work with any moderately version of MediaWiki. I have done significant hacking in the past to make it work, although I don't remember what I did and don't fancy figuring it out again.

comment:4 Changed 16 years ago by geofft

That plugin has now been updated fairly recently.

Also, Prof. Chuang in [help.mit.edu #687224] gave us a plugin.

comment:5 Changed 15 years ago by geofft

[help.mit.edu #747227] also wants to be notified, I guess. As would scripts-announce.

I'm vaguely working on this in my free time.

comment:6 Changed 14 years ago by adehnert

  • Owner set to adehnert

There's now a wiki with certificate auth running at https://scripts-demo.scripts.mit.edu/mediawiki/index.php?title=Main_Page (the DB gets wiped every day at 6:06AM, FYI). I'm using a pretty heavily modified version of http://www.mediawiki.org/wiki/Extension:AutomaticREMOTE_USER.

If people want to poke at that and let me know if it has issues, that'd be neat.

I'll probably do a bit more work on making the plugin less heavily modified, and then at some point I should probably talk with Edward about how to integrate this with the Wizard autoinstaller.

comment:7 follow-up: Changed 14 years ago by adehnert

Test plan:

  • Going to https://scripts-demo.scripts.mit.edu:444/mediawiki/index.php?title=Main_Page should log you in if you already have an account
  • "Create account" (on :44{3,4}) should let you create an account with your preferred username, password, email address, and real name
  • On port 444, it should auto-fill username and email address
  • Changing your password, email address, real name, and random preferences should work
  • If the email address of an account is <username>@mit.edu, you should be able to log into it without giving a password (and maybe if you give the wrong password, though we don't care about that) if you have certs for <username>
  • You should be able to use a password to log in (on :44{3,4})
  • If an account has an email address that *isn't* <username>@mit.edu, you shouldn't be able to log in to it, regardless of username
  • No assertions are being made about behavior if the email address isn't all lowercase
  • Using the email address in your cert should confirm it
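The login rules in this test plan (certificate login only when the account's email is exactly &lt;username&gt;@mit.edu, password as the fallback, form pre-fill and email confirmation from the cert) can be written down as a small policy model. The following is an added illustration, not code from the ticket's modified AutomaticREMOTE_USER extension and not using any MediaWiki API; the account store, the password hashing and the `mit.edu` constant are constructed for the example, and the reading that a non-matching cert falls through to the password check (rather than blocking it) follows the ticket description's "fallback to regular authentication".

```python
"""Policy model of the certificate-or-password login described in the test plan.

Added example: not the ticket's extension and not MediaWiki code.  Names and
the storage format are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional
import hashlib
import hmac
import os

CERT_DOMAIN = "mit.edu"  # assumption: the domain in the plan's <username>@mit.edu rule


@dataclass
class Account:
    username: str
    email: str
    realname: str
    salt: bytes
    password_hash: bytes
    email_confirmed: bool = False


class LoginResult(Enum):
    CERT = "cert"          # admitted on the strength of the certificate alone
    PASSWORD = "password"  # fell back to the regular password check
    DENIED = "denied"


def cert_email(cert_user: str) -> str:
    """Email address implied by a certificate issued to <cert_user>."""
    return f"{cert_user}@{CERT_DOMAIN}"


def hash_password(password: str, salt: bytes) -> bytes:
    """Constructed password store: salted PBKDF2, nothing MediaWiki-specific."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def prefill(cert_user: Optional[str]) -> dict:
    """On the certificate port the create-account form is pre-filled from the cert."""
    if cert_user is None:
        return {}
    return {"username": cert_user, "email": cert_email(cert_user)}


def create_account(username: str, password: str, email: str, realname: str,
                   cert_user: Optional[str] = None) -> Account:
    salt = os.urandom(16)
    acct = Account(username, email, realname, salt, hash_password(password, salt))
    # Using the address from the cert at creation time confirms it.
    acct.email_confirmed = cert_user is not None and email == cert_email(cert_user)
    return acct


def change_email(acct: Account, new_email: str) -> None:
    """Observed behaviour in the plan: changing to the cert's address does not confirm it."""
    acct.email = new_email
    acct.email_confirmed = False


def login(acct: Account, cert_user: Optional[str] = None,
          password: Optional[str] = None) -> LoginResult:
    # Certificate rule: the account's email must be exactly <cert_user>@mit.edu.
    # The plan makes no claim about non-lowercase addresses, so the comparison is
    # exact.  The username typed into the form plays no part in this decision, and
    # a wrong password alongside a matching cert is ignored.
    if cert_user is not None and acct.email == cert_email(cert_user):
        return LoginResult.CERT
    # Fallback to regular authentication, with or without a cert present.
    if password is not None and hmac.compare_digest(
        hash_password(password, acct.salt), acct.password_hash
    ):
        return LoginResult.PASSWORD
    return LoginResult.DENIED
```

The one security-relevant branch is the first `if` in `login`: the cert only ever maps to the account whose email is its own `<user>@mit.edu` address, so a user with certs for `bob` cannot enter an account registered to `alice@mit.edu`, whatever username they type.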

comment:8 in reply to: ↑ 7 Changed 14 years ago by adehnert

Replying to adehnert:

Test plan:

Verified.

  • "Create account" (on :44{3,4}) should let you create an account with your preferred username, password, email address, and real name

Verified (I think).

  • On port 444, it should auto-fill username and email address

Verified.

  • Changing your password, email address, real name, and random preferences should work

Verified.

  • If the email address of an account is <username>@mit.edu, you should be able to log into it without giving a password (and maybe if you give the wrong password, though we don't care about that) if you have certs for <username>

Verified.

  • You should be able to use a password to log in (on :44{3,4})

Verified.

  • If an account has an email address that *isn't* <username>@mit.edu, you shouldn't be able to log in to it, regardless of username

Verified.

  • No assertions are being made about behavior if the email address isn't all lowercase

No verification required.

  • Using the email address in your cert should confirm it

Verified. (Well, for initial create. I've also verified that changing your email address to the one in your cert doesn't confirm it, but I don't care.)

comment:9 Changed 14 years ago by andersk

It sounds like Alex thinks the code is ready to be merged, so the next step is to turn it into a reviewable branch on top of git://scripts.mit.edu/autoinstalls/mediawiki.git master.

comment:10 Changed 14 years ago by andersk

My comment on the current implementation (having not looked at the code) is that changing the URL to https and port 444 is not a discoverable interface; there should be some way of automatically redirecting you. This could probably be done in .htaccess.

comment:11 Changed 12 years ago by ezyang

What happened to adehnert's prototype, w.r.t. the current Scripts FAQ entry? http://scripts.mit.edu/faq/129/how-do-i-authenticate-users-with-certificates

comment:12 Changed 12 years ago by adehnert

  • Owner adehnert deleted

In my Copious Free Time[*], I will resume work on this ticket (if not sooner, or later). Consequently, I'm unclaiming this ticket.

I kinda encourage the next person to, rather than working off my modified extension, go write one from scratch. It'll have clearer licensing, and plausibly be less buggy and complicated, and my version can't feasibly be synced from upstream.

[*] Expected delivery time: no earlier than six months from now. Reasonably likely not in the next forty-odd years.

comment:13 Changed 12 years ago by vasilvv

I cannot find the reassignment buttons right now, but I am now working on this ticket.
