Core Platform Team/Initiative/Adding Multiple Identity Providers to PluggableAuth/Initiative Description

Background:

The PluggableAuth extension and associated authentication and authorization plugins are widely used in the third-party MediaWiki community to support authentication with enterprise and public identity providers. A design principle for PluggableAuth is that it must continue to be usable across the wide range of current use cases from Google authentication to Azure authentication to SAML authentication and more.

One feature that has been much requested recently is support on a single wiki for multiple identity providers. This is similar to visiting many modern websites and being offered the choice of authenticating with Google, Facebook, Twitter, etc. The OpenID Connect plugin currently supports this feature, but only for providers that speak that protocol. There has been a request from third-party Wikibase users as well as Hallo Welt to make this feature available for all PluggableAuth plugins. For example, see https://phabricator.wikimedia.org/T258726.

Requirements:
 * design new config to support multiple providers
 * add unit tests to PluggableAuth including dummy test providers
 * design a special page for selecting providers (either an enhancement to Special:UserLogin or a separate special page as is done for OpenIDConnect - this may require core changes, but perhaps those could be deferred to a separate, later project)
 * implement provider chooser
 * retrofit OpenIDConnect to use PluggableAuth provider chooser rather than its own
 * add support to SimpleSAMLphp (may delegate to Hallo Welt)
 * code review and acceptance testing by WMDE and Hallo Welt

Time Estimate:
 * 2 developers for 4 weeks

Note:

PluggableAuth login is intended for third-party MediaWiki and Wikibase wikis. It is NOT being suggested for use on Wikimedia projects. Among many other factors, there would be too much community opposition to Wikimedia accounts being linked to and known by non-Wikimedia identity providers. That being said, it is possible that some internal wikis may choose to use it. For example, it is currently used on https://wikifarm.wmflabs.org/cpt/index.php/Special:Userlogin to support authentication using Wikimedia GSuite credentials.