Core Platform Team/Initiative/Adding Multiple Identity Providers to PluggableAuth/Initiative Description

From mediawiki.org

Summary

Support login from multiple identity providers in a single wiki

Significance and Motivation

Feature requested for third-party Wikibase installations and other third-party wikis

Outcomes
  • MediaWiki third party deployments, including Wikibase, can support authentication from multiple enterprise sources
  • Better support for different authentication models, and exercise of alternate code paths. This also benefits our own authentication approaches, such as CentralAuth.
  • Increases the Platform Engineering Team's familiarity with the authentication code that we are responsible for, and could be a good gateway task to CentralAuth work.
Baseline Metrics

PluggableAuth only supports a single authentication provider at a time, and most authentication providers only support a single identity provider.

Target Metrics

PluggableAuth supports multiple simultaneous authentication providers

Stakeholders
  • Wiki admins who need to support authentication from off-wiki identity providers (e.g. admins of third-party Wikibase instances)
  • Wiki users who wish to be able to log in using existing credentials from other identity providers
Known Dependencies/Blockers

None given

From https://www.mediawiki.org/wiki/Extension:PluggableAuth:

The PluggableAuth extension provides a framework for creating authentication and authorization extensions.

Authentication is the process of proving that a user is who they say they are. This may be done, for example, by providing a username and password or some token or biometric. PluggableAuth supports the following authentication extensions:

Authorization is the process of determining whether a particular authenticated user should have access to a particular resource - in this case a wiki. This may be done, for example, by checking a list of authorized email addresses or checking values of user attributes provided by an identity server. PluggableAuth supports the following authorization plugins:

Background:

The PluggableAuth extension and associated authentication and authorization plugins are widely used in the third-party MediaWiki community to support authentication with enterprise and public identity providers. A design principle for PluggableAuth is that it must continue to be usable across the wide range of current use cases from Google authentication to Azure authentication to SAML authentication and more.

One feature that has been much requested recently is support on a single wiki for multiple identity providers. This is similar to going to many modern web sites and being offered the choice of authenticating with Google, Facebook, Twitter, etc. The OpenID Connect plugin currently supports this feature, but only for providers that support that protocol. There has been a request from third-party Wikibase users as well as Hallo Welt to make this feature available for all PluggableAuth plugins. For example, see task T258726.

Requirements:

  • design new config to support multiple providers
  • add unit tests to PluggableAuth including dummy test providers
  • design special page for selecting providers (either an enhancement to Special:UserLogin or a separate special page as is done for OpenIDConnect - this may require core changes, but perhaps those could be deferred to a separate, later project)
  • implement provider chooser
  • retrofit OpenIDConnect to use PluggableAuth provider chooser rather than its own
  • add support to SimpleSAMLphp (may delegate to Hallo Welt)
  • code review and acceptance testing by WMDE and Hallo Welt
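The following is an added illustration, not code from PluggableAuth or any of its plugins, of the two pieces the quoted extension description and the requirements above touch on: an authorization decision made from attributes asserted by an identity provider (an email allowlist, an allowed domain, or required group membership), and a provider chooser that resolves the user's choice against a server-side list of configured providers. The configuration shape (`$providers`), the function names `selectProvider` and `isAuthorized`, the policy keys, and the sample attributes are all assumptions made for this example; they are not the configuration format the project designed.

```php
<?php
// Added illustration, not PluggableAuth code. The configuration shape, the
// policy keys and the function names are assumptions made for this example.

// Constructed sample configuration: one entry per identity provider, keyed by
// a short name that the chooser page can safely send back to the server.
$providers = [
    'corp-saml' => [
        'plugin' => 'SimpleSAMLphp',
        'label'  => 'Log in with corporate SSO',
        'authz'  => [
            'allowed_domains' => [ 'example.org' ],
            'required_groups' => [ 'wiki-editors' ],
        ],
    ],
    'google' => [
        'plugin' => 'OpenIDConnect',
        'label'  => 'Log in with Google',
        'authz'  => [
            'allowed_emails' => [ 'alice@example.com' ],
        ],
    ],
];

/**
 * Resolve the provider the user picked on the chooser page.
 * The chosen name is untrusted request input, so it is only ever used as a
 * key into the server-side configuration, never as a plugin or class name.
 */
function selectProvider( array $providers, string $chosen ): ?array {
    if ( !array_key_exists( $chosen, $providers ) ) {
        return null; // unknown provider: show the chooser again
    }
    return $providers[$chosen];
}

/**
 * Authorization decision from attributes the identity provider asserted.
 * Every configured rule must pass; an empty policy denies by default.
 */
function isAuthorized( array $attributes, array $policy ): bool {
    if ( $policy === [] ) {
        return false;
    }
    $email = strtolower( trim( $attributes['email'] ?? '' ) );

    if ( isset( $policy['allowed_emails'] ) ) {
        $allowed = array_map( 'strtolower', $policy['allowed_emails'] );
        if ( !in_array( $email, $allowed, true ) ) {
            return false;
        }
    }
    if ( isset( $policy['allowed_domains'] ) ) {
        $at = strrpos( $email, '@' );
        $domain = $at === false ? '' : substr( $email, $at + 1 );
        if ( !in_array( $domain, $policy['allowed_domains'], true ) ) {
            return false;
        }
    }
    if ( isset( $policy['required_groups'] ) ) {
        $groups = (array)( $attributes['groups'] ?? [] );
        foreach ( $policy['required_groups'] as $required ) {
            if ( !in_array( $required, $groups, true ) ) {
                return false;
            }
        }
    }
    return true;
}

// Constructed walk-through: a SAML login asserting these attributes.
$provider = selectProvider( $providers, 'corp-saml' );
$attributes = [ 'email' => 'Bob@Example.org', 'groups' => [ 'wiki-editors', 'staff' ] ];
var_dump( $provider !== null && isAuthorized( $attributes, $provider['authz'] ) );

// A provider name that is not configured is rejected before any plugin runs.
var_dump( selectProvider( $providers, 'not-configured' ) );
```

Two design points carry over to whatever configuration format the project settles on: the value submitted from the chooser should only ever select among configured entries, so that a crafted request cannot name an arbitrary plugin; and the authorization policy should be attached per provider, since an email domain or group claim that is meaningful from the corporate SAML provider says nothing about an account from a public provider.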

Time Estimate:

  • 2 developers for 4 weeks

Note:

PluggableAuth login is intended for third-party MediaWiki and Wikibase wikis. It is NOT being suggested for use on Wikimedia projects. Among many other factors, there would be too much community opposition to Wikimedia accounts being linked to and known by non-Wikimedia identity providers. That being said, it is possible that some internal wikis may choose to use it. For example, it is currently used on https://wikifarm.wmflabs.org/cpt/index.php/Special:Userlogin to support authentication using Wikimedia GSuite credentials.