
Add WebAuthn support to Mobile apps
Open, Low, Public

Description

Following on from the breakage in T228588: 2FA logon doesn’t work on the iOS app and T227925: Unable to log in to Android app with two-factor authentication (2FA), I'm wanting to give a heads up about the incoming WebAuthn changes in T100373: WebAuthn (U2F) integration for Extension:OATHAuth and to be deployed to WMF wikis (T227242: Deploy WebAuthn to Wikimedia Wikis) sometime after the PHP7 migration (T176370: Migrate to PHP 7 in WMF production).

No major rush, but it'd be nice to be ahead of the curve and have the support implemented (and released?) before it goes live on Wikimedia.

Filing one bug for the two apps for ease of tracking.

Event Timeline

Charlotte added a project: Technical-Debt.
Charlotte set the point value for this task to 5.
Charlotte subscribed.

@Reedy mentioned that we should consider the issues flagged up in T248339 when we work on this in future.

Charlotte lowered the priority of this task from Medium to Low. Aug 4 2020, 4:40 PM

Bumping this ticket that was discovered in iOS grooming. Judging by our closed spike, we needed to make the login form more dynamic to respond to the values returned in the "fields" key from the login call:

Call:
POST https://en.wikipedia.org/w/api.php (action=query&amirequestsfor=login&format=json&meta=authmanagerinfo)

Response

{
  "batchcomplete": "",
  "query": {
    "authmanagerinfo": {
      "canauthenticatenow": "",
      "cancreateaccounts": "",
      "preservedusername": "",
      "requests": [
        {
          "id": "MediaWiki\\Auth\\PasswordAuthenticationRequest",
          "metadata": {},
          "required": "primary-required",
          "provider": "Password-based authentication",
          "account": "",
          "fields": {
            "username": {
              "type": "string",
              "label": "Username",
              "help": "Username for authentication."
            },
            "password": {
              "type": "password",
              "label": "Password",
              "help": "Password for authentication.",
              "sensitive": ""
            }
          }
        },
        {
          "id": "MediaWiki\\Auth\\RememberMeAuthenticationRequest",
          "metadata": {},
          "required": "optional",
          "provider": "MediaWiki\\Auth\\RememberMeAuthenticationRequest",
          "account": "MediaWiki\\Auth\\RememberMeAuthenticationRequest",
          "fields": {
            "rememberMe": {
              "type": "checkbox",
              "label": "Keep me logged in (for up to 365 days)",
              "help": "Whether the password should be remembered for longer than the length of the session.",
              "optional": ""
            }
          }
        }
      ]
    }
  }
}

We would like to implement OAuth in the near future (here's the associated spike) - given that and the low priority on this one, is this task still worth doing? Does it only involve making those fields dynamic or am I missing something else?
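Added example, not part of the comment above and not code from either app: a sketch of driving the login form from the "fields" key of the authmanagerinfo response, so that a request the client cannot render is reported instead of producing a form the user can never complete. The widget names, the function name and the third request in the sample are assumptions made for illustration.

```python
# Field types seen in the response on this page, mapped to hypothetical
# client widget names; any other type is treated as unsupported.
WIDGETS = {"string": "text", "password": "secure_text", "checkbox": "toggle"}

def build_login_form(response):
    """Return (widgets, unsupported) for an authmanagerinfo response."""
    info = response["query"]["authmanagerinfo"]
    widgets, unsupported = [], []
    for req in info.get("requests", []):
        req_optional = req.get("required") == "optional"
        rendered = []
        for name, spec in req.get("fields", {}).items():
            widget = WIDGETS.get(spec.get("type"))
            if widget is None:
                rendered = None  # one unknown field makes the whole request unusable
                break
            rendered.append({
                "name": name,
                "widget": widget,
                "label": spec.get("label", name),
                # Flags are keys with empty-string values: test presence,
                # because a truthiness check would read "" as False.
                "sensitive": "sensitive" in spec,
                "optional": req_optional or "optional" in spec,
            })
        if rendered is None:
            # A non-optional request the client cannot render blocks login.
            unsupported.append({"id": req.get("id"), "blocking": not req_optional})
        else:
            widgets.extend(rendered)
    return widgets, unsupported

# Constructed sample: two requests trimmed from the response above, plus a
# made-up request whose field type this client has no widget for.
SAMPLE = {"query": {"authmanagerinfo": {"requests": [
    {"id": "MediaWiki\\Auth\\PasswordAuthenticationRequest",
     "required": "primary-required",
     "fields": {"username": {"type": "string", "label": "Username"},
                "password": {"type": "password", "label": "Password", "sensitive": ""}}},
    {"id": "MediaWiki\\Auth\\RememberMeAuthenticationRequest",
     "required": "optional",
     "fields": {"rememberMe": {"type": "checkbox", "label": "Keep me logged in", "optional": ""}}},
    {"id": "Example\\HypotheticalSecondFactorRequest",
     "required": "required",
     "fields": {"challenge": {"type": "hypothetical-type", "label": "Security key"}}},
]}}}

if __name__ == "__main__":
    form, blocked = build_login_form(SAMPLE)
    print(form, blocked)
```

When any entry in the second return value has "blocking" set, the client knows before showing the form that login cannot finish in-app and can tell the user so.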

Reedy renamed this task from Add Webauthn support to Mobile apps to Add WebAuthn support to Mobile apps. Jan 27 2021, 11:39 PM
Reedy updated the task description.
Reedy removed a subscriber: Charlotte.

With the more widespread adoption of FIDO2 passwordless authentication (aka passkeys) across the web, especially on Android and iOS, shouldn't there be a renewed impetus to implement this now? I was quite taken aback that I was locked out of my account on the iOS app after turning on WebAuthn via Wikipedia on my desktop browser. There was no warning on the website that the Mobile Apps don't support this 2FA method yet.

@Netsnipe There have been blockers in the past on this (T248339, T354701, T348388), so we have not considered this up to this point. We need to do a fresh investigation on what this change would take for the apps team. We have reopened our original investigation spike task (T231242), but note that this support is not on our roadmap. Thank you for flagging and bringing this to our attention.