Page MenuHomeMiraheze

Extension request: WebAuthn
Closed, ResolvedPublic


WebAuthn is a way to authenticate on the Web based on asymmetric cryptography. At a high level, it's intended to be used with hardware authenticators on the client, which hold the private key for an account and authenticate the client in their own way before proceeding with the log-in process.

Extension:WebAuthn, an extension used by Wikimedia, implements this in MediaWiki as an optional 2FA option, alongside the currently-used TOTP.

Event Timeline

OrangeStar triaged this task as Normal priority.Apr 5 2023, 18:53
OrangeStar created this task.
MacFan4000 subscribed.

As this extension is used on WMF wikis it is exempt from security review.

@MacFan4000 It hasn't necessarily been approved yet, it remains to be decided whether or not it will be implemented as it relates to 2FA.

Well if it's up to a vote this gets a +1000 from me.

If this is approved I'm happy to install today or tomorrow.

I personally don't see any issue that would prevent us from implementing this if it is wanted.

It seems to supplement OATHAuth so there shouldn't be any issue there though perhaps for now we can restrict it to Meta only to test it out if desired as it's in a beta status.

BrandonWM moved this task from Long Term to Short Term on the BrandonWM board.

Will proceed with install then.

PR (MW):
PR (Conf.):

@Reception123 Does this need an + to ManageWikiExtensions or will it be enabled globally?

I don't see why an authentication method would be on a wiki-to-wiki basis

That's what I was assuming, I just wasn't positive on how local vs global extensions are configured.

Ah, so that's an addition to GlobalExtensions.php

@OrangeStar If you're able to push PRs in MediaWiki and mw-config repos today, this should be done.

It's taking time to merge it because I don't have a FIDO2 key yet (will get mine SoonTM, sometime next week), and in my experience the soft tokens that Firefox offers for development barely work, so it's not like I could test it if installed. As I'll have my key next week, I expect to install the extension next week too.

I have a Yubikey now, so I'll proceed with installing the extension and testing it, fingers crossed.

Seems like it didn't work, the extension's i18n messages aren't loading, and there's an error in the API when registering keys.

[c919f48a05d94a77cef39b6d] Caught exception of type Error

@Reception123 ^ what does the stack trace say?

Class 'Webauthn\PublicKeyCredentialRpEntity' not found
from /srv/mediawiki/w/extensions/WebAuthn/src/Authenticator.php(424)
#0 /srv/mediawiki/w/extensions/WebAuthn/src/Authenticator.php(261): MediaWiki\Extension\WebAuthn\Authenticator->getRegisterInfo()
#1 /srv/mediawiki/w/extensions/WebAuthn/src/Api/WebAuthn.php(223): MediaWiki\Extension\WebAuthn\Authenticator->startRegistration()
#2 [internal function]: MediaWiki\Extension\WebAuthn\Api\WebAuthn->getRegisterInfo(array)
#3 /srv/mediawiki/w/extensions/WebAuthn/src/Api/WebAuthn.php(52): call_user_func_array(array, array)
#4 /srv/mediawiki/w/includes/api/ApiMain.php(1900): MediaWiki\Extension\WebAuthn\Api\WebAuthn->execute()
#5 /srv/mediawiki/w/includes/api/ApiMain.php(875): ApiMain->executeAction()
#6 /srv/mediawiki/w/includes/api/ApiMain.php(846): ApiMain->executeActionWithErrorHandling()
#7 /srv/mediawiki/w/api.php(90): ApiMain->execute()
#8 /srv/mediawiki/w/api.php(45): wfApiMain()
#9 {main}

Maybe we need to run composer? The extension does say to do that.

i18n issues fixed by redeploying, however API errors when registering keys remain ([8bc0bcb740f6e78563458099] Caught exception of type Error). Maybe Puppet didn't run yet, though apparently it runs every 30 minutes. That class is from the web-auth/webauthn-lib composer package (, should be fixed once Puppet runs I guess. I'll try re-registering my key later on see if anything changes, and if not I think we could try manually running Puppet on mw*.

That above error no longer happens, however when I attempt to add a key, I get internal_api_error_Error. There is nothing helpful in the logs.

We're sure this extension is compatible with Miraheze right?

We're sure this extension is compatible with Miraheze right?

It is, we just have to get Composer running for this extension which I'm not having much luck at doing.

That above error no longer happens, however when I attempt to add a key, I get internal_api_error_Error. There is nothing helpful in the logs.

Unfortunately it is the same error. You can get a stack trace via watching network requests on the developer tools after giving the key a nickname. I just tried right now and got [93a3e5b384e48f0e98b3c6d2] Caught exception of type Error.

This comment was removed by OrangeStar.

Maybe Composer doesn't run automatically, because it is only run at deploy time and expects that extensions be added to Composer at the same time as installation? I think if we redeploy world Composer will run. Maybe the solution here is the classic turn it off/turn it on.

Extension installed and working!