MediaWiki Platform Team/SUL3

From mediawiki.org

The current version of Single User Login (SUL2) provides central authentication that ensures users have a single identity across all Wikimedia projects, including the ability to log in on one wiki and be automatically logged in across all wikis.

With SUL2, login and account creation happen on an individual wiki's domain, and the central session is established by a series of redirects that require no user interaction. SUL3 will move login and account creation to a central domain, so that the user directly interacts with the domain that sets the central session cookies.

This keeps the flow compatible with browser anti-tracking features, which increasingly block cookies set by domains the user has not directly interacted with. It also allows us to improve account security by confining authentication to a single domain, which can be locked down more tightly than individual wikis, reducing the exposure of the login and signup forms to XSS vulnerabilities on content wikis.

SUL3 is designed to fully replicate the existing authentication experience, including all per-wiki customisation.

Approach

Why we need to change

When a user visits a wiki, the browser sends a request to login.wikimedia.org to check for an existing central session. Because the user never interacts with login.wikimedia.org directly, browsers that try to prevent cross-site tracking increasingly block the cookies this request relies on.

To stop browsers from blocking these cookies, we need the user to interact with the central domain directly. This requires moving the login and signup forms from individual wikis to the central domain. Because login.wikimedia.org currently hosts Login Wiki, which will continue to exist to support existing workflows, it is difficult to reuse that domain for SUL3.

What will change

When a user clicks Create account or Log in, they will be redirected to a new central authentication domain. The page displayed will have a URL on the central domain but will render as if the user were still on the original wiki. Once logged in, the user will be redirected back to the original wiki, and autologin to other wikis will work as it does today.

URLs on the central authentication domain will be of the form:

https://auth.wikimedia.org/{wikiid}/wiki/{page}

For example:

https://auth.wikimedia.org/enwiki/wiki/Special:Userlogin
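The URL scheme above determines how a wiki hands a user off to the central domain and how the central domain sends them back afterwards. As an added example (not code from the SUL3 project or from MediaWiki itself), the Python below builds and parses URLs of that form and validates the post-login return target against an allow-list, which is the check a redirect-based login flow needs so that it cannot be turned into an open redirect. The wiki-ID-to-hostname mapping, the helper names and the path regex are assumptions constructed for this example.

```python
import re
from urllib.parse import quote, urlsplit

CENTRAL_AUTH_HOST = "auth.wikimedia.org"

# Constructed for this example: an allow-list mapping wiki IDs to the hostname
# the user may be sent back to after login. In a real deployment this comes from
# site configuration, never from anything in the request.
WIKI_HOSTS = {
    "enwiki": "en.wikipedia.org",
    "dewiki": "de.wikipedia.org",
    "testwiki": "test.wikipedia.org",
}

# Path shape from the page: /{wikiid}/wiki/{page}
_CENTRAL_PATH_RE = re.compile(r"^/([a-z0-9_]+)/wiki/(.+)$")


def central_auth_url(wiki_id, page="Special:UserLogin"):
    """Build https://auth.wikimedia.org/{wikiid}/wiki/{page} for a known wiki ID."""
    if wiki_id not in WIKI_HOSTS:
        raise ValueError("unknown wiki id: %r" % wiki_id)
    return "https://%s/%s/wiki/%s" % (CENTRAL_AUTH_HOST, wiki_id, quote(page, safe=":/"))


def parse_central_auth_url(url):
    """Return (wiki_id, page) for a well-formed central auth URL, else None.

    Rejects non-https URLs, other hosts and wiki IDs outside the allow-list, so a
    crafted link cannot make the central domain act on behalf of an unknown wiki.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc != CENTRAL_AUTH_HOST:
        return None
    match = _CENTRAL_PATH_RE.match(parts.path)
    if match is None or match.group(1) not in WIKI_HOSTS:
        return None
    return match.group(1), match.group(2)


def return_url(wiki_id, page="Main_Page"):
    """URL to send the user back to after login. The host is looked up from the
    allow-list by wiki ID; it is never taken from a request parameter."""
    host = WIKI_HOSTS.get(wiki_id)
    if host is None:
        raise ValueError("unknown wiki id: %r" % wiki_id)
    return "https://%s/wiki/%s" % (host, quote(page, safe=":/"))


def is_safe_return_target(url):
    """Open-redirect guard: only https URLs whose authority is exactly an
    allow-listed wiki host pass.

    The full netloc is compared rather than urlsplit().hostname so that
    https://en.wikipedia.org@evil.example/ or an unexpected port is rejected.
    """
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.netloc in WIKI_HOSTS.values()


if __name__ == "__main__":
    login = central_auth_url("enwiki")
    print(login)
    print(parse_central_auth_url(login))
    print(return_url("enwiki"))
    for candidate in ("https://en.wikipedia.org/wiki/Foo",
                      "https://en.wikipedia.org@evil.example/",
                      "//evil.example/"):
        print(candidate, is_safe_return_target(candidate))
```

The point of `return_url` is that the wiki to return to is identified by the `{wikiid}` path segment and resolved through configuration; if the return target were instead carried as a free-form URL parameter, `is_safe_return_target` is the minimum check before redirecting to it.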

Considerations

In determining the best approach to SUL3, we wanted to:

  • Minimise UX changes: Minimise the non-essential changes that users experience, by preserving current flexibility and customisation of the wikis.
  • Maintain account security: Reduce the risk of unknown vulnerabilities by limiting changes to security-critical code and moving all interactions to a single domain.
  • Improve platform sustainability: Limit the number of authentication mechanisms to minimise technical debt and improve the long-term sustainability of the platform.

Impact

Group | Impact
Temporary accounts | SUL3 is fully compatible with temporary accounts, and we will actively work to resolve any issues identified during testing and rollout.
Registered users | Registered users should see no material difference in experience; the only visible change is the new URLs. Because saved credentials are tied to a site's domain, users of a password manager may need to update their saved entry for the new central authentication domain.
Stewards | CheckUser workflows, including cross-wiki CheckUser on loginwiki, will continue to work as they do today.
API users | SUL3 will not be enabled by default for the clientlogin API call; we may offer a flag for testing and migrating to the new flow.

Deployment

We intend to deploy SUL3 gradually, so that any problems can be identified before they affect a large number of users. We will also closely monitor authentication metrics, including new account creation and login rates, to ensure that this change has not had a negative impact.

We aim to have SUL3 deployed on all test wikis by the end of Q2 (Dec 2024) and will perform a phased rollout to opt in all users in Q3 (Jan–Mar 2025).

Considerations
  • Most features roll out on a per-wiki basis, but as authentication is inherently cross-wiki, we want to avoid giving the same user different experiences on different wikis.
  • This means that the rollout must be a per-user rollout rather than a per-wiki rollout and feature configuration is therefore per-user, not per-wiki.
  • Once a user is opted-in through one wiki, they will experience the new SUL3 experience when logging in on all wikis.

Phased rollout

The plan for phased rollout is as follows:

Phase 0: Account creation and login on test wikis (13 Jan 2025)
Deploy SUL3 to all wikis but only enable it for account creation and login on test wikis.

Phase 1: Account creation and login on Group0 wikis (03 Feb 2025)
Enable SUL3 for all new account creation on Group0 wikis and opt in all users who log in to a Group0 wiki.

Phase 3: Staged* rollout for all new account creation (17 Feb 2025)
Progressively enable SUL3 for new account creation on all wikis and opt in users who create a new account.

Phase 4: Staged* rollout for all existing users (03 Mar 2025)
Progressively enable SUL3 for all existing users, across all user groups, who log in to any wiki.

Phase 5: Staged* rollout for all temporary accounts (17 Mar 2025)
Progressively enable SUL3 central login for temporary accounts, when created on any wiki.

*Staged rollout percentages: 0.1%, 1%, 10%, 50%, 100%
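The per-user, percentage-based rollout described above needs a bucketing rule that gives the same user the same answer on every wiki and never drops a user out of the rollout when the percentage is raised from one stage to the next. As an added example (not the project's own implementation), the Python below hashes a central user ID into a fixed bucket, compares the bucket against the stage percentages listed, and keeps an already opted-in user on SUL3 regardless of the current percentage. The salt, the bucket count, the use of a central user ID as the key, and the sample IDs are assumptions constructed for this example.

```python
import hashlib

# Staged rollout percentages from the plan above.
ROLLOUT_STAGES = (0.1, 1, 10, 50, 100)

# Size of the bucket space: 100000 buckets lets 0.1% map to exactly 100 buckets.
BUCKETS = 100000

# Constructed for this example: a fixed salt so that bucket assignment is stable
# across all wikis but cannot be derived from the user ID alone.
BUCKET_SALT = b"sul3-rollout-example-salt"


def user_bucket(central_user_id):
    """Map a central (global) user ID to a stable bucket in [0, BUCKETS)."""
    digest = hashlib.sha256(BUCKET_SALT + str(central_user_id).encode()).digest()
    return int.from_bytes(digest[:8], "big") % BUCKETS


def in_rollout(central_user_id, percent):
    """True if the user's bucket lies within the first `percent` of the bucket space.

    The threshold only grows as the percentage is raised, so a user who is in at
    0.1% stays in at 1%, 10%, 50% and 100%.
    """
    if not 0 <= percent <= 100:
        raise ValueError("percent must be between 0 and 100")
    threshold = int(round(percent * BUCKETS / 100))
    return user_bucket(central_user_id) < threshold


def sul3_enabled(central_user_id, percent, opted_in):
    """Per-user decision. A user who has already been opted in (through any
    wiki) stays on SUL3 even if the current percentage would exclude them."""
    return opted_in or in_rollout(central_user_id, percent)


def rollout_is_monotonic(user_ids, stages=ROLLOUT_STAGES):
    """Check that no user drops out of the rollout as the stage percentage rises."""
    for uid in user_ids:
        seen = False
        for percent in stages:
            now = in_rollout(uid, percent)
            if seen and not now:
                return False
            seen = now
    return True


def rollout_fraction(user_ids, percent):
    """Fraction of the given users who are in the rollout at `percent`."""
    user_ids = list(user_ids)
    included = sum(1 for uid in user_ids if in_rollout(uid, percent))
    return included / len(user_ids)


if __name__ == "__main__":
    sample = range(1, 5001)  # constructed sample of central user IDs
    for percent in ROLLOUT_STAGES:
        print("%5.1f%% -> %.4f" % (percent, rollout_fraction(sample, percent)))
```

Keying the bucket on a central identifier rather than a per-wiki one is what makes the decision identical on every wiki; the persisted opt-in flag is what makes it sticky once the user has gone through the new flow anywhere.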
