CentralAuth relies on a central session (a MediaWiki session on a predefined domain, like login.wikimedia.org) for looking up the user's identity on any given wiki. This requires a handshake: the browser, the server when accessed via the central session domain, and the server when accessed via the local wiki domain need to exchange information with each other in a way that allows the server to verify that the user talking to it through the login domain and the user talking to it through the local domain are the same.
Today, there are two such handshake mechanisms used:
- Central login: after the user successfully logs in on the local wiki, prove that to the central wiki and establish a session there.
- Central autologin: retrieve the user's central session from the central wiki and log them in there.
T348388: Use central login wiki for login (SUL3) will change the login process - credential verification will happen on the central domain, not the local domain, so instead of communicating the fact of a successful login from the local domain to the central domain, we will need to do it in the opposite direction. We need to come up with an exact algorithm for this. This is the most security-sensitive part of CentralAuth and will require careful auditing.