Release status: experimental
|Description||Allow MediaWiki authentication with WordPress credentials|
|Author(s)||Johan Hattne (hattnetalk)|
|Latest version||0.0.0 (2020-12-30)|
|Compatibility policy||Master maintains backward compatibility.|
AuthWP is a MediaWiki extension that allows authentication with WordPress credentials. It is a rewrite of by Ciaran Gultnieks and is intended to provide essentially the same functionality using AuthenticationProvider, introduced in MediaWiki 1.27.
Users are matched between MediaWiki and WordPress by their username. The ID of a given user may, however, differ between the two systems. User management is largely delegated to WordPress, because it imposes more stringent requirements than MediaWiki. For instance, AuthWP maps MediaWiki's real name to WordPress's display name, but whereas MediaWiki's real name can be set to an arbitrary string, WordPress's display name is confined to combinations of the user's first and last names. Hence, AuthWP does not allow users to set their real name, but requires them to change their display names in WordPress instead. Similarly, a user's email address must be set from WordPress. Because WordPress allows authentication using email addresses, they are required to be unique and any changes should be properly validated.
Unlike WPMW, AuthWP does not synchronize user attributes from WordPress to MediaWiki on every request. This feature is probably better implemented in a WordPress plugin or theme.
Not only must MediaWiki be running on the same host as an existing WordPress setup, it must also be installed inside the WordPress directory. For instance, MediaWiki could be located in a mediawiki directory next to WordPress's wp-load.php file. If this is not the case, MediaWiki will apparently not see the WordPress cookies, which are used for authentication; see for hints on how to deal with that situation.
- Download and place the file(s) in a directory called
- Add the following code at the bottom of your LocalSettings.php:
wfLoadExtension( 'AuthWP' );
- Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.
The path to the WordPress installation relative to the MediaWiki installation is configured using the extension's $wgAuthWPPath configuration variable. This value defaults to .., which is appropriate if the MediaWiki root resides in a directory next to WordPress's wp-load.php file. The only other configuration option is $wgAuthWPPriority, which defines the priority of AuthWP's session provider. The default value is 100, which means that AuthWP runs at the highest priority and therefore has the ability to invalidate the session for downstream session providers when the user logs out from WordPress.
AuthWP can auto-create authenticated WordPress users in MediaWiki when they first access the wiki, provided LocalSettings.php contains something to the effect of
$wgGroupPermissions['*']['autocreateaccount'] = true;
The new MediaWiki user's email address and real name are taken from WordPress. Note that this can only work if the WordPress username is also a valid MediaWiki username and this is currently not checked!
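Because that check is missing, it is worth auditing the WordPress logins before enabling auto-creation. The script below is an added example, not part of AuthWP or MediaWiki: it flags logins MediaWiki would refuse and logins that would resolve to the same wiki account. The function names, the sample logins, and the simplified rule set (MediaWiki defaults are assumed) are all constructed for illustration.

```php
<?php
// Added example, not AuthWP code: a simplified approximation of MediaWiki's
// default username rules. MediaWiki's own validation remains authoritative.

/** Return the wiki-side form of a WordPress login, or null if MediaWiki would reject it. */
function wikiNameFor( string $wpLogin ): ?string {
    // MediaWiki treats underscores as spaces and collapses runs of whitespace.
    $name = trim( preg_replace( '/[_\s]+/', ' ', $wpLogin ) );
    if ( $name === '' || strlen( $name ) > 255 ) {
        return null;
    }
    // Characters illegal in titles, plus '/', and '@' ':' (refused for new accounts by default).
    if ( strpbrk( $name, '#<>[]|{}/@:' ) !== false ) {
        return null;
    }
    // A name that parses as an IP address is reserved for anonymous users.
    if ( filter_var( $name, FILTER_VALIDATE_IP ) !== false ) {
        return null;
    }
    // The first letter is upper-cased (default $wgCapitalLinks = true).
    return mb_strtoupper( mb_substr( $name, 0, 1 ) ) . mb_substr( $name, 1 );
}

/** Split WordPress logins into rejected names and groups sharing one wiki name. */
function auditLogins( array $wpLogins ): array {
    $byWikiName = [];
    $rejected = [];
    foreach ( $wpLogins as $login ) {
        $wikiName = wikiNameFor( $login );
        if ( $wikiName === null ) {
            $rejected[] = $login;
        } else {
            $byWikiName[$wikiName][] = $login;
        }
    }
    // More than one WordPress login behind a wiki name means a shared wiki account.
    $collisions = array_filter( $byWikiName, fn ( $logins ) => count( $logins ) > 1 );
    return [ 'rejected' => $rejected, 'collisions' => $collisions ];
}

// Constructed sample logins, e.g. exported with `wp user list --field=user_login`.
$sample = [ 'alice', 'john_doe', 'john doe', 'jane@example.org', '192.0.2.7', 'bob/admin' ];
print_r( auditLogins( $sample ) );
```

On the sample input, the last three logins are rejected, and john_doe and john doe are reported as colliding on the wiki name "John doe".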
In order to create accounts de novo from MediaWiki, LocalSettings.php will need to contain
$wgGroupPermissions['*']['createaccount'] = true;
$wgGroupPermissions['*']['read'] = true;
WordPress defaults will be used for all attributes other than display name, username, and password; for instance, the new WordPress user's role may be set to Subscriber. In particular, note that because MediaWiki does not require an email address on registration, it may be left empty in the new WordPress account, and this can .
- A valid WordPress session should grant access to MediaWiki. Conversely, a valid MediaWiki session should grant access to WordPress.
- Logging out of WordPress should log the user out of MediaWiki and vice versa.
- Passwords can be changed in either MediaWiki or WordPress, but MediaWiki will not store any passwords for users with WordPress accounts: if a password is changed from MediaWiki, it will be updated in WordPress.
- Accounts cannot be removed or locked in WordPress.