Extension:GoogleLogin/pt-br

MediaWiki extensions manual
GoogleLogin
Release status: beta
Implementation: User identity, Special page
Description: Allows users to log in with a Google account.
Author(s): Florian Schmidt (Florianschmidtwelzow talk)
Latest version: 0.4.0-git
MediaWiki: >= 1.39.0
Database changes: Yes
Tables: googlelogin_allowed_domains, user_google_user
License: MIT License
Download
README
Parameters:
  • $wgGLAPIKey
  • $wgGLAllowedDomainsStrict
  • $wgGLAppId
  • $wgGLAllowedDomainsDB
  • $wgGLAuthoritativeMode
  • $wgGLSecret
  • $wgGLEnableEchoEvents
  • $wgGLAllowedDomains
Added rights:
  • managegooglelogin
  • managegooglelogindomains
See the version lifecycle to check compatibility.
Quarterly downloads: 53 (Ranked 83rd)
To translate the GoogleLogin extension, check whether it is available at translatewiki.net
Issues: Open tasks · Report a bug

The GoogleLogin extension allows wiki users to log in with their Google accounts. The extension uses a Google API to request basic profile information from Google (such as the account ID, the full name and the Google e-mail address).

Requirements

To use this extension you need:

  • MediaWiki 1.36+
  • MySQL/MariaDB (PostgreSQL and SQLite are not supported.)
  • PHP 7.3+
  • Google Developer access
  • API credentials for web applications (Client ID and Client Secret)
  • Permission to run composer update --no-dev in your server's terminal (root access)

Installation

  • Download and place the file(s) in a directory called GoogleLogin in your extensions/ folder.
    Developers and code contributors should install the extension from Git instead, using:
    cd extensions/
    git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/GoogleLogin
  • If installing from git, run Composer to install the PHP dependencies by running composer install --no-dev in the extension directory. (See task T173141 for potential complications.)
  • Add the following code at the bottom of your LocalSettings.php file:
    wfLoadExtension( 'GoogleLogin' );

  • Run the update script, which will automatically create the database tables that this extension needs.
  • Configure the required parameters.
  • Make ./wiki/extensions/GoogleLogin/cache writable by the web server user.
  •   Done – Navigate to Special:Version on your wiki to verify that the extension was installed successfully.

Configuration

The extension provides two configuration variables for the client ID and the client secret (you can get these values from the Google Developer Console; remove the "<" and ">").

$wgGLSecret = '<your-client-secret>';
$wgGLAppId = '<your-client-id>';

Additional configuration parameters

Configuration variable | Default value | Description
$wgGLAllowedDomains[gerrit 1] | '' | An array of e-mail domains that are allowed to be used with GoogleLogin, e.g. [ 'example.com' ]; by default, all domains are allowed. Whenever this setting is set or changed, the maintenance script needs to be run.
$wgGLAllowedDomainsDB[gerrit 2] | false | If set to true, the extension checks whether the domain of the user's primary e-mail address is allowed to log in.
$wgGLAllowedDomainsStrict[gerrit 1] | false | Only evaluated if $wgGLAllowedDomains is an array. If set to true, the domain of the e-mail address is checked against the domains allowed to log in: test.example.com isn't allowed if $wgGLAllowedDomainsStrict is true and example.com is an allowed domain; test.example.com is allowed if $wgGLAllowedDomainsStrict is false and example.com is an allowed domain.
$wgGLAPIKey[gerrit 3] | '' | Key for public API access. Used only for admin actions, to check whether the user has a Google Plus profile.
$wgGLAuthoritativeMode[gerrit 4] | false | Controls the Authoritative mode of GoogleLogin.
$wgGLEnableEchoEvents | true |

Settings in Google Developer Console

To use this extension, you need a Google developer account and access to the developer console. This is a simple (very simple!) step-by-step guide:

  1. Read and accept the terms of service
  2. Create your first project
  3. Go to APIs and services
  4. Click + CREATE CREDENTIALS
  5. Select OAuth client ID
  6. Select Web application as APPLICATION TYPE; as Authorized JavaScript origins, type in your domain name (no wildcards or directories allowed!)
  7. Type in your Authorized redirect URI like this example:
     If your domain is example.com and you have installed MediaWiki in the root of your domain, the redirect URI is as follows: https://example.com/index.php/Special:GoogleLoginReturn
  8. Click create and copy the Client ID and Client Secret to the configuration variables in LocalSettings.php

Special page "Special:GoogleLoginReturn"

The special page name in the allowed redirect URI in the Google developer console must be in the wiki's content language. If your wiki is set to German as the content language, then use Spezial:GoogleLoginReturn. If you use the wrong language, all authentication requests will fail with the error code redirect uri mismatch.

Debugging

Normally, you can see the error message on all generic error pages. Sometimes there are internal errors, called exceptions. In this case, please set $wgShowExceptionDetails to true in LocalSettings.php to see the complete exception message. For a support request, please always provide the lines of the exception.

Use on a private wiki

If you have set your Wiki to private with

$wgGroupPermissions['*']['read'] = false;

you have to whitelist the "Special:GoogleLoginReturn" page, so that anonymous users can access the callback URL after being redirected from the authentication provider. You can do this by adding the following line to your LocalSettings.php:

$wgWhitelistRead = [ 'Special:GoogleLoginReturn' ];

The name of the special page must be in the wiki's content language. If your wiki was e.g. set to German as the content language, then use Spezial:Benutzerkonto_anlegen. In case you used the wrong language, all authentication requests will fail and redirect you to "Special:Login".

Administer allowed domains on-wiki

 

GoogleLogin provides a feature to restrict the login with Google to specific e-mail address domains (such as gmail.com, googlemail.com or any other (own) domain). This feature is especially interesting for companies that use their own domain names with Google Apps. The list of domains that are allowed to log in with Google is managed in an array in LocalSettings.php (the $wgGLAllowedDomains configuration option). Since version 0.4.0, GoogleLogin also provides a way to manage the list of allowed domains on the wiki itself. When this feature is enabled, the allowed domains are saved in the database and can be changed (removed/added) through a graphical user interface (a special page) or through the MediaWiki API.

Note: The list of allowed domains cannot be managed in LocalSettings.php anymore, once the administration of the domains in the database is enabled.

To enable management of the allowed domains in the database, set the $wgGLAllowedDomainsDB configuration variable to true in your LocalSettings.php. You will also want to assign the new managegooglelogindomains user right to a group you're a member of (please keep in mind that all users with this user right are allowed to change the list of allowed domains, so consider adding this right to an administrator-level group only!). An example configuration could look like:

$wgGLSecret = 'your-secret';
$wgGLAppId = 'your-app-id';
$wgGLAllowedDomainsDB = true;
$wgGroupPermissions['sysop']['managegooglelogindomains'] = true;

You now need to run the update.php script again, so that the necessary changes are applied to your database. After the update process is completed, you can navigate to the special page Special:GoogleLoginAllowedDomains on your wiki. There you can add new domains that are allowed to log in with their Google account, and remove them once they have been added.

Configuration parameter "$wgGLAPIKey"

This configuration option still exists, but it's now used for more than just the Special:ManageGoogleLogin special page. It's now also used to get the name of a user on Special:RemoveCredentials, to make it easier for the user to identify the correct Google account (instead of just showing the Google ID). If the key isn't correct or isn't supplied, GoogleLogin will show the Google ID only. For a good user experience, it's highly suggested to supply this API key now.

Authoritative mode

Automatic account creation

Google Login supports a so-called authoritative mode. When it is enabled, a user account is automatically created if the Google account that was used to log in is not already associated with a local MediaWiki account. This option is disabled by default and needs to be enabled with a configuration option. However, please read the following important information before doing so. This feature requires that the wiki's configuration strictly supports the following:

  • GoogleLogin needs to be the only primary authentication provider, e.g. set
$wgAuthManagerConfig = [
    'primaryauth' => [
        GoogleLogin\Auth\GooglePrimaryAuthenticationProvider::class => [
            'class' => GoogleLogin\Auth\GooglePrimaryAuthenticationProvider::class,
            'sort' => 0
        ]
    ],
    'preauth' => [],
    'secondaryauth' => []
];
$wgInvalidUsernameCharacters = ':~';
$wgUserrightsInterwikiDelimiter = '~';
  • Autocreation of accounts needs to be enabled:
$wgGroupPermissions['*']['autocreateaccount'] = true;
  • The GoogleLogin authoritative mode needs to be enabled:
$wgGLAuthoritativeMode = true;

Enabling this feature also has the following influence:

  • The username of the account is the primary email field of the returned information from Google. This is not configurable.
  • If a local wiki account is already connected, this account is used to login, which means that an already existing account takes precedence over creating a new one.
  • The newly created account will automatically be linked with the Google account.
  • GoogleLogin will not let a user add or remove any further Google account connections (or the automatically created link) to prevent a user from being not able to login anymore.
  • GoogleLogin does not add a password during the account creation. If the authoritative mode is disabled and password login shall be enabled again, the user needs to reset their password.

Manual account creation

Google Login also supports a variant of the so-called authoritative mode. When it is configured, a user account is still created manually by the respective user, but it is automatically mapped to the Google account that was used when creating the account, if that Google account is not already associated with a local MediaWiki account. Moreover, only permitted Google accounts can register an account manually.

  • Creation of accounts needs to be enabled (also for private wikis):
$wgGroupPermissions['*']['createaccount'] = true;
  • If on a private wiki the following pages need to be accessible by everybody, e.g. for English language wikis:
$wgWhitelistRead = [
    'Special:Login',
    'Special:GoogleLoginReturn',
    'Special:CreateAccount',
    'Special:CreateAccount/return'
];
Note that the special pages need to be added in the wiki language.
  • The primary authentication provider needs to be disabled, i.e. set
$wgAuthManagerAutoConfig['primaryauth'] = [ ];

Enabling manual account creation has the same influence as automatic account creation does (see above), however with the following differences:

  • The user who creates the account is free to choose its name, i.e. some sort of user name logic cannot be enforced.
  • If a local wiki account is already connected, an additional new account cannot be created manually, which means that an already existing account takes precedence over creating a new one.

Google API PHP Client

This extension uses the Google API PHP Client (included in versions before 0.2.1), distributed under the Apache 2.0 License. The client can be downloaded from GitHub.

Maintenance script "updatePublicSuffixArray.php"

The "updatePublicSuffixArray.php" maintenance script downloads a list of domain names that are valid for use worldwide. GoogleLogin requires this list in order to allow subdomains of a specific e-mail domain when you have restricted the login with GoogleLogin to specific domains. The script is only needed if $wgGLAllowedDomainsStrict is set to false (which is the default), and it has to be run every time the $wgGLAllowedDomains configuration parameter is changed.
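
An added illustration, not GoogleLogin's own code, of the strict and non-strict matching described for $wgGLAllowedDomainsStrict and of why non-strict matching needs a public suffix list: without one, a host cannot be reduced to its registrable domain, and plain suffix comparison would accept look-alike domains. The function names and the four-entry suffix sample are assumptions made for this example.

```php
<?php
// Illustrative model of the check described above; not GoogleLogin's own code.
// Constructed sample; the real public suffix list has thousands of entries.
const SAMPLE_SUFFIXES = [ 'com', 'org', 'uk', 'co.uk' ];

// Reduce a host to its registrable domain (public suffix plus one label).
// Returns null if the host is itself a public suffix or matches no suffix.
function registrableDomain( string $host, array $suffixes ): ?string {
    $labels = explode( '.', $host );
    // Longest candidate first, so 'co.uk' wins over 'uk'.
    for ( $i = 0; $i < count( $labels ); $i++ ) {
        if ( in_array( implode( '.', array_slice( $labels, $i ) ), $suffixes, true ) ) {
            return $i === 0 ? null : implode( '.', array_slice( $labels, $i - 1 ) );
        }
    }
    return null;
}

function isDomainAllowed( string $email, array $allowed, bool $strict ): bool {
    if ( $allowed === [] ) {
        return true; // no restriction configured: every domain may log in
    }
    $at = strrpos( $email, '@' );
    if ( $at === false ) {
        return false;
    }
    $domain = strtolower( substr( $email, $at + 1 ) );
    if ( $strict ) {
        // Strict: the complete e-mail domain must be listed itself.
        return in_array( $domain, $allowed, true );
    }
    // Non-strict: compare the registrable domain, so subdomains pass too.
    $base = registrableDomain( $domain, SAMPLE_SUFFIXES );
    return $base !== null && in_array( $base, $allowed, true );
}

// Constructed sample addresses, checked against [ 'example.com' ].
$samples = [
    'alice@example.com',          // the allowed domain itself
    'bob@test.example.com',       // subdomain of the allowed domain
    'carol@mail.example.co.uk',   // same label under a different public suffix
    'dave@notexample.com',        // look-alike that merely ends in the same text
    'erin@example.com.other.org'  // allowed name used as a label of another domain
];
foreach ( $samples as $email ) {
    printf( "%-28s strict=%-3s non-strict=%s\n", $email,
        isDomainAllowed( $email, [ 'example.com' ], true ) ? 'yes' : 'no',
        isDomainAllowed( $email, [ 'example.com' ], false ) ? 'yes' : 'no' );
}
```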

Version lifecycle

Please note that I support only the latest version of GoogleLogin. Any versions apart from the current release (which means the current MediaWiki release branch) and the current development version (aka master) are not supported anymore.

References

Gerrit Code review

See also

  • OpenID Connect - Allows for authentication and authorization, including logging in with Google.