MediaWiki extensions manual
GoogleLogin
Release status: beta
Implementation: User identity, Special page
Description: Provides a way to log in with your Google account.
Author: Florian Schmidt (Florianschmidtwelzow)
Latest version: 0.4.0-git
MediaWiki: 1.31+
PHP: 5.6+
Database changes
License: MIT License
For a compatibility overview, see the version lifecycle.

The GoogleLogin extension allows wiki users to log in with their Google account. The extension uses the Google API to request basic profile information from Google (such as the account ID, the full name and the e-mail address).

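Requirements

To use this extension you need at least:

  • MediaWiki 1.31+
  • MySQL (no PostgreSQL or SQLite support at the moment!)
  • PHP 5.6+
  • Google developer access
  • API credentials for a web application (Client ID and Client Secret)
  • The ability to run composer update --no-dev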

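Installation

  • Download the files and place them in a directory called GoogleLogin in your extensions/ folder.
  • Only when installing from git: run Composer to install the PHP dependencies by issuing composer install --no-dev in the extension directory. (See T173141 for potential problems.)
  • Add the following code at the bottom of your LocalSettings.php:
    wfLoadExtension( 'GoogleLogin' );
    
  • Run the update script, which will automatically create the database tables that this extension needs.
  • Configure the required parameters.
  • Make sure that ./wiki/extensions/GoogleLogin/cache is writable by the web server's user.
  • Done – Navigate to Special:Version on your wiki to verify that the extension has been installed successfully.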

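To users running MediaWiki 1.24 or earlier:

The instructions above describe the new way of installing this extension, using wfLoadExtension(). If you need to install this extension on an earlier version (MediaWiki 1.24 and earlier), then instead of wfLoadExtension( 'GoogleLogin' ); you need to use: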

require_once "$IP/extensions/GoogleLogin/GoogleLogin.php";

Configuration

The extension provides two configuration variables to set the Client ID and Client Secret. You get this pair in the Google Developer Console; remove the "<" and ">" when you fill in the values.

$wgGLSecret = '<your-client-secret>';
$wgGLAppId = '<your-client-id>';

Other configuration parameters

Each entry lists the configuration variable, its default value and a description.

  • $wgGLAllowedDomains[gerrit 1] (default: ''): An array of e-mail domains that are allowed to log in with GoogleLogin, e.g. array( 'example.com' );. Default: all domains are allowed. If set, you need to run the updatePublicSuffixArray.php maintenance script.
  • $wgGLAllowedDomainsDB[gerrit 2] (default: false): If set to true, GoogleLogin uses the database to check whether the e-mail domain of the primary e-mail address of a Google account is allowed to log in.
  • $wgGLAllowedDomainsStrict[gerrit 1] (default: false): Only observed if $wgGLAllowedDomains is an array. If set to true, the e-mail domain is checked completely against the allowed domains (instead of only the TLD), e.g.:
      • test.example.com isn't allowed if $wgGLAllowedDomainsStrict is true and example.com is an allowed domain.
      • test.example.com is allowed if $wgGLAllowedDomainsStrict is false and example.com is an allowed domain.
  • $wgGLAPIKey[gerrit 3] (default: ''): Key for public API access. Used only for admin actions to check whether the user has a Google Plus profile or not.
  • $wgGLAuthoritativeMode[gerrit 4] (default: 'false'): Controls the authoritative mode of GoogleLogin.

Settings in the Google developer console

To use this extension you need a Google developer account and access to the developer console. This is a simple (a very simple!) step-by-step guide (use Step 1 of the official step-by-step example with these settings):

  1. Open the Google developer console
  2. Read and accept the terms of service
  3. Create your first project
  4. Go to APIS & AUTH
  5. Go to Credentials
  6. In the OAuth section, click Create new Client ID
  7. Select Web application as APPLICATION TYPE; as Authorized JavaScript origins, type in your domain name (no wildcards and directories allowed!)
  8. Type in your Authorized redirect URI like this example:
    If your domain is example.com and you have installed MediaWiki in the root of your domain, the redirect URI is as follows: http://example.com/index.php/Special:GoogleLoginReturn
  9. Click create and copy the Client ID and Client Secret to the configuration variables in LocalSettings.php

"Special:GoogleLoginReturn" or (in German, for example) "Spezial:GoogleLoginReturn"

The allowed redirect URI in the Google developer console must be in the wiki's content language. So, if your wiki has German as the content language, use Spezial:GoogleLoginReturn. If you use the wrong language, all authentication requests will fail with the error code redirect uri mismatch.

Debugging

Normally, you can see the error message on all generic error pages. Sometimes there are internal errors, called exceptions. In this case, please add $wgShowExceptionDetails with the value true to LocalSettings.php to see the complete exception message. For a support request, please always provide the lines of the exception.

Use on a private wiki

If you have set your Wiki to private with

$wgGroupPermissions['*']['read'] = false;

you have to whitelist the "Special:GoogleLoginReturn" page, so that anonymous users can access the callback URL after being redirected from the authentication provider. You can do this by adding the following line to your LocalSettings.php:

$wgWhitelistRead = array( 'Special:GoogleLoginReturn' );

Administer allowed domains on-wiki

 
The user interface to manage the list of allowed domains.

GoogleLogin provides a feature to restrict the login with Google to specific e-mail address domains (such as gmail.com, googlemail.com or any other (own) domain). This feature is especially interesting for companies that use their own domain names with Google Apps. The list of domains that are allowed to log in with Google is managed in an array in LocalSettings.php (the $wgGLAllowedDomains configuration option). Since version 0.4.0, GoogleLogin also provides a way to manage the list of allowed domains on the wiki itself. When this feature is enabled, the allowed domains are saved in the database and can be changed (removed/added) through a graphical user interface (a special page) or through the MediaWiki API.

Note: Once management of the domains in the database is enabled, the list of allowed domains can no longer be managed in LocalSettings.php.

To enable management of the allowed domains in the database, set the $wgGLAllowedDomainsDB configuration variable to true in your LocalSettings.php. You also want to assign the new managegooglelogindomains user right to a group you're a member of (please keep in mind that all users with this user right are allowed to change the list of allowed domains, so consider adding this right to an administrator-level group only!). An example configuration could look like:

$wgGLSecret = 'your-secret';
$wgGLAppId = 'your-app-id';
$wgGLAllowedDomainsDB = true;
$wgGroupPermissions['sysop']['managegooglelogindomains'] = true;

You now need to run the update.php script again, so that the necessary changes are applied to your database. After the update process is completed, you can navigate to the special page Special:GoogleLoginAllowedDomains on your wiki. You'll get a page where you can add new domains that are allowed to log in with their Google account, and where you can remove them once they have been added.

$wgGLAPIKey

This configuration option still exists, but it's now used for more than just the Special:ManageGoogleLogin special page. It's now also used to get the name of a user on Special:RemoveCredentials, to make it easier for the user to identify the correct Google account (instead of just showing the Google ID). If the key isn't correct or isn't supplied, GoogleLogin will show the Google ID only. For a good user experience, it's highly suggested to supply this API key now.

Authoritative mode

GoogleLogin supports a so-called authoritative mode. When it is enabled, a user account is automatically created when the Google account that was used to log in is not already associated with a local MediaWiki account. This option is disabled by default and needs to be enabled with a configuration option. However, please read the following important information before doing so. This feature requires that the wiki's configuration strictly supports the following:

  • GoogleLogin needs to be the only primary authentication provider
  • The @ sign needs to be whitelisted in the $wgInvalidUsernameCharacters configuration
  • Autocreation of accounts needs to be enabled:

$wgGroupPermissions['*']['autocreateaccount'] = true;

  • The GoogleLogin authoritative mode needs to be enabled

Enabling this feature also has the following influence:

  • The username of the account is the primary e-mail field of the returned information from Google. This is not configurable.
  • If a local wiki account is already connected, this account is used to login, which means that an already existing account takes precedence over creating a new one.
  • The newly created account will automatically be linked with the Google account.
  • GoogleLogin will not let a user add or remove any further Google account connections (or the automatically created link), to prevent a user from no longer being able to log in.
  • GoogleLogin does not add a password during account creation. If the authoritative mode is disabled and password login is to be enabled again, the user needs to reset their password.
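
The four requirements above, written out as one LocalSettings.php fragment. This is an added example, not taken from the extension's documentation; because all domains are allowed by default and this mode creates accounts automatically, it also restricts login to one domain. Assumptions: the core password providers are removed through MediaWiki's $wgAuthManagerAutoConfig, the stock value of $wgInvalidUsernameCharacters is '@:', and 'example.com' is a placeholder domain.

```php
<?php
// LocalSettings.php fragment (added example, not the extension's own text).
wfLoadExtension( 'GoogleLogin' );
$wgGLAppId = '<your-client-id>';
$wgGLSecret = '<your-client-secret>';

// Restrict login to one e-mail domain; 'example.com' is a constructed placeholder.
$wgGLAllowedDomains = array( 'example.com' );
$wgGLAllowedDomainsStrict = true; // exact match only, subdomains are refused

// Requirement 1: GoogleLogin is the only primary authentication provider.
// Assumption: the core password providers are registered in
// $wgAuthManagerAutoConfig['primaryauth'], keyed by their class name.
unset( $wgAuthManagerAutoConfig['primaryauth'][\MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider::class] );
unset( $wgAuthManagerAutoConfig['primaryauth'][\MediaWiki\Auth\TemporaryPasswordPrimaryAuthenticationProvider::class] );

// Requirement 2: allow "@" in usernames, since the username is the e-mail address.
// Assumption: the stock value is '@:', so only ':' stays forbidden here.
$wgInvalidUsernameCharacters = ':';

// Requirement 3: allow automatic account creation.
$wgGroupPermissions['*']['autocreateaccount'] = true;

// Requirement 4: enable the authoritative mode itself.
$wgGLAuthoritativeMode = true;
```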

Google API PHP Client

This Extension uses the Google API PHP Client (included in versions before 0.2.1), distributed under the Apache 2.0 License. The Client can be downloaded from GitHub.

updatePublicSuffixArray.php

The updatePublicSuffixArray.php maintenance script downloads a list of domain names which are valid to be used in the world. GoogleLogin needs this list in order to allow subdomains of a specific e-mail domain when you've restricted the login with GoogleLogin to specific domains. The script is only needed if $wgGLAllowedDomainsStrict is set to false (which is the default).
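
The difference between strict and non-strict matching described for $wgGLAllowedDomainsStrict, and why the non-strict case needs a suffix list, shown as an added example that is not GoogleLogin's own code. The function names, the four-entry suffix list and the e-mail addresses are constructed for illustration.

```php
<?php
// Added illustration, not GoogleLogin's own code.

// Reduce a host to its registrable domain: the longest public suffix plus one label.
function registrableDomain( $host, array $publicSuffixes ) {
	$labels = explode( '.', $host );
	// Walk from the longest candidate suffix to the shortest so "co.uk" wins over "uk".
	for ( $i = 1; $i < count( $labels ); $i++ ) {
		$suffix = implode( '.', array_slice( $labels, $i ) );
		if ( in_array( $suffix, $publicSuffixes, true ) ) {
			return $labels[$i - 1] . '.' . $suffix;
		}
	}
	return $host; // no known suffix: fall back to the full host
}

function isEmailDomainAllowed( $email, array $allowed, $strict, array $publicSuffixes ) {
	$at = strrpos( $email, '@' );
	if ( $at === false || $at === strlen( $email ) - 1 ) {
		return false; // no domain part at all
	}
	$host = strtolower( substr( $email, $at + 1 ) );
	// Strict: compare the whole domain. Non-strict: compare only the registrable domain.
	$candidate = $strict ? $host : registrableDomain( $host, $publicSuffixes );
	return in_array( $candidate, array_map( 'strtolower', $allowed ), true );
}

// Constructed sample data.
$publicSuffixes = array( 'com', 'net', 'uk', 'co.uk' );
$allowed = array( 'example.com', 'example.co.uk' );
$emails = array(
	'alice@example.com',
	'bob@test.example.com',
	'carol@notexample.com',
	'dave@example.com.other.net',
	'erin@mail.example.co.uk',
);
foreach ( array( true, false ) as $strict ) {
	foreach ( $emails as $email ) {
		$ok = isEmailDomainAllowed( $email, $allowed, $strict, $publicSuffixes );
		printf( "%-10s %-28s %s\n", $strict ? 'strict' : 'non-strict', $email, $ok ? 'allowed' : 'denied' );
	}
}
```

In strict mode only alice is accepted; in non-strict mode bob and erin are accepted as well, while the look-alike domains used by carol and dave stay denied because the comparison is made on whole labels and not on a plain string suffix.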

Version lifecycle

Please note that I support only the latest version of GoogleLogin. Any versions apart from the current release (which means the current MediaWiki release branch) and the current development version (aka master) are not supported anymore.

References