Extension:Magic Link Authentication

This extension requires the PluggableAuth extension to be installed first.
MediaWiki extensions manual
Magic Link Authentication
Release status: experimental
Implementation: User identity
Description: Extends the PluggableAuth extension to provide authentication using a magic link
Author(s): Cindy Cicalese (cindy.cicalese)
Compatibility policy: For every MediaWiki release that is a Long Term Support release there is a corresponding branch in the extension.
Database changes: Yes
Tables: magic_link_auth
License: MIT License
Parameters:
  • $wgMagicLinkAuthentication_SigningKey
  • $wgMagicLinkAuthentication_EncryptionKey
  • $wgMagicLinkAuthentication_TokenLifetime
  • $wgMagicLinkAuthentication_EmailSender

The Magic Link Authentication extension provides authentication using a magic link (a form of passwordless authentication) in conjunction with Extension:PluggableAuth. The user enters their email address at Special:UserLogin, and they are emailed a magic link containing a JWT. When they click on the link, they are redirected back to the wiki and, if the JWT is validated, logged in. The JWT has a configurable expiration period and can only be used once.
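The checks a magic-link token goes through on redemption (signature, then expiry, then single use), as an added example that is not the extension's own code. Assumptions: HS256 signing, the claim names sub/exp/jti, and an in-memory set standing in for server-side storage; payload encryption and the same-browser requirement are left out.

```python
import base64, hashlib, hmac, json, secrets, time

TOKEN_LIFETIME = 300  # seconds; the documented default token lifetime


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(email: str, key: bytes, now: float) -> str:
    """Build an HS256 JWT for the link (claim names are assumptions)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": email, "exp": int(now) + TOKEN_LIFETIME,
              "jti": secrets.token_urlsafe(16)}  # jti = one-time identifier
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def redeem(token: str, key: bytes, used: set, now: float) -> str:
    """Return the email if the token is authentic, unexpired and unused."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        # Check the signature in constant time before trusting any field.
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise ValueError("bad signature")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            raise ValueError("unexpected algorithm")
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError) as exc:  # malformed or tampered token
        raise ValueError(f"rejected: {exc}") from None
    if now >= claims["exp"]:
        raise ValueError("rejected: expired")
    if claims["jti"] in used:
        raise ValueError("rejected: already used")
    used.add(claims["jti"])  # stand-in for a row in a server-side table
    return claims["sub"]


if __name__ == "__main__":
    key, used = secrets.token_bytes(32), set()  # constructed demo key
    link_token = issue("user@example.org", key, time.time())
    print(redeem(link_token, key, used, time.time()))
```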

Installation

  • Download and move the extracted MagicLinkAuthentication folder to your extensions/ directory.
    Developers and code contributors should install the extension from Git instead, using:
    cd extensions/
    git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/MagicLinkAuthentication
  • Add the following code at the bottom of your LocalSettings.php file:
    wfLoadExtension( 'MagicLinkAuthentication' );
    
  • Run the update script which will automatically create the necessary database tables that this extension needs.
  • Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.

Configuration parameters

| Flag | Default | Description |
|---|---|---|
| $wgMagicLinkAuthentication_SigningKey | null | Secret key used to sign magic link (required). |
| $wgMagicLinkAuthentication_EncryptionKey | null | Secret key used to encrypt part of magic link payload (required). |
| $wgMagicLinkAuthentication_TokenLifetime | 300 | Lifetime of magic link token in seconds. |
| $wgMagicLinkAuthentication_EmailSender | null | Email address used for sender of magic link. If null, the value of $wgPasswordSender will be used. |

Notes


This extension can be used with the OATHAuth extension, which provides support for two-factor authentication (2FA) to add an additional measure of security.

If there are multiple users that have a given email address in the MediaWiki user table in the database, the first account returned by the database query will be used. This could happen if other authentication extensions are in use or have been in use in the past for the wiki. This extension does not prevent this situation.

If the editmyprivateinfo permission (see Manual:User_rights#List_of_permissions) is enabled, a user could change their email address. In this case, the user could log in, change their email address, log out, and be unable to log back in to that account. The administrator of the wiki would need to determine if they want to prevent this by disabling the editmyprivateinfo permission. Note that disabling the editmyprivateinfo permission will prevent users from changing their email address, but will also prevent them from updating their real name or, if local username/password authentication is enabled, their password.

Limitations


When clicking on the magic link, the user must be on the same device using the same browser as was used when requesting the magic link.

See also
