Extension:OAuth
OAuth État de la version : stable |
|
---|---|
Implémentation | Identité de l'utilisateur , Droits utilisateur , API |
Description | Permet aux utilisateurs d'autoriser en sécurité une autre application (cliente) d'utiliser l'API action de MediaWiki pour son compte. |
Dernière version | 1.1.0 (continuous updates) |
Politique de compatibilité | branches de version |
Modifications de la base de données |
Oui |
Tables | oauth_accepted_consumer oauth_registered_consumer |
Licence | Licence publique générale GNU v2.0 ou supérieur |
Téléchargement | |
|
|
|
|
|
|
Traduire l’extension OAuth sur translatewiki.net | |
Rôle Vagrant | oauth |
Problèmes | Tâches ouvertes · Signaler un bogue |
The OAuth extension implements an OAuth server in MediaWiki that supports both the OAuth 1.0a and OAuth 2.0 protocol versions. It allows third party developers to securely develop applications ("consumers"), to which users can give a limited set of permissions ("grants"), so that the application can use the MediaWiki action API on the user's behalf.
Prérequis
- OAuth relies on the object cache for temporary tokens and sessions. This should work as long as cache configuration settings are sane. (Older versions required Memcached explicitly.)
- Currently, only mysql and sqlite database backends are supported
- If the mediawiki installation is private (i.e. users need to log in to have read access), Special:OAuth will need to be added to the white list.
Installation
- Si vous utilisez Vagrant , installez avec
vagrant roles enable oauth --provision
- Installation manuelle
- Téléchargez et placez le(s) fichiers (s) dans un répertoire appelé
OAuth
dans votre dossierextensions/
. - Seulement lorsque vous installez à partir de Git, exécutez Composer pour installer les dépendances PHP, en entrant
composer install --no-dev
après vous être positionné dans le répertoire de l'extension. (Voir tâche T173141 pour des complications potentielles.) - Ajoutez le code suivant à la fin de votre fichier LocalSettings.php :
wfLoadExtension( 'OAuth' );
- Exécutez le script de mise à jour qui va créer automatiquement les tables de base de données dont cette extension a besoin.
- Configure the general parameters as required.
- Configure the user rights by putting them into the relevant groups in
$wgGroupPermissions
. - Fait – Accédez à Special:Version sur votre wiki pour vérifier que l'extension a bien été installée.
Pour les utilisateurs de MediaWiki 1.24 ou précédents :
Les instructions ci-dessus décrivent la nouvelle procédure pour installer cette extension en utilisant wfLoadExtension()
.
Si vous avez besoin d'installer cette extension sur les précédentes versions de MediaWiki (1.24 ou antérieur), à la place de wfLoadExtension( 'OAuth' );
, vous devez utiliser :
require_once "$IP/extensions/OAuth/OAuth.php";
Droits utilisateur
Right | Description |
---|---|
mwoauthproposeconsumer | Proposer des nouveaux consommateurs OAuth |
mwoauthupdateownconsumer | Mettre à jour les consommateurs OAuth |
mwoauthmanageconsumer | Gérer les consommateurs OAuth |
mwoauthsuppress | Supprimer les consommateurs OAuth |
mwoauthviewsuppressed | Afficher les consommateurs OAuth supprimés |
mwoauthviewprivate | Afficher les données privées OAuth |
mwoauthmanagemygrants | Gérer les droits OAuth |
To assign a permission to some group, for example to sysops, you add following line to LocalSettings.php
:
$wgGroupPermissions['sysop']['mwoauthproposeconsumer'] = true;
Configuration
Nom de variable | valeur par défaut | Description |
---|---|---|
$wgMWOAuthCentralWiki
|
false
|
Wiki ID of OAuth management wiki. On wiki farms, it makes sense to set this to a wiki that acts as a portal site, is dedicated to management, or just handles login/authentication. It can, however, be set to any wiki in the farm. For single-wiki sites or farms where each wiki manages consumers separately, it should be left as false. |
$wgMWOAuthSharedUserIDs
|
false
|
(obsolète), use $wgMWOAuthSharedUserSource instead
Whether shared global user IDs are stored in the oauth tables. On wiki farms with a central authentication system (with integer user IDs) that share a single OAuth management wiki, this must be set to true. If wikis have a central authentication system but have their own OAuth management, then this can be either true or false. Otherwise it should always be set to false. Setting this to true requires CentralIdLookup or an MWOAuth aware authentication extension. This value should not be changed after the fact to avoid ambigious IDs. Proper user ID migration should be done before any such changes. |
$wgMWOAuthSharedUserSource
|
null
|
Central ID provider when sharing OAuth credentials over a wiki farm
Source of shared user IDs, if enabled. If CentralIdLookup is available, this is the $providerId for CentralIdLookup::factory(). Generally null would be what you want, to use the default provider. If that class is not available or the named provider is not found, this is passed to the 'OAuthGetUserNamesFromCentralIds', 'OAuthGetLocalUserFromCentralId', 'OAuthGetCentralIdFromLocalUser', and 'OAuthGetCentralIdFromUserName' hooks. This has no effect if $wgMWOAuthSharedUserIDs is set to false. |
$wgMWOAuthRequestExpirationAge
|
2592000 (30 days)
|
Seconds after which an idle request for a new Consumer is marked as "expired" |
$wgMWOAuthSecureTokenTransfer
|
false
|
Require SSL/TLS for returning Consumer and user secrets. This is required by RFC 5849, however if a wiki wants to use OAuth, but doesn't support SSL, this option makes this configuration possible. This should be set to true for most production settings. |
$wgOAuthSecretKey
|
$wgSecretKey
|
A secret configuration string (random 32-bit string generated using "base64_encode(random_bytes(32))") used to hmac the database-stored secret to produce the shared secrets for Consumers. This provides some protection against an attacker reading the values out of the consumer table (the attacker would also need $wgOAuthSecretKey to generate valid secrets), and some protection against potential weaknesses in the secret generation. If this string is compromised, the site should generate a new $wgOAuthSecretKey, which will invalidate Consumer authorizations that use HMAC/shared secret signatures instead of public/private keys. Consumers can regenerate their new shared secret by using the "Reset the secret key to a new value" option under Special:MWOAuthConsumerRegistration/update. If null, the value is set to $wgSecretKey. |
$wgOAuthGroupsToNotify
|
[]
|
The list of user groups which should be notified about new consumer proposals. Setting this will only have an effect when Echo is installed. |
$wgMWOauthDisabledApiModules
|
[]
|
List of API module classes to disable when OAuth is used for the request |
$wgMWOAuthReadOnly
|
false
|
Prevent write activity to the database. When this is set, consumers cannot be added or updated, and new authorizations are prohibited. Authorization headers for existing authorizations will continue to work. Useful for migrating database tables |
$wgMWOAuthSessionCacheType
|
$wgSessionCacheType
|
The storage mechanism for session data. If null, it defaults to $wgSessionCacheType. |
$wgOAuth2EnabledGrantTypes
|
[
"authorization_code",
"refresh_token",
"client_credentials"
]
|
List of OAuth2 grants that client applications can be allowed to use. Actual grants client application will be allowed to use can be any subset of grants listed here. Grants, other than the ones listed here, are considered legacy grants, and are not supported by this extension |
$wgOAuth2PrivateKey
|
""
|
Private key or a path to the private key used to sign OAuth2 JWT being transmitted. |
$wgOAuth2PublicKey
|
""
|
Public key or a path to the public key used to verify OAuth2 resource requests. |
$wgOAuth2RequireCodeChallengeForPublicClients
|
true
|
Controls whether clients are required to send code challenges with OAuth2 requests. This only applies to non-confidential clients. |
$wgOAuth2GrantExpirationInterval
|
"PT1H"
|
Controls validity period for access tokens. Does not apply to owner-only clients, whose access tokens are always non-expiring. Accepts ISO 8601 durations or can be set to "infinity" or false for non-expiring tokens. |
$wgOAuth2RefreshTokenTTL
|
"PT1M"
|
Controls validity period for refresh tokens. Accepts ISO 8601 durations or can be set to "infinity" or false for non-expiring tokens. |
OAuth 2.0 REST endpoints
The following REST endpoints are provided for OAuth 2.0 interaction
Path | Description | Allowed parameters | Allowed method |
---|---|---|---|
/oauth2/authorize | Used for retrieving authorization code when using authorization_code grant. |
|
GET |
/oauth2/access_token | Used for requesting access tokens |
|
POST |
/oauth2/resource/{{type}} | Used for retrieving protected resources using the access token issued previously.
Currently, two resource types can be retrieved using this endpoint, by replacing
|
No parameters are allowed, apart from the {{type}} parameter that is included in the path
|
GET/POST |
/oauth2/client | Lists OAuth 1.0a or 2.0 clients for the logged-in user. Authentication can be achieved over CentralAuth or by including an access token in the authorization header. |
|
GET |
/oauth2/client/{client_key}/reset_secret | Resets a client secret. For owner-only clients, this endpoint also resets the access token. |
|
POST |
/oauth2/client | Creates an OAuth 2.0 client. |
|
POST |
Experimental REST endpoints
To enable the experimental REST endpoints, add the $wgRestAPIAdditionalRouteFiles configuration variable to your LocalSettings.php:
$wgRestAPIAdditionalRouteFiles[] = "$wgExtensionDirectory/OAuth/experimentalRoutes.json";
Voir aussi
- Extension:OAuthAuthentication – A MediaWiki extension that lets your wiki delegate authentication to another wiki that is running Extension:OAuth.
- Extension:OATHAuth - A similarly named extension which implements a second authentication factor using OATH-based one-time passwords.
- Extension:WSOAuth – A MediaWiki extension that lets your wiki delegate authentication to any OAuth provider using PluggableAuth, including a wiki that is running Extension:OAuth.
- oauthclient-php – a client library for OAuth consumers.
Cette extension est utilisée par au moins un des projets Wikimédia. Cela signifie probablement que l’extension est assez stable et fonctionnelle pour être utilisée sur des sites à fort trafic. Recherchez le nom de cette extension dans le CommonSettings.php de Wikimédia et dans le fichier de configuration InitialiseSettings.php pour situer les endroits où elle est installée. Une liste complète des extensions installées sur un Wiki donné peut être visualisée sur la page Special:Version de ce wiki. |