扩展:OAuth

This page is a translated version of the page Extension:OAuth and the translation is 79% complete.
Other languages:
Bahasa Indonesia • ‎English • ‎français • ‎中文 • ‎日本語
MediaWiki扩展手册
OOjs UI icon advanced.svg
OAuth
发布状态: 稳定版
实现 用戶識別 , 用户权限 , API
描述 Allow users to safely authorize another application ("consumer") to use the MediaWiki action API on their behalf.
兼容性方针 发行分支
数据庫更新
表格 oauth_accepted_consumer
oauth_registered_consumer
许可协议 GNU通用公眾授權條款2.0或更新版本
下载
  • $wgOAuth2PublicKey
  • $wgOAuthGroupsToNotify
  • $wgMWOAuthRequestExpirationAge
  • $wgOAuth2RefreshTokenTTL
  • $wgMWOAuthCentralWiki
  • $wgOAuth2PrivateKey
  • $wgMWOAuthSecureTokenTransfer
  • $wgOAuth2RequireCodeChallengeForPublicClients
  • $wgMWOAuthSharedUserSource
  • $wgOAuth2GrantExpirationInterval
  • $wgMWOAuthSharedUserIDs
  • $wgMWOAuthSessionCacheType
  • $wgMWOauthDisabledApiModules
  • $wgOAuth2EnabledGrantTypes
  • $wgMWOAuthReadOnly
  • $wgOAuthSecretKey
  • mwoauthproposeconsumer
  • mwoauthupdateownconsumer
  • mwoauthmanageconsumer
  • mwoauthsuppress
  • mwoauthviewsuppressed
  • mwoauthviewprivate
  • mwoauthmanagemygrants
翻译OAuth扩展如果在translatewiki.net可用
检查使用和版本矩阵。
Vagrant角色 oauth
问题 开放的工作 · 报告错误


The OAuth extension implements an OAuth server in MediaWiki that supports both the OAuth 1.0a and OAuth 2.0 protocol versions. It allows third party developers to securely develop applications ("consumers"), to which users can give a limited set of permissions ("grants"), so that the application can use the MediaWiki action API on the user's behalf.


If you're attempting to develop an application that uses OAuth on a wiki, see OAuth for Developers. If you are trying to use an OAuth-enabled tool on a wiki which has this extension installed, see Help:OAuth.

条件

  • OAuth relies on the object cache for temporary tokens and sessions. This should work as long as cache configuration settings are sane. (Older versions required Memcached explicitly.)
  • Currently, only mysql and sqlite database backends are supported
  • If the mediawiki installation is private (i.e. users need to log in to have read access), Special:OAuth will need to be added to the white list.

安装

  • 如果使用Vagrant ,请通过vagrant roles enable oauth --provision安装
手动安装

致使用MediaWiki 1.24或更早版本的用户:

上面的说明介绍的是安装此扩展的新方法,它使用wfLoadExtension()。 如果您需要在早期版本(MediaWiki 1.24和更早版本)中安装此扩展,而不是wfLoadExtension( 'OAuth' );,您需要使用:

require_once "$IP/extensions/OAuth/OAuth.php";

用户权限

权限 描述
mwoauthproposeconsumer 提议新的OAuth消费者
mwoauthupdateownconsumer 更新您控制的OAuth消费者
mwoauthmanageconsumer 管理OAuth消费者
mwoauthsuppress 阻止OAuth消费者
mwoauthviewsuppressed 查看已阻止的OAuth消费者
mwoauthviewprivate 查看私有OAuth数据
mwoauthmanagemygrants 管理OAuth功能

To assign a permission to some group, for example to sysops, you add following line to LocalSettings.php:

$wgGroupPermissions['sysop']['mwoauthproposeconsumer'] = true;

配置

值名 默认值 描述
$wgMWOAuthCentralWiki false Wiki ID of OAuth management wiki. On wiki farms, it makes sense to set this to a wiki that acts as a portal site, is dedicated to management, or just handles login/authentication. It can, however, be set to any wiki in the farm. For single-wiki sites or farms where each wiki manages consumers separately, it should be left as false.
$wgMWOAuthSharedUserIDs false (已弃用), use $wgMWOAuthSharedUserSource instead

Whether shared global user IDs are stored in the oauth tables. On wiki farms with a central authentication system (with integer user IDs) that share a single OAuth management wiki, this must be set to true. If wikis have a central authentication system but have their own OAuth management, then this can be either true or false. Otherwise it should always be set to false. Setting this to true requires CentralIdLookup or an MWOAuth aware authentication extension. This value should not be changed after the fact to avoid ambigious IDs. Proper user ID migration should be done before any such changes.

$wgMWOAuthSharedUserSource null Central ID provider when sharing OAuth credentials over a wiki farm

Source of shared user IDs, if enabled. If CentralIdLookup is available, this is the $providerId for CentralIdLookup::factory(). Generally null would be what you want, to use the default provider. If that class is not available or the named provider is not found, this is passed to the 'OAuthGetUserNamesFromCentralIds', 'OAuthGetLocalUserFromCentralId', 'OAuthGetCentralIdFromLocalUser', and 'OAuthGetCentralIdFromUserName' hooks. This has no effect if $wgMWOAuthSharedUserIDs is set to false.

$wgMWOAuthRequestExpirationAge 2592000 (30 days) Seconds after which an idle request for a new Consumer is marked as "expired"
$wgMWOAuthSecureTokenTransfer false Require SSL/TLS for returning Consumer and user secrets. This is required by RFC 5849, however if a wiki wants to use OAuth, but doesn't support SSL, this option makes this configuration possible. This should be set to true for most production settings.
$wgOAuthSecretKey $wgSecretKey A secret configuration string (random 32-bit string generated using "base64_encode(random_bytes(32))") used to hmac the database-stored secret to produce the shared secrets for Consumers. This provides some protection against an attacker reading the values out of the consumer table (the attacker would also need $wgOAuthSecretKey to generate valid secrets), and some protection against potential weaknesses in the secret generation. If this string is compromised, the site should generate a new $wgOAuthSecretKey, which will invalidate Consumer authorizations that use HMAC/shared secret signatures instead of public/private keys. Consumers can regenerate their new shared secret by using the "Reset the secret key to a new value" option under Special:MWOAuthConsumerRegistration/update. If null, the value is set to $wgSecretKey.
$wgOAuthGroupsToNotify [] The list of user groups which should be notified about new consumer proposals. Setting this will only have an effect when Echo is installed.
$wgMWOauthDisabledApiModules [] List of API module classes to disable when OAuth is used for the request
$wgMWOAuthReadOnly false Prevent write activity to the database. When this is set, consumers cannot be added or updated, and new authorizations are prohibited. Authorization headers for existing authorizations will continue to work. Useful for migrating database tables
$wgMWOAuthSessionCacheType $wgSessionCacheType The storage mechanism for session data. If null, it defaults to $wgSessionCacheType.
$wgOAuth2EnabledGrantTypes
[
	"authorization_code",
	"refresh_token",
	"client_credentials"
]
List of OAuth2 grants that client applications can be allowed to use. Actual grants client application will be allowed to use can be any subset of grants listed here. Grants, other than the ones listed here, are considered legacy grants, and are not supported by this extension
$wgOAuth2PrivateKey "" Private key or a path to the private key used to sign OAuth2 JWT being transmitted.
$wgOAuth2PublicKey "" Public key or a path to the public key used to verify OAuth2 resource requests.
$wgOAuth2RequireCodeChallengeForPublicClients true Controls whether clients are required to send code challenges with OAuth2 requests. This only applies to non-confidential clients.
$wgOAuth2GrantExpirationInterva "PT1H" Controls validity period for access tokens. Does not apply to owner-only clients, whose access tokens are always non-expiring. Accepts ISO 8601 durations or can be set to "infinity" or false for non-expiring tokens.
$wgOAuth2RefreshTokenTTL "PT1M" Controls validity period for refresh tokens. Accepts ISO 8601 durations or can be set to "infinity" or false for non-expiring tokens.

OAuth 2.0 REST endpoints

The following REST endpoints are provided for OAuth 2.0 interaction

Path Description Allowed parameters Allowed method
/oauth2/authorize Used for retrieving authorization code when using authorization_code grant.
  • response_type (required)
  • client_id (required)
  • redirect_uri (optional) - if present, must match the URI that was set when client was registered exactly
  • scope (optional)
  • state (optional)
  • code_challenge (optional) - required if $wgOAuth2RequireCodeChallengeForPublicClients is true
  • code_challenge_method (optional) - - required if $wgOAuth2RequireCodeChallengeForPublicClients is true
GET
/oauth2/access_token Used for requesting access tokens
  • grant_type (required) - type of grant used
  • client_id (optional)
  • client_secret (optional) - required if client is confidential
  • redirect_uri (optional) - if present, must match the URI that was set when client was registered exactly
  • scope (optional)
  • code (optional) - required if authorization_code grant is used
  • refresh_token (optional) - required if refresh_token grant is used
  • code_verifier (optional)
POST
/oauth2/resource/{{type}} Used for retrieving protected resources using the access token issued previously.

Currently, two resource types can be retrieved using this endpoint, by replacing {{type}}placeholder with the type key:

  • profile - retrieve the user profile of the user that is represented by the access token used to make the request - usually used for logging users in on 3rd party websites using MediaWiki
  • scopes - retrieve all scopes client (application) is allowed to use with the current access token
No parameters are allowed, apart from the {{type}} parameter that is included in the path GET/POST
If OAuth credentials are shared over a wiki farm, make sure that real names are used/hidden consistently across all wikis (using $wgHiddenPrefs ). On wikis where real names are hidden, the OAuth permission request message that tells the user which information is shared does not mention the real name, so in that case there should not be any other wiki where the OAuth consumer may still get that information from.

参见

  • Extension:OAuthAuthentication – A MediaWiki extension that lets your wiki delegate authentication to another wiki that is running Extension:OAuth.
  • 扩展:两步验证 - A similarly named extension which implements a second authentication factor using OATH-based one-time passwords.
  • Extension:WSOAuth – A MediaWiki extension that lets your wiki delegate authentication to any OAuth provider using PluggableAuth, including a wiki that is running Extension:OAuth.
  • oauthclient-php – a client library for OAuth consumers.