This page is a translated version of the page Extension:OAuth and the translation is 22% complete.
Outdated translations are marked like this.
本页面的主题不是 Extension:OATHAuthExtension:WSOAuth.
发行状态: 稳定版
实现 用户身份 , 用户权限 , API
可讓用户安全地授权另一个应用程序("消费者")代表他们使用 MediaWiki的動作API。
作者 Aaron Schulz, Chris Steipp, Brad Jorsch, Robert Vogel, Dejan Savuljesku
最新版本 1.1.0 (continuous updates)
兼容性政策 快照跟随MediaWiki发布。 master分支不向后兼容。
MediaWiki >= 1.42
Composer mediawiki/oauth
许可协议 GNU通用公眾授權條款2.0或更新版本
帮助 Help:OAuth
  • $wgOAuth2PublicKey
  • $wgOAuth2RequireCodeChallengeForPublicClients
  • $wgMWOAuthCentralWiki
  • $wgMWOAuthSecureTokenTransfer
  • $wgMWOAuthSharedUserSource
  • $wgOAuth2GrantExpirationInterval
  • $wgOAuthAutoApprove
  • $wgMWOauthDisabledApiModules
  • $wgOAuth2EnabledGrantTypes
  • $wgMWOAuthNonceCacheType
  • $wgOAuthGroupsToNotify
  • $wgMWOAuthRequestExpirationAge
  • $wgOAuth2RefreshTokenTTL
  • $wgMWOAuthSessionCacheType
  • $wgMWOAuthReadOnly
  • $wgOAuth2PrivateKey
  • $wgMWOAuthSharedUserIDs
  • $wgOAuthSecretKey

  • mwoauthproposeconsumer
  • mwoauthupdateownconsumer
  • mwoauthmanageconsumer
  • mwoauthsuppress
  • mwoauthviewsuppressed
  • mwoauthviewprivate
  • mwoauthmanagemygrants
季度下載量 99 (Ranked 59th)
正在使用的公开wiki数 982 (Ranked 246th)
Vagrant角色 oauth
問題 开启的任务 · 报告错误

OAuth扩展在MediaWiki中实现了一个OAuth服务器,同时支持OAuth 1.0aOAuth 2.0协议版本。 它可讓第三方开发者安全地开发应用程序("消费者"),用户可以向其授予一组有限的权限("授权"),这样应用程序就可以代表用户使用MediaWiki動作API

如果你正试图在维基上开发使用开放授权(OAuth)的应用程序,请参阅面向开发者的 OAuth。 如果您试图在已安装此扩展的维基站点上使用支持 OAuth 的工具,请参阅OAuth


  • OAuth 依赖对象缓存来获取临时令牌和会话。 只要缓存配置设置是正常的,就应该能正常工作。 (旧版本明确需要Memcached 。)
  • 目前仅支持 MySQL 和 SQLite 数据库后端
  • 如果 MediaWiki 安装是私有的(即用户需要登录才有读取权限),则需要将Special:OAuth添加到白名单



  • 如果使用Vagrant ,请通过vagrant roles enable oauth --provision安装


$wgGroupPermissions['sysop']['mwoauthproposeconsumer'] = true;



变量名称 默认值 描述
$wgMWOAuthCentralWiki false OAuth 管理维基的维基ID。 在维基農場中,将其设置为入口站点、专门用于管理或仅处理登录/身份验证的维基站点是合理的。 不过,它可以设置为农场中的任何维基。 对于单维基网站或每个维基单独管理消费者的农场,应将其保留为false
$wgMWOAuthSharedUserIDs false (已弃用) 改用$wgMWOAuthSharedUserSource

全域共享用户ID是否存储在oauth表中。 在共享单个 OAuth 管理维基的具有中央身份验证系统(具有整数用户 ID)的维基场中,必须将此设置为 true。 如果维基有一个中央认证系统,但有自己的 OAuth 管理系统,那么这可以是truefalse。 否则,应始终设置为false。 将此设置为true需要CentralIdLookup或MWOAuth感知身份验证的扩展。 This value should not be changed after the fact to avoid ambigious IDs. Proper user ID migration should be done before any such changes.

$wgMWOAuthSharedUserSource null Central ID provider when sharing OAuth credentials over a wiki farm

Source of shared user IDs, if enabled. If CentralIdLookup is available, this is the $providerId for CentralIdLookup::factory(). Generally null would be what you want, to use the default provider. If that class is not available or the named provider is not found, this is passed to the OAuthGetUserNamesFromCentralIds, OAuthGetLocalUserFromCentralId, OAuthGetCentralIdFromLocalUser, OAuthGetCentralIdFromUserName hooks. This has no effect if $wgMWOAuthSharedUserIDs is set to false.

$wgMWOAuthRequestExpirationAge 2,592,000 (30 days) Seconds after which an idle request for a new Consumer is marked as "expired"
$wgMWOAuthSecureTokenTransfer true Require SSL/TLS for returning Consumer and user secrets. This is required by RFC 5849, however if a wiki wants to use OAuth, but doesn't support SSL, this option makes this configuration possible. This should be set to true for most production settings.
$wgOAuthSecretKey $wgSecretKey A secret configuration string (random 32-bit string generated using "base64_encode(random_bytes(32))") used to hmac the database-stored secret to produce the shared secrets for Consumers. This provides some protection against an attacker reading the values out of the consumer table (the attacker would also need $wgOAuthSecretKey to generate valid secrets), and some protection against potential weaknesses in the secret generation. If this string is compromised, the site should generate a new $wgOAuthSecretKey, which will invalidate Consumer authorizations that use HMAC/shared secret signatures instead of public/private keys. Consumers can regenerate their new shared secret by using the "Reset the secret key to a new value" option under Special:MWOAuthConsumerRegistration/update. If null, the value is set to $wgSecretKey.
$wgOAuthGroupsToNotify [] The list of user groups which should be notified about new consumer proposals. Setting this will only have an effect when Echo is installed.
$wgMWOauthDisabledApiModules [] List of API module classes to disable when OAuth is used for the request
$wgMWOAuthReadOnly false Prevent write activity to the database. When this is set, consumers cannot be added or updated, and new authorizations are prohibited. Authorization headers for existing authorizations will continue to work. Useful for migrating database tables
$wgMWOAuthSessionCacheType $wgSessionCacheType The storage mechanism for session data. If null, it defaults to $wgSessionCacheType.
$wgOAuthAutoApprove [] Allows automatic immediate approval of low-risk apps. In the form of [ 'grants' => [ 'grant1', 'grant2', ... ] ]
List of OAuth2 grants that client applications can be allowed to use. Actual grants client application will be allowed to use can be any subset of grants listed here. Grants, other than the ones listed here, are considered legacy grants, and are not supported by this extension
$wgOAuth2PrivateKey "" Private key or a path to the private key used to sign OAuth2 JWT being transmitted. See the OAuth 2.0 Server documentation for how to generate the keys.
$wgOAuth2PublicKey "" Public key or a path to the public key used to verify OAuth2 resource requests.
$wgOAuth2RequireCodeChallengeForPublicClients true Controls whether clients are required to send code challenges with OAuth2 requests. This only applies to non-confidential clients.
$wgOAuth2GrantExpirationInterval "PT1H" (1 hour) Controls validity period for access tokens (stored in the cache configured in MWOAuthSessionCacheType). Does not apply to owner-only clients, whose access tokens are always non-expiring. Accepts ISO 8601 durations or can be set to "infinity" or false for non-expiring tokens.
$wgOAuth2RefreshTokenTTL "P1M" (1 month) Controls validity period for refresh tokens (stored in the cache configured in MWOAuthSessionCacheType). Accepts ISO 8601 durations or can be set to "infinity" or false for non-expiring tokens.


权限 描述
mwoauthproposeconsumer 提议新的OAuth消费者
mwoauthupdateownconsumer 更新您控制的OAuth消费者
mwoauthmanageconsumer 管理OAuth消费者
mwoauthsuppress 阻止OAuth消费者
mwoauthviewsuppressed 查看已阻止的OAuth消费者
mwoauthviewprivate 查看私有OAuth数据
mwoauthmanagemygrants 管理OAuth功能


OAuth 2.0 REST endpoints

The following REST endpoints are provided for OAuth 2.0 interaction

Path Description Allowed parameters Allowed method
/oauth2/authorize Used for retrieving authorization code when using authorization_code grant.
Name Required? Description
redirect_uri No if present, must match the URI that was set when client was registered exactly
scope No
state No
code_challenge No required if $wgOAuth2RequireCodeChallengeForPublicClients is true
code_challenge_method No required if $wgOAuth2RequireCodeChallengeForPublicClients is true
/oauth2/access_token Used for requesting access tokens
Name Required? Description
grant_type type of grant used
client_id No
client_secret No required if client is confidential
redirect_uri No if present, must match the URI that was set when client was registered exactly
scope No
code No required if authorization_code grant is used
refresh_token No required if refresh_token grant is used
code_verifier No
/oauth2/resource/{{type}} Used for retrieving protected resources using the access token issued previously.

Currently, two resource types can be retrieved using this endpoint, by replacing {{type}} placeholder with the type key:

  • profile - retrieve the user profile of the user that is represented by the access token used to make the request - usually used for logging users in on 3rd party websites using MediaWiki
  • scopes - retrieve all scopes client (application) is allowed to use with the current access token
No parameters are allowed, apart from the {{type}} parameter that is included in the path GET/POST
/oauth2/client Lists OAuth 1.0a or 2.0 clients for the logged-in user. Authentication can be achieved over CentralAuth or by including an access token in the authorization header.
Response example
  "clients": [
      "client_key": "xxxxxxxxxxxxxx",
      "name": "TestFromCurl1807",
      "version": "2.0",
      "email": "admin@example.com",
      "callback_url": "http://example.com",
      "scopes": [
      "registration": "20200818230806",
      "stage": 0,
      "oauth_version": 2,
      "description": "foo",
      "allowed_grants": [
      "registration_formatted": "23:08, 18 August 2020"
  "total": 1
  • oauth_version (optional) - either 1 (to return only OAuth 1.0a clients) or 2 (to return only OAuth 2.0 clients). Default: 2
  • Pagination parameters
    • limit (optional) - maximum number of clients to return. Default: 25
    • offset (optional) - number of clients to skip before returning the first result. Default: 0
/oauth2/client/{client_key}/reset_secret Resets a client secret. For owner-only clients, this endpoint also resets the access token.
Response example
  "name": "Example",
  "client_key": "xxxxxxxxxx",
  "secret": "xxxxxxxxxx",
  "access_token": "xxxxxxxxxx"
Name Required? Description Default
client_key client identifier
reason No string containing the reason for resetting the secret. ''
/oauth2/client Creates an OAuth 2.0 client.
Response example
  "name": "Example",
  "client_key": "xxxxxxxxxx",
  "secret": "xxxxxxxxxx",
  "access_token": "xxxxxxxxxx"
Name Required? Description Default
name client name
description client description
email contact email
is_confidential set to true if the client is confidential; set to false for public clients like mobile and desktop apps
grant_types OAuth 2.0 grant types used by the client, one or more of the following: authorization_code, refresh_token, client_credentials
scopes OAuth 2.0 scopes, either mwoauth-authonly, mwoauth-authonlyprivate or the set of applicable grants
version No client version. 1.0
wiki No applicable project. * for all wikis
owner_only ? set to true for a client used only by the creating user
callback_url No Return URL for authorizing users. ''
callback_is_prefix No set to true to allow the client to specify a callback in requests and use the callback URL as a required prefix. false
If OAuth credentials are shared over a wiki farm, make sure that real names are used/hidden consistently across all wikis (using $wgHiddenPrefs ). On wikis where real names are hidden, the OAuth permission request message that tells the user which information is shared does not mention the real name, so in that case there should not be any other wiki where the OAuth consumer may still get that information from.


  • Extension:OATHAuth - A similarly named extension which implements a second authentication factor using OATH-based one-time passwords.
  • Extension:WSOAuth A MediaWiki extension that lets your wiki delegate authentication to any OAuth provider using PluggableAuth, including a wiki that is running Extension:OAuth.
  • oauthclient-php A client library for OAuth consumers.