Extension:OAuthAuthentication

OAuthAuthentication
Release status: beta
Implementation Hook , Special page
Description Use the MediaWiki OAuth extension on another wiki as authentication on your wiki.
Author(s) CSteipp
Latest version 0.1.0
MediaWiki 1.25+
PHP 5.4
Database changes Yes
Tables oauthauth_user
License GNU General Public License 2.0

The OAuthAuthentication extension lets your wiki delegate authentication to another wiki that is running Extension:OAuth. Various configuration flags let you set policies about the types of users who can register (for example, restricting registration to a set of usernames or to members of a particular group).

Before you begin

Before you begin, you need to register a new OAuth application on the wiki where you are delegating authentication. For example, register your app on meta.wikimedia.org to use any WMF wiki as the remote wiki.

One piece of information required during registration is the so-called OAuth "callback" URL: the address to which OAuth redirects the authentication result. It must be the finish subpage of the special page Special:OAuthLogin on the wiki where OAuthAuthentication is installed; the full URL would look like https://www.mywiki.org/index.php/Special:OAuthLogin/finish.[1]
Once you have registered your app, you will receive a consumer key and secret. Record them securely (the secret cannot be retrieved at a later time) and use them in the OAuthAuthentication configuration described below.

Also ensure that the php-curl module is installed on your system.

Installation

  • Download and place the file(s) in a directory called OAuthAuthentication in your extensions/ folder.
  • Only when installing from Git, run Composer to install PHP dependencies by issuing composer install --no-dev in the extension directory. (See T173141 for potential complications.)
  • Add the following code at the bottom of your LocalSettings.php:
    wfLoadExtension( 'OAuthAuthentication' );
    
  • Run the update script which will automatically create the necessary database tables that this extension needs.
  • Additionally, set the following in your LocalSettings.php:
  1. $wgOAuthAuthenticationUrl - the path to the Special:OAuth page on the wiki where you are delegating authentication. E.g., http://en.wikipedia.org/w/index.php?title=Special:OAuth if you're delegating authentication to English Wikipedia.
  2. $wgOAuthAuthenticationConsumerKey - The key that you received when you registered your app, as explained above
  3. $wgOAuthAuthenticationConsumerSecret - The secret that you received when you registered your app, as explained above. At this time, RSA private keys are not supported (it would be easy to add, patches welcome).
  • Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.

Configuration parameters

$wgOAuthAuthenticationCanonicalUrl
If you are seeing exceptions saying the JWT didn't validate, set this to the canonical URL ($wgCanonicalServer) of the wiki where you delegated authentication. Note that the URL must match exactly: if that wiki uses http:// for its canonical URL, you must also use http://, even if you set https:// in $wgOAuthAuthenticationUrl. This setting does not cause any data to be transferred over http; it is only used to confirm that the user's identity assertion came from the wiki you expected it from.
$wgOAuthAuthenticationAccountUsurpation
Whether you want to allow usurpation of existing accounts. Suppose User:Foo is already registered on your wiki, then you set up this extension, and User:Foo on the wiki where you delegated authentication signs in. This option determines whether your local User:Foo account is given to the user signing in ($wgOAuthAuthenticationAccountUsurpation = true) or whether they are prevented from signing in because the account already exists ($wgOAuthAuthenticationAccountUsurpation = false).
$wgOAuthAuthenticationUsernameWhitelist
To restrict the users who are allowed to sign in to your wiki to a list of specific usernames, set this to an array of usernames. False allows any username to sign in, assuming they also satisfy the group whitelist.
$wgOAuthAuthenticationGroupWhitelist
To restrict the users who are allowed to sign in to your wiki to the users who are members of a specific group, set this to an array of group names. False allows any group to sign in, assuming they also satisfy the username whitelist.
$wgOAuthAuthenticationAllowLocalUsers
Whether non-OAuth (local) accounts are allowed. Keep this at the default (true) if you want to allow power users to visit Special:UserLogin directly and create a new account.
$wgOAuthAuthenticationRemoteName
A simple name for the wiki where you have delegated authentication, used in several error messages. For example, setting this to "Wikipedia" would show "Login on Wikipedia" instead of the normal login link. HTML is allowed in this string, if you want to include a logo.
$wgOAuthAuthenticationMaxIdentityAge
How long a user's session is valid without re-validating their identity. For wikis where the username/group policies need to be strictly enforced (e.g., you only allow sysops to log in, and if a user is desysopped on the wiki where you delegated authentication, their access here must be revoked soon after), set this to a short number of seconds. The default of 1 hour is a good balance for most wikis.
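As an added illustration (not the extension's own code), the following stand-alone PHP 7 script shows the checks the settings above imply: an HS256 signature keyed with the consumer secret, an exact issuer match against $wgOAuthAuthenticationCanonicalUrl, and then the username/group whitelists and identity age. The claim names (iss, aud, iat, username, groups), the audience check, the config keys and the sample token are assumptions constructed for this example.

```php
<?php
// Added example, not the extension's own code: check a MediaWiki OAuth identity
// assertion (an HS256 JWT) against the LocalSettings.php policies described above.
// Claim names (iss, aud, iat, username, groups) are assumed to follow the MediaWiki
// OAuth identity JWT; the $config keys mirror the $wgOAuthAuthentication* names.

function b64url( $s ) { return rtrim( strtr( base64_encode( $s ), '+/', '-_' ), '=' ); }
function unb64url( $s ) { return base64_decode( strtr( $s, '-_', '+/' ) ); }

// Returns [ accepted (bool), reason (string) ].
function checkIdentity( $jwt, array $config, $now ) {
    $parts = explode( '.', $jwt );
    if ( count( $parts ) !== 3 ) { return [ false, 'malformed JWT' ]; }
    list( $h, $p, $sig ) = $parts;
    // Signature first, keyed with the shared consumer secret; constant-time compare.
    $mac = hash_hmac( 'sha256', "$h.$p", $config['ConsumerSecret'], true );
    if ( !hash_equals( $mac, unb64url( $sig ) ) ) { return [ false, 'bad signature' ]; }
    $c = json_decode( unb64url( $p ), true ) ?: [];
    // iss must equal $wgOAuthAuthenticationCanonicalUrl byte for byte, scheme included.
    if ( ( $c['iss'] ?? null ) !== $config['CanonicalUrl'] ) { return [ false, 'issuer mismatch' ]; }
    // aud is our consumer key: a token minted for another consumer is rejected.
    if ( ( $c['aud'] ?? null ) !== $config['ConsumerKey'] ) { return [ false, 'audience mismatch' ]; }
    // Older than $wgOAuthAuthenticationMaxIdentityAge: the identity must be re-validated.
    if ( !isset( $c['iat'] ) || $now - $c['iat'] > $config['MaxIdentityAge'] ) { return [ false, 'identity stale' ]; }
    $user = $c['username'] ?? '';
    $wl = $config['UsernameWhitelist'];
    if ( $wl !== false && !in_array( $user, $wl, true ) ) { return [ false, 'username not whitelisted' ]; }
    $gl = $config['GroupWhitelist'];
    if ( $gl !== false && !array_intersect( $gl, $c['groups'] ?? [] ) ) { return [ false, 'no whitelisted group' ]; }
    return [ true, "accept $user" ];
}

// Constructed sample: a wiki that only admits sysops from en.wikipedia.org.
$config = [
    'CanonicalUrl' => 'https://en.wikipedia.org', 'ConsumerKey' => 'ck-placeholder',
    'ConsumerSecret' => 'cs-placeholder', 'MaxIdentityAge' => 3600,
    'UsernameWhitelist' => false, 'GroupWhitelist' => [ 'sysop' ],
];
$now = 1700000000;
$claims = [ 'iss' => 'https://en.wikipedia.org', 'aud' => 'ck-placeholder', 'iat' => $now - 60,
    'username' => 'Example user', 'groups' => [ 'user', 'sysop' ] ];
$hp = b64url( json_encode( [ 'typ' => 'JWT', 'alg' => 'HS256' ] ) ) . '.' . b64url( json_encode( $claims ) );
$jwt = $hp . '.' . b64url( hash_hmac( 'sha256', $hp, $config['ConsumerSecret'], true ) );
var_dump( checkIdentity( $jwt, $config, $now ) );   // a fresh, correctly signed, in-policy token
// The same token checked against an http:// canonical URL exercises the exact-match issuer rule.
var_dump( checkIdentity( $jwt, [ 'CanonicalUrl' => 'http://en.wikipedia.org' ] + $config, $now ) );
```

The second call is the situation the "JWT didn't validate" note above describes: nothing is wrong with the token, only the configured canonical URL differs from the issuer by scheme.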

Known issues

After successful authentication on the server wiki, the client wiki may report an error similar to the following instead of the expected confirmation of a successful login:

Error from line 98 of /srv/mediawiki/extensions/OAuthAuthentication/specials/SpecialOAuthLogin.php: Call to undefined method LoginForm::successfulLogin()

The result might or might not be a correct login into the client wiki. For further information please see https://phabricator.wikimedia.org/T207351: should the login consistently fail, it is possible to work around the issue by applying the small patch described in that same task.

Single Sign-On with Wikipedia

I just want to do single sign-on with Wikipedia, how do I do that?

  1. Register a new OAuth application on meta.wikimedia.org. Don't use an RSA key pair for authentication, but let mediawiki.org generate your shared secret for you.
  2. Set the following in your LocalSettings.php:
$wgOAuthAuthenticationUrl = 'https://en.wikipedia.org/w/index.php?title=Special:OAuth';
$wgOAuthAuthenticationConsumerKey = '<The key that you received when you registered your app>';
$wgOAuthAuthenticationConsumerSecret = '<The secret that you received when you registered your app.>';
$wgOAuthAuthenticationCanonicalUrl = 'https://en.wikipedia.org';
$wgOAuthAuthenticationRemoteName = 'Wikipedia';

To exclusively use Wikipedia as your sign-on system (to keep things simple), also set in LocalSettings.php:

$wgOAuthAuthenticationAllowLocalUsers = false;

References

  1. "How can I get the mediawiki's ConsumerKey?", post with commented screenshot on MediaWiki Users.