Extension:OpenID Connect

• ダウンロードして、ファイルをextensions/フォルダー内のOpenIDConnectという名前のディレクトリ内に配置します。
  開発者とコード寄稿者は、上記の代わりに以下を使用してGitからインストールします:cd extensions/
git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/OpenIDConnect
• 以下のコードを LocalSettings.php ファイルの末尾に追加します:

  wfLoadExtension( 'OpenIDConnect' );
  

• 更新スクリプトを実行します。このスクリプトは、この拡張機能が必要とするデータベーステーブルを自動的に作成します。
• 依存関係をインストールします。
• 必要に応じて設定します。
•   完了 – ウィキの「Special:Version」に移動して、拡張機能が正しくインストールされたことを確認します。

The OpenIDConnect extension requires the CURL PHP extension and the OpenID Connect PHP library. If you are following the standard installation procedure and downloaded the archive from mediawiki.org, the dependencies have been bundled and there is no further action required.

If you are following the development/contributor installation procedure using git, add the line "extensions/OpenIDConnect/composer.json" to the composer.local.json file in the root directory of your wiki, e.g.

{
	"extra": {
		"merge-plugin": {
			"include": [
				"extensions/OpenIDConnect/composer.json"
			]
		}
	}
}

Then run composer update in the root directory of your wiki. This will install any dependencies (i.e. the jumbojett OpenID Connect PHP library).

大抵のOpenID認証プロバイダの構成設定は、プロバイダのドメインの/.well-known/openid-configuration^[1]にあるファイルで共有されています。 この拡張機能は、認証する際にこれらの設定を紹介します。 In addition, the configuration parameters below are used to configure the extension to communicate with the identity provider as desired.

認証プロバイダで設定する際、リダイレクトURLやコールバックURLが必要です。 その値はSpecial:PluggableAuthLoginページへの完全なURLに設定します。

Default value:: []

詳しくはExtension:PluggableAuth#Configurationを参照

A mandatory array of arrays specifying the OpenID Connect issuers and their configuration. The data field of the array contains an array that has the following keys:

Default value:: false

If a new user is being created in the database and no preferred username was provided by the issuer or preferred_username was set to null or the empty string, a value of true for this flag indicates that the user's real name, if provided by the issuer, should be used as the new user's username. If set to true, and no preferred username was provided by the issuer "User" for the first and starting with the second user "User" followed by a number will be used, e.g., "User", "User1", "User2", etc. The same naming happens if this parameter is set to false.

Default value:: false

If a new user is being created in the database, and no preferred username was provided by the issuer or preferred_username was set to null or the empty string, and either no real name was provided by the issuer or $wgOpenIDConnect_UseRealNameAsUserName was undefined or set to false, a value of true for this flag indicates that the name portion of the user's email address, if provided by the issuer, should be used as the new user's username. This parameter cannot be set to true at the same time $wgOpenIDConnect_UseRealNameAsUserName is set to true. In this case this setting will be ignored.

Default value:: false

If a user already exists in the database with the same user name as the authenticated user and has null values for subject and issuer, use this user, setting the subject and issuer in the database to those of the authenticated user. This is useful when the wiki previously used a different authentication mechanism. If neither this parameter nor $wgOpenIDConnect_MigrateUsersByEmail are set to true the settings for user creation will be used as described above.

Default value:: false

If a user already exists in the database with the same email address as the authenticated user and has null values for subject and issuer, use this user, setting the subject and issuer in the database to those of the authenticated user. This is useful when the wiki previously used a different authentication mechanism. If neither this parameter nor $wgOpenIDConnect_MigrateUsersByUserName are set to true the settings for user creation will be used as described above.

Default value:: false

When the user logs out from the wiki, force reauthentication with the identity provider at next login even if they have not logged out from the identity provider.

Default value:: false

When the user logs out from the wiki, also log out from the identity provider. This is not supported by all identity providers (e.g. Google).

Default value:: null

Callable that takes two parameters (preferred username string and the array of attributes returned from the identity provider) and returns a possibly modified preferred username to use for a new user; this value is only used if no value is provided for preferredUsernameProcessor in the config data section (version 7.2.0+)

Default value:: null

Callable that takes two parameters (real name string and the array of attributes returned from the identity provider) and returns a possibly modified real name to use for a new user; this value is only used if no value is provided for realnameProcessor in the config data section (version 7.2.0+)

Default value:: null

Callable that takes two parameters (email address string and the array of attributes returned from the identity provider) and returns a possibly modified email address to use for a new user; this value is only used if no value is provided for emailProcessor in the config data section (version 7.2.0+)

Default value:: false

Boolean to indicate whether to generate a random unique identifier to use for the username of a new user if no preferred username is provided (rather than the default of using User followed by a unique integer) and no value is provided for useRandomUsernames in the config data section (version 8.0.0+)

A simple example of the $wgPluggableAuth_Config configuration for a single issuer is as follows:

$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://id.mycompany_abc.com/connect/',
        'clientID' => '.....',
        'clientsecret' => '.....'
    ]
];

$wgPluggableAuth_Config["My Company's Connect Server"] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://id.mycompany_abc.com/connect/',
        'clientID' => '.....',
        'clientsecret' => '.....'
    ]
];
$wgPluggableAuth_Config["Partner Company's Connect Server"] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://id.partnercompany_def.com/connect/',
        'clientID' => '.....',
        'clientsecret' => '.....'
    ]
];

As of version 7.0.0, group synchronization is possible using the capability provided by the PluggableAuth extension. For information on configurating group synchronization, see the PluggableAuth documentation.

As of version 8.3.0, backchannel logout is supported. In order to use it, you must configure your identity provider for backchannel logout, pointing to the rest.php/pluggableauth/v1/logout endpoint on your wiki.

1. Using the Google Developer Console create a project.
2. Click on the project, click on the hamburger menu (three horizontal lines in the top left), and click on APIs & Services -> Credentials on the menu.
3. Click the Create credentials -> OAuth client ID button and select Web application. Fill in the consent screen information and save.
4. Provide the redirect URI in Authorized redirect URIs^[2]:

   https://[URLofWiki]/wiki/Special:PluggableAuthLogin
   

5. Click Create Client ID.
6. Note the Client ID and Client Secret that are assigned.

The Google issuer is now configured. Add the corresponding configuration to your LocalSettings.php file, filling in the clientID and clientsecret fields with the values assigned above.

$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://accounts.google.com',
        'clientID' => '.....',
        'clientsecret' => '.....',
    ]
];

1. In the Entra admin center, go to 'Identity', then to 'Applications', and then 'App Registrations'
2. Register a new Application
   1. Provide a Name
   2. Likely specify 'Accounts in this org directory only'
   3. Provide redirect URI:^[2]

      https://[URLofWiki]/wiki/Special:PluggableAuthLogin
      

3. In the new app, go to 'Certificates and secrets' and create a new Client secret

$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://login.microsoftonline.com/[tenantID]/v2.0/',
        'clientID' => '[Application (Client) ID]',
        'clientsecret' => '[Secret from Certs and Secrets]'
    ]
];
$wgOpenIDConnect_UseRealNameAsUserName = true;

When using the common endpoint for Microsoft login, the issuer URL provided by the well-known endpoint contains a placeholder for the tenant ID, causing verification of JWT claims to fail. In this case, you can use an issuer validator to fix this. For example, you could provide an issuer validator that always returns true:

$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://login.microsoftonline.com/common/v2.0/',
        'clientID' => '[Application (Client) ID]',
        'clientsecret' => '[Secret from Certs and Secrets]',
        'issuerValidator' => fn( $iss ) => true,
    ]
];

$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        from above example
    ],
	'groupsyncs' => [
		[
			'type' => 'mapped',
			'map' => [
				'sysop' => ['groups' => '8d1cc10c-3e95-4637-941d-0c1237352e85'],
				'interface-admin' => ['groups' => 'See where to find Object ID below'] 
			]
		]
	]
];

1. In Azure, go to `Manage` -> `Token configuration`. Click `Add group claims`, select "Groups assigned to the application (recommended for large enterprise companies to avoid exceeding the limit on the number of groups a token can emit)".
2. Find app in Enterprise applications, and go to `Manage` -> `Users and groups`. Add group.
3. You can now click on the group and copy the `Object ID` and paste above.
4. You need to relogin to take effect.

• Your Keycloak realm name is acme
• Your Keycloak URL and Port is https://keycloak.local:8080
• Your Keycloak Client ID is set to mediawiki
• Your auto-generated client secret is 12345

$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://keycloak.local:8080/realms/acme',
        'clientID' => 'mediawiki',
        'clientsecret' => '12345'
    ]
];

• If you're running into trouble, like "The provider {$param} could not be fetched. Make sure your provider has a well known configuration available.", your URI^[3] is wrong. You can test the correctness by calling https://keycloak.local:8080/realms/acme/.well-known/openid-configuration in your browser. If you get back a long JSON, the path is correct.
  • Another way to verify the 'providerURL' is to check it against the ‘Redirect URI’ at Keycloak>Identity Providers>keycloak-oidc, i.e.: https://keycloak.local:8080/realms/acme/broker/keycloak-oidc/endpoint. For 'providerURL' you need the portion up to one level below realms.
• Make sure the redirect uri provided by this OIDC^[4] plugin is set valid for your keycloak-server under acme -> Clients -> mediawiki -> Settings -> valid redirect uris . For testing purposes you can add a wildcard "*".

Allowed grant types: (all)
Login redirect URIs: the full URL to Special:PluggableAuthLogin, e.g. https://www.example.com/wiki/index.php/Special:PluggableAuthLogin
Login flow: "Redirect to app to initiate login (OIDC compliant)"
Initiate login URI: the full URL to Special:UserLogin, e.g. https://www.example.com/wiki/index.php/Special:UserLogin

You must specify the openid, profile, and email scopes to communicate with Okta. If you omit the appropriate scopes, Okta will gladly authenticate your users but will not return any useful claims.

$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://your-okta-org.okta.com',
        'clientID' => '(paste the client ID Okta assigned your new app here)',
        'clientsecret' => '(paste the client secret Okta assigned your new app here)'
     ]
 ];

Allowing @ in usernames may break your wiki's Interwiki compatibility (if you rely on that). To allow the use of the @ character, just set $wgInvalidUsernameCharacters = ' '; and $wgUserrightsInterwikiDelimiter = '#'; in LocalSettings.php.

  注: As of the date this example was written, a bug exists in the OpenID Connect PHP library which causes stricter OIDC providers like Okta to reject certain requests. This should be resolved in the future when the library is updated to incorporate the change. The solution is to add a single line of code to $MEDIAWIKI_ROOT/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php as follows: right below: unset($token_params['client_secret']); simply add: unset($token_params['client_id']); # see https://github.com/jumbojett/OpenID-Connect-PHP/pull/208/commits/dd44c1ca7e45d35dcd8f32ea503b545149bc6562 (this was fixed in version 0.9.8)

To authenticate your users against Okta, you must first create a new OIDC app in your Okta org and assign it to the relevant users/groups, etc.

• Login to Gitlab Admin Area
• Go to Applications -> New Application
  • Name: MediaWiki
  • Redirect URI: <wiki server>/wiki/Special:PluggableAuthLogin
  • Trusted: yes
  • Confidential: yes
  • Scopes: openid, profile, email
• Submit
• Copy Application ID and Secret to LocalSettings.php

// Extension PluggableAuth
wfLoadExtension( 'PluggableAuth' );
$wgPluggableAuth_EnableLocalLogin = true; // set to false to deactivate local logins if required

// Extension OpenIDConnect
wfLoadExtension( 'OpenIDConnect' );
$wgPluggableAuth_Config['Login with your Gitlab Account'] = [
   'plugin' => 'OpenIDConnect',
   'data' => [
       'providerURL' => '...',  // '''Add your gitlab server here (main page)'''
       'clientID' => '...',     // '''Insert Gitlab Application ID here!'''
       'clientsecret' => '...', // '''Insert Gitlab Secret here!'''
       // Alternative 'nickname'
       // Alternative 'name'
       'preferred_username' => 'nickname'
   ]
];

You can find more information to Gitlab's docs at OpenID Connect Provider.

Amazon Cognito is a user identity service by AWS^[5].

• Your Amazon Cognito user pool ID is us-west-2_XdLg34nAA
• Your AWS region is us-west-2
• Your Client ID is set to mediawiki
• Your auto-generated client secret is 12345

$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://cognito-idp.us-west-2.amazonaws.com/us-west-2_XdLg34nAA',
        'clientID' => 'mediawiki',
        'clientsecret' => '12345'
    ]
];

• Running Nextcloud version 24, or Nextcloud All-In-One v3.0.0
• Nextcloud has the App "OIDC Identity Provider v0.2.6" installed. https://github.com/H2CK/oidc
• Your nextcloud runs from domain my.nextcloud.com
• The public url : https://my.nextcloud.com/.well-known/openid-configuration is redirected to <your internal nextcloud server>/index.php/apps/oidc/openid-configuration by e.g. nginx or another reverse proxy.
• Via nextcloud admin account, under Settings > Security > "Open ID Connect clients" you add a client with the following details
  • Name: wiki
  • Redirection URI: The full URL to Special:PluggableAuthLogin, e.g. https://www.example.com/wiki/index.php/Special:PluggableAuthLogin (Note: if your wiki's default language isn't english, Special will be different!)
  • Signing Algorithm: RS256
  • Type: confidential When you click "add" it will provide the Client Identifier string and the Secret string. Enter these values into the LocalSettings.php for myGeneratedID and myGeneratedSecret shown below.

wfLoadExtension( 'PluggableAuth' );
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgPluggableAuth_EnableAutoLogin = true; // Now the user doesn't have the 'login'/'logout' button.

wfLoadExtension( 'OpenIDConnect' );
$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://my.nextcloud.com',
        'clientID' => 'myGeneratedID',
        'clientsecret' => 'myGeneratedSecret'
   ]
];

Version 8.3.0

• Add support for backchannel logout (T327147)

Version 8.2.1

• Fixed case insensitive email comparison for email migration

Version 8.2.0

• Added support for specifying parameters to the well known config (T383498)
• Added support for code challenge/PKCE (T366023)
• Added ability to set the token endpoint auth (T378905)

Version 8.1.0

• Fixed bug on database upgrade (T378904)
• Updated https://github.com/jumbojett/OpenID-Connect-PHP to version 1.0.2 (T378907)
• Bump minimum MediaWiki version to 1.39

Version 8.0.2

• Use case insensitive email comparison for email migration
• Improved random username generation

Version 8.0.1

• Reverted back to version 0.9.10 of https://github.com/jumbojett/OpenID-Connect-PHP for stability

Version 8.0.0

• Allow multiple identity providers to map to a single user (T361877)

Version 7.2.0

• Add processor functions (T357752) to allow username, real name, and email normalization
• Add random username generator
• Updated to version 1.0.0 of https://github.com/jumbojett/OpenID-Connect-PHP
• Code clean-up (added tests, removed deprecations)

Version 7.1.0

• Support custom issuer validator (T360249)

Version 7.0.2

• Use ID token to get claims during authentication (T348931)

Version 7.0.1

• Allow preferred_username config attribute to be null or blank (T339311)

Version 7.0.0

• Made compatible with PluggableAuth 7.0.0
• Add optional single logout ($wgOpenIDConnect_SingleLogout)
• Replace ForceLogout (which was broken) with ForceReauth ($wgOpenIDConnect_ForceReauth)
• Add function to get access token with refresh token
• Use new PluggableAuth group population framework; supports retrieval of attributes including groups
• Code improvements
• Bug fixes:
  • T307353: Query condition in username migration is wrong

Version 6.2

• Update jumbojett/openid-connect-php library version to 0.9.10
• Replace deprecated User::idFromName

Version 6.1

• Make sure populate group hook only runs for OpenID Connect plugin instances

Version 6.0

• Updated to be compatible with PluggableAuth version 6.0

Version 5.4

• Updated jumbojett/openid-connect-php to version 0.9.1
• Fixed bug while trying to authenticate with Okta where extra parameters are sent in the request making the request fail

Version 5.3

• Fixed bug with migrated initial lowercase usernames (T249630)

Version 5.2

• Added optional configuration options for disabling the verification of hostnames and certificates, for use in development environments with self-issued certificates

Version 5.1

• Added generation of full redirect URL so OpenID Connect PHP library doesn't have to guess, which occasionally it didn't have enough information to do accurately

Version 5.0

• Moved subject and issuer columns from user table to openid_connect table (requires database update)
• Added support for Postgres

Version 4.1

• Added namespace for library class

Version 4.0

• Added optional error message to authenticate()
• Bumped version number to synchronize with PluggableAuth and SimpleSAMLphp extensions

Version 2.3

• Fixed whitelist implementation
• Changes migration flags to allow migration by email address in addition to migration by user name

Version 2.2

• Fixes related to PluggableAuth MediaWIki 1.27 upgrade
• Array coding conventions

Version 2.1

• Update to MediaWiki 1.27 session management
• Added default values for configuration variables to extension.json

Version 2.0

• Updated extension registration
• Changed configuration variables to use "wg" prefix
• Added composer.json to get OpenID Connect library using composer

Version 1.2

• Added ability to specify auth params and added support for table prefixes

Version 1.1

• Added support for Google

Version 1.0

• Initial version

• Wikis that use URLs of the form https://example.org/w/index.php?title=Page_title (i.e. having the page title provided as a query parameter) will not be redirected correctly to complete the authentication flow. Instead, URLs must be of the form https://example.org/w/index.php/Page_title, which can be accomplished by using short URLs or by setting $wgArticlePath appropriately.
• This extension may not work correctly with $wgMainCacheType = CACHE_ACCEL;. In this case you also need to set $wgSessionCacheType = CACHE_DB; (see T147161).
• This extension does not work on non-standard ports unless you manually update the underlying Openid connect client, see: jumbojett/OpenID-Connect-PHP issue 58 on GitHub. This issue also applies when connecting to other webserver than IIS.
• When running the createAndPromote.php maintenance script, both the PluggableAuth and OpenID Connect extensions need to be disabled by commenting out their wfLoadExtension() calls.
• This extension does not support custom well-known endpoints. This means Azure Active Directory B2C's OpenID Connect authentication flow is currently not supported.

• Extension:PluggableAuth
• Extension:SimpleSAMLphp
• Extension:Email Authorization
• Extension:LDAP Authorization