扩展:PluggableAuth

Languages:

This extension is maintained by a member of the MediaWiki利益相關者小組.

**MediaWiki的扩展的手冊**
PluggableAuth 發佈狀態：穩定版本

实现	用户識別 , 用户权限 , 钩子
描述	为身份验证授权的扩展提供框架。
作者	Cindy Cicalese (cindy.cicalese^讨论)
最新版本	7.0-dev (2023-02-08)
兼容性政策	快照跟随MediaWiki发布。 master分支不向後兼容。
MediaWiki	>= 1.35.0
Composer	mediawiki/pluggable-auth
许可协议	MIT授權條款
下載	下載扩展 Git ^[?]: 下载Git master 浏览存储库 (Phabricator · GitHub) 提交历史 repository contributors (GitHub) 代码复核
參數 $wgPluggableAuth_EnableFastLogout $wgPluggableAuth_EnableLocalLogin $wgPluggableAuth_EnableLocalProperties $wgPluggableAuth_EnableAutoLogin $wgPluggableAuth_Config
使用的钩子 AuthChangeFormFields BeforeInitialize LocalUserCreated SkinTemplateNavigation::Universal SpecialPage_initList TitleReadWhitelist UserLogoutComplete
提供的钩子 PluggableAuthPopulateGroups PluggableAuthUserAuthorization
季度下載量	2,202 (Ranked 2^nd)
翻譯PluggableAuth的扩展，若在translatewiki.net可用
問題	尚未完成的工作 · 报告錯誤

PluggableAuth的扩展提供了一个创建身份验证授权扩展的框架。

Authentication is the process of proving that a user is who they say they are. This may be done, for example, by providing a username and password or some token or biometric.

The following authentication extensions can be used with PluggableAuth:

SimpleSAMLphp - 使用 SAML
OpenID Connect - 使用OpenID
LDAPAuthentication2 - uses LDAP
WSOAuth - 使用 OAuth
Shibboleth - uses Shibboleth
DiscourseSsoConsumer - uses Discourse
NaylorAMS - uses Naylor Association Management Software
PHPBB Auth - uses phpBB

授权是验证用户是否应该访问特定资源的过程。例如，可以通过检查授权电子邮件地址列表或检查身份服务器提供的用户属性值来实现。

在PluggableAuth之下，授权类扩展确定经过身份验证的用户是否可以继续登录到wiki。 However, the authentication extensions (rather than the authorization extensions) take care of which user groups a user should be authorized for, based on the attributes passed from the identity provider (IdP).

The following authorization extensions can be used with PluggableAuth:

Email Authorization - 使用电子邮件地址和域名列表
LDAP Authorization - 使用LDAP

PluggableAuth must be used with one or more authentication plugins and zero or more authorization plugins. If more than one authentication plugin is used, a button for each authentication plugin will be added to the Special:UserLogin page. If a single authentication plugin is used and local login is disabled, the Special:UserLogin page will be bypassed. If no authorization plugins are used, all authenticated users will be authorized to use the wiki.

PluggableAuth defines two important hooks:

PluggableAuthUserAuthorization - enables authorization plugins to provide code to make an authorization decision
PluggableAuthPopulateGroups - used to augment MediaWiki's group information with that from an external provider

安裝

下载文件，并将其放置在您extensions/文件夹中的PluggableAuth目录内。
将下列代码放置在您的LocalSettings.php 的底部：
```
wfLoadExtension( 'PluggableAuth' );
```
The createaccount or autocreateaccount user rights must be granted to all users. See User rights.
Configure as required
完成 – 在您的wiki上导航至Special:Version，以验证已成功安装扩展。

One or more authentication plugins and zero or more authorization plugins must be installed as well.

Version 6.0 of PluggableAuth is a significant upgrade. The configuration variable $wgPluggableAuth_Config is required in version 6.0. The plugins must be compatible with the version of PluggableAuth installed.

Compatibility Matrix
插件	PluggableAuth 版本6.0或更高	PluggableAuth 版本5.7或更早
DiscourseSsoConsumer	-	2.0.0
LDAPAuthentication2	-	1.0.1
NaylorAMS	-	0.1.0
OpenID Connect	6.0	5.4
PHPBB Auth	4.1.0	4.0.0
Shibboleth	-	v1.0.0-rc.1
SimpleSAMLphp	5.0.0	4.5.2
WSOAuth	6.0	5.0
EmailAuthorization	3.0	2.0
LDAPAuthorization	-	1.0.0

配置

All versions

标记	默认	描述
`$wgPluggableAuth_EnableAutoLogin`	`false`	Should login occur automatically when a user visits the wiki?
`$wgPluggableAuth_EnableLocalLogin`	`false`	Should user also be presented with username/password fields on the login page to allow local password-based login to the wiki?
`$wgPluggableAuth_EnableLocalProperties`	`false`	If true, users can edit their email address and real name on the wiki. If false, the default, they cannot do so. Note that, if you rely on email address and/or real name returned from the authentication provider in any way, you should leave this setting at its default value. After the call to `authenticate()`, PluggableAuth checks to see if the real name or email address returned are different from those saved in the wiki database. If either is different, it checks to see if this setting is true. If so, this is understood by PluggableAuth to indicate that the real name and email address are managed in the wiki on the `Special:Preferences` page. Otherwise, the real name and email address are managed by the authentication provider, so the new real name and email address values are saved to the wiki database. That is, if this setting is false, any changes to the real name or email address at the remote authentication provider will overwrite the local values when the user logs in.

Version 6.0 or later

标记	默认	描述
`$wgPluggableAuth_Config`	无默认值	An array of arrays containing configuration for the authentication plugins. The keys to the outer array are used as the button labels on `Special:UserLogin` if no button message is provided in the respective inner array. The valid keys to the inner arrays are: `plugin` (required) — The name of the authentication plugin `buttonLabelMessage` (optional) — The system message (e.g. (MediaWiki:)SSOButtonLabel) to be used for the label for the button on `Special:UserLogin` `data` — A configuration array to be passed to the authentication plugin. The contents depend upon the authentication plugin. Depending upon the authentication plugin, this may be optional or required.

Version 5.7 or earlier

标记	默认	描述
`$wgPluggableAuth_ButtonLabelMessage`	无默认值	If set, the name of a message that will be used for the label of the login button on the `Special:UserLogin` form. This is useful if an authentication plugin will be showing the `Special:UserLogin` form to the user and needs to customize the button label with a localizable Message. If not set and if no value is set for `$wgPluggableAuth_ButtonLabelMessage`, the value of the `pluggableauth-loginbutton-label` message, which has a default value of "Log in with PluggableAuth" will be used. To override this value you can edit the page `MediaWiki:Pluggableauth-loginbutton-label` and its language variants. This configuration variable is usually set, if at all, by authentication plugins and not by wiki site administrators. If set by a wiki site administrator, the relevant message pages in the MediaWiki namespace will need to be created with the localized message values.
`$wgPluggableAuth_ButtonLabel`	`null`	If `$wgPluggableAuth_ButtonLabelMessage` is not set and `$wgPluggableAuth_ButtonLabel` is set to a string value, this string value will be used as the label of the login button on the `Special:UserLogin` form. This allows a wiki site administrator to set the label if a localizable Message is not provided by an authentication plugin. Note that this string is NOT localizable.
`$wgPluggableAuth_ExtraLoginFields`	`[]`	An array of extra fields to be added to the login form at `Special:UserLogin`. See the documentation for AuthenticationRequest:getFieldInfo() for the format of the array. This configuration variable may be set by authentication plugins and should not be set by wiki site administrators.
`$wgPluggableAuth_Class`	no default value	The name of a class that extends the abstract `PluggableAuth` class to provide authentication. This configuration variable must be set by authentication plugins and should not be set by wiki site administrators.

开发者手账

创建一个认证插件

Version 6.0 and later:

Authentication plugins subclass the abstract MediaWiki\Extension\PluggableAuth\PluggableAuth class provided by PluggableAuth.
In version 6.0 and later, an authentication plugin must specify at attributes section in extension.json. For example:

"attributes": {
   "PluggableAuth": {
      "OpenIDConnect": {
         "class": "MediaWiki\\Extension\\OpenIDConnect\\OpenIDConnect",
         "services": [
            "MainConfig",
            "AuthManager",
            "OpenIDConnectStore"
         ]
      }
   }
},

Version 5.7 and earlier:

Authentication plugins subclass the abstract PluggableAuth class provided by PluggableAuth.
An authentication plugin must set $PluggableAuth_Class to the name of this subclass.

The authentication plugin subclass must implement the following methods:

public function authenticate( ?int &$id, ?string &$username, ?string &$realname, ?string &$email, ?string &$errorMessage ): bool;

调用以验证用户。
The parameters are used to return the user id, username, real name, and email address of the authenticated user and, if the user cannot be authenticated, an optional error message. $id is an integer and the remaining parameters are all strings. If the user cannot be authenticated and no value is set for $errorMessage, a default error message is displayed.
$id must be set to null if the user is new, in which case PluggableAuth will add the user to the database.
Must return true if the user has been authenticated and false otherwise.
If the return to URL, the name of the page, or the query parameters from the page that login was initiated from are necessary in the authenticate() function, they may be accessed as follows:

$returnToUrl = $this->authManager->getAuthenticationSessionData(
    PluggableAuthLogin::RETURNTOURL_SESSION_KEY
);
$returnToPage = $this->authManager->getAuthenticationSessionData(
    PluggableAuthLogin::RETURNTOPAGE_SESSION_KEY
);
$returnToQuery = $this->authManager->getAuthenticationSessionData(
    PluggableAuthLogin::RETURNTOQUERY_SESSION_KEY
);

public function saveExtraAttributes( int $id ): void

Called after a new user has been authenticated and added to the database to add any additional information to the database required by the authentication mechanism.

public function deauthenticate( UserIdentity &$user ): void

Called when the user logs out to notify the identity provider, if necessary, that cleanup such as removing the user's session should be done.

Special:UserLogin and extra login fields

The Special:UserLogin page will only be displayed to the user during authentication if user interaction is required.

That is, if there is only a single configured authentication provider, its authentication plugin does not add extra fields to the Special:UserLogin form using the PluggableAuth::getExtraLoginFields() static function (or $wgPluggableAuth_ExtraLoginFields in version 5.7 or earlier), and local login (which enables the username and password fields on the Special:UserLogin form) is not enabled by a site administrator using $wgPluggablAuth_EnableLocalLogin, the Special:UserLogin page will not be displayed.

Even if Special:UserLogin is not displayed, it may be necessary for an authentication plugin to gather user input using a web page provided by an enterprise authentication system. This would be accomplished by a redirect, often from within the authentication library used by the authentication plugin.

If no such library exists and you need to implement the authentication mechanism from scratch, the redirect should not go to Special:UserLogin. Instead, it should go to a custom, unlisted special page based on PluggableAuthLogin.php. Finally, if there is no user input required by the user as part of authentication from either Special:UserLogin or the remote authentication system, clicking on the Log in link will simply re-render the current page in a logged in state.

If an authentication plugin adds extra fields to the Special:UserLogin form using the PluggableAuth::getExtraLoginFields() static function (or $wgPluggableAuth_ExtraLoginFields in version 5.7 or earlier), the fields can be accessed in the authenticate() function in an authentication plugin as follows:

...
$authManager = MediaWikiServices::getInstance()->getAuthManager();
$extraLoginFields = $authManager->getAuthenticationSessionData(
    PluggableAuthLogin::EXTRALOGINFIELDS_SESSION_KEY
);

This will return an array of field values indexed by the name of the field from the field descriptor array.

创建一个认证插件

Authorization hooks use the PluggableAuthUserAuthorization hook to register an implementation of the following function:

function authorize( UserIdentity $user, bool &$authorized ): void

$user is the UserIdentity object for the user requesting authorization
$authorized must be set to true if the user is authorized and false otherwise.

发行说明

Version 6.3

Fixed MW 1.35 incompatibility in deauthenticate

Version 6.2

added compatibility with MW 1.39
- Switch from deprecated PersonalUrls hook to SkinTemplateNavigation::Universal
Only set real name if it is not null
Use setter and getter for user's real name

Version 6.1

restored backward compatibility with MW 1.35 (T308865)

Version 6.0

Support multiple authentication plugins using $wgPluggableAuth_Config
需要1.35或更高版本的MediaWiki
Drop support for the following configuration variables:
- $wgPluggableAuth_ButtonLabelMessage (use the buttonLabelMessage field in the corresponding $wgPluggableAuth_Config entry)
- $wgPluggableAuth_ButtonLabel (use the index of the corresponding $wgPluggableAuth_Config entry)
- $wgPluggableAuth_ExtraLoginFields (use static function in PluggableAuth class)
- $wgPluggableAuth_Class (now specified by an attribute in the authentication plugin's extension.json and referred to by the plugin field in the corresponding $wgPluggableAuth_Config entry)

Version 5.7

Added error message when there is a rare fatal session error

Version 5.6

Fixed autologin so it returns to the correct page after authentication.

Version 5.5

Fixed issue with PluggableAuthPopulateGroups hook.

Version 5.4

增加了$wgPluggableAuth_ButtonLabelMessage和$wgPluggableAuth_ButtonLabel。
Coding style fixes.

Version 5.3

加入了$wgPluggableAuth_ExtraLoginFields。

Version 5.2

Converted auto login to PHP from JavaScript.

Version 5.1

Added PluggableAuthPopulateGroups hook. Thank you to Poikilotherm for contributing this functionality.

Version 5.0

Added $wgPluggableAuth_EnableLocalProperties and removed use of editmyprivateinfo
Added debug statement when returntourl is not set

Version 4.2

Fixed exception when returntoquery is undefined.

Version 4.1

Added session variables to hold the name of the page and the query parameters of the page from which login was initiated for use in authenticate()

Version 4.0

Added optional error message to authenticate()
Bumped version number to synchronize with SimpleSAMLphp and OpenIDConnect extensions

Version 2.2

Confirm email addresses coming from external authentication sources

Version 2.1

Update file naming conventions

Version 2.0

Almost completely rewritten to support the new MediaWiki 1.27 authentication and session management framework
Switched to new extension registration
Configuration variable names changed to add $wg prefix
$PluggableAuth_Timeout removed
$PluggableAuth_AutoLogin renamed to $wgPluggableAuth_EnableAutoLogin
$wgPluggableAuth_EnableLocalLogin added to support local password-based login to the wiki in addition to PluggableAuth

Version 1.2

Moved the addition of a new user to the wiki database to after successful authorization of the user
Added editmyprivateinfo check

Version 1.1

Added call to logout when session times out to ensure that the deauthenticate function in implementing classes gets called

Version 1.0

Initial version

此擴充功能包含在以下包或/和wiki農場：

這不是一份權威名單。即使一些wiki農場/託管者沒有被列在這裡，他們也可能包含這個extension。請以各wiki農場/託管者或包的狀態為準。