Extension:WSOAuth
WSOAuth リリースの状態: 安定 |
|
---|---|
実装 | 利用者識別 , 利用者権限 |
説明 | Extends the PluggableAuth extension to provide authentication using an OAuth provider |
作者 | Xxmarijnw (Wikibase Solutions) and others |
最新バージョン | 9.0.0 (2023-06-16) |
互換性の方針 | MediaWiki とともにリリースされるスナップショット。 master には後方互換性がありません。 |
MediaWiki | 1.35+ |
PHP | 7.3+ |
データベースの変更 | はい |
ライセンス | MIT ライセンス |
ダウンロード | |
|
|
四半期ごとのダウンロード数 | 93 (Ranked 58th) |
WSOAuth 拡張機能の翻訳にご協力ください | |
Vagrant role | wsoauth |
問題点 | 未解決のタスク · バグを報告 |
The WSOAuth extension (Wikibase Solutions OAuth) provide authentication using an OAuth provider. It provides a layer on top of the PluggableAuth extension to enable authentication via OAuth.[1]
The following OAuth providers are currently available by default:
- MediaWiki (MediaWiki instance running OAuth )
WSOAuth makes it easy to add new OAuth providers. You can read more about how to add a new OAuth provider on WSOAuth for Developers .
Compatibility
WSOAuth | PluggableAuth | MediaWiki | ||
---|---|---|---|---|
9.0+ | 7.0+ |
| ||
6.0-8.x | 6.0-6.x |
| ||
1.0-5.x | 5.7 |
|
設定
Values must be provided for the following mandatory configuration variables:
フラグ | 既定値 | 説明 | ||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
$wgPluggableAuth_Config (see Extension:PluggableAuth#Configuration)
|
[]
|
A mandatory array of arrays specifying the OAuth providers and their configuration. The data field of the array should be an array with the following keys:
|
In addition, the following optional configuration variables are provided:
フラグ | 既定値 | 説明 |
---|---|---|
$wgOAuthCustomAuthProviders |
false |
An array containing a list of custom OAuth providers together with their class name (see WSOAuth for Developers for more information). |
$wgOAuthAutoPopulateGroups |
[] |
An array containing a list of MediaWiki group names that must be automatically assigned to the user after they are authenticated. Since WSOAuth 9.0, this requires you to also configure how groups are synchronised. |
$wgOAuthMigrateUsersByUsername |
false |
Whether or not to allow usurpation of existing accounts. If a user is already registered on your wiki before installing WSOAuth with the same username as a user that is logging in via OAuth, this setting will determine whether that existing account will be given to the user signing in (true), or whether the user singing in through OAuth will be prevented from doing so because the user already exists (false). Once an account has been migrated, the user associated with that account will always be able to sign in through OAuth, even after this setting is changed to false. It is safer to leave this value as false and let the user connect their remote account manually through Special:Preferences.
|
$wgOAuthDisallowRemoteOnlyAccounts |
false |
Whether or not to allow accounts to not have a local counterpart. |
$wgOAuthUseRealNameAsUsername |
false |
Whether to use the real name as the username. |
An example of the $wgPluggableAuth_Config
for a single providers is as follows:
$wgPluggableAuth_Config['nlwiki'] = [
'plugin' => 'WSOAuth',
'data' => [
'type' => 'mediawiki',
'uri' => 'https://nl.wikipedia.org/wiki/Special:OAuth',
'clientId' => '...',
'clientSecret' => '...'
],
'buttonLabelMessage' => 'dutch-wikipedia-login-button-label'
];
nlwiki
) is used to identify the OAuth provider internally and MUST NOT change.An example of the $wgPluggableAuth_Config
for multiple providers is as follows:
$wgPluggableAuth_Config['nlwiki'] = [
'plugin' => 'WSOAuth',
'data' => [
'type' => 'mediawiki',
'uri' => 'https://nl.wikipedia.org/wiki/Special:OAuth',
'clientId' => '...',
'clientSecret' => '...'
],
'buttonLabelMessage' => 'dutch-wikipedia-login-button-label'
];
$wgPluggableAuth_Config['facebook'] = [
'plugin' => 'WSOAuth',
'data' => [
'type' => 'facebook',
'clientId' => '...',
'clientSecret' => '...',
'redirectUri' => '...'
],
'buttonLabelMessage' => 'facebook-login-button-label'
];
Group synchronisation
To configure group synchronisation, you need to add a groupsyncs
array to the $wgPluggableAuth_Config
array.
This array must contain zero or more sub-arrays that specify how groups are synced.
For detailed information, see Extension:PluggableAuth#Group Synchronization.
The most common use-case is to synchronise all groups, which can be achieved using the syncall
group synchronisation algorithm.
The configuration below will achieve similar functionality to older version of WSOAuth (<= 8.0.0).
$wgPluggableAuth_Config['nlwiki'] = [
'plugin' => 'WSOAuth',
'data' => [
'type' => 'mediawiki',
'uri' => 'https://nl.wikipedia.org/wiki/Special:OAuth',
'clientId' => '...',
'clientSecret' => '...',
'autoPopulateGroups' => ['mygroups' => ['sysop', 'bureaucrat']]
],
'groupsyncs' => [
'mygroupsync' => [
'type' => 'syncall',
'groupattributename' => 'mygroups'
]
]
'buttonLabelMessage' => 'dutch-wikipedia-login-button-label'
];
OAuth providers
Currently, the following OAuth providers are supported:
- MediaWiki OAuth (MediaWiki instance running OAuth )
MediaWiki OAuth
Follow the steps below to enable authentication and authorization via MediaWiki OAuth.
- Register a new OAuth 1.0a application on the wiki you are delegating access to.
- For example - to register with wikimedia visit: https://meta.wikimedia.org/wiki/Special:OAuthConsumerRegistration/propose
- Do not use an RSA key pair for authentication and let MediaWiki generate the secret for you. Use
https://<local wiki url>/wiki/index.php?title=Special:PluggableAuthLogin
as OAuth "callback" URL[3]. SelectUser identity verification only, no ability to read pages or act on a user's behalf.
under Types of grants being requested.
- Write down the key and secret you received from MediaWiki.
- Set the following in your LocalSettings.php:
$wgPluggableAuth_Config['mywikiauth'] = [ 'plugin' => 'WSOAuth', 'data' => [ 'type' => 'mediawiki', 'uri' => 'https://<central wiki>/w/index.php?title=Special:OAuth', 'clientId' => '<The client ID (key) you received from MediaWiki when you registered your app>', 'clientSecret' => '<The secret you received from MediaWiki when you registered your app>' ] ];
The key of the configuration (in the example abovemywikiauth
) is used to identify the OAuth provider internally and MUST NOT change.
To exclusively use MediaWiki as your sign-on system and to automatically log in when visiting the wiki, also set the following in LocalSettings.php:
$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = false;
For OAuth applications that utilize a "callback" prefix, a redirect URI[2] must be set through the redirectUri
key.
This redirect URI must have the prefix specified.
Follow the steps below to enable authentication and authorization via Facebook.
- Create a new app on Facebook for Developers.
- Under Add a Product, select Facebook Login.
- In the menu on the left, select Settings under Facebook Login.
- Add the domain of your wiki to the list of Valid OAuth Redirect URIs and hit save.
- In the menu on the left, click Settings, then Basic and write down the App ID and App Secret.
- Set the following in your LocalSettings.php:
$wgPluggableAuth_Config['myfacebookauth'] = [ 'plugin' => 'WSOAuth', 'data' => [ 'type' => 'facebook', 'clientId' => '<The App ID>', 'clientSecret' => '<The App Secret>', 'redirectUri' => 'https://<wiki domain>/index.php/Special:PluggableAuthLogin' ] ];
The key of the configuration (in the example abovemyfacebookauth
) is used to identify the OAuth provider internally and MUST NOT change.
To exclusively use Facebook as your sign-on system and to automatically log in when visiting the wiki, also set the following in LocalSettings.php:
$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = false;
Upgrading from before 6.0
The database schema had to be changed in order to support multiple authentication providers after version 6.0.
If you are running a MediaWiki instance with a version of WSOAuth older than 6.0, you must migrate your existing external users to the new database schema if you want to upgrade.
You can use the maintenance script multiAuthMigrate.php
located in the extension's maintenance
folder to migrate:
$ php extensions/WSOAuth/maintenance/multiAuthMigrate.php --provider=mywikiauth
The provider
option in the example above determines which provider to migrate existing users to.
System messages
Here some useful system messages, related to this extension, that can be personalized:
Message title | Default message | Position | Tip |
---|---|---|---|
wsoauth-user-already-exists-message |
The username "{{{1}}}" is already taken. | Text displayed is the login screen error message when an user tries to login with OAuth, but there is a user in that wiki who has the same username. | It may happen that a user first registers on the wiki via the regular user registration and then tries to login through OAuth, encountering this error message. If this may happen in your wiki, you can personalize this message to invite users to authorize remote logins from their preferences. Here a screenshot:[upref 1] |
- ↑ restricted preferences
MediaWiki:Message title
page on your wiki.
インストール
- ダウンロードして、ファイルを
extensions/
フォルダー内のWSOAuth
という名前のディレクトリ内に配置します。
開発者とコード寄稿者は、上記の代わりに以下を使用してGitからインストールします:cd extensions/
git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/WSOAuth - Gitでのインストールの場合のみ、PHPの依存関係をインストールするためComposerを実行します。 (合併症の可能性についてはタスク T173141を参照。)
- 以下のコードを LocalSettings.php ファイルの末尾に追加します:
$wgGroupPermissions['*']['autocreateaccount'] = true; wfLoadExtension( 'PluggableAuth' ); wfLoadExtension( 'WSOAuth' );
- 更新スクリプトを実行します。このスクリプトは、この拡張機能が必要とするデータベーステーブルを自動的に作成します。
- 必要に応じて設定します。
- 完了 – ウィキの「Special:Version」に移動して、拡張機能が正しくインストールされたことを確認します。
Vagrantでのインストール:
- Vagrant を使用している場合は、
vagrant roles enable wsoauth --provision
でインストールしてください。
Notes
Gallery
-
Login page with local and remote authentication enabled.
この拡張機能は以下のウィキ ファーム/ウィキ ホスト/パッケージに含まれています: これは正式な一覧ではありません。 一部のウィキ ファーム/ウィキ ホスト/パッケージは、ここに記載されていなくてもこの拡張機能を含んでいる場合があります。 必ずご利用のウィキ ファーム、ウィキ ホスト、バンドルで確認してください。 |