Says MediaWiki version required is >= 1.43, but the latest is 1.42.1... so I'm confused.
Extension talk:OATHAuth
That is probably for the current unreleased version. These tables are automatically constructed and it is difficult to reflect all information for each version of MediaWiki.
Okie dokie. Thank you.
I set in LocalSettings: $wgOATHRequiredForGroups = ['editor']; and no effect.
Looking for something similar, would like to know the correct syntax for $wgOATHRequiredForGroups
Any luck w/ this? I'm trying to enforce TFA for all users, and it's unclear how to do that:
$wgOATHRequiredForGroups[] = 'user';
does nothing different from
$wgGroupPermissions['*']['oathauth-enable'] = true;
I have the following config
##Users should be given access to the oathauth-enable user right so that they can enable it at Special:OATHAuth
$wgGroupPermissions['user']['oathauth-enable'] = true;
##Set MFA for all logged in users
#$wgOATHRequiredForGroups[] = ['user','WIKI-PSWiki-Admins'];
##Remove 'read' right until auth with MFA
$wgOATHExclusiveRights = ['read'];
But with this the users are being asked to do MFA but they don't have the rights to see the preferences page
As MediaWiki in general is architected for situations where users have read rights, you might run into unexpected problems when they don't, this being one of them. Manual:Preventing_access suggests Manual:$wgWhitelistRead. I'm not sure anyone has ever tested for a situation like the one you are describing, so unsure if that suggestion will work.
Is my syntax in configuration correct?
The users are not able to see the login page either, though I have
$wgWhitelistRead = array ("Special:Userlogin");
Say I remove $wgOATHExclusiveRights, will $wgOATHRequiredForGroups take care of enforcing the user to have MFA on login, like register to MFA if they don't have it set?
I had the same issue with my installation, so I edited the plugin.
In extensions/OATHAuth/src/Hook/HookHandler.php
replace, from line 220 to 228:
$session = $user->getRequest()->getSession();
$WhitelistArray = $this->config->get( 'WhitelistRead' );
if ( !is_array( $WhitelistArray ) ) {
    $WhitelistArray = array();
}
if (
    !(bool)$session->get( OATHAuth::AUTHENTICATED_OVER_2FA, false ) &&
    in_array( $action, $this->config->get( 'OATHExclusiveRights' ) ) &&
    !in_array( $title, $WhitelistArray )
) {
    $result = 'oathauth-action-exclusive-to-2fa';
    return false;
}
return true;
then, in LocalSettings.php:
$wgOATHExclusiveRights = ['read'];
$wgOATHRequiredForGroups = ['user'];
$wgWhitelistRead = [
    'Special:UserLogin',
    'Special:Preferences',
    'Special:Manage Two-factor authentication',
    'Special:OATHAuth',
    'MediaWiki:Common.css',
    'MediaWiki:Common.js'
];
Once 2FA is enabled, the user must log out and log in again.
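A check for the configuration mistakes reported in this thread, as an added example that is not part of any post above and not code from the OATHAuth extension. `lintOathConfig()`, `ENROLLMENT_TITLES` and the finding messages are hypothetical, and the whitelist rule assumes the patched hook from the post above, which matches titles with `in_array()`.

```php
<?php
// Added example: hypothetical linter over plain arrays; it does not load MediaWiki.
// Titles a user must reach to log in and enroll, taken from the whitelist in the post above.
const ENROLLMENT_TITLES = ['Special:UserLogin', 'Special:OATHAuth'];

function lintOathConfig(array $cfg): array {
    $findings  = [];
    $required  = $cfg['OATHRequiredForGroups'] ?? [];
    $exclusive = $cfg['OATHExclusiveRights'] ?? [];
    $whitelist = $cfg['WhitelistRead'] ?? [];
    $perms     = $cfg['GroupPermissions'] ?? [];

    // `$wgOATHRequiredForGroups[] = ['a', 'b'];` appends one nested array,
    // not two group names.
    foreach ($required as $i => $group) {
        if (!is_string($group)) {
            $findings[] = "OATHRequiredForGroups[$i] is not a group name (nested array?)";
        }
    }

    // Groups that must use 2FA need the right to enable it, directly or via 'user' / '*'.
    foreach (array_filter($required, 'is_string') as $group) {
        $granted = ($perms[$group]['oathauth-enable'] ?? false)
            || ($perms['user']['oathauth-enable'] ?? false)
            || ($perms['*']['oathauth-enable'] ?? false);
        if (!$granted) {
            $findings[] = "group '$group' lacks oathauth-enable";
        }
    }

    // With 'read' exclusive to 2FA sessions, the enrollment pages must stay readable.
    // Exact string match, like in_array() in the patch.
    if (in_array('read', $exclusive, true)) {
        foreach (array_diff(ENROLLMENT_TITLES, $whitelist) as $title) {
            $findings[] = "'read' is 2FA-exclusive but '$title' is not in WhitelistRead";
        }
    }
    return $findings;
}

// Constructed sample combining the nested-array form and a login-only whitelist.
$sample = [
    'OATHRequiredForGroups' => [['user', 'WIKI-PSWiki-Admins']],
    'OATHExclusiveRights'   => ['read'],
    'WhitelistRead'         => ['Special:Userlogin'],
    'GroupPermissions'      => ['user' => ['oathauth-enable' => true]],
];
echo implode(PHP_EOL, lintOathConfig($sample)), PHP_EOL;
```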
Is there any way to prevent a user from disabling two-factor authentication?
Not at the moment but probably soon. See T150562.
Anyone know what OATH stands for? Perhaps we can work this into the page somewhere, to help folks remember the extension name.
See the last link in See also:
When I use the latest version of OATHAuth on MediaWiki 1.39.4, an error occurs.
2023/07/21 00:34:54 [error] 12943#0: *2494 FastCGI sent in stderr: "PHP message: PHP Fatal error: Uncaught Exception: Unable to open file /www/wwwroot/wiki.youshouyan.org/extensions/OATHAuth/extension.json: filemtime(): stat failed for /www/wwwroot/wiki.youshouyan.org/extensions/OATHAuth/extension.json in /www/wwwroot/wiki.youshouyan.org/includes/registration/ExtensionRegistry.php:199 Stack trace: # 0 /www/wwwroot/wiki.youshouyan.org/includes/GlobalFunctions.php(49): ExtensionRegistry->queue() # 1 /www/wwwroot/wiki.youshouyan.org/LocalSettings.php(218): wfLoadExtension() # 2 /www/wwwroot/wiki.youshouyan.org/includes/Setup.php(218): require_once('...') # 3 /www/wwwroot/wiki.youshouyan.org/includes/WebStart.php(86): require_once('...') # 4 /www/wwwroot/wiki.youshouyan.org/index.php(44): require('...') # 5 {main} thrown in /www/wwwroot/wiki.youshouyan.org/includes/registration/ExtensionRegistry.php on line 199" while reading response header from upstream, client: 103.15.97.139, server: wiki.zorua.top, request: "GET /wiki/有兽档案馆:首页 HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi-81.sock:"
Unable to open file /www/wwwroot/wiki.youshouyan.org/extensions/OATHAuth/extension.json
Make sure your php process is allowed to open this file.
I've changed the permission code of extension.js from 655 to 755, and PHP stopped throwing the error above. However, when I click the "enable" button on Special:OATHAuth page, the website still returns code 404, without any further explanation in the error log. Actually, this is the original bug that drove me to look into the error log yesterday.
I've performed an investigation into the source code, and I found that 404 is thrown when PHP is executing Line 121 of src/Module/TOTP.php, i.e., creating a TOTPEnableForm object. I hope this information is helpful for debugging, and I'm always glad to provide more information when needed.
As it is already possible to force users to login before reading pages, is it possible to have 2FA also mandatory for this?
- $wgOATHExclusiveRights=['read'];
But try first.
When I want to enable TOTP,
I got this error - [c884f5c00ef4a4497ae26590] /index.php?title=Special:OATH%E9%AA%8C%E8%AF%81&action=enable&module=totp&warn=1 Error: Class 'Base32\Base32' not found
even though I have checked that all the required dependencies have been installed, like christian-riesen/base32.
MW 1.39. Did I miss any setting?
Any secondary effects from disabling this?
I recently added this extension to my wiki and my users can get set up and work well. I have noticed that sometimes it seems like user rights disappear and I am wondering if this is due to the 2FA login "expiring"?
I usually tick the "Keep me signed in" box on the logon page. Does having 2FA change the functionality of this checkbox?
It seems that the rights in $wgOATHExclusiveRights, which I have set to move and delete, get removed after some period of time.
Is this the proper behavior? How long do rights stay active after adding 2FA?