Extension talk:WSOAuth

About this board

Vector (2022) search issue

2
Felagoth (talkcontribs)

The recomandation feature doesn't work in the main search bar of Vector (2022) when WSOAuth is active, but it works well in the Special:Search page and with Vector (2010) with WSOAuth active and in general when WSOAuth isn't active.

Using : MW 1.41.0, Vector 1.0.0, PluggableAuth 7.0.0, WSOAuth 9.0.0

Am I the only one facing this issue ? Does someone have an idea of what could cause that or something I could have done wrong ?

Felagoth (talkcontribs)

As in this this bug report, it was because of the psr/http-message installed in the extension vendor. Changing the name of the folder solved it.

Reply to "Vector (2022) search issue"

Question about token key names

5
Revansx (talkcontribs)

Environment:

  • MW 1.35
  • PluggableAuth: 7.0.0
  • WSOAuth: 9.0.0

I'm trying to do a PluggableAuth integration with Wikimedia and the configuration documentation example refers to receiving:

  • A "clientId" and "clientSecret"

however upon completion of my OAuth 1.0a application I only get:

  • A Consumer token and a Consumer secret, and
  • An Access token and an Access secret

It is not clear to me how to configure my wgPluggableAuth_Config.

Is the nlwiki example [0] out of date? Please advise. Thank you!

[0] Extension:WSOAuth#Configuration

Xxmarijnw (talkcontribs)

Hi, using the latest version of OAuth for MW1.39 (1.1.0 c129a70), I get the following:

Response from the OAuth extension when registering an OAuth 1.0a application.

The first token is the clientId and the second token is the clientSecret. Does this differ from the response that you get?

Revansx (talkcontribs)

It does differ.. It doesn't give me a clientId or clientSecret, rather if gave me 4 different things:

  1. A Consumer Token
  2. A Consumer Secret
  3. An Access Token
  4. An Access Secret
Xxmarijnw (talkcontribs)

Just to be sure: Are you registering an OAuth 1.0a consumer, and not an OAuth 2.0 client?

Revansx (talkcontribs)

OAuth 1.0a consumer. per the instructions

Reply to "Question about token key names"

rereading: connect a remote account

2
Wladek92 (talkcontribs)

@Valerio Bozzolan Hi, According to the screenshot of section 6 there are two items : 'real name' and 'real account' in the Special page -> user preference-> user profile page but if i open my Preferences, i just see Username, my groups, connected apps, number of edits... but without these two referenced items.

So 1.either the screenshot must be actualized,
or 2.the two items appear only under certain conditions - user rights, extension installled... which ones ?. Is it possible to clarify ? Thanks.

--Christian 🇫🇷 FR (talk) 08:16, 12 December 2023 (UTC)

Valerio Bozzolan (talkcontribs)

The screenshot is modern but the MediaWiki is legacy. If you have another screenshot, feel free to share :)

Reply to "rereading: connect a remote account"
Summary by Wladek92

done, URI.

Wladek92 (talkcontribs)

@Xxmarijnw Hi, $wgPluggableAuth_Config uri is 'The OAuth application authentication URL'. Should it be better 'The OAuth application authentication URI' in the description text ? Same case for redirectUri. --Christian 🇫🇷 FR (talk) 16:53, 11 December 2023 (UTC)

Xxmarijnw (talkcontribs)

Hi, I think that would indeed be better. Feel free to make changes to the documentation!

1.35 missing from ExtensionDistributor

1
Valerio Bozzolan (talkcontribs)
Reply to "1.35 missing from ExtensionDistributor"
Bonkipedia (talkcontribs)

hey guys, I wrote a Twitter OAuth Provider and included it in the WSOAuth default providers list for myself. It's based on the Facebook example from the docs, and makes use of the smolblog twitter oauth2 plugin provided as a 3rd party integration by the PHP League.



<?php

namespace WSOAuth\AuthenticationProvider;

use Smolblog\OAuth2\Client\Provider\Twitter;

use MediaWiki\User\UserIdentity;

class TwitterAuth extends AuthProvider {

    /**

     * @var Twitter

     */

    private $provider;

    /**

     * @inheritDoc

     */

    public function __construct( string $clientId, string $clientSecret, ?string $authUri, ?string $redirectUri ) {

        $this->provider = new Twitter( [

            'clientId' => $clientId,

            'clientSecret' => $clientSecret,

            'redirectUri' => $redirectUri

        ] );

    }

    /**

     * @inheritDoc

     */

    public function login( ?string &$key, ?string &$secret, ?string &$authUrl ): bool {

        $authUrl = $this->provider->getAuthorizationUrl( [

            'scope' => [ 'users.read', 'offline.access', 'tweet.read' ]

        ] );

        $secret = $this->provider->getState();

        // We also need to store the PKCE Verification code so we can send it with

        // the authorization code request.

        $_SESSION['oauth2verifier'] = $this->provider->getPkceVerifier();

        return true;

    }

    /**

     * @inheritDoc

     */

    public function logout( UserIdentity &$user ): void {

    }

    /**

         * @inheritDoc

         */

    public function getUser( string $key, string $secret, &$errorMessage ) {

        if ( !isset( $_GET['code'] ) ) {

            unset($_SESSION['oauth2verifier']);

            return false;

        }

        if ( !isset( $_GET['state'] ) || empty( $_GET['state'] ) || ( $_GET['state'] !== $secret ) ) {

            return false;

        }

        try {

            $token = $this->provider->getAccessToken('authorization_code', [

            'code' => $_GET['code'],

            'code_verifier' => $_SESSION['oauth2verifier'],

        ]);

            $user = $this->provider->getResourceOwner( $token );

            return [

                'name' => $user->getUsername(),

                'realname' => $user->getName(),

                'email' => $user->getUsername() . '@bonkipedia.dev',

            ];

        } catch ( \Exception $e ) {

            return false;

        }

    }

    /**

     * @inheritDoc

     */

    public function saveExtraAttributes( int $id ): void {

    }

}

Bonkipedia (talkcontribs)

Here's Google as well. Hope this saves someone the misery I went through



<?php

namespace WSOAuth\AuthenticationProvider;

use League\OAuth2\Client\Provider\Google;

use MediaWiki\User\UserIdentity;

class GoogleAuth extends AuthProvider {

    /**

     * @var Google

     */

    private $provider;

    /**

     * @inheritDoc

     */

    public function __construct( string $clientId, string $clientSecret, ?string $authUri, ?string $redirectUri ) {

        $this->provider = new Google( [

            'clientId' => $clientId,

            'clientSecret' => $clientSecret,

            'redirectUri' => $redirectUri,

'hostedDomain' => <Optional, set to limit to only GCP hosted domains...>

        ] );

    }

    /**

     * @inheritDoc

     */

    public function login( ?string &$key, ?string &$secret, ?string &$authUrl ): bool {

        $authUrl = $this->provider->getAuthorizationUrl( [

            'scope' => [ 'email' ]

        ] );

        $secret = $this->provider->getState();

        return true;

    }

    /**

     * @inheritDoc

     */

    public function logout( UserIdentity &$user ): void {

    }

    /**

     * @inheritDoc

     */

    public function getUser( string $key, string $secret, &$errorMessage ) {

        if ( !isset( $_GET['code'] ) ) {

            return false;

        }

        if ( !isset( $_GET['state'] ) || empty( $_GET['state'] ) || ( $_GET['state'] !== $secret ) ) {

            return false;

        }

        try {

            $token = $this->provider->getAccessToken( 'authorization_code', [ 'code' => $_GET['code'] ] );

            $user = $this->provider->getResourceOwner( $token );

            return [

                'name' => $user->getName(),

                'realname' => $user->getName(),

                'email' => $user->getEmail()

            ];

        } catch ( \Exception $e ) {

            return false;

        }

    }

    /**

     * @inheritDoc

     */

    public function saveExtraAttributes( int $id ): void {

    }

}

Sen-Sai (talkcontribs)

I'll pass it on to my colleague!

Reply to "twitter OAuth Provider"

Github Oauth Provider

2
Wulfda02 (talkcontribs)

I recently created a Github Oauth provider for my organization's wiki (mediawiki 1.37.2, PluggableAuth 6.0, WSOauth 6.0.2), using the PHP League's Oauth2 client for GitHub. Is there interest in adding this as a default option, or are there only two defaults on purpose (e.g. for maintainability)?

Xxmarijnw (talkcontribs)

Thank you! Please create a pull request on Gerrit and assign me, so I can take a look at it.

Reply to "Github Oauth Provider"
Summary by Valerio Bozzolan

It's "Wikibase Solutions" Auth.

Valerio Bozzolan (talkcontribs)

I'm just curious. What does it mean "WS" in "WSOAuth"? Thank you!

Valerio Bozzolan (talkcontribs)

Ouch, understood. That's Wikibase Solutions.

Trust local logged-in user

5
Summary by Valerio Bozzolan
Valerio Bozzolan (talkcontribs)

Question for User:Xxmarijnw. See this screenshot. I think that if the user is already logged-in in both wikis, we should just trust the account saving it in the wsoauth_users table, instead of treat him/her as a usurper.

Another question. I don't understand how the user (already logged in) says that a central account is his/her.

What do you think about?

Xxmarijnw (talkcontribs)

Hello, thank you for your bug report and my apologies it has been sitting here for so long. Could you describe a use-case where it would be desirable the account is usurped if the user is already logged in locally? If you are already logged in locally, I am not sure if it would be logical/desirable to usurp the account if you logged in again through OAuth. One use-case I can think of is when you do not want to enable automatic account usurpation, but do want to allow existing users to migrate to OAuth when they desire. Is that what you are going for?

Thank you.

Sincerely,

Marijn

Valerio Bozzolan (talkcontribs)

Have you a GitLab account? This kind of websites can have 5+ identity providers but their sysadmins are not involved in any user-per-user verification. That's a great example.

Instead, as far as I noticed, for already existing wikis introducing OAuth, a server sysadmin should manually verify each user to prevent accounts usurpation. This is an amazing feature but the current manual verification workflow is not feasible because:

  • manual verification activity takes time
  • every hour of a server sysadmin costs ($$)
  • it's somehow hacky (contact each user via Special:SendEmail via both wikis or something like that?)
  • this can be the cause of human errors and social engineering
  • this is not the real-world workflow

Well, instead, this could be the workflow:

  1. user Foo logins into the local website with an already trusted method (like legacy credentials) - refusing other methods of course
  2. user Foo navigates in preferences
  3. user Foo clicks on connect your profile to AwesomeSocial
  4. (user Foo triggers authentication into AwesomeSocial)
  5. thank you! Now you are verified and next time you can quick-login via AwesomeSocial
  6. user Foo organizes a really hard party 🎉

Now. Instead of a brand-new preferences page, for now we can just trust an user already logged-in locally if she/he is able to complete an authentication from her/his favorite identity provider. From that moment, she/he can use that identity provider for future logins.

What do you think about?

Xxmarijnw (talkcontribs)

Hello,

Again, apologies for the wait. I think this would be a nice feature to add to the extension. I will add it once my time allows it.

Sincerely,

Marijn

Valerio Bozzolan (talkcontribs)

Just for transparency, I contacted you in private via email yesterday and, thanks to your quick response, probably we have found an investor.

To speed up the process I tried to describe this feature in phab:T283908. Feel free to edit whatever you want. See you in the next days :)

Valerio Bozzolan (talkcontribs)

Is there an issue tracker for this project?

Can I help you opening a Phabricator tag to put down some feature requests and issues?

Thank you :)

Xxmarijnw (talkcontribs)

Hello Valerio,

There currently is no Phabricator project associated with WSOAuth. If you can create one, that would be great!

Kind regards,

Marijn

AKlapper (WMF) (talkcontribs)
There are no older topics
Return to "WSOAuth" page.