Extension:OpenID

From MediaWiki.org
(Redirected from OpenID)
Jump to: navigation, search
shortcut: OPENID
MediaWiki extensions manual
Crystal Clear action run.png
OpenID

Release status: stable

OpenID logo.svg
Implementation User identity, Special page
Description Allow users with accounts on other OpenID-enabled sites to log in; if enabled, it also allows to use OpenID identities on other sites
Author(s) E. Prodromou, T. Gries, S. Chernyshev, A. Emsenhuber
Latest version 4.4.0 (2014-04-01)
MediaWiki all versions since MediaWiki 1.21 (with MySQL)
(older versions)
PHP 5.3+
Database changes yes
License GPL
Download see "Download" section

README
Parameters

(see below)

Hooks used
PersonalUrls

BeforePageDisplay
ArticleViewHeader
SpecialPage_initList
LoadExtensionSchemaUpdates
GetPreferences
DeleteAccount
MergeAccountFromTo

Translate the OpenID extension if it is available at translatewiki.net

Check usage and version matrix; code metrics
Bugs: list open list all report

The extension makes a MediaWiki installation OpenID 2.0-aware and lets users log in using their OpenID identity - a special URL - instead of (or as an alternative to) standard username/password log in. In that way, the MediaWiki acts as the Relying party (RP) = OpenID consumer.[1] As an option, it also allows the MediaWiki to act as OpenID provider, so that users with an account on that wiki can use a special identity URL as their OpenID for logging in to other OpenID-aware web sites.

Pre-requisites and dependencies[edit | edit source]

Databases[edit | edit source]

The OpenID extension has been confirmed to work with MySQL databases since the beginning, and with PostgreSQL databases since version 3.43, November 2013.

php-openid library[edit | edit source]

The extension depends on the OpenID PHP library from https://github.com/openid/php-openid . Clone a recent version and move the Auth subdirectory as explained below in the Installation section.

PHP extensions or modules[edit | edit source]

You need to install a few additional dependencies as PHP extensions or recompile your PHP if these are not part of your standard PHP installation. When running a server with OpenSUSE you will likely have to add (via YaST or manually) at least the modules gmp, mcrypt, curl, openssl, xml.

Download[edit | edit source]

☉ recommended

Installation[edit | edit source]

  • Download and extract the file(s) in a directory called OpenID in your extensions/ folder. If you're a developer and this extension is in a Git repository, then instead you should clone the repository using:
git clone https://gerrit.wikimedia.org/r/p/mediawiki/extensions/OpenID.git
  • Add the following code at the bottom of your LocalSettings.php:
require_once "$IP/extensions/OpenID/OpenID.php";
  • Install the Auth subdirectory of the required OpenID PHP library in $IP/extensions/OpenID/Auth as explained in the following.
  • Run the update.php script in in your MediaWiki maintenance folder $IP/maintenance to create a new table in the MediaWiki database which is used by the OpenID extension.
cd $IP/extensions/OpenID
git clone git://github.com/openid/php-openid.git
mv php-openid/Auth/ Auth
rm -r php-openid
cd $IP/maintenance
php update.php
  • Done! Navigate to "Special:Version" on your wiki to verify that the extension is successfully installed.

It should work out of the box, but you'll almost definitely want to set the trust root and access controls (see Configuration below).

  • If you restrict general access to wiki pages, you must add anonymous access for Special:OpenIDLogin and Special:OpenIDFinish or the OpenID Verification will fail. Typically this is done by adding those pages to $wgWhitelistRead in LocalSettings.php.
  • The user account must have a password associated to it: in Special:Preference Password Reset is added as new link.

Configuration[edit | edit source]

Usually, you will be able to start using the extension with the built-in standard settings, i.e. without adding personal parameters in your LocalSettings.

If you want to use personal parameters, then add them after the require_once line in your LocalSettings.php.

Configuration parameters for OpenID extension version 4.00 (parameters for older versions are here)
relevant for

consumer (C)
provider (P)
mode

variable default description
C $wgOpenIDLoginOnly false With this enabled, the default login personal_urls will be removed and additionally the options for linking your OpenID to an existing account will be removed from the registration form. Users then can only login via their OpenID accounts. This is perhaps the most important option.
C+P $wgOpenIDMode (since v4.00) array( 'consumer', 'provider' )
  • 'provider' - if you want to allow Users of this wiki to use their identity as OpenIDs for logins on other sites
  • 'consumer' - if you want to allow logins to this wiki with OpenID from elsewhere, or OpenID from a forced provider
  • array( 'consumer', 'provider' ) - consumer and provider
  • false - (extension disabled)
P $wgOpenIDAllowServingOpenIDUserAccounts true With this enabled, it allows to use a special URL as OpenID to other sites even if user is using OpenID already for login to the wiki. Users can use their OpenIDs of this site A as OpenID on another site B even if user is using OpenID on A already. Some users might want to do that for vanity purposes or whatever. If false, serving OpenID accounts is prevented.
P $wgOpenIDIdentifiersURL "" When used as OpenID provider, you can optionally define a template for a customized fully specified url (CFSU) as identity url for delegation.

This allows differently looking "nice OpenID urls" in addition to the generic urls /User:Username and /Special:OpenIDIdentifier/<id> .

The CFSU template must contain a placeholder string "{ID}". The placeholder is substituted with the authenticated user's internal ID during the OpenID authentication process.

To make this working you need also to set up a suited rewrite rule in your web server which redirects the CFSU with the replaced user id to Special:OpenIDIdentifier/<id>.

The default value is str_replace( "$1", "Special:OpenIDIdentifier/{ID}", $wgServer . $wgArticlePath );

C $wgOpenIDTrustRoot null This is a string that identifies your wiki (as consumer) in your OpenID account at the OpenID server. It is the "root" of your consumer site and looks like "https://www.mywiki.org/w/" or "http://www.yourwiki.org/wiki/". If you leave the null default, the software makes a guess. It is recommended not to change the default value if your wiki (as consumer) works with other OpenID servers.
C $wgOpenIDConsumerDenyByDefault false The administrator can decide which OpenIDs are allowed to login to their server. If this flag is true, only those OpenIDs that match one of the $wgOpenIDConsumerAllow and not one of the $wgOpenIDConsumerDeny patterns will be allowed to log in. If it is false, all OpenIDs are allowed to log in, unless they are matched by an $wgOpenIDConsumerDeny pattern and not an $wgOpenIDConsumerAllow. Typically you'll set this to true for testing and then false for general use. When using deny and allow arrays, defines how the security works. If true, works like "Order Allow,Deny" in Apache; deny by default, allow items that match allow that don't match deny to pass. If false, works like "Order Deny,Allow" in Apache; allow by default, deny items in deny that aren't in allow.
C $wgOpenIDConsumerAllow array() Which partners to allow; regexps here. See above. An array of regular expressions that match OpenIDs you want to allow to log in. For example, "@^(http://)?wikitravel.org/@" will allow OpenIDs from the Wikitravel domain.
C $wgOpenIDConsumerDeny array() Which partners to deny; regexps here. See above. An array of regular expressions that match OpenIDs you want to deny access to. This is mostly useful for servers that are known to be bad. Example: "#^(http://)?example.com/#".
C $wgOpenIDServerForceAllowTrust array() an array of regular expressions that match trust roots that you want to skip trust checks for when the user logs in from those sites. A typical example would be a closely federated cluster of sites (like Wikimedia, Wikia, or Wikitravel) where the personal data is available to the trusting server anyways. Be very careful using this across organizational boundaries.
C $wgOpenIDUseEmailAsNickname false when first-time logging-in with OpenID, use the part before the @ in any given e-mail address as the username if a nickname is not given by the OpenID. This works well with $wgOpenIDConsumerForce where all users have a unique e-mail address at the same domain.
C $wgOpenIDProposeUsernameFromSREG true when first-time logging in with OpenID, propose and allow new account names from OpenID SREG data such as fullname or nickname
C $wgOpenIDAllowNewAccountname true when first-time logging in with OpenID, show option to enter and to allow a manually chosen username (only if permission 'createaccount' is set true)
C $wgOpenIDAllowExistingAccountSelection true when first-time logging in with OpenID, show option to select an existing MediaWiki user
C $wgOpenIDTrustEmailAddress false Implicitly trust the e-mail address sent from the OpenID server, and don't ask the user to verify it. This can lead to people with a nasty OpenID provider setting up accounts and spamming
C $wgOpenIDAllowAutomaticUsername true when first-time logging in with OpenID, show option to choose and to allow an automatically generated username (only if permission 'createaccount' is set true)
C+P $wgOpenIDConsumerStoreType 'file' strings denoting the type of storage to be used to store OpenID association data when acting as an OpenID relying party (consumer) and server, respectively. Only valid value is "file"; "memc" is no longer valid.
C+P $wgOpenIDServerStoreType 'file' strings denoting the type of storage to be used to store OpenID association data when acting as an OpenID relying party (consumer) and server, respectively. Only valid value is "file"; "memc" is no longer valid.
C+P $wgOpenIDConsumerStorePath false see $wgOpenIDServerStorePath
C+P $wgOpenIDServerStorePath false strings specifying the paths where OpenID assocation data should be stored when acting as a relying party (consumer) or server, respectively. Each of these need only be set if the store type settings (above) are set to "file", respectively. These strings, if both are set, MUST NOT be equal. If the store type is "file", the default here is "/$wgTmpDirectory/$wgDBname/openid-consumer-store/" and "/$wgTmpDirectory/$wgDBname/openid-server-store/" respectively. Paths will be automatically created if they doesn't exist.
C+P $wgOpenHideOpenIDLoginLink false boolean that says whether or not to hide the OpenID login link in the personal URLs. Typically you'd use this if you've already got some other method for showing the OpenID login link, like in your skin. Note that it will not prevent login if the user navigates to Special:OpenIDLogin directly; it's simply cosmetic. This is mostly a backwards-compatibility option.
C+P $wgOpenIDSmallLogoUrl false Url of a small OpenID logo; The default (false) uses a built-in logo.
P $wgOpenIDShowUrlOnUserPage "never" whether to show the OpenID identity URL on a user's home page. Possible values are
  • "never"
  • "user" (let the users decide in their preferences)
  • "always"
C $wgOpenIDShowProviderIcons true With this enabled, users will see button icons instead of just links on the OpenID provider selection page.
C $wgOpenIDForcedProvider (since 3.40) null Url of required OpenID provider. When this is set, it bypasses the OpenID provider selection form.
  • Force this server to only allow authentication against one server and hide the selection form entirely.
  • @param string|null $wgOpenIDForcedProvider Name of hard-coded provider, or fully qualified Provider Id selection page Url
  • null: (default) show the extension's OpenID provider selection screen based on internal $wgOpenIDProviders list
  • (string) fully qualified Url: a fully qualified Url to the Providers' Id selection page
  • use "http://mediawiki-provider-server/wiki/Special:OpenIDServer/id"
  • in case you want to force the use of another mediawiki-provider-server (not this wiki!) as OpenID provider
  • (string) OpenID provider Name: use data for provider "Name" from the internal $wgOpenIDProviders list
C $wgOpenIDProviders (since 3.40) array() array of providers and their parameters

Bugs and common pitfalls[edit | edit source]

Please check our First aid checklist before asking for help, and please file bugs directly in the bugzilla bugtracker.
  • After having created an account with OpenID on an OpenID-login-only enabled wiki, account changes which requires a password like Special:ChangeEmail won't work because no password is set, and account changes which require an email (e.g. Special:PasswordReset) won't work because no email is set; see Bug 34357.
  • one MediaWiki acting as OpenID server Bob does not work with another or same MediaWiki acting as OpenID consumer Alice on the same server. Advice for the moment: use two different servers while playing with the extension.
  • when you want to log in to your OpenID-consuming MediaWiki Alice as user X:
make sure that you are not logged in to the OpenID identity server Bob as another user Z ; otherwise you will see an error, which is intended.
I recommend you log out every persona you may have on server Bob while testing the extension
clear your browser cache of all Bob-related cookies, and session cookie.


Specific providers[edit | edit source]

myOpenID[edit | edit source]

The OpenID provider myOpenID shut down in February 2014; its users will have to go elsewhere.[2][3]

Google[edit | edit source]

Google stopped allowing registration of OpenID accounts from new domains in May 2014. It is slated to be shut down completely in April 2015. They are attempting to switch over all their users to use Google+ Sign-In instead.[4]

For those wikis where Google login with OpenID still works (for now), you can opt-in there to "2-step verification" ("two-factor authentication") because it is compatible with the OpenID extension.

Yahoo![edit | edit source]

In June 2013, Yahoo! began allowing users to regain other users e-mail addresses when they are not used for a certain time. This broke the security of OpenID. The use of Yahoo OpenID therefore became deprecated and was discontinued in the OpenID extension.[5][6]

References[edit | edit source]

  1. Relying party (RP) = consumer: The site that wants to verify the end-user's identifier; other terms include "service provider" or the now obsolete "consumer" - which is still used here (this will be changed soon)
  2. http://www.theregister.co.uk/2013/09/05/myopenid_closes_for_good_2014/
  3. https://news.ycombinator.com/item?id=6329158
  4. Migrating to Google+ Sign-In > Migration timetable
  5. Yahoo OpenID soon untrustable due to plans to release unused accounts after one year of inactivity - forbid logins with Yahoo OpenID?
  6. Yahoo! wants to recycle unused email accounts
Language: English  • 한국어