Extension:OpenID Connect

The OpenID Connect extension extends the PluggableAuth extension to provide authentication using OpenID Connect.

Special thanks to jumbojett for the OpenID Connect PHP library used by this extension.

Installation
This extension requires PluggableAuth to be installed first. It also requires the OpenID Connect PHP library, which may be installed using composer.

Configuration parameters
A simple example of the configuration for a single issuer is as follows:

$wgOpenIDConnect_Config['https://id.mycompany_abc.com/connect/'] = array(
    'clientID' => '.....',
    'clientsecret' => '.....'
);

An example of the configuration for multiple issuers is as follows:

$wgOpenIDConnect_Config['https://id.mycompany_abc.com/connect/'] = array(
    'clientID' => '.....',
    'clientsecret' => '.....',
    'name' => "My Company's Connect Server",
    'icon' => 'http://www.mycompany_abc.com/images/logo.png'
);

$wgOpenIDConnect_Config['https://id.partnercompany_def.com/connect/'] = array(
    'clientID' => '.....',
    'clientsecret' => '.....',
    'name' => "Partner Company's Connect Server",
    'icon' => 'http://www.partnercompany_def.com/images/logo.png'
);

Example: Google as an Issuer

 * 1) Using the Google Developer Console create a project.
 * 2) Click on the project and click on   on the sidebar.
 * 3) Click the   button and select  . Fill in the consent screen information and save.
 * 4) Fill in the root URL (no wildcards or paths) of your wiki in.
 * 5) Fill in the URL of the Special:UserLogin page of your wiki in.
 * 6) Click.
 * 7) Note the   and   that are assigned.

The Google issuer is now configured. Add the corresponding configuration to your LocalSettings.php file, filling in the  and   fields with the values assigned above.

$wgOpenIDConnect_Config['https://accounts.google.com'] = array(
    'clientID' => '.....',
    'clientsecret' => '.....',
    'scope' => array( 'openid', 'profile', 'email' )
);

You may also assign values for,  ,   and.
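Putting the multi-issuer configuration and the Google issuer above together in one LocalSettings.php fragment, as an added example that is not part of the extension's own documentation or code. It assumes the client IDs and secrets are kept in an ini file outside the web root (the path and section names are assumptions), and it fails closed at load time if an issuer entry is unusable.

```php
<?php
// Added example; issuer URLs, client IDs and secrets are placeholders.
// Secrets are read from a file outside the web root so they never sit in a
// version-controlled LocalSettings.php (path is an assumption).
$oidcSecrets = parse_ini_file( '/etc/mediawiki/oidc-secrets.ini', true );

$wgOpenIDConnect_Config = [
	'https://id.mycompany_abc.com/connect/' => [
		'clientID'     => $oidcSecrets['mycompany']['clientID'],
		'clientsecret' => $oidcSecrets['mycompany']['clientsecret'],
		'name'         => "My Company's Connect Server",
		'icon'         => 'https://www.mycompany_abc.com/images/logo.png',
	],
	'https://accounts.google.com' => [
		'clientID'     => $oidcSecrets['google']['clientID'],
		'clientsecret' => $oidcSecrets['google']['clientsecret'],
		'scope'        => [ 'openid', 'profile', 'email' ],
	],
];

// Sanity-check every issuer before the wiki starts serving logins:
// the issuer must be reached over https, the client ID and secret must be
// filled in (not the '.....' placeholders from the docs), and an explicit
// scope list must still request 'openid', which OpenID Connect requires.
foreach ( $wgOpenIDConnect_Config as $issuer => $settings ) {
	if ( strpos( $issuer, 'https://' ) !== 0 ) {
		throw new RuntimeException( "OpenID Connect issuer must use https: $issuer" );
	}
	foreach ( [ 'clientID', 'clientsecret' ] as $key ) {
		if ( empty( $settings[$key] ) || $settings[$key] === '.....' ) {
			throw new RuntimeException( "Missing $key for issuer $issuer" );
		}
	}
	if ( isset( $settings['scope'] ) && !in_array( 'openid', $settings['scope'], true ) ) {
		throw new RuntimeException( "Scope for $issuer must include 'openid'" );
	}
}
```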

Using it against Azure ADFS
Three parameters are required to use this extension to authenticate against Azure ADFS: a tenant id, a client id, and a secret.

Version 2.3

 * Fixed whitelist implementation
 * Changes migration flags to allow migration by email address in addition to migration by user name

Version 2.2

 * Fixes related to PluggableAuth MediaWiki 1.27 upgrade
 * Array coding conventions

Version 2.1

 * Update to MediaWiki 1.27 session management
 * Added default values for configuration variables to extension.json

Version 2.0

 * Updated extension registration
 * Changed configuration variables to use "wg" prefix
 * Added composer.json to get OpenID Connect library using composer

Version 1.2

 * Added ability to specify auth params and added support for table prefixes

Version 1.1

 * Added support for Google

Version 1.0

 * Ini (i.e. having the page title provided as a query parameter) will not be redirected correctly to complete the authentication flow. Instead, URLs must be of the form , which can be accomplished by using short URLs or by setting $wgArticlePath appropriately.
 * This extension may not work correctly with  (see T147161).
 * This extension does not work on non-standard ports unless you manually update the underlying OpenID Connect client, see: https://github.com/jumbojett/OpenID-Connect-PHP/issues/58. The issue also applies to web servers other than IIS.