Extension:OAuthAuthentication

The OAuthAuthentication extension lets your wiki delegate authentication to another wiki that is running Extension:OAuth. Various configuration flags let you set policies about the times of users who can register (restrict it to a set of names, or a particular group).

Before you begin
Before you begin, you need to register a new OAuth 1 application on the wiki where you are delegating authentication. For example, register your app on meta.wikimedia.org to use any WMF wiki as the remote wiki.

One information required during registration is the so called OAuth "callback" URL: this is the address where OAuth must redirect the authentication result. It must be a sub page called  of the special page   of the wiki where OAuthAuthentication is installed: the full URl would look like.

Once you have registered your app, you will receive a consumer key and secret to be securely noted (it can't be retrieved at a later time) and used for the OAuthAuthentication configuration as below

Also insure that the  module is installed in your system.

Configuration parameters

 * $wgOAuthAuthenticationCanonicalUrl: If you are seeing exceptions saying the JWT didn't validate, set this to the canonical url ($wgCanonicalServer) of the wiki where you delegated authentication. Note, the URL must match exactly - if that wiki uses http:// for the canoncial url, you must also use that, even if you set https:// in $wgOAuthAuthenticationUrl. This will not actually use http for any data transfer, it merely is used to confirm that the user's identity assertion came from the wiki you expected it from.
 * $wgOAuthAuthenticationAccountUsurpation: Whether you want to allow usurpation of existing accounts. So if User:Foo is already registered on your wiki, then you setup this extension, and User:Foo on the wiki where you delegated authentication signs in, this option determines if your local User:Foo account is given to the user signing in ($wgOAuthAuthenticationAccountUsurpation = true), or if they will be prevented from signing in because the account already exists ($wgOAuthAuthenticationAccountUsurpation = false).
 * $wgOAuthAuthenticationUsernameWhitelist: To restrict the users who are allowed to sign in to your wiki to a list of specific usernames, set this to an array of usernames. False allows any username to sign in, assuming they also satisfy the group whitelist.
 * $wgOAuthAuthenticationGroupWhitelist: To restrict the users who are allowed to sign in to your wiki to the users who are members of a specific group, set this to an array of group names. False allows any group to sign in, assuming they also satisfy the username whitelist.
 * $wgOAuthAuthenticationAllowLocalUsers: If non-OAuth accounts are allowed. Keep this to the default (true) if you want to allow power users to visit Special:UserLogin directly and create a new account.
 * $wgOAuthAuthenticationRemoteName: A simple name for the wiki where you have delegated authentication, used in several error messages. For example, setting this to "Wikipedia" would show "Login on Wikipedia" instead of the normal login link. Html is allowed in this string, if you want to include a logo.
 * $wgOAuthAuthenticationMaxIdentityAge: How long a user's session is valid without re-validating their session. For wikis where the username/group policies need to be strictly enforced (e.g., you only allow sysops to login, and if a user is desysop'ed on the wiki where you delegated authentication, they need to have their access here revoked soon after), set this to a short number of seconds. The default of 1 hour is a good balance for most wikis.

Known issues
After the successful authentication to the server wiki, the client one could report an error similar to the following instead of the expected confirmation of the successful login: Error from line 98 of /srv/mediawiki/extensions/OAuthAuthentication/specials/SpecialOAuthLogin.php: Call to undefined method LoginForm::successfulLogin The result might or might not be a correct login into the client wiki. For further information please see https://phabricator.wikimedia.org/T207351 : should the login constantly fails, it is possible to workaround the issue by applying the small patch as described in that same task.

How to workaround incompatibility with MW 1.34 onwards
The extension, as released, is impossible to use with MediaWiki version beyond 1.33. Anyway a simple workaround is available as explained in Phabricator task 250626.

Single Sign-On with Wikipedia
I just want to do single sign-on with Wikipedia, how do I do that??


 * 1) Register a new OAuth application on meta.wikimedia.org. Don't use an RSA key pair for authentication, but let mediawiki.org generate your shared secret for you.
 * 2) Set the following in your LocalSettings.php:

To exclusively use Wikipedia as your sign-on system (to keep things simple), also set in LocalSettings.php: