Extension:OpenID Connect

The OpenID Connect extension extends the PluggableAuth extension to provide authentication using OpenID Connect.

Special thanks to jumbojett for the OpenID Connect PHP library used by this extension.

Installation
This extension requires PluggableAuth to be installed first. It also requires the OpenID Connect PHP library, which may be installed using composer.

Install Dependencies
Add the line  to the "composer.local.json" file in the root directory of your wiki, e.g.

Then run  in the root directory of your wiki. This will install any dependencies (i.e. the jumbojett OpenID Connect PHP library).

Configuration parameters
When configuring the identity provider, it will ask for a redirect URL or callback URL. Use the full URL to the Special:PluggableAuthLogin page for that value.

A simple example of the  configuration for a single issuer is as follows:

An example of the  configuration for multiple issuers is as follows:

Example: Google as an Issuer

 * 1) Using the Google Developer Console create a project.
 * 2) Click on the project and click on   on the sidebar.
 * 3) Click the   button and select  . Fill in the consent screen information and save.
 * 4) Fill in the root URL (no wild cards or paths) or your wiki in.
 * 5) Fill in the URL of the Special:PluggableAuthLogin page of your wiki in.
 * 6) Click.
 * 7) Note the   and   that are assigned.

The Google issuer is now configured. Add the corresponding configuration to your LocalSettings.php file, filling in the  and   fields with the values assigned above.

You may also assign values for,  ,   and.

Example: Using it against Azure ADFS
Three parameters are required to use this extension to authenticate against Azure ADFS: a tenant id, a client id, and a secret.

Release Notes

 * Version 4.1
 * Added namespace for library class
 * Version 4.0
 * Added optional error message to authenticate
 * Bumped version number to synchronize with PluggableAuth and SimpleSAMLphp extensions
 * Version 2.3
 * Fixed whitelist implementation
 * Changes migration flags to allow migration by email address in addition to migration by user name
 * Version 2.2
 * Fixes related to PluggableAuth MediaWIki 1.27 upgrade
 * Array coding conventions
 * Version 2.1
 * Update to MediaWiki 1.27 session management
 * Added default values for configuration variables to extension.json
 * Version 2.0
 * Updated extension registration
 * Changed configuration variables to use "wg" prefix
 * Added composer.json to get OpenID Connect library using composer
 * Version 1.2
 * Added ability to specify auth params and added support for table prefixes
 * Version 1.1
 * Added support for Google
 * Version 1.0
 * Initial version

Known Bugs

 * Wikis that use URLs of the form  (i.e. having the page title provided as a query parameter) will not be redirected correctly to complete the authentication flow. Instead, URLs must be of the form , which can be accomplished by using short URLs or by setting $wgArticlePath appropriately.
 * This extension may not work correctly with  (see T147161).
 * This extension does not work on non-standard ports unless you manually update the underlying Openid connect client, see: https://github.com/jumbojett/OpenID-Connect-PHP/issues/58. Issue also applies when to other webserver than IIS.