Extension:PluggableAuth

The PluggableAuth extension provides a framework for creating authentication and authorization extensions. PluggableAuth provides the shared code necessary to implement these extensions. PluggableAuth is especially useful for use with enterprise authentication servers accessed through layered mechanisms such as OpenID Connect or SimpleSAMLphp. Authentication extensions subclass the abstract  class. Because wiki sysops may wish to limit access to a subset of all authenticated users, PluggableAuth provides an authorization hook, PluggableAuthUserAuthorization.

Configuration parameters
The class specified by  must implement the following functions:

use \MediaWiki\Auth\AuthManager;
 * Called to authenticate the user.
 * The parameters are used to return the user id, username, real name, and email address of the authenticated user and, if the user cannot be authenticated, an optional error message.  is an integer and the remaining parameters are all strings. If the user cannot be authenticated and no value is set for , a default error message is displayed.
 * must be set to  if the user is new, in which case   will add the user to the database.
 * Must return true if the user has been authenticated and false otherwise.
 * If the return to URL, the name of the page, or the query parameters from the page that login was initiated from are necessary in the authenticate function, they may be accessed as follows:

...

$authManager = AuthManager::singleton; $returnToUrl = $authManager->getAuthenticationSessionData(     PluggableAuthLogin::RETURNTOURL_SESSION_KEY ); $returnToPage = $authManager->getAuthenticationSessionData(     PluggableAuthLogin::RETURNTOPAGE_SESSION_KEY ); $returnToQuery = $authManager->getAuthenticationSessionData(     PluggableAuthLogin::RETURNTOQUERY_SESSION_KEY );


 * Called after a new user has been authenticated and added to the database to add any additional information to the database required by the authentication mechanism.


 * Called when the user logs out to notify the identity provider, if necessary, that cleanup such as removing the user's session should be done.

Authorization hooks use the PluggableAuthUserAuthorization hook to register an implementation of the following function:


 * is the User object for the user requesting authorization
 * must be set to true if the user is authorized and false otherwise.
 * Return true to call other authorization hook implementations and false to skip them.

Note that after the call to , PluggableAuth checks to see if the real name or email address returned are different from those saved in the wiki database. If either is different, it checks to see if the user has the  right. The  right is understood by PluggableAuth to indicate whether the real name and email address are managed in the wiki on the   page (if the user has the right) or by the authentication provider (if the user does not have the right). Therefore, if the user does not have the  right, the new real name and email address values are saved to the wiki database.

Version 4.1

 * Added session variables to hold the name of the page and the query parameters of the page from which login was initiated for use in authenticate

Version 4.0

 * Added optional error message to authenticate
 * Bumped version number to synchronize with SimpleSAMLphp and OpenIDConnect extensions

Version 2.2

 * Confirm email addresses coming from external authentication sources

Version 2.1

 * Update file naming conventions

Version 2.0

 * Almost completely rewritten to support the new MediaWiki 1.27 authentication and session management framework
 * Switched to new extension registration
 * Configuration variable names changed to add $wg prefix
 * $PluggableAuth_Timeout removed
 * $PluggableAuth_AutoLogin renamed to $wgPluggableAuth_EnableAutoLogin
 * $wgPluggableAuth_EnableLocalLogin added to support local password-based login to the wiki in addition to PluggableAuth

Version 1.2

 * Moved the addition of a new user to the wiki database to after successful authorization of the user
 * Added   check

Version 1.1

 * Added call to logout when session times out to ensure that the deauthenticate function in implementing classes gets called

Version 1.0

 * Initial version