Phabricator のプロジェクト名 #GoogleLogin

Extension:GoogleLogin

From MediaWiki.org
Jump to navigation Jump to search
This page is a translated version of the page Extension:GoogleLogin and the translation is 13% complete.

Other languages:
Deutsch • ‎English • ‎日本語
MediaWiki 拡張機能マニュアル
OOjs UI icon advanced.svg
GoogleLogin
リリースの状態: ベータ
Googlelogin.PNG
実装 User identity , 特別ページ
説明 Provides login with your Google account.
作者 Florian Schmidt (Florianschmidtwelzowtalk)
最新バージョン 0.4.0-git
MediaWiki 1.28+
PHP 5.5+
データベースの変更 はい
ライセンス MIT ライセンス
ダウンロード
README
See the version lifecycle for an compatibility overview
translatewiki.net で翻訳を利用できる場合は、GoogleLogin 拡張機能の翻訳にご協力ください
使用状況とバージョン マトリクスを確認してください。
問題点 未解決のタスク · バグを報告

The GoogleLogin extension allows wiki users to login with their Google account. The extension uses the Google API to request basic profile information from Google (such as the account ID, the full name and the e-mail address).

要件

To use this extension you need at least:

  • MediaWiki 1.27+
  • MySQL (no PostgreSQL or SQLite support for now!)
  • PHP 5.5+
  • Google Developer Access
  • API Credentials for Webapplication (Client ID and Client Secret)
  • Able to run composer update --no-dev

インストール

  • ダウンロードして、ファイルを extensions/ フォルダー内の GoogleLogin という名前のディレクトリ内に配置します。
  • 以下のコードを LocalSettings.php の末尾に追加します:
    wfLoadExtension( 'GoogleLogin' );
    
  • 更新スクリプトを実行します。このスクリプトは、この拡張機能が必要とするデータベース テーブルを自動的に作成します。
  • Configure the required parameters
  • Make sure ./wiki/extensions/GoogleLogin/cache is writeable for the Webserver's user
  • Yes 完了 – ウィキの「Special:Version」に移動して、拡張機能が正しくインストールされたことを確認します。

MediaWiki 1.24 以前を稼働させている利用者へ:

上記の手順では、wfLoadExtension() を使用してこの拡張機能をインストールする新しい方法を記載しています。 この拡張機能をこれらの過去のバージョン (MediaWiki 1.24 以前) にインストールする必要がある場合は、wfLoadExtension( 'GoogleLogin' ); の代わりに以下を使用する必要があります:

require_once "$IP/extensions/GoogleLogin/GoogleLogin.php";

Configuration

注 注: Ensure that all settings reside under the "require_once" directive added for this plugin. Otherwise any custom settings will be overwritten by the default settings, as referenced here: Topic:Si6ituq6hmxb07xm

The extension provides two configuration variables to set the Client ID and Client Secret (you get this pair in the Google Developer Console, remove "<" and ">").

$wgGLSecret = '<your-client-secret>';
$wgGLAppId = '<your-client-id>';

Additional Configuration parameter

Configuration variable since version 既定値 説明
$wgGLAllowedDomains[gerrit 1] v0.1.1 '' An array of mail domains, which are allowed to use with GoogleLogin, e.g. array( 'example.com' );. Default: all domains are allowed. If set, you need to run the updatePublicSuffixArray.php maintenance script.
$wgGLAllowedDomainsDB[gerrit 2] v0.4.0 false If set to true, GoogleLogin uses the database to check, if an e-mail domain of the primary e-mail-address of a Google account is allowed to login.
$wgGLAllowedDomainsStrict[gerrit 1] v0.1.1 false Only observed, if $wgGLAllowedDomains is an array. If set to true, the email domain will be checked completely against the allowed domains (instead of only the TLD), e.g.:

test.example.com isn't allowed if $wgGLAllowedDomainsStrict is true and example.com is an allowed domain.
test.example.com is allowed if $wgGLAllowedDomainsStrict is false and example.com is an allowed domain.

$wgGLAPIKey[gerrit 3] v0.2.1 '' Key for public API access. Used only for admin actions to check, if the user has a Google Plus profile or not.

Settings in Google Developer Console

To use this extension you need a Google developer account and access to the developer console. This is a simple (a very simple!) step-by-step guide (use Step 1 of the official step-by-step example with these settings):

  1. Open Google developer console
  2. Read and accept the terms of service
  3. Create your first project
  4. Go to APIS & AUTH
  5. Go to Credentials
  6. In Section OAuth click Create new Client ID
  7. Select as Web application as APPLICATION TYPE, as Authorized JavaScript origins type in your domain name (no wildcards and directories allowed!)
  8. Type in your Authorized redirect URI like this example:
    If your domain is example.com and you have installed MediaWiki in Root of your domain, the redirect URI is as follows: http://example.com/index.php/Special:GoogleLoginReturn
  9. Click create and copy the Client ID and Client Secret to the configuration variables in LocalSettings.php

"Special:GoogleLoginReturn" or (in german for example) "Spezial:GoogleLoginReturn"

The allowed redirect URI in Google developer console must be in the content language. So, if your wiki has german as the content language, then use Spezial:GoogleLoginReturn. If you used the wrong language, all authentication requests will fail with the error code redirect uri mismatch.

デバッグ

Normally, you can see the error message on all generic error pages. Sometimes there are Internal Errors, called Exceptions. In this case, please add $wgShowExceptionDetails with value true in LocalSettings.php to see the complete Exception message. For a support request, please provide always the lines of the Exception.

Use on a private wiki

If you have set your Wiki to private with

$wgGroupPermissions['*']['read'] = false;

you have to whitelist the "Special:GoogleLoginReturn" page, so that anonymous users can access the callback URL after being redirected from the authentication provider. You can do this by adding the following line to your LocalSettings.php:

$wgWhitelistRead = array( 'Special:GoogleLoginReturn' );

Administer allowed domains on-wiki

The user interface to manage the list of allowed domains.

GoogleLogin provides a feature to restrict the login with Google to specific E-Mail address domains (such as gmail.com, googlemail.com or every other (own) domain). This feature is especially interesting for companies, who use their own domain names with Google Apps. The list of domains, which are allowed to login with Google, are managed in an array in the LocalSettings.php (the $wgGLAllowedDomains configuration option). Since version 0.4.0, GoogleLogin also provides a way to manage the list of allowed domains on the wiki itself. The allowed domains are saved in the database when this feature is enabled and can be change (remove/add) through a graphical user interface (a special page) or through the MediaWiki API.

Note: The list of allowed domains can not be managed in LocalSettings.php anymore, once the administration of the domains in the database is enabled.

To enable the feature to manage the allowed domains in the database, just set the $wgGLAllowedDomainsDB configuration variable to true in your LocalSettings.php. You also want to assign the new managegooglelogindomains user right to one group you're a member of (please keep in mind, that all users with this user right are allowed to change the list of allowed domains, so consider to add this right to an administrator-level group only!). An example configuration could look like:

$wgGLSecret = 'your-secret';
$wgGLAppId = 'your-app-id';
$wgGLAllowedDomainsDB = true;
$wgGroupPermissions['sysop']['managegooglelogindomains'] = true;

You now need to run the update.php script again, so that the necessary database changes are applied to your database. After the update process is completed, you can navigate to the special page Special:GoogleLoginAllowedDomains on your wiki. You'll get a page where you can add new domains, which are allowed to login with their Google account and you can remove them, once they was added.


Upgrade from 0.3.1 or older

With version 0.4.0, GoogleLogin implements a PrimaryAuthenticationProvider for the new authentication system of MediaWiki (called AuthManager). This makes it easier for the development of GoogleLogin and you can configure a lot more things in a standard way. However, upgrading from an older version of GoogleLogin may take some more time and effort as with upgrades in the past, as some configuration options in GoogleLogin were removed in the update (and mostly replaced by configurations of AuthManager). In the following sections you'll find some instructions about how you can configure your wiki to achieve the same goal as with the removed configuration options.

$wgGLShowCreateReason

Removed without replacement.

$wgGLShowKeepLogin

Removed without replacement (the Keep me logged in checkbox now applies to all authentication methods, including GoogleLogin).

$wgGLAllowAccountCreation

The whole account creation and login process is managed and covered by AuthManager. This means, if you don't want, that your users can create wiki accounts, you should disable it in your LocalSettings.php:

$wgGroupPermissions['*']['createaccount'] = false;

Currently, that would mean, that no one can create an account anymore (including GoogleLogin). There's also タスク T138678, which tracks the process of a login -> signup -> login workflow, where an account creation with a link provider (such as GoogleLogin) with a disabled account creation should be covered.

$wgGLReplaceMWLogin

You should simply remove any other authentication provider in your LocalSettings.php:

$wgAuthManagerAutoConfig['primaryauth'] = [];

GoogleLogin will automatically setup itself for AuthManager, so you don't need to do any further steps.

$wgGLForceKeepLogin

Obsolete, see #$wgGLShowKeepLogin.

$wgGLAPIKey

This configuration option still exists, but it's now used for more than just the Special:ManageGoogleLogin special page. It's now used to get the name of a user on Special:RemoveCredentials to make it easier to the user to identify the correct Google account (instead of just showing the Google ID). If the key isn't correct or isn't supplied, GoogleLogin will show the Google ID only. For a good user experience, it's highly suggested to supply this api key now.

$wgGLShowRight

Removed without replacement as the login and signup forms are now fully handled by AuthManager. If you still want to show the Login with Google at the right side of the login form, you should create a new extension (and probably share it with us ;)) which hooks into the form generation and accomplishes the form manipulation.

$wgGLNeedsConfirmEmail

Removed without replacement.

Google API PHP クライアント

This Extension uses the Google API PHP Client (included in versions before 0.2.1), distributed under the Apache 2.0 License. The Client can be downloaded from GitHub.

updatePublicSuffixArray.php

The updatePublicSuffixArray.php maintenance script downloads a list of domain names which are valid to be used in the world. This is required in order for GoogleLogin to allow subdomains of a specific email domain when you've restricted the login with GoogleLogin for specific domains. This is only needed if $wgGLAllowedDomainsStrict is set to false (which is the default).

バージョン ライフサイクル

In the following table you'll find versions of the GoogleLogin extension, the corresponding MediaWiki version for which the GoogleLogin version was built for and if it's still supported (and until when) or not. Mostly the support of a version is nearly the same as the lifecycle of the corresponding MediaWiki version.

バージョン Corresponding MediaWiki version 状態 リリース End-of-life
0.4.x 1.28.x 現行バージョン 2016-06-18 2017年11月
0.4.0 1.27.x (LTS) 現行バージョン 2016-07-20 2019年6月
0.3.1 1.27.x (LTS) obsolete (replaced by 0.4.0) 2016-06-10 2017-07-20
0.3.0 1.26.x 旧バージョン n/a 2016年11月
0.2.1 1.25.x discountinued n/a 2016-06-18
0.2.0 1.24.x discountinued n/a 2016-06-18
0.1.3 1.23.x (LTS) discountinued n/a 2016-06-18

Versions included in the above table that are marked as discontinued will not receive any fixes. They may contain critical security vulnerabilities and other major bugs, including the threat of possible data loss and/or corruption. The developer has also issued a strong recommendation that only versions listed above as current version or at least legacy version should be used in a production environment. Legacy versions will most likely get fixes for reported bugs that harms the core functionality of the extension, while current versions get fixes for most of the reported bugs (even if they're not part of the core functionality). New features will most likely be part of new versions. Backporting features to older versions of GoogleLogin is up to the developer(s).


References

Gerrit Code review