Extension:OAuth
From MediaWiki.org
 Release status: beta |
|||
|---|---|---|---|
| Implementation | User identity, User rights, API | ||
| Description | Allow users to safely authorize another application (Consumer) to use the MediaWiki action API on their behalf. | ||
| MediaWiki | 1.22+ | ||
| Database changes | Yes | ||
| License | GNU General Public License 2.0 or later | ||
| Download | |||
|
|||
|
|||
|
Translate the OAuth extension if it is available at translatewiki.net |
|||
| Check usage and version matrix. | |||
| Open tasks · Report a bug | |||
The OAuth extension implements OAuth 1.0a in MediaWiki. It allows third party developers to securely develop applications (Consumer), which users can grant a limited set of permissions (Grants) to, so that the application can use the MediaWiki action API on the user's behalf.
If you're attempting to develop an application that uses OAuth on a wiki, see OAuth for Developers. If you are trying to use an OAuth-enabled tool on a Wikimedia wiki, see Help:OAuth.
Contents
Requirements[edit]
- OAuth relies on memcached for temporary tokens and sessions
- The manual of setting up memcached: Memcached#Setup
- Currently, only mysql database backend is supported
- If the mediawiki installation is private (I.E. Users need to log in to have read access), Special: OAuth need to be added to white list. Add the following line to LocalSettings.php
$wgWhitelistRead = array('Special:OAuth' );
Installation[edit]
- Download and place the file(s) in a directory called
OAuthin yourextensions/folder. - Add the following code at the bottom of your LocalSettings.php:
require_once "$IP/extensions/OAuth/OAuth.php";
- Run the update script which will automatically create the necessary database tables that this extension needs.
- Configure the general parameters as required.
- Configure the user rights by putting them into the relevant groups in
$wgGroupPermissions. 
Done - Navigate to Special:Version on your wiki to verify that the extension is successfully installed.
User rights[edit]
| Right | Description |
|---|---|
| mwoauthproposeconsumer | User can propose a new Consumer |
| mwoauthupdateownconsumer | Modify a Consumer |
| mwoauthmanageconsumer | Approve a Consumer |
| mwoauthsuppress | Hide details about a Consumer |
| mwoauthviewsuppressed | View hidden details about a Consumer |
| mwoauthviewprivate | View private details about a Consumer, such as the hmac secret |
| mwoauthmanagemygrants | Right for users to manage what rights they have authorized for each Consumer. Typically, this right will not be granted to an OAuth Consumer. |
Configuration[edit]
| Variable name | Default value | Description |
|---|---|---|
| $wgMWOAuthCentralWiki | false | Wiki where OAuth grants are stored and Consumers registered, if this is a multi-wiki cluster |
| $wgMWOAuthSharedUserIDs | false | |
| $wgMWOAuthSharedUserSource | false | Central ID provider |
| $wgMWOAuthRequestExpirationAge | 30 days (30 * 86400 seconds) | Seconds after which an idle request for a new Consumer is marked as "expired" |
| $wgMWOAuthSecureTokenTransfer | false | Require SSL/TLS for returning Consumer and user secrets. This is required by RFC 5849, however if a wiki wants to use OAuth, but doesn't support SSL, this option makes this configuration possible. This should be set to true for most production settings. |
| $wgOAuthSecretKey | $wgSecretKey | A secret configuration string used to hmac the database-stored secret to produce the shared secrets for Consumers. This provides some protection against an attacker reading the values out of the consumer table (the attacker would also need $wgOAuthSecretKey to generate valid secrets), and some protection against potential weaknesses in the secret generation. If this string is compromised, the site should generate a new $wgOAuthSecretKey, which will invalidate Consumer authorizations that use HMAC/shared secret signatures instead of public/private keys. Consumers can regenerate their new shared secret by using the "Reset the secret key to a new value" option under Special:MWOAuthConsumerRegistration/update. |
| $wgOAuthGroupsToNotify | [] | The list of user groups which should be notified about new consumer proposals. Setting this will only have an effect when Echo is installed. |
Using OAuth[edit]
See also: Extension:OAuth/Usage
In order to use OAuth to make MediaWiki action API calls on behalf of another user, you need to:
- Register your application (Consumer), and get it approved by a wiki admin
- Get the user's permission, and get a set of authorized tokens
- When making API calls, include an Authorization: HTTP header, which identify the user and prove your possession of the authorized token
Developing your App[edit]
An introduction to writing OAuth applications, including demos in PHP and Golang, can be found at User:CSteipp/OAuth_Training_Dec2013
An example using flask-oauth: wikitech:Setting_up_Flask_cgi_app_as_a_tool/OAuth
There is also a generic Python library (on top of requests-oauthlib): MediaWiki-OAuth
There is also a PHP library to make implementing PHP clients easier, using the same interfaces as MediaWiki-OAuth: mwoauth-php. A demo to use the library is included in the repo here.
Register your Consumer[edit]
- To propose your Consumer, you must have the 'mwoauthproposeconsumer' right
- On WMF wikis, this right is given to autoconfirmed accounts
- Visit m:Special:OAuthConsumerRegistration/propose
- Fill in the required information
- Name and description: This is what your users will see when authorizing your application, along with your wiki username
- Version: The permissions you grant are tied to a specific version of your application. You will increase the version number if you need to change grants later.
- Callback URL: This is the url where user will be redirected after they have authorized your application in their web browser, with the verification code added as a GET parameter, and the temporary token to identify the user to you.
- For bots, you will probably want to redirect the user to a page that will show the verification code back to the user, and have them cut-and-paste the verification code into the bot.
- Grants: These are the permissions your application will use, if your user also has these rights.
- Unless this is a demo application, you will need "Basic Rights" to use the MediaWiki action API
- Users can revoke individual grants from your application, so your application always needs to handle permission errors gracefully
- Restrictions: The OAuth specification recommends that OAuth Consumers are restricted to a limited set of IP addresses. This protects your users, in case your secret key is compromised, and an attacker attempts to use the MediaWiki action API on behalf of your users. This can be updated after your application is approved.
Get Your User's Permission[edit]
For a user (who you have authenticated in your application) to allow your application to use MediaWiki on their behalf, you will need to complete the 3-step OAuth protocol, and store the user-specific token and secret for that user. You will use the user-specific token, along with your application's token and secret on each API call, for MediaWiki to act on behalf of the user.
- Step 1: Obtain a temporary token by calling
Special:OAuth/initiatefrom your application- Caveat: When constructing your url, use
/w/index.php?title=Special:OAuth/initiateinstead of/wiki/Special:OAuth/initiate, because MediaWiki silently will create a title parameter that isn't included in your signature calculation.
- Caveat: When constructing your url, use
- Step 2: Direct the user's browser to
/wiki/Special:OAuth/authorize, with the token from Step #1 as a GET parameter - Step 3: After the user has authorized your application and been redirected back to your application, exchange the verification code and the temporary token for a permanent authorized token
import requests, requests_oauthlib, webbrowser
mw_url = "http://en.wikipedia.org/w/index.php"
r = requests.get(
url=mw_url,
params={'title': 'Special:OAuth/initiate'},
auth=requests_oauthlib.OAuth1(
"YOUR_CONSUMER_TOKEN",
client_secret="YOUR_CONSUMER_SECRET_TOKEN",
callback_uri='oob' #
)
)
webbrowser.open("%s?title=Special:OAuth/authorize&%s" % (mw_url, r.text))
Identify the User (optional)[edit]
Your application can optionally identify the user who has authorized it by making a signed request to Special:OAuth/identify. The request is signed with both your application's key/secret, and the authorized token/secret that you obtained in step 3 above.
MediaWiki returns a Json Web Token (JWT), which has been signed with your Consumer Secret, which was issued to you when you registered your consumer. To identify the user, you must:
- Check the signature on the JWT (you can use the JWT::decode() function included in the extension's source). This prevents an attacker from tampering with the content of the JWT. The JWT will be signed with the HS256 (hmac sha256) signature. You should reject any JWT's that specify a different signature scheme (such as, "none").
- Verify that the token was issued by the expected wiki, to your application, within a valid time frame, with a valid nonce. This prevents an attacker from responding to your request with an old JWT, or a JWT for another consumer. The token contains fields for you to validate:
- iss: The issuing MediaWiki's $wgCanonicalServer
- aud: Your application's Consumer Key
- iat: Timestamp the token was issued at
- exp: Timestamp when this token expires
- nonce: The nonce from your OAuth request
If the JWT has a valid signature, and you have verified the JWT, you can know that the MediaWiki user had the following attributes at the time of the check:
- username: The MediaWiki username
- sub: The MediaWiki user_id
- editcount: The user's edit count
- confirmed_email: The user has a confirmed email set in MediaWiki
- registered: The date when the user registered
- groups: A list of groups to which the user belongs
- rights: A list of user rights that this user has been granted on the wiki
Use the API, setting Authorization header[edit]
- MediaWiki requires that you use the http Authorization header, instead of including the OAuth parameters your GET or POST values
- You will still need to get and use CSRF tokens to make edits, just as if you were using the action API normally. Your application does not need to keep track of the wiki's session cookie-- the OAuth extension will create and use a session based on the user's authorized token, which will last up to 1 hour
- Your API calls will be limited to the user rights that were both given to the user, and granted by the user to your application during the authorization step
- Edits from your application will be tagged with your Consumer's id number
See also[edit]
- Extension:OAuthAuthentication – A MediaWiki extension that lets your wiki delegate authentication to another wiki that is running Extension:OAuth.
- oauthclient-php – a client library for OAuth consumers.
 |
This extension is being used on one or more Wikimedia projects. This probably means that the extension is stable and works well enough to be used by such high-traffic websites. Look for this extension's name in Wikimedia's CommonSettings.php and InitialiseSettings.php configuration files to see where it's installed. A full list of the extensions installed on a particular wiki can be seen on the wiki's Special:Version page. |
