Phabricator project: #MediaWiki-extensions-OAuth
Extension:OAuth
Not to be confused with Extension:OATHAuth.
 Release status: stable |
|||
|---|---|---|---|
| Implementation | User identity, User rights, API | ||
| Description | Allow users to safely authorize another application ("consumer") to use the MediaWiki action API on their behalf. | ||
| Compatibility policy | release branches | ||
| Database changes | Yes | ||
| License | GNU General Public License 2.0 or later | ||
| Download | |||
|
|||
|
|||
|
Translate the OAuth extension if it is available at translatewiki.net |
|||
| Check usage and version matrix. | |||
| Vagrant role | oauth | ||
| Open tasks · Report a bug | |||
The OAuth extension implements an OAuth 1.0a server in MediaWiki. It allows third party developers to securely develop applications ("consumers"), to which users can give a limited set of permissions ("grants") to, so that the application can use the MediaWiki action API on the user's behalf.
Note: If you're attempting to develop an application that uses OAuth on a wiki, see OAuth for Developers. If you are trying to use an OAuth-enabled tool on a wiki which has this extension installed, see Help:OAuth.
Requirements[edit]
- OAuth relies on the object cache for temporary tokens and sessions. This should work as long as cache configuration settings are sane. (Older versions required Memcached explicitly.)
- Currently, only mysql and sqlite database backends are supported
- If the mediawiki installation is private (i.e. users need to log in to have read access), Special:OAuth will need to be added to the white list.
Installation[edit]
- Download and place the file(s) in a directory called
OAuthin yourextensions/folder. - Add the following code at the bottom of your LocalSettings.php:
wfLoadExtension( 'OAuth' );
- Run the update script which will automatically create the necessary database tables that this extension needs.
- Configure the general parameters as required.
- Configure the user rights by putting them into the relevant groups in
$wgGroupPermissions. 
Done - Navigate to Special:Version on your wiki to verify that the extension is successfully installed.
To users running MediaWiki 1.24 or earlier:
The instructions above describe the new way of installing this extension using wfLoadExtension() If you need to install this extension on these earlier versions (MediaWiki 1.24 and earlier), instead of wfLoadExtension( 'OAuth' );, you need to use:
require_once "$IP/extensions/OAuth/OAuth.php";
User rights[edit]
| Right | Description |
|---|---|
| mwoauthproposeconsumer | User can propose a new Consumer |
| mwoauthupdateownconsumer | Modify a Consumer |
| mwoauthmanageconsumer | Approve a Consumer |
| mwoauthsuppress | Hide details about a Consumer |
| mwoauthviewsuppressed | View hidden details about a Consumer |
| mwoauthviewprivate | View private details about a Consumer, such as the hmac secret |
| mwoauthmanagemygrants | Right for users to manage what rights they have authorized for each Consumer. Typically, this right will not be granted to an OAuth Consumer. |
To assign a permission to some group, for example to sysops, you add following line to LocalSettings.php:
$wgGroupPermissions['sysop']['mwoauthproposeconsumer'] = true;
Configuration[edit]
| Variable name | Default value | Description |
|---|---|---|
| $wgMWOAuthCentralWiki | false | Wiki where OAuth grants are stored and Consumers registered, if this is a multi-wiki cluster |
| $wgMWOAuthSharedUserIDs | false | |
| $wgMWOAuthSharedUserSource | false | Central ID provider |
| $wgMWOAuthRequestExpirationAge | 30 days (30 * 86400 seconds) | Seconds after which an idle request for a new Consumer is marked as "expired" |
| $wgMWOAuthSecureTokenTransfer | false | Require SSL/TLS for returning Consumer and user secrets. This is required by RFC 5849, however if a wiki wants to use OAuth, but doesn't support SSL, this option makes this configuration possible. This should be set to true for most production settings. |
| $wgOAuthSecretKey | $wgSecretKey | A secret configuration string used to hmac the database-stored secret to produce the shared secrets for Consumers. This provides some protection against an attacker reading the values out of the consumer table (the attacker would also need $wgOAuthSecretKey to generate valid secrets), and some protection against potential weaknesses in the secret generation. If this string is compromised, the site should generate a new $wgOAuthSecretKey, which will invalidate Consumer authorizations that use HMAC/shared secret signatures instead of public/private keys. Consumers can regenerate their new shared secret by using the "Reset the secret key to a new value" option under Special:MWOAuthConsumerRegistration/update. |
| $wgOAuthGroupsToNotify | [] | The list of user groups which should be notified about new consumer proposals. Setting this will only have an effect when Echo is installed. |
See also[edit]
- Extension:OAuthAuthentication – A MediaWiki extension that lets your wiki delegate authentication to another wiki that is running Extension:OAuth.
- Extension:OATHAuth - A similarly named extension which implements a second authentication factor using OATH-based one-time passwords.
- oauthclient-php – a client library for OAuth consumers.
 |
This extension is being used on one or more Wikimedia projects. This probably means that the extension is stable and works well enough to be used by such high-traffic websites. Look for this extension's name in Wikimedia's CommonSettings.php and InitialiseSettings.php configuration files to see where it's installed. A full list of the extensions installed on a particular wiki can be seen on the wiki's Special:Version page. |
