Extension:开放授权
OAuth 发行状态: 稳定版 |
|
---|---|
实现 | 用户身份 , 用户权限 , API |
描述 | |
作者 | Aaron Schulz, Chris Steipp, Brad Jorsch, Robert Vogel, Dejan Savuljesku |
最新版本 | 1.1.0 (continuous updates) |
兼容性政策 | 快照跟随MediaWiki发布。 master分支不向后兼容。 |
MediaWiki | >= 1.43 |
数据库更改 | 是 |
表 | oauth_accepted_consumer oauth_registered_consumer |
许可协议 | GNU通用公眾授權條款2.0或更新版本 |
下載 | |
帮助 | Help:OAuth |
|
|
|
|
|
|
季度下載量 | 79 (Ranked 60th) |
正在使用的公开wiki数 | 982 (Ranked 246th) |
前往translatewiki.net翻譯OAuth扩展 | |
Vagrant角色 | oauth |
問題 | 开启的任务 · 报告错误 |
OAuth扩展在MediaWiki中实现了一个OAuth服务器,同时支持OAuth 1.0a和OAuth 2.0协议版本。 它可讓第三方开发者安全地开发应用程序("消费者"),用户可以向其授予一组有限的权限("授权"),这样应用程序就可以代表用户使用MediaWiki動作API。
要求
- OAuth 依赖对象缓存来获取临时令牌和会话。 只要缓存配置设置是正常的,就应该能正常工作。 (旧版本明确需要Memcached 。)
- 目前仅支持 MySQL 和 SQLite 数据库后端
- 如果 MediaWiki 安装是私有的(即用户需要登录才有读取权限),则需要将Special:OAuth添加到白名单。
安裝
- 下载文件,并将解压后的
OAuth
文件夹移动到extensions/
目录中。
开发者和代码贡献人员应从Git安装扩展,输入:cd extensions/
git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/OAuth - 只有從git安裝才运行Composer来安装PHP依赖,通过发行
composer install --no-dev
至扩展目录。 (参见工單T173141了解潜在问题。) - 将下列代码放置在您的LocalSettings.php 的底部:
wfLoadExtension( 'OAuth' );
- 运行更新脚本,它将自动创建此扩展必须依赖的数据库表。
- 根据需要配置常规参数。
- 将用户归入
$wgGroupPermissions
中的相关组,以配置其权限。 - 完成 – 在您的wiki上导航至Special:Version,以验证已成功安装扩展。
使用Vagrant安装:
- 如果使用Vagrant ,请通过
vagrant roles enable oauth --provision
安装
要为某个组(例如系统管理员)分配权限,可在LocalSettings.php
中添加以下一行:
$wgGroupPermissions['sysop']['mwoauthproposeconsumer'] = true;
配置
Parameters
变量名称 | 默认值 | 描述 |
---|---|---|
$wgMWOAuthCentralWiki
|
false
|
OAuth 管理维基的维基ID。 在维基農場中,将其设置为入口站点、专门用于管理或仅处理登录/身份验证的维基站点是合理的。 不过,它可以设置为农场中的任何维基。 对于单维基网站或每个维基单独管理消费者的农场,应将其保留为false 。
|
$wgMWOAuthSharedUserIDs
|
false
|
(已弃用) 改用$wgMWOAuthSharedUserSource
全域共享用户ID是否存储在oauth表中。
在共享单个 OAuth 管理维基的具有中央身份验证系统(具有整数用户 ID)的维基场中,必须将此设置为 true。
如果维基有一个中央认证系统,但有自己的 OAuth 管理系统,那么这可以是 |
$wgMWOAuthSharedUserSource
|
null
|
Central ID provider when sharing OAuth credentials over a wiki farm
Source of shared user IDs, if enabled. If CentralIdLookup is available, this is the $providerId for CentralIdLookup::factory(). Generally null would be what you want, to use the default provider. If that class is not available or the named provider is not found, this is passed to the OAuthGetUserNamesFromCentralIds, OAuthGetLocalUserFromCentralId, OAuthGetCentralIdFromLocalUser, OAuthGetCentralIdFromUserName hooks. This has no effect if $wgMWOAuthSharedUserIDs is set to false. |
$wgMWOAuthRequestExpirationAge
|
2,592,000 (30 days)
|
Seconds after which an idle request for a new Consumer is marked as "expired" |
$wgMWOAuthSecureTokenTransfer
|
true
|
Require SSL/TLS for returning Consumer and user secrets. This is required by RFC 5849, however if a wiki wants to use OAuth, but doesn't support SSL, this option makes this configuration possible. This should be set to true for most production settings. |
$wgOAuthSecretKey
|
$wgSecretKey
|
A secret configuration string (random 32-bit string generated using "base64_encode(random_bytes(32))") used to hmac the database-stored secret to produce the shared secrets for Consumers. This provides some protection against an attacker reading the values out of the consumer table (the attacker would also need $wgOAuthSecretKey to generate valid secrets), and some protection against potential weaknesses in the secret generation. If this string is compromised, the site should generate a new $wgOAuthSecretKey, which will invalidate Consumer authorizations that use HMAC/shared secret signatures instead of public/private keys. Consumers can regenerate their new shared secret by using the "Reset the secret key to a new value" option under Special:MWOAuthConsumerRegistration/update. If null, the value is set to $wgSecretKey. |
$wgOAuthGroupsToNotify
|
[]
|
The list of user groups which should be notified about new consumer proposals. Setting this will only have an effect when Echo is installed. |
$wgMWOauthDisabledApiModules
|
[]
|
List of API module classes to disable when OAuth is used for the request |
$wgMWOAuthReadOnly
|
false
|
Prevent write activity to the database. When this is set, consumers cannot be added or updated, and new authorizations are prohibited. Authorization headers for existing authorizations will continue to work. Useful for migrating database tables |
$wgMWOAuthSessionCacheType
|
$wgSessionCacheType
|
The storage mechanism for session data. If null, it defaults to $wgSessionCacheType. |
$wgOAuthAutoApprove
|
[]
|
Allows automatic immediate approval of low-risk apps. In the form of [ 'grants' => [ 'grant1', 'grant2', ... ] ]
|
$wgOAuth2EnabledGrantTypes
|
[
"authorization_code",
"refresh_token",
"client_credentials"
]
|
List of OAuth2 grants that client applications can be allowed to use. Actual grants client application will be allowed to use can be any subset of grants listed here. Grants, other than the ones listed here, are considered legacy grants, and are not supported by this extension |
$wgOAuth2PrivateKey
|
""
|
Private key or a path to the private key used to sign OAuth2 JWT being transmitted. See the OAuth 2.0 Server documentation for how to generate the keys. |
$wgOAuth2PublicKey
|
""
|
Public key or a path to the public key used to verify OAuth2 resource requests. |
$wgOAuth2RequireCodeChallengeForPublicClients
|
true
|
Controls whether clients are required to send code challenges with OAuth2 requests. This only applies to non-confidential clients. |
$wgOAuth2GrantExpirationInterval
|
"PT1H" (1 hour)
|
Controls validity period for access tokens (stored in the cache configured in MWOAuthSessionCacheType). Does not apply to owner-only clients, whose access tokens are always non-expiring. Accepts ISO 8601 durations or can be set to "infinity" or false for non-expiring tokens. |
$wgOAuth2RefreshTokenTTL
|
"P1M" (1 month)
|
Controls validity period for refresh tokens (stored in the cache configured in MWOAuthSessionCacheType). Accepts ISO 8601 durations or can be set to "infinity" or false for non-expiring tokens. |
用户权限
权限 | 描述 |
---|---|
mwoauthproposeconsumer |
提议新的OAuth消费方 |
mwoauthupdateownconsumer |
更新您控制的OAuth消费方 |
mwoauthmanageconsumer |
管理OAuth消费方 |
mwoauthsuppress |
隐藏OAuth消费方 |
mwoauthviewsuppressed |
查看已隐藏的OAuth消费方 |
mwoauthviewprivate |
查看私有OAuth数据 |
mwoauthmanagemygrants |
管理OAuth功能 |
Endpoints
OAuth 2.0 REST endpoints
The following REST endpoints are provided for OAuth 2.0 interaction
Path | Description | Allowed parameters | Allowed method | ||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
/oauth2/authorize | Used for retrieving authorization code when using authorization_code grant. |
|
GET | ||||||||||||||||||||||||||||||||||||||||||||||||||
/oauth2/access_token | Used for requesting access tokens |
|
POST | ||||||||||||||||||||||||||||||||||||||||||||||||||
/oauth2/resource/{{type}} | Used for retrieving protected resources using the access token issued previously.
Currently, two resource types can be retrieved using this endpoint, by replacing
|
No parameters are allowed, apart from the {{type}} parameter that is included in the path
|
GET/POST | ||||||||||||||||||||||||||||||||||||||||||||||||||
/oauth2/client | Lists OAuth 1.0a or 2.0 clients for the logged-in user. Authentication can be achieved over CentralAuth or by including an access token in the authorization header.
|
|
GET | ||||||||||||||||||||||||||||||||||||||||||||||||||
/oauth2/client/{client_key}/reset_secret | Resets a client secret. For owner-only clients, this endpoint also resets the access token.
|
|
POST | ||||||||||||||||||||||||||||||||||||||||||||||||||
/oauth2/client | Creates an OAuth 2.0 client.
|
|
POST |
參見
- Extension:OATHAuth - A similarly named extension which implements a second authentication factor using OATH-based one-time passwords.
- Extension:WSOAuth – A MediaWiki extension that lets your wiki delegate authentication to any OAuth provider using PluggableAuth, including a wiki that is running Extension:OAuth.
- oauthclient-php – A client library for OAuth consumers.
此扩展用于一个或多个维基媒体项目。 这可能意味着扩展足够稳定、运作足够良好,可以用在这样的高流量的网站上。 请在维基媒体的CommonSettings.php和InitialiseSettings.php配置文件中查找此扩展的名称以查看哪些网站安装了该扩展。 特定wiki上的已安装的扩展的完整列表位于Special:Version页面。 |
此扩展在以下wiki农场/托管网站和/或软件包中提供: 這不是一份權威名單。 即使某些wiki农场/托管网站和/或软件包未在这里列出,它们也可能提供此扩展。 请检查你的wiki农场/托管网站或软件包以确认提供情况。 |
- Stable extensions/zh
- User identity extensions/zh
- User rights extensions/zh
- API extensions/zh
- Pages using deprecated NoteTA template
- GPL licensed extensions/zh
- Extensions in Wikimedia version control/zh
- Extensions which add rights/zh
- AbuseFilter-builder extensions/zh
- AbuseFilter-computeVariable extensions/zh
- AbuseFilter-generateUserVars extensions/zh
- ApiRsdServiceApis extensions/zh
- BeforeCreateEchoEvent extensions/zh
- ChangeTagCanCreate extensions/zh
- ChangeTagsListActive extensions/zh
- GetPreferences extensions/zh
- ListDefinedTags extensions/zh
- LoadExtensionSchemaUpdates extensions/zh
- LoginFormValidErrorMessages extensions/zh
- MergeAccountFromTo extensions/zh
- MessagesPreLoad extensions/zh
- SetupAfterCache extensions/zh
- SpecialPageAfterExecute extensions/zh
- SpecialPageBeforeFormDisplay extensions/zh
- SpecialPage initList extensions/zh
- TestCanonicalRedirect extensions/zh
- All extensions/zh
- Extensions requiring Composer with git/zh
- Extensions used on Wikimedia/zh
- Extensions included in Miraheze/zh
- Extensions included in MyWikis/zh
- Extensions included in ProWiki/zh
- Extensions included in wiki.gg/zh
- Extensions included in WikiForge/zh