Release status: beta
Implementation: Hook, Special page
Description: Use the MediaWiki OAuth extension on another wiki as authentication on your wiki.
License: GNU General Public License 2.0
Issues: Open tasks · Report a bug
The OAuthAuthentication extension lets your wiki delegate authentication to another wiki that is running Extension:OAuth. Configuration flags let you set policies about which users may register: for example, restrict logins to a fixed set of usernames, or to members of a particular group on the remote wiki.
Before you begin, you need to register a new OAuth application on the wiki to which you are delegating authentication. For example, register your app on meta.wikimedia.org to use any WMF wiki as the remote wiki. Once you have registered your app and received a consumer key and secret:
- Download and place the file(s) in a directory called
- Run Composer to install PHP dependencies by issuing composer install in the extension directory. (See T173141 for potential complications.)
- Add the following code at the bottom of your LocalSettings.php:
wfLoadExtension( 'OAuthAuthentication' );
- Additionally, set the following in your LocalSettings.php:
- $wgOAuthAuthenticationUrl - the path to the Special:OAuth page on the wiki where you are delegating authentication. E.g., http://en.wikipedia.org/w/index.php?title=Special:OAuth if you're delegating authentication to English Wikipedia.
- $wgOAuthAuthenticationConsumerKey - The key that you received when you registered your app
- $wgOAuthAuthenticationConsumerSecret - The secret that you received when you registered your app. At this time, RSA private keys are not supported (it would be easy to add; patches welcome).
- Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.
Further optional settings in LocalSettings.php:
- $wgOAuthAuthenticationCanonicalUrl - If you see exceptions saying the JWT didn't validate, set this to the canonical URL ($wgCanonicalServer) of the wiki to which you delegated authentication. The URL must match exactly: if that wiki uses http:// in its canonical URL, you must use http:// here too, even if you set https:// in $wgOAuthAuthenticationUrl. This setting does not cause any data to be transferred over http; it is only compared against the issuer of the user's identity assertion, to confirm that the assertion came from the wiki you expected.
- $wgOAuthAuthenticationAccountUsurpation - Whether to allow usurpation of existing local accounts. If User:Foo is already registered on your wiki when you set up this extension, and User:Foo from the wiki to which you delegated authentication then signs in, this option decides whether the local User:Foo account is handed to the user signing in ($wgOAuthAuthenticationAccountUsurpation = true) or the sign-in is refused because the account already exists ($wgOAuthAuthenticationAccountUsurpation = false).
- Username whitelist - To restrict the users who may sign in to your wiki to specific usernames, set this to an array of usernames. False allows any username to sign in, provided the user also satisfies the group whitelist.
- Group whitelist - To restrict the users who may sign in to your wiki to members of particular groups on the remote wiki, set this to an array of group names. False allows any group to sign in, provided the user also satisfies the username whitelist.
- $wgOAuthAuthenticationAllowLocalUsers - Whether non-OAuth accounts are allowed. Keep the default (true) if you want power users to be able to visit Special:UserLogin directly and create a local account.
- $wgOAuthAuthenticationRemoteName - A short name for the wiki to which you delegated authentication, used in several messages. For example, setting this to "Wikipedia" makes the login link read "Login on Wikipedia" instead of the normal text. HTML is allowed in this string, so you can include a logo.
- Maximum identity age - How long a user's session stays valid before their identity is re-validated against the remote wiki. Where the username/group policies must be enforced strictly (for example, you only allow sysops to log in, and a user who is desysopped on the remote wiki should lose access here soon after), set this to a short number of seconds. The default of 1 hour is a good balance for most wikis.
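The following Python script is an added illustration, not code from the OAuthAuthentication extension, of what the checks behind the settings above amount to: verifying the identity assertion (a JWT signed with the consumer secret) against the canonical URL and consumer key, then applying the username whitelist, group whitelist and maximum identity age policies. The claim names iss, aud, iat, exp, username and groups are assumed to match the identity assertion the remote wiki's OAuth extension issues; mint_identity_jwt only stands in for the remote wiki so that the example runs offline on constructed claims, and the key, secret and claim values are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Placeholders standing in for the LocalSettings.php values discussed above;
# none of these is a real consumer registration.
CANONICAL_URL = "https://en.wikipedia.org"          # $wgOAuthAuthenticationCanonicalUrl
CONSUMER_KEY = "0123456789abcdef0123456789abcdef"   # $wgOAuthAuthenticationConsumerKey (placeholder)
CONSUMER_SECRET = b"placeholder-shared-secret"      # $wgOAuthAuthenticationConsumerSecret (placeholder)


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_identity_jwt(claims: dict, secret: bytes) -> str:
    """Constructed stand-in for the remote wiki: HS256-sign the claims with the shared secret.
    In a real deployment the remote wiki produces this token; it exists here only so the
    example runs offline."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_identity_jwt(token: str, secret: bytes, canonical_url: str,
                        consumer_key: str, now: Optional[float] = None) -> dict:
    """Check signature, issuer, audience and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Only the shared-secret scheme is in use (RSA consumers are not supported here).
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig_b64), expected):
        raise ValueError("signature does not verify")  # nothing in the payload can be trusted
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != canonical_url:
        # Exact string comparison: http:// versus https:// is enough to fail here.
        raise ValueError(f"issuer {claims.get('iss')!r} does not match {canonical_url!r}")
    if claims.get("aud") != consumer_key:
        raise ValueError("token was issued to a different consumer")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp < now:
        raise ValueError("token has expired")
    return claims


def login_allowed(claims: dict, username_whitelist=False, group_whitelist=False) -> bool:
    """Apply the two whitelists; False on either side means 'no restriction'."""
    if username_whitelist is not False and claims.get("username") not in username_whitelist:
        return False
    if group_whitelist is not False and not set(claims.get("groups", [])) & set(group_whitelist):
        return False
    return True


def identity_is_fresh(claims: dict, max_age_seconds: int = 3600, now: Optional[float] = None) -> bool:
    """True while the assertion is younger than the re-validation interval (default 1 hour)."""
    now = time.time() if now is None else now
    return now - claims["iat"] < max_age_seconds


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the run is reproducible
    claims = {"iss": CANONICAL_URL, "aud": CONSUMER_KEY, "iat": now, "exp": now + 100,
              "username": "Foo", "groups": ["*", "user", "sysop"]}
    token = mint_identity_jwt(claims, CONSUMER_SECRET)
    print("accepted:", verify_identity_jwt(token, CONSUMER_SECRET, CANONICAL_URL, CONSUMER_KEY, now)["username"])
    try:  # same token, canonical URL configured with the wrong scheme
        verify_identity_jwt(token, CONSUMER_SECRET, "http://en.wikipedia.org", CONSUMER_KEY, now)
    except ValueError as err:
        print("rejected:", err)
    print("sysop-only policy:", login_allowed(claims, False, ["sysop"]))
```

Run as a script, the same token is accepted when checked against https://en.wikipedia.org and rejected against http://en.wikipedia.org, which is exactly the mismatch the canonical URL setting exists to get right; a token minted under another secret, or one whose exp has passed, is rejected before any claim is trusted, and the whitelist and freshness functions show how the remaining policies gate the login after the assertion itself has been accepted.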
Single Sign-On with Wikipedia
I just want to do single sign-on with Wikipedia, how do I do that?
- Register a new OAuth application on meta.wikimedia.org. Do not use an RSA key pair for authentication; let the registration form on Meta generate a shared secret for you.
- Set the following in your LocalSettings.php:
$wgOAuthAuthenticationUrl = 'https://en.wikipedia.org/w/index.php?title=Special:OAuth';
$wgOAuthAuthenticationConsumerKey = '<The key that you received when you registered your app>';
$wgOAuthAuthenticationConsumerSecret = '<The secret that you received when you registered your app.>';
$wgOAuthAuthenticationCanonicalUrl = 'https://en.wikipedia.org';
$wgOAuthAuthenticationRemoteName = 'Wikipedia';
To use Wikipedia as your only sign-on system (to keep things simple), also set in LocalSettings.php:
- $wgOAuthAuthenticationAllowLocalUsers = false;