shortcut: OPENID
From mediawiki.org
MediaWiki extensions manual
Release status: unmaintained
Implementation User identity , Special page
Description Allow users with accounts on other OpenID-enabled sites to log in; if enabled, it also allows to use OpenID identities on other sites
Author(s) E. Prodromou, T. Gries, S. Chernyshev, A. Emsenhuber
Latest version 4.5.0 (2016-03-12)
MediaWiki all versions since MediaWiki 1.21 (with MySQL)
(older versions)
PHP 5.3+
Database changes Yes
License GNU General Public License 2.0 or later
Download see "Download" section

(see below)
Quarterly downloads 3 (Ranked 161st)
Translate the OpenID extension if it is available at translatewiki.net
Issues Open tasks · Report a bug

이 확장 기능은 미디어위키가 OpenID 2.0를 인식할 수 있도록 동작하며, 일반적인 아이디/패스워드 로그인 방식 대신 OpenID(특수한 URL)를 통해 로그인하는 기능을 제공한다. 이에 따라 미디어위키는 Relying part (RP) = OpenID consumer로써 동작한다.[1] 미디어위키가 OpenID provider(제공자)의 역할을 하게 하는 옵션도 있는데, 이 경우 위키 계정을 가진 사용자는 OpenID가 적용된 다른 웹 사이트에 특정 URL을 통해 로그인 할 수 있다.

필요 조건[edit]

MySQL ok, PostgreSQL ok[edit]

이 확장 기능은 MySQL에서 잘 동작하도록 개발 및 테스트되었다. PostgreSQL에 대해서는 3.43.20131103 버전 이후부터 확인되었다.

준비 사항 1: php-openid 라이브러리[edit]

https://github.com/openid/php-openid의 OpenID PHP library가 필요하다. 아래의 설치 문단에 설명된 Auth 하위 디렉토리에 최신 버전을 복사해 넣는다.

준비 사항 2: PHP 확장 기능 or 모듈[edit]

PHP extensions 같은 몇 가지 의존 항목들을 설치하거나 PHP 표준 설치 항목에 포함되어 있지 않은 항목인 경우 PHP를 다시 컴파일해야 한다. OpenSUSE에서 서버를 운영하는 경우, 최소한 gmp, mcrypt, curl, openssl, xml 모듈들을 (YaST를 통해 혹은 수동으로) 추가해야 한다.


☉ 권장됨


  • Download and place the file(s) in a directory called OpenID in your extensions/ folder.
  • Add the following code at the bottom of your LocalSettings.php file:
    require_once "$IP/extensions/OpenID/OpenID.php";
  • OpenID PHP 라이브러리 내 Auth디렉토리를 $IP/extensions/OpenID/Auth에 복사한다.
  • OpenID 확장 기능이 사용할 데이터베이스 생성을 위해, 미디어위키 maintenance 폴더인 $IP/maintenance에서 update.php 스크립트를 실행한다.
    cd $IP/extensions/OpenID
    git clone git://github.com/openid/php-openid.git
    mv php-openid/Auth/ Auth
    rm -r php-openid
    cd $IP/maintenance
    php update.php
  • Yes Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.

It should work out of the box, but you'll almost definitely want to set the trust root and access controls (see Configuration below).

  • If you restrict general access to wiki pages, you must add anonymous access for Special:OpenIDLogin and Special:OpenIDFinish or the OpenID Verification will fail. Typically this is done by adding those pages to $wgWhitelistRead in LocalSettings.php.
  • The user account must have a password associated to it: in Special:Preference Password Reset is added as new link.


"LocalSetting.php 쪽에 별도의 설정 추가 없이, 기본 설정만으로 사용하는 것이 일반적이다."

추가적인 설정은 LocalSetting.php 파일의 require_once 부분의 다음 줄에 한다.

OpenID 확장 기능 버전 4.00 이후의 설정 파라미터 (과거 버전은 여기(한글 문서 없음))
consumer (C)

provider (P)
모드 관련성

변수 기본값 설명
C $wgOpenIDLoginOnly false 활성화 된 경우, 기본 로그인 personal_urls는 제거될 것이고, 추가로 OpenID를 기존의 위키 계정에 연결시키는 옵션 또한 사용자 가입 화면에서 제거될 것이다. 사용자는 OpenID 계정으로만 로그인 할 수 있다. 이 옵션이 가장 중요한 옵션이다.
C+P $wgOpenIDMode (since v4.00) [ 'consumer', 'provider' ]
  • 'provider' - 이 위키의 사용자가 그들의 계정을 다른 사이트에서 OpenID로 사용하려는 경우
  • 'consumer' - 다른 사이트 또는 특정 provider의 OpenID를 가지고 이 위키에 로그인하려는 경우
  • array( 'consumer', 'provider' ) - consumer 그리고 provider
  • false - (확장 기능 사용하지 않는 경우)
P $wgOpenIDAllowServingOpenIDUserAccounts true 활성화 된 경우, 사용자가 위키 로그인을 위해 OpenID를 이미 사용하고 있다 할지라도 특정 url을 OpenID로 사용할 수 있다. 사용자는 사이트 A에서 OpenID를 이미 사용하고 있더라도, 사이트 A의 OpenID를 사이트 B에서도 사용할 수 있다. 사용자들은 어떠한 이유에서든 그런 사용 방식을 원할 수도 있다. 비활성화 된 경우, OpenID를 제공하는 것은 불가능하다.
P $wgOpenIDIdentifiersURL "" When used as OpenID provider, you can optionally define a template for a customized fully specified url (CFSU) as identity url for delegation.

This allows differently looking "nice OpenID urls" in addition to the generic urls /User:Username and /Special:OpenIDIdentifier/<id>.

The CFSU template must contain a placeholder string "{ID}". The placeholder is substituted with the authenticated user's internal ID during the OpenID authentication process.

To make this working you need also to set up a suited rewrite rule in your web server which redirects the CFSU with the replaced user id to Special:OpenIDIdentifier/<id>.

The default value is str_replace( "$1", "Special:OpenIDIdentifier/{ID}", $wgServer . $wgArticlePath );

C $wgOpenIDTrustRoot null This is a string that identifies your wiki (as consumer) in your OpenID account at the OpenID server. It is the "root" of your consumer site and looks like "https://www.mywiki.org/w/" or "http://www.yourwiki.org/wiki/". If you leave the null default, the software makes a guess. It is recommended not to change the default value if your wiki (as consumer) works with other OpenID servers.
C $wgOpenIDConsumerDenyByDefault false The administrator can decide which OpenIDs are allowed to login to their server. If this flag is true, only those OpenIDs that match one of the $wgOpenIDConsumerAllow and not one of the $wgOpenIDConsumerDeny patterns will be allowed to log in. If it is false, all OpenIDs are allowed to log in, unless they are matched by an $wgOpenIDConsumerDeny pattern and not an $wgOpenIDConsumerAllow. Typically you'll set this to true for testing and then false for general use. When using deny and allow arrays, defines how the security works. If true, works like "Order Allow,Deny" in Apache; deny by default, allow items that match allow that don't match deny to pass. If false, works like "Order Deny,Allow" in Apache; allow by default, deny items in deny that aren't in allow.
C $wgOpenIDConsumerAllow [] Which partners to allow; regexps here. See above. An array of regular expressions that match OpenIDs you want to allow to log in. For example, "@^(http://)?wikitravel.org/@" will allow OpenIDs from the Wikitravel domain.
C $wgOpenIDConsumerDeny [] Which partners to deny; regexps here. See above. An array of regular expressions that match OpenIDs you want to deny access to. This is mostly useful for servers that are known to be bad. Example: "#^(http://)?example.com/#".
C $wgOpenIDServerForceAllowTrust [] an array of regular expressions that match trust roots that you want to skip trust checks for when the user logs in from those sites. A typical example would be a closely federated cluster of sites (like Wikimedia, Wikia, or Wikitravel) where the personal data is available to the trusting server anyways. Be very careful using this across organizational boundaries.
C $wgOpenIDUseEmailAsNickname false when first-time logging-in with OpenID, use the part before the @ in any given e-mail address as the username if a nickname is not given by the OpenID. This works well with $wgOpenIDConsumerForce where all users have a unique e-mail address at the same domain.
C $wgOpenIDProposeUsernameFromSREG true when first-time logging in with OpenID, propose and allow new account names from OpenID SREG data such as fullname or nickname
C $wgOpenIDAllowNewAccountname true OpenID로 처음 로그인 한 경우, 사용자 이름을 선택하거나 직접 입력하는 옵션을 보여주기 (createaccount 권한이 true인 경우}
C $wgOpenIDAllowExistingAccountSelection true OpenID로 처음 로그인 한 경우, 기존 위키 사용자 목록에서 고르는 옵션을 보여주기
C $wgOpenIDTrustEmailAddress false Implicitly trust the e-mail address sent from the OpenID server, and don't ask the user to verify it. This can lead to people with a nasty OpenID provider setting up accounts and spamming
C $wgOpenIDAllowAutomaticUsername true OpenID로 처음 로그인 한 경우, 자동으로 생성된 사용자명을 선택하고 승인하는 옵션을 보여주기 (createaccount 권한이 true인 경우}
C+P $wgOpenIDConsumerStoreType 'file' strings denoting the type of storage to be used to store OpenID association data when acting as an OpenID relying party (consumer) and server, respectively. Only valid value is "file"; "memc" is no longer valid.
C+P $wgOpenIDServerStoreType 'file' strings denoting the type of storage to be used to store OpenID association data when acting as an OpenID relying party (consumer) and server, respectively. Only valid value is "file"; "memc" is no longer valid.
C+P $wgOpenIDConsumerStorePath false see $wgOpenIDServerStorePath
C+P $wgOpenIDServerStorePath false strings specifying the paths where OpenID assocation data should be stored when acting as a relying party (consumer) or server, respectively. Each of these need only be set if the store type settings (above) are set to "file", respectively. These strings, if both are set, MUST NOT be equal. If the store type is "file", the default here is "/$wgTmpDirectory/$wgDBname/openid-consumer-store/" and "/$wgTmpDirectory/$wgDBname/openid-server-store/" respectively. Paths will be automatically created if they doesn't exist.
C+P $wgOpenHideOpenIDLoginLink false boolean that says whether or not to hide the OpenID login link in the personal URLs. Typically you'd use this if you've already got some other method for showing the OpenID login link, like in your skin. Note that it will not prevent login if the user navigates to Special:OpenIDLogin directly; it's simply cosmetic. This is mostly a backwards-compatibility option.
C+P $wgOpenIDSmallLogoUrl false Url of a small OpenID logo; The default (false) uses a built-in logo.
P $wgOpenIDShowUrlOnUserPage 'user'() whether to show the OpenID identity URL on a user's home page. Possible values are
  • 'never'
  • 'user' (let the users decide in their preferences)
  • 'always'
C $wgOpenIDShowProviderIcons true With this enabled, users will see button icons instead of just links on the OpenID provider selection page.
C $wgOpenIDForcedProvider (since 3.40) null Url of required OpenID provider. When this is set, it bypasses the OpenID provider selection form.
  • Force this server to only allow authentication against one server and hide the selection form entirely.
  • @param string|null $wgOpenIDForcedProvider Name of hard-coded provider, or fully qualified Provider Id selection page Url
  • null: (default) show the extension's OpenID provider selection screen based on internal $wgOpenIDProviders list
  • (string) fully qualified Url: a fully qualified Url to the Providers' Id selection page
  • use "http://mediawiki-provider-server/wiki/Special:OpenIDServer/id"
  • in case you want to force the use of another mediawiki-provider-server (not this wiki!) as OpenID provider
  • (string) OpenID provider Name: use data for provider "Name" from the internal $wgOpenIDProviders list
C $wgOpenIDProviders (since 3.40) [] array of providers and their parameters

Bugs and common pitfalls[edit]

Please check our First aid checklist before asking for help, and please file bugs directly in the Wikimedia bug tracker.
  • After having created an account with OpenID on an OpenID-login-only enabled wiki, account changes which requires a password like Special:ChangeEmail won't work because no password is set, and account changes which require an email (e.g. Special:PasswordReset) won't work because no email is set; see Bug 34357.
  • one MediaWiki acting as OpenID server Bob does not work with another or same MediaWiki acting as OpenID consumer Alice on the same server. Advice for the moment: use two different servers while playing with the extension.
  • when you want to log in to your OpenID-consuming MediaWiki Alice as user X:
make sure that you are not logged in to the OpenID identity server Bob as another user Z ; otherwise you will see an error, which is intended.
I recommend you log out every person you may have on server Bob while testing the extension
clear your browser cache of all Bob-related cookies, and session cookie.

Specific providers[edit]


The OpenID provider myOpenID shut down in February 2014; its users will have to go elsewhere.[2][3]


Google stopped allowing registration of OpenID accounts from new domains in May 2014. It is slated to be shut down completely in April 2015. They are attempting to switch over all their users to use Google+ Sign-In instead.[4]

For those wikis where Google login with OpenID still works (for now), you can opt-in there to "2-step verification" ("two-factor authentication") because it is compatible with the OpenID extension.


In June 2013, Yahoo! began allowing users to regain other users' e-mail addresses when they are not used for a certain time. This broke the security of OpenID. The use of Yahoo OpenID therefore became deprecated and was discontinued in the OpenID extension.[5][6]