OpenID Connect
Release status: stable
Description: Extends the PluggableAuth extension to provide authentication using OpenID Connect.
Author(s): Cindy Cicalese (cindy.cicalese)
Latest version: 4.0 (2017-04-19)
- Download and place the file(s) in a directory called
- Add the following code at the bottom of your LocalSettings.php:
wfLoadExtension( 'OpenIDConnect' );
- Run the update script, which will automatically create the database tables that this extension needs.
- In the extension directory, run "composer update" to fetch the OpenID Connect client library.
- Configure as required
- Done - Navigate to Special:Version on your wiki to verify that the extension is successfully installed.
|Parameter||Default||Description|
|$wgOpenIDConnect_Config||no default value||A mandatory array of arrays specifying the OpenID Connect issuers. The key of the containing array entry is the URL of the issuer (it must match the issuer string the provider places in its ID tokens exactly, trailing slash included). The contained array has the following keys:|
|$wgOpenIDConnect_UseRealNameAsUserName||false||If a new user is being created in the database and no preferred username was provided by the issuer, a value of|
|$wgOpenIDConnect_UseEmailNameAsUserName||false||If a new user is being created in the database, and no preferred username was provided by the issuer, and either no real name was provided by the issuer or|
|$wgOpenIDConnect_MigrateUsersByUserName||false||If a user already exists in the database with the same user name as the authenticated user and has|
|$wgOpenIDConnect_MigrateUsersByEmail||false||If a user already exists in the database with the same email address as the authenticated user and has|
|$wgOpenIDConnect_ForceLogout||false||Upon logout, request authentication passing attribute|
When configuring the identity provider, it will ask for a redirect URL or callback URL. Use the full URL of the Special:PluggableAuthLogin page for that value, exactly as the wiki generates it (same scheme, host, port and path): providers compare the redirect URI as a string against what was registered and reject the login if it differs.
A simple example of the $wgOpenIDConnect_Config configuration for a single issuer is as follows:
$wgOpenIDConnect_Config['https://id.mycompany_abc.com/connect/'] = [
    'clientID' => '.....',
    'clientsecret' => '.....'
];
An example of the $wgOpenIDConnect_Config configuration for multiple issuers is as follows:
$wgOpenIDConnect_Config['https://id.mycompany_abc.com/connect/'] = [
    'clientID' => '.....',
    'clientsecret' => '.....',
    'name' => "My Company's Connect Server",
    'icon' => 'http://www.mycompany_abc.com/images/logo.png'
];
$wgOpenIDConnect_Config['https://id.partnercompany_def.com/connect/'] = [
    'clientID' => '.....',
    'clientsecret' => '.....',
    'name' => "Partner Company's Connect Server",
    'icon' => 'http://www.partnercompany_def.com/images/logo.png'
];
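The configuration above is keyed by issuer URL because the issuer string is what ties an incoming ID token back to one client ID and one signing key. The following Python is an added example, not code from the extension or from the jumbojett/OpenID-Connect-PHP library it uses: it validates an ID token against a dictionary shaped like $wgOpenIDConnect_Config, checking issuer, signature, audience, expiry and nonce in that order. HS256 with the client secret is used only so it runs offline; real issuers sign ID tokens with RS256 and publish their keys at the jwks_uri from the discovery document, and a production validator fetches those keys. All issuer URLs, client IDs, secrets, nonces and tokens below are constructed for the example.

```python
"""Added example: validate an OpenID Connect ID token against a config
shaped like $wgOpenIDConnect_Config (issuer URL -> clientID/clientsecret).
Not the extension's or the jumbojett library's code; HS256 is used only so
the example runs offline. All values below are constructed."""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical mirror of a two-issuer $wgOpenIDConnect_Config. Keys must equal
# the "iss" claim the provider puts in its ID tokens, trailing slash included.
CONFIG = {
    "https://id.mycompany_abc.com/connect/": {
        "clientID": "wiki-client-abc",
        "clientsecret": "abc-client-secret",
    },
    "https://accounts.google.com": {
        "clientID": "123456.apps.googleusercontent.com",
        "clientsecret": "google-client-secret",
    },
}


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(issuer, claims, secret):
    """Constructed fixture: an HS256-signed ID token carrying `claims`."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(dict(claims, iss=issuer)).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token, config, expected_nonce, now=None):
    """Return the claims if the token is acceptable, else raise ValueError.

    The issuer is looked up first (it selects the key and the expected
    audience), then the signature is verified, and only then is any other
    claim trusted."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # covers binascii.Error, JSONDecodeError, bad UTF-8
        raise ValueError(f"malformed ID token: {exc}") from None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed ID token: header/payload are not objects")

    entry = config.get(claims.get("iss"))
    if entry is None:
        raise ValueError(f"issuer not configured: {claims.get('iss')!r}")

    # Never let the token choose the algorithm ("none", key confusion, ...).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    expected = hmac.new(entry["clientsecret"].encode(),
                        f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("signature check failed")

    # aud may be a string or a list; with several audiences OIDC Core requires azp.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if entry["clientID"] not in audiences:
        raise ValueError(f"token was not issued for this client: {aud!r}")
    if len(audiences) > 1 and claims.get("azp") != entry["clientID"]:
        raise ValueError("multi-audience token without a matching azp claim")

    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("token expired or has no exp claim")
    # The nonce ties the token to the login attempt that started this flow.
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), expected_nonce.encode()):
        raise ValueError("nonce mismatch (replayed or cross-session token)")
    return claims


def rejection_reason(token, config, expected_nonce, now=None):
    """None if the token is accepted, otherwise the validation error text."""
    try:
        validate_id_token(token, config, expected_nonce, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    now = 1_700_000_000
    claims = {"sub": "1", "aud": "123456.apps.googleusercontent.com",
              "exp": now + 300, "iat": now, "nonce": "n-1", "email": "alice@example.com"}
    good = make_id_token("https://accounts.google.com", claims, "google-client-secret")
    print(validate_id_token(good, CONFIG, "n-1", now)["email"])
    print(rejection_reason(good, CONFIG, "n-1", now + 300))
```

The issuer lookup is a plain dictionary hit on the `iss` claim, which is why the config keys must match the provider's issuer string exactly; a key that differs only by a trailing slash makes every token from that provider fail with "issuer not configured" rather than being silently accepted.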
Example: Google as an Issuer
- Using the Google Developer Console, create a project.
- Click on the project and click on APIs & auth / Credentials on the sidebar.
- Click the Create new Client ID button and select Web application. Fill in the consent screen information and save.
- Fill in the root URL (no wild cards or paths) of your wiki in
- Fill in the URL of the Special:PluggableAuthLogin page of your wiki in Authorized redirect URIs.
- Click Create Client ID.
- Note the Client ID and Client Secret that are assigned.
The Google issuer is now configured. Add the corresponding configuration to your LocalSettings.php file, filling in the clientID and clientsecret fields with the values assigned above.
$wgOpenIDConnect_Config['https://accounts.google.com'] = [
    'clientID' => '.....',
    'clientsecret' => '.....',
    'scope' => [ 'openid', 'profile', 'email' ]
];
You may also assign values for
Using it against Azure ADFS
Three parameters are required to authenticate against Azure AD with this extension: the tenant ID, the client (application) ID, and a client secret. Note that the issuer below, https://sts.windows.net/<tenant ID>/, is the Azure AD token issuer rather than an on-premises AD FS server, which has its own issuer URL; the trailing slash is part of the issuer string and must be kept.
$wgOpenIDConnect_Config['https://sts.windows.net/ReplaceWithYourTenantID/'] = [
    'clientID' => 'ReplaceWithYourClientID',
    'clientsecret' => 'ReplaceWithYourSecret'
];
- Version 4.0
- Added optional error message to authenticate()
- Bumped version number to synchronize with PluggableAuth and SimpleSAMLphp extensions
- Version 2.3
- Fixed whitelist implementation
- Changed migration flags to allow migration by email address in addition to migration by user name
- Version 2.2
- Fixes related to the PluggableAuth MediaWiki 1.27 upgrade
- Array coding conventions
- Version 2.1
- Update to MediaWiki 1.27 session management
- Added default values for configuration variables to extension.json
- Version 2.0
- Updated extension registration
- Changed configuration variables to use "wg" prefix
- Added composer.json to get OpenID Connect library using composer
- Version 1.2
- Added ability to specify auth params and added support for table prefixes
- Version 1.1
- Added support for Google
- Version 1.0
- Initial version
- Wikis that use URLs of the form http://example.org/w/index.php?title=Page_title (i.e. with the page title provided as a query parameter) will not be redirected correctly to complete the authentication flow. URLs must instead be of the form http://example.org/w/index.php/Page_title, which can be accomplished by using short URLs or by setting $wgArticlePath appropriately.
- This extension may not work correctly with $wgMainCacheType = CACHE_ACCEL (see T147161).
- This extension does not work on non-standard ports unless you manually update the underlying OpenID Connect client library; see https://github.com/jumbojett/OpenID-Connect-PHP/issues/58. The issue also applies to web servers other than IIS.