Extension:OpenID Connect

From MediaWiki.org
OpenID Connect

Release status: stable

Implementation: User identity
Description: Extends the PluggableAuth extension to provide authentication using OpenID Connect.
Author(s): Cindy Cicalese (cindy.cicalese, talk)
Latest version: 4.0 (2017-04-19)
Compatibility policy: master
MediaWiki: 1.27+
PHP: 5.3+
Database changes: Yes
Composer: jumbojett/openid-connect-php
License: MIT License
Download
Parameters:
  • $wgOpenIDConnect_Config
  • $wgOpenIDConnect_UseRealNameAsUserName
  • $wgOpenIDConnect_UseEmailNameAsUserName
  • $wgOpenIDConnect_MigrateUsers
  • $wgOpenIDConnect_ForceLogout

Issues: Phabricator (Open tasks · Report a bug)

The OpenID Connect extension extends the PluggableAuth extension to provide authentication using OpenID Connect.

Special thanks to jumbojett for the OpenID Connect PHP library used by this extension.

Installation

Note: This extension requires PluggableAuth to be installed first. It also requires the OpenID Connect PHP library, which may be installed using composer.

  • Download and place the file(s) in a directory called OpenIDConnect in your extensions/ folder.
  • Add the following code at the bottom of your LocalSettings.php:
    wfLoadExtension( 'OpenIDConnect' );
    
  • Run the update script which will automatically create the necessary database tables that this extension needs.
  • In the extension directory run "composer update".
  • Configure as required
  • Done - Navigate to Special:Version on your wiki to verify that the extension is successfully installed.

Configuration parameters

Each flag is listed with its default value and description.

  • $wgOpenIDConnect_Config (no default value): A mandatory array of arrays specifying the OpenID Connect issuers. The key of the containing array entry is the URL of the issuer. The contained array has the following keys: clientID (mandatory), clientsecret (mandatory), name (optional label text), icon (optional URL), proxy (optional URL), scope (optional string or array of strings to be passed to the issuer), and authparam (optional associative array of authentication parameters to be passed to the issuer). If multiple issuers are provided, a selection special page will be presented to the user upon login. name and icon are used on that page to display the issuers.
  • $wgOpenIDConnect_UseRealNameAsUserName (default false): If a new user is being created in the database and no preferred username was provided by the issuer, a value of true for this flag indicates that the user's real name, if provided by the issuer, should be used as the new user's username.
  • $wgOpenIDConnect_UseEmailNameAsUserName (default false): If a new user is being created in the database, no preferred username was provided by the issuer, and either no real name was provided by the issuer or $wgOpenIDConnect_UseRealNameAsUserName was undefined or set to false, a value of true for this flag indicates that the name portion of the user's email address, if provided by the issuer, should be used as the new user's username.
  • $wgOpenIDConnect_MigrateUsersByUserName (default false): If a user already exists in the database with the same user name as the authenticated user and has null values for subject and issuer, use this user, setting the subject and issuer in the database to those of the authenticated user. This is useful when the wiki previously used a different authentication mechanism.
  • $wgOpenIDConnect_MigrateUsersByEmail (default false): If a user already exists in the database with the same email address as the authenticated user and has null values for subject and issuer, use this user, setting the subject and issuer in the database to those of the authenticated user. This is useful when the wiki previously used a different authentication mechanism.
  • $wgOpenIDConnect_ForceLogout (default false): Upon logout, request authentication passing the attribute prompt with a value of login (not fully supported by all OpenID Connect servers yet).
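The three username flags above form a precedence chain that is easy to misread. The following is an added illustration written for this page, not the extension's own code: it restates the documented order (issuer-supplied preferred username first, then real name if that flag is on, then the local part of the email if that flag is on, otherwise no account) as a plain function and runs it over constructed claim sets. The claim names preferred_username, name and email are the standard OpenID Connect claim names and are an assumption here about what the issuer returns.

```php
<?php
// Added example, not part of the OpenID Connect extension. Mirrors the
// documented precedence of $wgOpenIDConnect_UseRealNameAsUserName and
// $wgOpenIDConnect_UseEmailNameAsUserName when a new account is created.
// Claim names assumed: preferred_username, name, email (standard OIDC claims).

function chooseNewUserName( array $claims, bool $useRealName, bool $useEmailName ): ?string {
    // 1. A preferred username supplied by the issuer always wins.
    if ( !empty( $claims['preferred_username'] ) ) {
        return $claims['preferred_username'];
    }
    // 2. Real name is used only when that flag is on and the claim is present.
    if ( $useRealName && !empty( $claims['name'] ) ) {
        return $claims['name'];
    }
    // 3. The part of the email before '@' is used only when that flag is on.
    if ( $useEmailName && !empty( $claims['email'] ) ) {
        $at = strpos( $claims['email'], '@' );
        if ( $at !== false && $at > 0 ) {
            return substr( $claims['email'], 0, $at );
        }
    }
    // 4. Nothing usable was provided: no username can be derived.
    return null;
}

// Constructed sample claim sets (not real accounts).
$cases = [
    'preferred_username present' => [ 'preferred_username' => 'jdoe', 'name' => 'Jane Doe', 'email' => 'jane@example.org' ],
    'real name and email only'   => [ 'name' => 'Jane Doe', 'email' => 'jane@example.org' ],
    'email only'                 => [ 'email' => 'jane@example.org' ],
    'subject only'               => [ 'sub' => 'constructed-subject-1' ],
];

// Flag values chosen to show the "real name flag off, email flag on" branch.
$useRealName  = false;
$useEmailName = true;

foreach ( $cases as $label => $claims ) {
    $name = chooseNewUserName( $claims, $useRealName, $useEmailName );
    printf( "%-28s => %s\n", $label, $name === null ? '(no account created)' : $name );
}
// With these flags: jdoe, jane, jane, (no account created)
```

Note the interaction with the migration flags: a username derived from a real name or an email local part can coincide with an existing local account, and if $wgOpenIDConnect_MigrateUsersByUserName is also enabled and that account has null subject and issuer, the login is mapped onto it. Enable the email-name fallback only on a wiki where that mapping is intended, and prefer issuers that supply preferred_username.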

A simple example of the $wgOpenIDConnect_Config configuration for a single issuer is as follows:

$wgOpenIDConnect_Config['https://id.mycompany_abc.com/connect/'] = [
    'clientID' => '.....',
    'clientsecret' => '.....'
];

An example of the $wgOpenIDConnect_Config configuration for multiple issuers is as follows:

$wgOpenIDConnect_Config['https://id.mycompany_abc.com/connect/'] = [
    'clientID' => '.....',
    'clientsecret' => '.....',
    'name' => "My Company's Connect Server",
    'icon' => 'http://www.mycompany_abc.com/images/logo.png'
];

$wgOpenIDConnect_Config['https://id.partnercompany_def.com/connect/'] = [
    'clientID' => '.....',
    'clientsecret' => '.....',
    'name' => "Partner Company's Connect Server",
    'icon' => 'http://www.partnercompany_def.com/images/logo.png'
];
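Because the issuer URL, client secret and optional keys are all plain PHP array entries, a typo in a key name or a http:// issuer URL is only noticed at login time. The script below is an added example, not part of the extension, that checks a $wgOpenIDConnect_Config array against the key schema listed in the configuration table above before it is deployed. The embedded config is constructed for illustration, with one well-formed issuer and one that triggers every check; the rule that a string scope is split on whitespace is an assumption, as is the file name check-oidc-config.php.

```php
<?php
// Added pre-deployment check, not the extension's own code. Run with
// `php check-oidc-config.php` (file name assumed); here a constructed
// $wgOpenIDConnect_Config is embedded so the script runs stand-alone.

$wgOpenIDConnect_Config = [
    // Well-formed entry (constructed values).
    'https://id.example.org/connect/' => [
        'clientID'     => 'example-client-id',
        'clientsecret' => 'example-client-secret',
        'name'         => 'Example Connect Server',
        'icon'         => 'https://www.example.org/images/logo.png',
        'scope'        => [ 'openid', 'profile', 'email' ],
        'authparam'    => [ 'prompt' => 'login' ],
    ],
    // Entry with several problems, for illustration.
    'http://id.partner.example/connect/' => [
        'clientID'   => 'partner-client-id',
        'clientSecret' => 'partner-client-secret', // wrong case for the key
        'icon'       => 'http://partner.example/logo.png',
        'scope'      => 'profile email',
        'authparam'  => 'prompt=login',
    ],
];

function checkOidcConfig( array $config ): array {
    $problems = [];
    $known = [ 'clientID', 'clientsecret', 'name', 'icon', 'proxy', 'scope', 'authparam' ];
    foreach ( $config as $issuer => $entry ) {
        if ( !is_array( $entry ) ) {
            $problems[] = "$issuer: entry must be an array";
            continue;
        }
        // Discovery metadata and tokens are fetched from the issuer URL.
        if ( parse_url( $issuer, PHP_URL_SCHEME ) !== 'https' ) {
            $problems[] = "$issuer: issuer URL is not https";
        }
        foreach ( [ 'clientID', 'clientsecret' ] as $required ) {
            if ( empty( $entry[$required] ) || !is_string( $entry[$required] ) ) {
                $problems[] = "$issuer: missing mandatory key '$required'";
            }
        }
        foreach ( array_diff( array_keys( $entry ), $known ) as $unknown ) {
            $problems[] = "$issuer: unknown key '$unknown' (keys are case-sensitive)";
        }
        foreach ( [ 'icon', 'proxy' ] as $urlKey ) {
            if ( isset( $entry[$urlKey] ) && parse_url( $entry[$urlKey], PHP_URL_SCHEME ) !== 'https' ) {
                $problems[] = "$issuer: $urlKey URL is not https";
            }
        }
        if ( isset( $entry['scope'] ) ) {
            // Assumption: a string scope is a whitespace-separated list.
            $scopes = is_array( $entry['scope'] )
                ? $entry['scope']
                : preg_split( '/\s+/', trim( (string)$entry['scope'] ) );
            if ( !in_array( 'openid', $scopes, true ) ) {
                $problems[] = "$issuer: scope does not include 'openid'";
            }
        }
        if ( isset( $entry['authparam'] ) && !is_array( $entry['authparam'] ) ) {
            $problems[] = "$issuer: authparam must be an associative array";
        }
    }
    return $problems;
}

$problems = checkOidcConfig( $wgOpenIDConnect_Config );
if ( $problems === [] ) {
    echo "config OK\n";
} else {
    echo implode( "\n", $problems ), "\n";
    exit( 1 );
}
```

The https checks reflect that the issuer URL is where the client fetches discovery metadata and exchanges codes for tokens, and that the icon is loaded on the issuer-selection page, where a http:// image produces mixed content. The unknown-key check catches the most common configuration mistake, a mis-cased key such as clientSecret, which would otherwise leave the mandatory clientsecret unset.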

Example: Google as an Issuer

  1. Using the Google Developer Console create a project.
  2. Click on the project and click on APIs & auth/Credentials on the sidebar.
  3. Click the Create new Client ID button and select Web application. Fill in the consent screen information and save.
  4. Fill in the root URL (no wild cards or paths) of your wiki in Authorized JavaScript origins.
  5. Fill in the URL of the Special:PluggableAuthLogin page of your wiki in Authorized redirect URIs.
  6. Click Create Client ID.
  7. Note the Client ID and Client Secret that are assigned.

The Google issuer is now configured. Add the corresponding configuration to your LocalSettings.php file, filling in the clientID and clientsecret fields with the values assigned above.

$wgOpenIDConnect_Config['https://accounts.google.com'] = [
    'clientID' => '.....',
    'clientsecret' => '.....',
    'scope' => [ 'openid', 'profile', 'email' ]
];

You may also assign values for name, icon, proxy and authparam.

Using it against Azure ADFS

Three parameters are required to use this extension to authenticate against Azure ADFS: a tenant id, a client id, and a secret.

$wgOpenIDConnect_Config['https://sts.windows.net/ReplaceWithYourTenantID/'] = [
    'clientID' => 'ReplaceWithYourClientID',
    'clientsecret' => 'ReplaceWithYourSecret'
];

Release Notes

Version 4.0
  • Added optional error message to authenticate()
  • Bumped version number to synchronize with PluggableAuth and SimpleSAMLphp extensions
Version 2.3
  • Fixed whitelist implementation
  • Changed migration flags to allow migration by email address in addition to migration by user name
Version 2.2
  • Fixes related to PluggableAuth MediaWiki 1.27 upgrade
  • Array coding conventions
Version 2.1
  • Update to MediaWiki 1.27 session management
  • Added default values for configuration variables to extension.json
Version 2.0
  • Updated extension registration
  • Changed configuration variables to use "wg" prefix
  • Added composer.json to get OpenID Connect library using composer
Version 1.2
  • Added ability to specify auth params and added support for table prefixes
Version 1.1
  • Added support for Google
Version 1.0
  • Initial version

Known Bugs

  • Wikis that use URLs of the form http://example.org/w/index.php?title=Page_title (i.e. having the page title provided as a query parameter) will not be redirected correctly to complete the authentication flow. Instead, URLs must be of the form http://example.org/w/index.php/Page_title, which can be accomplished by using short URLs or by setting $wgArticlePath appropriately.
  • This extension may not work correctly with $wgMainCacheType = CACHE_ACCEL (see T147161).
  • This extension does not work on non-standard ports unless you manually update the underlying OpenID Connect client, see: https://github.com/jumbojett/OpenID-Connect-PHP/issues/58. The issue also applies to webservers other than IIS.

See also