Extension:OpenID Connect

From mediawiki.org
This page is a translated version of the page Extension:OpenID Connect and the translation is 29% complete.
This extension is maintained by members of the MediaWiki Stakeholders' Group.
This extension requires the PluggableAuth extension to be installed first.
MediaWiki extensions manual
OpenID Connect
Release status: stable
Implementation: User identity
Description: Extends the PluggableAuth extension to provide authentication using OpenID Connect
Author: Cindy Cicalese (cindy.cicalese, talk)
Latest version: 5.4 (2021-01-23)
Compatibility policy: master maintains backward compatibility.
MediaWiki: 1.27+
PHP: 5.3+
Database changes: Yes
License: MIT License
Parameters:
  • $wgOpenIDConnect_Config
  • $wgOpenIDConnect_UseRealNameAsUserName
  • $wgOpenIDConnect_UseEmailNameAsUserName
  • $wgOpenIDConnect_MigrateUsers
  • $wgOpenIDConnect_ForceLogout
Translate the OpenID Connect extension if it is available at translatewiki.net

Check usage and version matrix.

Issues: Open tasks · Report a bug

The OpenID Connect extension extends the PluggableAuth extension to provide authentication using OpenID Connect.

Special thanks to jumbojett for the OpenID Connect PHP library used by this extension.


Note: This extension requires PluggableAuth to be installed first. It also requires the cURL PHP extension and the OpenID Connect PHP library, which may be installed using composer.

  • Download and place the file(s) in a directory called OpenIDConnect in your extensions/ folder.
  • Add the following code at the bottom of your LocalSettings.php:
    wfLoadExtension( 'OpenIDConnect' );
  • Run the update script, which will automatically create the database tables that this extension needs.
  • Install dependencies.
  • Configure as required.
  • Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.

Install Dependencies

Add the line "extensions/OpenIDConnect/composer.json" to the "composer.local.json" file in the root directory of your wiki, e.g.

{
	"extra": {
		"merge-plugin": {
			"include": [ "extensions/OpenIDConnect/composer.json" ]
		}
	}
}
Then run composer update in the root directory of your wiki. This will install any dependencies (i.e. the jumbojett OpenID Connect PHP library).


Most configuration for OpenID Connect is handled by a file found at /.well-known/openid-provider on the provider's domain. This contains most of the settings that are needed to handle authentication.

Flag: $wgOpenIDConnect_Config
Default: no default value
Description: A mandatory array of arrays specifying the OpenID Connect issuers and their configuration. The key of the containing array entry is the URL (e.g. https://accounts.google.com/) of the issuer. The URL is used to find the "well-known" file mentioned above. The contained array has the following keys:
  • clientID (mandatory)
  • clientsecret (mandatory)
  • name (optional label text)
  • icon (optional URL)
  • proxy (optional URL)
  • scope (optional string or array of strings to be passed to the issuer)
  • preferred_username (optional preferred username field from issuer to use)
  • verifyHost (optional boolean to enable/disable host verification; default: true)
  • verifyPeer (optional boolean to enable/disable SSL peer verification; default: true)
  • authparam (optional associative array of authentication parameters to be passed to the issuer)
If multiple issuers are provided, a selection special page will be presented to the user upon login. name and icon are used on that page to display the issuers.

Flag: $wgOpenIDConnect_UseRealNameAsUserName
Default: false
Description: If a new user is being created in the database and no preferred username was provided by the issuer, a value of true for this flag indicates that the user's real name, if provided by the issuer, should be used as the new user's username.

Flag: $wgOpenIDConnect_UseEmailNameAsUserName
Default: false
Description: If a new user is being created in the database, and no preferred username was provided by the issuer, and either no real name was provided by the issuer or $wgOpenIDConnect_UseRealNameAsUserName was undefined or set to false, a value of true for this flag indicates that the name portion of the user's email address, if provided by the issuer, should be used as the new user's username.

Flag: $wgOpenIDConnect_MigrateUsersByUserName
Default: false
Description: If a user already exists in the database with the same user name as the authenticated user and has null values for subject and issuer, use this user, setting the subject and issuer in the database to those of the authenticated user. This is useful when the wiki previously used a different authentication mechanism.

Flag: $wgOpenIDConnect_MigrateUsersByEmail
Default: false
Description: If a user already exists in the database with the same email address as the authenticated user and has null values for subject and issuer, use this user, setting the subject and issuer in the database to those of the authenticated user. This is useful when the wiki previously used a different authentication mechanism.

Flag: $wgOpenIDConnect_ForceLogout
Default: false
Description: Upon logout, request authentication passing attribute prompt with a value of login (not fully supported by all OpenID Connect servers yet).

When configuring the identity provider, it will ask for a redirect URL or callback URL. Use the full URL to the Special:PluggableAuthLogin page for that value.

A simple example of the $wgOpenIDConnect_Config configuration for a single issuer is as follows:

$wgOpenIDConnect_Config['https://id.mycompany_abc.com/connect/'] = [
    'clientID' => '.....',
    'clientsecret' => '.....',
    'scope' => [ 'openid', 'profile', 'email' ]
];

An example of the $wgOpenIDConnect_Config configuration for multiple issuers is as follows:

$wgOpenIDConnect_Config['https://id.mycompany_abc.com/connect/'] = [
    'clientID' => '.....',
    'clientsecret' => '.....',
    'name' => "My Company's Connect Server",
    'icon' => 'http://www.mycompany_abc.com/images/logo.png',
    'scope' => [ 'openid', 'profile', 'email' ]
];

$wgOpenIDConnect_Config['https://id.partnercompany_def.com/connect/'] = [
    'clientID' => '.....',
    'clientsecret' => '.....',
    'name' => "Partner Company's Connect Server",
    'icon' => 'http://www.partnercompany_def.com/images/logo.png',
    'scope' => [ 'openid', 'profile', 'email' ]
];

Example: Google as an Issuer

  1. Using the Google Developer Console create a project.
  2. Click on the project, click on the hamburger menu (three horizontal lines in the top left), and click on APIs & Services -> Credentials on the menu.
  3. Click the Create credentials -> OAuth client ID button and select Web application. Fill in the consent screen information and save.
  4. Provide the redirect URI in Authorized redirect URIs:
  5. Click Create Client ID.
  6. Note the Client ID and Client Secret that are assigned.

The Google issuer is now configured. Add the corresponding configuration to your LocalSettings.php file, filling in the clientID and clientsecret fields with the values assigned above.

$wgOpenIDConnect_Config['https://accounts.google.com'] = [
    'clientID' => '.....',
    'clientsecret' => '.....',
    'scope' => [ 'openid', 'profile', 'email' ]
];

You may also assign values for name, icon, proxy and authparam.

Example: Using it against Azure Active Directory

  1. In the Azure portal, go to 'Active Directory' and then 'App Registrations'
  2. Register a new Application
    1. Provide a Name
    2. Likely specify 'Accounts in this org directory only'
    3. Provide redirect URI:
  3. In the new app, go to 'Certificates and secrets' and create a new Client secret
  4. Using the 'Application (client) ID', Directory (tenant) ID, and Secret from the application, populate your LocalSettings.php:
    $wgOpenIDConnect_Config['https://login.microsoftonline.com/[tenantID]/v2.0/'] = [
        'clientID' => '[Application (Client) ID]',
        'clientsecret' => '[Secret from Certs and Secrets]',
        'scope' => [ 'openid', 'email', 'profile' ]
    ];
    $wgOpenIDConnect_UseRealNameAsUserName = true;
Important Notes
  • Using the Client secret will result in the expiration of the key
  • The .well-known/openid-configuration location was derived from the 'OpenID Connect metadata document' endpoint in the app Endpoints.

Example: Using it against Keycloak


  • Your Keycloak realm name is acme
  • Your Keycloak URL and Port is https://keycloak.local:8080
  • Your Keycloak Client ID is set to mediawiki
  • Your auto-generated client secret is 12345
$wgOpenIDConnect_Config['https://keycloak.local:8080/auth/realms/acme/'] = [
    'clientID' => 'mediawiki',
    'clientsecret' => '12345',
    'scope' => [ 'openid', 'profile', 'email' ]
];


  • If you're running into trouble, like "The provider {$param} could not be fetched. Make sure your provider has a well known configuration available.", your URI is wrong. You can test its correctness by calling https://keycloak.local:8080/auth/realms/acme/.well-known/openid-configuration in your browser. If you get back a long JSON document, the path is correct.
  • Make sure the redirect URI provided by this OIDC plugin is set as valid on your Keycloak server under acme -> Clients -> mediawiki -> Settings -> Valid Redirect URIs. For testing purposes you can add a wildcard "*".
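The troubleshooting step above (fetch the issuer's .well-known/openid-configuration and see whether a JSON document comes back) can be turned into a check that runs before the extension is pointed at an issuer. This is an added example, not the extension's or the PHP library's code: it builds the discovery URL from a $wgOpenIDConnect_Config key and inspects the returned document for the members an OpenID Provider must publish; a constructed Keycloak-style document stands in for a real fetch, and the trailing-slash tolerance in the issuer comparison is this example's own assumption.

```python
import json
from urllib.parse import urlsplit
# Members every OpenID Provider discovery document must carry
# (OpenID Connect Discovery 1.0, section 3).
REQUIRED = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

def well_known_url(issuer: str) -> str:
    """Discovery URL for a $wgOpenIDConnect_Config key, with or without a trailing slash."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(issuer: str, body: str) -> list:
    """Return the problems found in a fetched document; an empty list means it looks usable."""
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        return ["response is not a JSON object (wrong path, or an HTML error page?)"]
    problems = [f"missing required member: {k}" for k in REQUIRED if k not in doc]
    # The document's issuer must be the configured one: ID tokens carry it in 'iss'
    # and are rejected when it differs. Ignoring the trailing slash is this example's assumption.
    if "issuer" in doc and str(doc["issuer"]).rstrip("/") != issuer.rstrip("/"):
        problems.append(f"issuer mismatch: configured {issuer!r}, document says {doc['issuer']!r}")
    for k in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if k in doc and urlsplit(str(doc[k])).scheme != "https":
            problems.append(f"{k} is not served over https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise the authorization code flow ('code')")
    return problems

# Constructed sample of what a Keycloak realm named 'acme' publishes (paths as Keycloak uses them).
BASE = "https://keycloak.local:8080/auth/realms/acme"
SAMPLE_DOC = json.dumps({
    "issuer": BASE,
    "authorization_endpoint": BASE + "/protocol/openid-connect/auth",
    "token_endpoint": BASE + "/protocol/openid-connect/token",
    "jwks_uri": BASE + "/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

if __name__ == "__main__":
    issuer = "https://keycloak.local:8080/auth/realms/acme/"  # the $wgOpenIDConnect_Config key
    print(well_known_url(issuer), check_discovery(issuer, SAMPLE_DOC) or "looks usable")
```

To run it against a live provider, replace SAMPLE_DOC with the body returned by an HTTPS GET of well_known_url(issuer).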

Example: Using it with Okta

Note: As of the date this example was written, a bug exists in the OpenID Connect PHP library which causes stricter OIDC providers like Okta to reject certain requests. This should be resolved in the future when the library is updated to incorporate the change. The solution is to add a single line of code to $MEDIAWIKI_ROOT/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php: directly below the line

    unset($token_params['client_secret']);

simply add

    unset($token_params['client_id']); # see https://github.com/jumbojett/OpenID-Connect-PHP/pull/208/commits/dd44c1ca7e45d35dcd8f32ea503b545149bc6562

To authenticate your users against Okta, you must first create a new OIDC app in your Okta org and assign it to the relevant users/groups, etc.

Okta OIDC app settings

Allowed grant types: (all)
Login redirect URIs: the full URL to Special:PluggableAuthLogin, e.g. https://www.example.com/wiki/index.php/Special:PluggableAuthLogin
Login flow: "Redirect to app to initiate login (OIDC compliant)"
Initiate login URI: the full URL to Special:UserLogin, e.g. https://www.example.com/wiki/index.php/Special:UserLogin

Extension settings

You must specify the openid, profile, and email scopes to communicate with Okta. If you omit the appropriate scopes, Okta will gladly authenticate your users but will not return any useful claims.

$wgOpenIDConnect_Config['https://your-okta-org.okta.com'] = [
    'clientID' => '(paste the client ID Okta assigned your new app here)',
    'clientsecret' => '(paste the client secret Okta assigned your new app here)',
    'scope' => [ 'openid', 'profile', 'email' ]
];

Auto-creating users

If you want to take advantage of MediaWiki's user auto-creation (e.g. $wgGroupPermissions['*']['autocreateaccount'] = true;), be aware that Okta's preferred_username claims take the format of an email address.

If you do not want your users to have an @ character in their usernames (this is forbidden by MediaWiki by default), you will need to specify an alternative claim to use via the 'preferred_username' key in your $wgOpenIDConnect_Config.

Allowing @ in usernames may break your wiki's Interwiki compatibility (if you rely on that). To allow the use of the @ character, just set $wgInvalidUsernameCharacters = ' '; and $wgUserrightsInterwikiDelimiter = '#'; in LocalSettings.php.
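The order of precedence given in the flag descriptions above (preferred username claim, then real name, then the name portion of the email) and the Okta '@' problem just described, worked through as an added example. It is a reimplementation of the documented rules, not the extension's own code, and the claim set is constructed to look like what Okta returns.

```python
# MediaWiki's default: $wgInvalidUsernameCharacters = '@'
INVALID_USERNAME_CHARS = "@"

def derive_username(claims, use_real_name=False, use_email_name=False,
                    preferred_username_claim="preferred_username"):
    """Username for a *new* account, in the documented order of precedence:
    1. the issuer's preferred username claim (the per-issuer 'preferred_username'
       config key selects which claim that is),
    2. the real name, only if $wgOpenIDConnect_UseRealNameAsUserName is true,
    3. the local part of the email, only if $wgOpenIDConnect_UseEmailNameAsUserName is true.
    Returns (username, source), or (None, reason) when no claim is usable."""
    preferred = claims.get(preferred_username_claim)
    if preferred:
        return preferred, preferred_username_claim
    if use_real_name and claims.get("name"):
        return claims["name"], "name"
    if use_email_name and claims.get("email"):
        return claims["email"].split("@", 1)[0], "email local part"
    return None, "no usable claim"

def invalid_chars(username, forbidden=INVALID_USERNAME_CHARS):
    """Characters in username that MediaWiki rejects; an empty list means the name is acceptable."""
    return sorted({c for c in username if c in forbidden})

# Constructed claims in the shape Okta returns: preferred_username is an email address.
OKTA_CLAIMS = {
    "sub": "00uexample",
    "name": "Alice Liddell",
    "nickname": "alice",
    "preferred_username": "alice@example.com",
    "email": "alice@example.com",
}

if __name__ == "__main__":
    for label, kwargs, forbidden in (
        ("default config", {}, INVALID_USERNAME_CHARS),
        ("'preferred_username' => 'nickname'", {"preferred_username_claim": "nickname"}, INVALID_USERNAME_CHARS),
        ("$wgInvalidUsernameCharacters = ' '", {}, " "),
    ):
        name, source = derive_username(OKTA_CLAIMS, **kwargs)
        print(f"{label}: {name!r} from {source}, rejected chars: {invalid_chars(name, forbidden)}")
```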

Example: Using it with Gitlab

Gitlab configuration:

  • Login to Gitlab Admin Area
  • Go to Applications -> New Application
    • Name: MediaWiki
    • Redirect URI: <<wiki server>>/wiki/Special:PluggableAuthLogin
    • Trusted: yes
    • Confidential: yes
    • Scopes: openid, profile, email
  • Submit
  • Copy Application ID and Secret to LocalSettings.php

MediaWiki Configuration

Open LocalSettings.php

# Extension:OpenID Connect
wfLoadExtension( 'PluggableAuth' );
# set to false to deactivate local logins
$wgPluggableAuth_EnableLocalLogin = true; #= false;

wfLoadExtension( 'OpenIDConnect' );
$wgOpenIDConnect_Config['...'] = [ # Add your gitlab server here (main page)
    'clientID' => '...',     # Insert Gitlab Application ID here!
    'clientsecret' => '...', # Insert Gitlab Secret here!
    # Alternative 'nickname'
    # Alternative 'name'
    'preferred_username' => 'nickname'
];
$wgPluggableAuth_ButtonLabelMessage = 'Login with your Gitlab Account';

You can find more information in Gitlab's docs at OpenID Connect Provider.


Version 5.4
  • Updated jumbojett/openid-connect-php to version 0.9.1
  • Fixed bug while trying to authenticate with Okta where extra parameters are sent in the request making the request fail
Version 5.3
  • Fixed bug with migrated initial lowercase usernames (T249630)
Version 5.2
  • Added optional configuration options for disabling the verification of hostnames and certificates, for use in development environments with self-issued certificates
Version 5.1
  • Added generation of full redirect URL so OpenID Connect PHP library doesn't have to guess, which occasionally it didn't have enough information to do accurately
Version 5.0
  • Moved subject and issuer columns from user table to openid_connect table (requires database update)
  • Added support for Postgres
Version 4.1
  • Added namespace for library class
Version 4.0
  • Added optional error message to authenticate()
  • Bumped version number to synchronize with PluggableAuth and SimpleSAMLphp extensions
Version 2.3
  • Fixed whitelist implementation
  • Changed migration flags to allow migration by email address in addition to migration by user name
Version 2.2
  • Fixes related to PluggableAuth MediaWiki 1.27 upgrade
  • Array coding conventions
Version 2.1
  • Update to MediaWiki 1.27 session management
  • Added default values for configuration variables to extension.json
Version 2.0
  • Updated extension registration
  • Changed configuration variables to use "wg" prefix
  • Added composer.json to get OpenID Connect library using composer
Version 1.2
  • Added ability to specify auth params and added support for table prefixes
Version 1.1
  • Added support for Google
Version 1.0
  • Initial version


  • Wikis that use URLs of the form http://example.org/w/index.php?title=Page_title (i.e. having the page title provided as a query parameter) will not be redirected correctly to complete the authentication flow. Instead, URLs must be of the form http://example.org/w/index.php/Page_title, which can be accomplished by using short URLs or by setting $wgArticlePath appropriately.
  • This extension may not work correctly with $wgMainCacheType = CACHE_ACCEL (see T147161).
  • This extension does not work on non-standard ports unless you manually update the underlying OpenID Connect client, see: https://github.com/jumbojett/OpenID-Connect-PHP/issues/58. The issue also applies to web servers other than IIS.

See also