Extension:Ticket Authentication

From MediaWiki.org
MediaWiki extensions manual
Ticket Authentication
Release status: stable
Implementation User identity, MyWiki
Description Allows to create accounts and authenticate users using ticket-based authentication
Author(s) Iaroslav Vassiliev (CodeMonktalk)
Latest version 1.13 (2016-12-13)
MediaWiki MediaWiki 1.13 or higher
Database changes No
License GNU General Public License 2.0
Download
Parameters
  • $wgTktAuth_SecretKey
  • $wgTktAuth_TicketExpiryMinutes
  • $wgTktAuth_AllowPasswordChange
Hooks used
UserLoadFromSession

The Ticket Authentication extension creates accounts and authenticates users using ticket-based authentication. Ticket-based authentication is the simplest and most efficient type of authentication; it is used in many single sign-on (SSO) solutions and can easily be implemented and adjusted to meet custom demands. A ticket, in this case, is a special web link that is generated by a trusted external site and then validated by this MediaWiki extension. All necessary user information, including login name, real name, e-mail address and possibly a password hash, is embedded into this ticket-link and digitally signed so that the extension can verify that the ticket was issued by the trusted source and was not modified.

Look at the sample ticket-link:

http://mywiki.com/w/index.php/Main_Page
?user=Simon
&password=7198cda575b51b68a0dc83f5d66c2aee
&name=Simon+Sayler
&email=simon%40example.org
&time=1389005243
&sign=4522098027f3af0e4e19340c84224ed6 

In the example above you can see a ticket-link that was generated, say, by some external script http://sso.myportal.com/directory.php. The link points to the Main page of the mywiki.com MediaWiki installation. The link contains several parameters: user (the user's login name), password (the MD5 hash of the user's password), name (the user's real name), email, time (the Unix timestamp at which the ticket-link was generated) and sign (the MD5 digital signature used for verification). When a user clicks on this ticket-link, they arrive at the MediaWiki site, where the link is handled by this extension. The extension checks the digital signature and, if it is valid, authenticates the user with the given login. If the user has no account, a new account is automatically created and all provided user information (password, e-mail, etc.) is stored in MediaWiki's database.

Installation & Configuration[edit]

Download the extension. Unzip and save the files into TicketAuth subdirectory of your wiki's extensions directory.

All configuration settings must be specified in global variables in MediaWiki's LocalSettings.php file. Below you can see the settings and their description:

Secret key, an arbitrary string. This key is used both by the ticket generation script to digitally sign the ticket and by this extension to verify the ticket's validity.
Note: Don't use the key provided here. Make your own arbitrary key.

$wgTktAuth_SecretKey = 'f36cb77394acdf45cbf725eddd53059e';

Ticket expiration time (in minutes).

$wgTktAuth_TicketExpiryMinutes = 10;

Allow the user to change the password (true/false). If no password hash was provided in the ticket, the user cannot log into MediaWiki directly from the login page unless this option is set to true and the user resets the password manually.

$wgTktAuth_AllowPasswordChange = false;

Path to the extension's entry file, relative to the MediaWiki installation.

require_once "$IP/extensions/TicketAuth/TicketAuth.php";

Important security notice[edit]

Although you can provide a password hash in the ticket-link to improve the integrity of your SSO solution (the password will be saved in MediaWiki's database so that the user can later log into MediaWiki directly), this is generally considered bad practice because it poses a security threat. The ticket-link can easily be seen in the browser by an unauthorized person if the authorized person has forgotten to close the browser. Moreover, the ticket-link is recorded in the browser's history and in the web server's log. That doesn't mean that a person seeing the password hash could guess the password: a hash is not a password, and it is virtually impossible to calculate a password from its hash value, but the hashes of weak passwords (like 'qwerty', '112233', 'lion', 'Bob', etc.) are known and publicly available.

Also, please note that transferring password hashes from an external source requires the $wgPasswordSalt global setting to be set to false.
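Because the ticket-link ends up in the web server's access log, a defender wants two things from that log: a way to find ticket requests that still carry a password hash (so the issuing script can be changed to omit it), and a way to blank the hash before the log is retained or shipped elsewhere. The following Python script is an added example, not part of the extension; the log lines are constructed in Apache combined format with documentation-range addresses, and the first line reuses the sample ticket from this page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (Apache "combined" format). Not from any real
# server; the first request reuses the page's sample ticket values.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Jan/2014:11:27:23 +0000] "GET /w/index.php/Main_Page?user=Simon&password=7198cda575b51b68a0dc83f5d66c2aee&name=Simon+Sayler&email=simon%40example.org&time=1389005243&sign=4522098027f3af0e4e19340c84224ed6 HTTP/1.1" 200 5123 "http://sso.myportal.com/directory.php" "Mozilla/5.0"
203.0.113.7 - - [06/Jan/2014:11:27:25 +0000] "GET /w/index.php/Main_Page?user=Anna&name=Anna+Lee&time=1389005245&sign=00112233445566778899aabbccddeeff HTTP/1.1" 200 5123 "http://sso.myportal.com/directory.php" "Mozilla/5.0"
198.51.100.9 - - [06/Jan/2014:11:28:00 +0000] "GET /w/index.php?title=Special:RecentChanges HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Request target inside the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Value of a password= query parameter, up to the next '&' or end of URL.
PASSWORD_PARAM_RE = re.compile(r'([?&]password=)[^&\s"]*')


def ticket_from_line(line):
    """Describe the ticket request in one access-log line, or return None
    when the request is not a ticket-link (no user/time/sign trio)."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group(1)).query)
    if not {"user", "time", "sign"} <= set(query):
        return None
    return {
        "client": line.split(" ", 1)[0],
        "user": query["user"][0],
        "carries_password_hash": "password" in query,
    }


def audit_log(text):
    """Detection: list every ticket request, flagging those that embedded a
    password hash so the issuing script can be corrected."""
    findings = []
    for line in text.splitlines():
        ticket = ticket_from_line(line)
        if ticket is not None:
            findings.append(ticket)
    return findings


def redact_line(line):
    """Mitigation: blank the password hash before the line is retained or
    forwarded. The other parameters stay so the entry can still be
    correlated with the issuing site."""
    return PASSWORD_PARAM_RE.sub(r"\1[REDACTED]", line)


def redact_log(text):
    return "\n".join(redact_line(line) for line in text.splitlines())


if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
    print(redact_log(SAMPLE_LOG))
```

Run the audit over the retained log, and put the redaction in front of whatever ships the log off the host; together they tell you which issuers still embed hashes and stop the hash from being stored in the meantime.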

Example ticket generation PHP script[edit]

The following script is used to generate tickets.

<?php
// Target page the ticket-link points to, and the shared secret. The secret
// must equal $wgTktAuth_SecretKey in MediaWiki's LocalSettings.php.
$target = 'http://mywiki.com/w/index.php/Main_Page';
$secretCode = 'f36cb77394acdf45cbf725eddd53059e';

// User data to embed in the ticket; password, name and email are optional.
$user = 'Simon';
$password = md5( 'town' );
$name = 'Simon Sayler';
$email = 'simon@example.org';
$time = time();

// Signature: MD5 over the raw (not URL-encoded) values in this fixed order,
// followed by the secret. Omitted optional fields contribute nothing.
$sign = md5(
	$user .
	( isset($password) ? $password : '' ) .
	( isset($name) ? $name : '' ) .
	( isset($email) ? $email : '' ) .
	$time .
	$secretCode
);

// Assemble the link. Only the text fields are URL-encoded; the hashes are
// already plain hex.
$link = $target .
	'?user=' . urlencode( $user ) .
	( isset($password) ? '&password=' . $password : '' ) .
	( isset($name) ? '&name=' . urlencode( $name ) : '' ) .
	( isset($email) ? '&email=' . urlencode( $email ) : '' ) .
	'&time=' . $time .
	'&sign=' . $sign;

echo $link;

The complete script is available at SourceForge.
Note: Don't forget that the $secretCode variable in this script must have the same value as the $wgTktAuth_SecretKey global variable in the MediaWiki configuration.
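The generation script above shows the issuer's half of the exchange; the description of the ticket-link earlier on this page gives the wiki's half (check the signature, then log the user in). The following Python script is an added example that models both halves so the two can be tested against each other; it is not the extension's code. The signing rule (MD5 over user + password + name + email + time + secret, no delimiter, values signed before URL-encoding) is taken from the page's PHP and C# scripts, the expiry window from $wgTktAuth_TicketExpiryMinutes; the secret and timestamp are constructed, and rejecting tickets stamped in the future is this example's own choice.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed shared secret standing in for $wgTktAuth_SecretKey; the issuing
# site and the wiki must hold the same value.
SECRET_KEY = "f36cb77394acdf45cbf725eddd53059e"
# Mirrors $wgTktAuth_TicketExpiryMinutes.
TICKET_EXPIRY_MINUTES = 10

# Signed fields, in the order the page's generation scripts concatenate them.
SIGNED_FIELDS = ("user", "password", "name", "email")


def sign_fields(fields, issued_at, secret):
    """MD5 over user + password + name + email + time + secret with no
    delimiter, as in the PHP and C# scripts. Absent optional fields
    contribute the empty string."""
    material = "".join(fields.get(k, "") for k in SIGNED_FIELDS)
    material += str(issued_at) + secret
    return hashlib.md5(material.encode("utf-8")).hexdigest()


def make_ticket(target, user, issued_at, password_hash=None, name=None,
                email=None, secret=SECRET_KEY):
    """Issuer side: build the ticket-link. Values are signed raw and only
    URL-encoded when placed in the query string."""
    fields = {"user": user}
    if password_hash:
        fields["password"] = password_hash
    if name:
        fields["name"] = name
    if email:
        fields["email"] = email
    params = list(fields.items())
    params.append(("time", str(issued_at)))
    params.append(("sign", sign_fields(fields, issued_at, secret)))
    return target + "?" + urlencode(params)


def verify_ticket(url, now, secret=SECRET_KEY,
                  expiry_minutes=TICKET_EXPIRY_MINUTES):
    """Wiki side: return (accepted, reason, fields). `now` is the current
    Unix time, passed in so the check is deterministic and testable."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    fields = {k: v[0] for k, v in query.items()
              if k in SIGNED_FIELDS + ("time", "sign")}
    for required in ("user", "time", "sign"):
        if required not in fields:
            return False, "missing parameter: " + required, fields
    try:
        issued_at = int(fields["time"])
    except ValueError:
        return False, "malformed time", fields
    # Expiry window. Refusing future timestamps (example's choice) stops a
    # forged time value from extending the window.
    age = now - issued_at
    if age < 0 or age > expiry_minutes * 60:
        return False, "ticket expired", fields
    # Recompute from the decoded values and compare in constant time so a
    # mismatch does not reveal which byte differed.
    expected = sign_fields(fields, issued_at, secret).encode("ascii")
    presented = fields["sign"].lower().encode("ascii", "replace")
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature", fields
    return True, "ok", fields


if __name__ == "__main__":
    issued = 1389005243  # constructed; same value as the page's sample link
    link = make_ticket("http://mywiki.com/w/index.php/Main_Page", "Simon",
                       issued, password_hash="7198cda575b51b68a0dc83f5d66c2aee",
                       name="Simon Sayler", email="simon@example.org")
    print(link)
    print(verify_ticket(link, now=issued + 60)[:2])            # accepted
    print(verify_ticket(link.replace("Sayler", "Saylor"),
                        now=issued + 60)[:2])                    # tampered name
    print(verify_ticket(link, now=issued + 3600)[:2])          # past the window
```

Because the link is signed before URL-encoding, the verifier has to decode the query values before rebuilding the signed string; a verifier that concatenated the raw query string would reject every ticket whose name contains a space or whose e-mail contains an '@'.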

Example ticket generation C# script[edit]

The following script is used to generate tickets using C# and .NET Framework.

// ASP.NET page code. The target page and the shared secret; the secret must
// equal $wgTktAuth_SecretKey in MediaWiki's LocalSettings.php.
string destination = "http://mywiki.com/w/index.php/Main_Page";
string secretKey = "1107d07c946d29d64a132e38daef0cca";
string user = "Simon";
string passwordHash = "7198cda575b51b68a0dc83f5d66c2aee";
string name = "Simon Sayler";
string email = "simon@example.org";

// Issue time as Unix seconds, the same value PHP's time() returns.
int time = (int)(DateTime.UtcNow - new DateTime(1970, 1, 1)).TotalSeconds;

// Assemble the link; text fields are URL-encoded, the hash is already hex.
System.Text.StringBuilder link = new System.Text.StringBuilder();
link.Append(destination);
link.Append("?user=");
link.Append(System.Web.HttpUtility.UrlEncode(user));
link.Append("&password=");
link.Append(passwordHash);
link.Append("&name=");
link.Append(System.Web.HttpUtility.UrlEncode(name));
link.Append("&email=");
link.Append(System.Web.HttpUtility.UrlEncode(email));
link.Append("&time=");
link.Append(time.ToString());

// Signature: MD5 over the raw values in the fixed order, then the secret,
// appended as lowercase hex.
link.Append("&sign=");
string sign = user + passwordHash + name + email + time.ToString() + secretKey;
using (System.Security.Cryptography.MD5 md5 = System.Security.Cryptography.MD5.Create()) {
	byte[] signHash = md5.ComputeHash(System.Text.Encoding.UTF8.GetBytes(sign));
	for (int i = 0; i < 16; i++) {
		link.Append(signHash[i].ToString("x2"));
	}
}

Response.Write(link.ToString());

Note: Don't forget that the secretKey variable in this script must have the same value as the $wgTktAuth_SecretKey global variable in the MediaWiki configuration.

Feedback[edit]

If you would like to report a bug or request a feature, you can do it on the discussion page or on SourceForge. By the way, if you need advanced bot functionality for your wiki project, take a look at the free DotNetWikiBot Framework, which I maintain.

See also[edit]