Extension:WSOAuth

**MediaWiki extensions manual**
WSOAuth; Release status: stable
Implementation	User identity, User rights
Description	Extends the PluggableAuth extension to provide authentication using an OAuth provider
Author(s)	Xxmarijnw (Wikibase Solutions) and others
Latest version	6.0.2 (2022-05-02)
Compatibility policy	Snapshots releases along with MediaWiki. Master is not backward compatible.
MediaWiki	1.35+
PHP	7.3+
Database changes	Yes
License	MIT License
Download	Download extension ; Git [?]: Download Git master; browse repository (GitHub); commit history; repository contributors (GitHub); code review;
	Parameters $wgOAuthCustomAuthProviders; $wgOAuthAutoPopulateGroups; $wgOAuthMigrateUsersByUsername; $wgOAuthDisallowRemoteOnlyAccounts;
	Hooks used LoadExtensionSchemaUpdates; PluggableAuthPopulateGroups; GetPreferences;
	Hooks provided WSOAuthAfterGetUser; WSOAuthBeforeLogout; WSOAuthBeforeAutoPopulateGroups; WSOAuthGetAuthProviders;
	Translate the WSOAuth extension
	Check usage and version matrix.
Vagrant role	wsoauth
Issues	Open tasks · Report a bug

Translate this page

Other languages:

This extension requires the PluggableAuth extension to be installed first.

The WSOAuth extension (Wikibase Solutions OAuth) provide authentication using an OAuth provider. It provides a layer on top of the PluggableAuth extension to enable authentication via OAuth. The following OAuth providers are currently available as default:

MediaWiki OAuth (MediaWiki instance running OAuth)
Facebook

WSOAuth makes it easier to add new OAuth providers. You can read more about how to add a new OAuth provider to the extension on WSOAuth for Developers.

Configuration[edit]

Values must be provided for the following mandatory configuration variables:

Flag Default Description

$wgPluggableAuth_Config (see Extension:PluggableAuth#Configuration)

[]

A mandatory array of arrays specifying the OAuth providers and their configuration. The data field of the array should be an array with the following keys:

`type`	The OAuth provider the extension will use (e.g. `mediawiki` or `facebook`)	Required
`uri`	The OAuth application authentication URL.	optional for some providers
`clientId`	The consumer key received from the OAuth application.	Required
`clientSecret`	The consumer secret received from the OAuth application.	Required
`redirectUri`	The default callback URL to which the OAuth application returns after a successful authentication request.	required for some providers

In addition, the following optional configuration variables are provided:

Flag	Default	Description
`$wgOAuthCustomAuthProviders`	`false`	An array containing a list of custom OAuth providers together with their class name (see WSOAuth for Developers for more information).
`$wgOAuthAutoPopulateGroups`	`[]`	An array containing a list of MediaWiki group names that must be automatically assigned to the user after they are authenticated.
`$wgOAuthMigrateUsersByUsername`	`false`	Whether or not to allow usurpation of existing accounts. If a user is already registered on your wiki before installing WSOAuth with the same username as a user that is logging in via OAuth, this setting will determine whether that existing account will be given to the user signing in (true), or whether the user singing in through OAuth will be prevented from doing so because the user already exists (false). Once an account has been migrated, the user associated with that account will always be able to sign in through OAuth, even after this setting is changed to false. It is safer to leave this value as `false` and let the user connect their remote account manually through Special:Preferences.
`$wgOAuthDisallowRemoteOnlyAccounts`	`false`	Whether or not to allow accounts to not have a local counterpart.

An example of the $wgPluggableAuth_Config for a single providers is as follows:

$wgPluggableAuth_Config['nlwiki'] = [
    'plugin' => 'WSOAuth',
    'data' => [
        'type' => 'mediawiki',
        'uri' => 'https://nl.wikipedia.org/wiki/Special:OAuth',
        'clientId' => '...',
        'clientSecret' => '...'
    ],
    'buttonLabelMessage' => 'dutch-wikipedia-login-button-label'
];

The key of the configuration (in the example above nlwiki) is used to identify the OAuth provider internally and MUST NOT change.

An example of the $wgPluggableAuth_Config for multiple providers is as follows:

$wgPluggableAuth_Config['nlwiki'] = [
    'plugin' => 'WSOAuth',
    'data' => [
        'type' => 'mediawiki',
        'uri' => 'https://nl.wikipedia.org/wiki/Special:OAuth',
        'clientId' => '...',
        'clientSecret' => '...'
    ],
    'buttonLabelMessage' => 'dutch-wikipedia-login-button-label'
];

$wgPluggableAuth_Config['facebook'] = [
    'plugin' => 'WSOAuth',
    'data' => [
        'type' => 'facebook',
        'clientId' => '...',
        'clientSecret' => '...',
        'redirectUri' => '...'
    ],
    'buttonLabelMessage' => 'facebook-login-button-label'
];

OAuth providers[edit]

If you want to add a new OAuth provider, see WSOAuth for Developers.

Currently, the following OAuth providers are supported:

MediaWiki OAuth (MediaWiki instance running OAuth)
Facebook

MediaWiki OAuth[edit]

Follow the steps below to enable authentication and authorization via MediaWiki OAuth.

Register a new OAuth application on the wiki you are delegating access to. Do not use an RSA key pair for authentication and let MediaWiki generate the secret for you. Use https://<local wiki url>/wiki/index.php?title=Special:PluggableAuthLogin as OAuth "callback" URL. Select User identity verification only, no ability to read pages or act on a user's behalf. under Types of grants being requested.
Write down the key and secret you received from MediaWiki.
Set the following in your LocalSettings.php:

$wgPluggableAuth_Config['mywikiauth'] = [
    'plugin' => 'WSOAuth',
    'data' => [
        'type' => 'mediawiki',
        'uri' => 'https://<central wiki>/w/index.php?title=Special:OAuth',
        'clientId' => '<The client ID (key) you received from MediaWiki when you registered your app>',
        'clientSecret' => '<The secret you received from MediaWiki when you registered your app>'
    ]
];

The key of the configuration (in the example above mywikiauth) is used to identify the OAuth provider internally and MUST NOT change.

To exclusively use MediaWiki as your sign-on system and to automatically log in when visiting the wiki, also set the following in LocalSettings.php:

$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = false;

For OAuth applications that utilize a "callback" prefix, a redirect URI must be set through the redirectUri key. This redirect URI must have the prefix specified.

Facebook[edit]

Follow the steps below to enable authentication and authorization via Facebook.

Create a new app on Facebook for Developers.
Under Add a Product, select Facebook Login.
In the menu on the left, select Settings under Facebook Login.
Add the domain of your wiki to the list of Valid OAuth Redirect URIs and hit save.
In the menu on the left, click Settings, then Basic and write down the App ID and App Secret.
Set the following in your LocalSettings.php:

$wgPluggableAuth_Config['myfacebookauth'] = [
    'plugin' => 'WSOAuth',
    'data' => [
        'type' => 'facebook',
        'clientId' => '<The App ID>',
        'clientSecret' => '<The App Secret>',
        'redirectUri' => 'https://<wiki domain>/index.php/Special:PluggableAuthLogin'
    ]
];

The key of the configuration (in the example above myfacebookauth) is used to identify the OAuth provider internally and MUST NOT change.

To exclusively use Facebook as your sign-on system and to automatically log in when visiting the wiki, also set the following in LocalSettings.php:

$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = false;

Upgrading from before 6.0[edit]

The database schema had to be changed in order to support multiple authentication providers after version 6.0. If you are running a MediaWiki instance with a version of WSOAuth older than 6.0, you must migrate your existing external users to the new database schema if you want to upgrade.

You can use the maintenance script multiAuthMigrade.php located in the extension's maintenance folder to migrate:

$ php extensions/WSOAuth/maintenance/multiAuthMigrate.php --provider=mywikiauth

The provider option in the example above determines which provider to migrate existing users to.

System messages[edit]

Here some useful system messages, related to this extension, that can be personalized:

Message title	Default message	Position	Tip
wsoauth-user-already-exists-message	The username "{{{1}}}" is already taken.	Text displayed is the login screen error message when an user tries to login with OAuth, but there is a user in that wiki who has the same username.	It may happen that a user first registers on the wiki via the regular user registration and then tries to login through OAuth, encountering this error message. If this may happen in your wiki, you can personalize this message to invite users to authorize remote logins from their preferences. Here a screenshot: The page Special:Preferences with WSOAuth installed showing the "Connect a remote account" button

Note: to change a system message, edit the MediaWiki:Message title page on your wiki.

Installation[edit]

This extension requires the PluggableAuth extension.

If using Vagrant , install with vagrant roles enable wsoauth --provision

Manual installation

Download and place the file(s) in a directory called WSOAuth in your extensions/ folder.
Only when installing from Git, run Composer to install PHP dependencies, by issuing composer install --no-dev in the extension directory. (See task T173141 for potential complications.)

Add the following code at the bottom of your LocalSettings.php:

$wgGroupPermissions['*']['autocreateaccount'] = true;

wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'WSOAuth' );

Run the update script which will automatically create the necessary database tables that this extension needs.
Configure as required.
Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.

Gallery[edit]

Login page with local and remote authentication enabled.
User preferences showing the "connect a remote account" button.
Discussion: phab:T283908.

WSOAuth Release status: stable
Implementation	User identity , User rights
Description	Extends the PluggableAuth extension to provide authentication using an OAuth provider
Author(s)	Xxmarijnw (Wikibase Solutions) and others
Latest version	6.0.2 (2022-05-02)
Compatibility policy	Snapshots releases along with MediaWiki. Master is not backward compatible.
MediaWiki	1.35+
PHP	7.3+
Database changes	Yes
License	MIT License
Download	Download extension Git ^[?]: Download Git master browse repository (GitHub) commit history repository contributors (GitHub) code review
Parameters $wgOAuthCustomAuthProviders $wgOAuthAutoPopulateGroups $wgOAuthMigrateUsersByUsername $wgOAuthDisallowRemoteOnlyAccounts
Hooks used LoadExtensionSchemaUpdates PluggableAuthPopulateGroups GetPreferences
Hooks provided WSOAuthAfterGetUser WSOAuthBeforeLogout WSOAuthBeforeAutoPopulateGroups WSOAuthGetAuthProviders
Translate the WSOAuth extension
Check usage and version matrix.
Vagrant role	wsoauth
Issues	Open tasks · Report a bug