Topic on Extension talk:OpenID


OpenID with Google Apps

Summary by Wikinaut

I think what you all want is what we call "forced provider". See https://gerrit.wikimedia.org/r/#/c/55287/

You can already try it:

 git fetch https://wikinaut@gerrit.wikimedia.org/r/mediawiki/extensions/OpenID refs/changes/87/55287/54
 git checkout FETCH_HEAD

This should tell you "OpenID version 3.40" in Special:Version. See README and OpenID.php for documentation; the manual page will be updated when this code is actually merged.

--Wikinaut (talk) 10:57, 8 August 2013 (UTC)

Okthen~mediawikiwiki (talkcontribs)

We are hoping to set up a private cloud wiki and would like to make sure that it is locked down to users within our organization. We have a domain with Google Apps and this would be ideal to use for authenticating our users into the wiki. I am using a fresh install without any content though it is a canned bitnami hosted installation rather than rolling my own from the ground up.

I have been able to configure the OpenID extension and I can log in with my own Google credentials. I am not clear on whether I have locked it down to just our own organization or from Google if it would still authenticate any OpenID from any provider. I would like the user names to be the user part before the @ of the email address.


I have tried to search for specific instructions on configuring the OpenID extension to only use Google Apps, but without success. If anybody can point me to a step-by-step guide, I will attempt that before taking up anyone's time on here. To reiterate, I want to only allow access to people in my domain authenticating with Google. (In future I may wish to grant access to users outside our Google Apps domain but have them sign up with a regular login and then manually grant them access.)

Meanwhile here are some details about our installation pasted from the Version page



 MediaWiki 1.19.1
 PHP 5.3.13 (apache2handler)
 MySQL 5.5.21-log
 OpenID(Version 1.004 20120427)
 


My LocalSettings.php looks like this (Updated since first posted, I have re-read the README and figured out how to only use Google as the provider)


 #// *** OpenID Configuration ***
 require_once( "$IP/extensions/OpenID/OpenID.php" );
 $wgTrustRoot = "http://okthen.bitnamiapp.com/mediawiki/";
 #$wgOpenIDOnly = true;
 #$wgOpenIDConsumerDenyByDefault = true;
 $wgOpenIDConsumerForce = "https://www.google.com/accounts/o8/id";
 $wgOpenIDUseEmailAsNickname = true;
 $wgOpenIDAllowExistingAccountSelection = false;
 $wgOpenIDAllowNewAccountname = false;
 $wgOpenIDShowProviderIcons = true;
 $wgOpenIDLoginLogoUrl = "http://www.google.com/favicon.ico";

I am not clear on how I can only allow folks who are part of my domain hosted on google apps to login.

I have not modified anything in the OpenID extension folder.

This post was posted by Okthen~mediawikiwiki, but signed as Okthen.

198.177.94.250 (talkcontribs)

Did you ever get this figured out? I am trying to do the same thing but keep getting stuck!

49.176.37.84 (talkcontribs)

Seconded. I need this also.

Wikinaut (talkcontribs)

@all reporters:

If you mean "I want to only allow logins with an OpenID from Google as provider", this is possible with the latest version of E:OpenID.

49.176.37.63 (talkcontribs)

Not exactly what I'm looking for. As far as I'm aware, there's no way to restrict the OpenIDs to a particular Google Apps account, as Google Apps' OpenIDs all come from the Google domain, not the domain associated with the Apps account.

What would solve this is the ability to confirm accounts before they're allowed access to the wiki, or to have the administrator be the only one who could create the accounts.

Stefan2 (talkcontribs)

At Special:ListGroupRights, you can see that all users have the "createaccount" permission, which allows anyone to create an account. What you want is presumably to change the default permissions so that only administrators have the "createaccount" permission. See Manual:User rights for details. If only the administrator can create an account, then the administrator has to go to Special:CreateAccount to create all accounts and then hand over the login credentials to the person who is going to use the account.
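The permission change described in the post above, as an added example for LocalSettings.php (not part of the original post or of the extension's documentation). It also closes anonymous read and edit access for a private wiki; the whitelist assumes the OpenID special page names used in a configuration elsewhere in this thread.

```php
# LocalSettings.php fragment (added example, append after the extension setup).

# MediaWiki default, shown for comparison: anonymous visitors may register.
# $wgGroupPermissions['*']['createaccount'] = true;

# Corrected: only administrators (group "sysop") may create accounts.
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['sysop']['createaccount'] = true;

# Private wiki: anonymous visitors may neither read nor edit pages.
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;

# Pages that must stay readable so that users can still reach the login forms.
# The two OpenID page names are taken from a configuration quoted in this
# thread and are assumed to match the installed extension version.
$wgWhitelistRead = array(
    'Special:UserLogin',
    'Special:OpenIDLogin',
    'Special:OpenIDFinish',
);
```

After the change, Special:ListGroupRights should no longer show "createaccount" for all users. Whether a first-time OpenID login still creates an account on its own depends on the extension version, so test it with an identity that has no wiki account yet.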

RainDelay (talkcontribs)

I would also like to be able to restrict login access to users who are part of my domain hosted on google apps.

Stuartellis (talkcontribs)

I have the same problem as the original poster. OpenID works against our own internal OpenID server, but fails against Google Apps.

We are taking these from Git: MediaWiki 1.21, PHP-OpenID, and the OpenID extension from commit 059ad95fdd945c2156f78dc2d9af085785782963

The host system is Ubuntu 10.04 with Apache 2 and PHP 5.3.2 from packages. We get identical results on Ubuntu 12.04.

Our LocalSettings.php says:

 require_once( "$IP/extensions/OpenID/OpenID.php" );
 $wgOpenIDTrustRoot = <OUR-SITE>;
 $wgOpenIDConsumerForce = "https://www.google.com/accounts/o8/.well-known/host-meta?hd=<our-domain.tld>";
 $wgOpenIDConsumerStorePath = <PATH>;
 $wgOpenIDServerStorePath = <PATH>;
 $wgOpenIDUseEmailAsNickname = true;
 $wgOpenIDTrustEmailAddress = true;
 $wgOpenIDConsumerAndAlsoProvider = false;
 $wgOpenIDAllowAutomaticUsername = true;
 $wgOpenIDShowUrlOnUserPage = "never";
 $wgWhitelistRead = array("Special:OpenIDLogin", "Special:OpenIDFinish");
 $wgOpenIDLoginOnly = true;
 $wgOpenIDAllowServingOpenIDUserAccounts = false;

The error just reports that PEAR_Error is not loaded:

CACHES: EmptyBagOStuff[main] SqlBagOStuff[message] SqlBagOStuff[parser]
[cookie] session_set_cookie_params: "0", "/", "", "", "1"
Class LanguageEn_gb not found; skipped loading
LocalisationCache: using store LCStore_DB
Profiler::instance called without $wgProfiler['class'] set, falling back to ProfilerStub for safety
Connected to database 0 at localhost
Fully initialised
Connected to database 0 at localhost
MessageCache::load: Loading en-gb... got from global cache
Title::getRestrictionTypes: applicable restrictions to Main Page are {edit,move}
ContentHandler] Created handler for wikitext: WikitextContentHandler
Unstubbing $wgLang on call of $wgLang::getCode from MessageCache::get
IP: <REMOVED-FROM-QUOTE>
Unstubbing $wgParser on call of $wgParser::firstCallInit from MessageCache::getParser
Parser: using preprocessor: Preprocessor_DOM
Use of User::getSkin was deprecated in MediaWiki 1.18. [Called from OpenIDHooks::onPersonalUrls in <PATH>/extensions/OpenID/OpenID.hooks.php at line 90]
Class PEAR_Error not found; skipped loading
OutputPage::sendCacheControl: no caching **