Extension:OAuth/tr

Şununla karıştırılmamalıdır: Extension:OATHAuth veya Extension:WSOAuth.
Category:GPL licensed extensions/tr
MediaWiki manüel uzantıları
OAuth
Sürüm durumu: kararlıCategory:Stable extensions/tr
Uygulama Kullanıcı kimliği Category:User identity extensions/tr, Kullanıcı hakları Category:User rights extensions/tr, API Category:API extensions/tr
Açıklama Kullanıcıların, MediaWiki eylem API'sini kendi adlarına kullanmaları için başka bir uygulamayı ("tüketici") güvenli bir şekilde yetkilendirmesine izin verin.
Yazar(lar) Aaron Schulz, Chris Steipp, Brad Jorsch, Robert Vogel, Dejan Savuljesku
En son sürüm 1.1.0 (continuous updates)
Uyumluluk politikası MediaWiki ile birlikte anlık görüntüler yayımlanır. Master geriye dönük olarak uyumlu değil.
Veritabanı değişiklikleri Evet
Tablolar oauth_accepted_consumer
oauth_registered_consumer
Lisans GNU Genel Kamu Lisansı 2.0 veya üstü
İndir
Uzantıyı indir
Git [?]:
Category:Extensions in Wikimedia version control/tr
Yardım Yardım:OAuth
Parametreler
  • $wgOAuth2PublicKey
  • $wgOAuth2RequireCodeChallengeForPublicClients
  • $wgMWOAuthCentralWiki
  • $wgMWOAuthSecureTokenTransfer
  • $wgMWOAuthSharedUserSource
  • $wgOAuth2GrantExpirationInterval
  • $wgOAuthAutoApprove
  • $wgMWOauthDisabledApiModules
  • $wgOAuth2EnabledGrantTypes
  • $wgMWOAuthNonceCacheType
  • $wgOAuthGroupsToNotify
  • $wgMWOAuthRequestExpirationAge
  • $wgOAuth2RefreshTokenTTL
  • $wgMWOAuthSessionCacheType
  • $wgMWOAuthReadOnly
  • $wgOAuth2PrivateKey
  • $wgMWOAuthSharedUserIDs
  • $wgOAuthSecretKey
Eklenen haklar
Kullanılan kancalar
Sağlanan kancalar
Translatewiki.net adresinde mevcutsa, OAuth uzantısını çevirin
Vagrant rolü oauth
Sorunlar Açık görevler · Hata bildir
Category:All extensions/tr

OAuth uzantısı, MediaWiki'de hem OAuth 1.0a hem de OAuth 2.0 protokol sürümlerini destekleyen bir OAuth sunucusu uygular. It allows third party developers to securely develop applications ("consumers"), to which users can give a limited set of permissions ("grants"), so that the application can use the MediaWiki API on the user's behalf.

Bir vikide OAuth kullanan bir uygulama geliştirmeye çalışıyorsanız, Geliştiriciler için OAuth'a bakın. If you are trying to use an OAuth-enabled tool on a wiki which has this extension installed, see OAuth .

Gereksinimler

  • OAuth, geçici anahtarlar ve oturumlar için nesne önbelleğini kullanır. Bu, önbellek yapılandırma ayarları makul olduğu sürece çalışmalıdır. (Older versions required Memcached explicitly.)
  • Şu anda yalnızca MySQL ve SQLite veritabanı arka uçları desteklenmektedir
  • MediaWiki kurulumu özelse (yani, kullanıcıların okuma erişimine sahip olmaları için oturum açmaları gerekiyorsa), beyaz listeye Special:OAuth eklenmesi gerekecektir.

Kurulum


Vagrant kurulumu:

  • Vagrant kullanıyorsanız, vagrant roles enable oauth --provision ile yükleyin

To assign a permission to some group, for example to sysops, you add following line to LocalSettings.php:

$wgGroupPermissions['sysop']['mwoauthproposeconsumer'] = true;


Yapılandırma

Parameters

Değişken adı Varsayılan değer Açıklama
$wgMWOAuthCentralWiki false Wiki ID of OAuth management wiki. On wiki farms, it makes sense to set this to a wiki that acts as a portal site, is dedicated to management, or just handles login/authentication. It can, however, be set to any wiki in the farm. For single-wiki sites or farms where each wiki manages consumers separately, it should be left as false.
$wgMWOAuthSharedUserIDs false (kaldırıldı) Use $wgMWOAuthSharedUserSource instead

Whether shared global user IDs are stored in the oauth tables. On wiki farms with a central authentication system (with integer user IDs) that share a single OAuth management wiki, this must be set to true. If wikis have a central authentication system but have their own OAuth management, then this can be either true or false. Otherwise it should always be set to false. Setting this to true requires CentralIdLookup or an MWOAuth aware authentication extension. This value should not be changed after the fact to avoid ambigious IDs. Proper user ID migration should be done before any such changes.

$wgMWOAuthSharedUserSource null Central ID provider when sharing OAuth credentials over a wiki farm

Source of shared user IDs, if enabled. If CentralIdLookup is available, this is the $providerId for CentralIdLookup::factory(). Generally null would be what you want, to use the default provider. If that class is not available or the named provider is not found, this is passed to the OAuthGetUserNamesFromCentralIds, OAuthGetLocalUserFromCentralId, OAuthGetCentralIdFromLocalUser, OAuthGetCentralIdFromUserName hooks. This has no effect if $wgMWOAuthSharedUserIDs is set to false.

$wgMWOAuthRequestExpirationAge 2.592.000 (30 days) Seconds after which an idle request for a new Consumer is marked as "expired"
$wgMWOAuthSecureTokenTransfer true Require SSL/TLS for returning Consumer and user secrets. This is required by RFC 5849, however if a wiki wants to use OAuth, but doesn't support SSL, this option makes this configuration possible. This should be set to true for most production settings.
$wgOAuthSecretKey $wgSecretKey A secret configuration string (random 32-bit string generated using "base64_encode(random_bytes(32))") used to hmac the database-stored secret to produce the shared secrets for Consumers. This provides some protection against an attacker reading the values out of the consumer table (the attacker would also need $wgOAuthSecretKey to generate valid secrets), and some protection against potential weaknesses in the secret generation. If this string is compromised, the site should generate a new $wgOAuthSecretKey, which will invalidate Consumer authorizations that use HMAC/shared secret signatures instead of public/private keys. Consumers can regenerate their new shared secret by using the "Reset the secret key to a new value" option under Special:MWOAuthConsumerRegistration/update. If null, the value is set to $wgSecretKey.
$wgOAuthGroupsToNotify [] The list of user groups which should be notified about new consumer proposals. Setting this will only have an effect when Echo is installed.
$wgMWOauthDisabledApiModules [] List of API module classes to disable when OAuth is used for the request
$wgMWOAuthReadOnly false Prevent write activity to the database. When this is set, consumers cannot be added or updated, and new authorizations are prohibited. Authorization headers for existing authorizations will continue to work. Useful for migrating database tables
$wgMWOAuthSessionCacheType $wgSessionCacheType The storage mechanism for session data. If null, it defaults to $wgSessionCacheType.
$wgOAuthAutoApprove [] Allows automatic immediate approval of low-risk apps. In the form of [ 'grants' => [ 'grant1', 'grant2', ... ] ]
$wgOAuth2EnabledGrantTypes 
[
"authorization_code",
"refresh_token",
"client_credentials"
]
List of OAuth2 grants that client applications can be allowed to use. Actual grants client application will be allowed to use can be any subset of grants listed here. Grants, other than the ones listed here, are considered legacy grants, and are not supported by this extension
$wgOAuth2PrivateKey "" Private key or a path to the private key used to sign OAuth2 JWT being transmitted. See the OAuth 2.0 Server documentation for how to generate the keys.
$wgOAuth2PublicKey "" Public key or a path to the public key used to verify OAuth2 resource requests.
$wgOAuth2RequireCodeChallengeForPublicClients true Controls whether clients are required to send code challenges with OAuth2 requests. This only applies to non-confidential clients.
$wgOAuth2GrantExpirationInterval "PT1H" (1 hour) Controls validity period for access tokens (stored in the cache configured in MWOAuthSessionCacheType). Does not apply to owner-only clients, whose access tokens are always non-expiring. Accepts ISO 8601 durations or can be set to "infinity" or false for non-expiring tokens.
$wgOAuth2RefreshTokenTTL "P1M" (1 month) Controls validity period for refresh tokens (stored in the cache configured in MWOAuthSessionCacheType). Accepts ISO 8601 durations or can be set to "infinity" or false for non-expiring tokens.

Kullanıcı hakları

Yetki Açıklama
mwoauthproposeconsumerYeni OAuth tüketicileri önerin
mwoauthupdateownconsumerKontrol ettiğiniz OAuth tüketicilerini güncelleyin
mwoauthmanageconsumerOAuth tüketicilerini yönet
mwoauthsuppressOAuth tüketicilerini gözetleyin
mwoauthviewsuppressedGözetlenmiş OAuth tüketicilerini görüntüle
mwoauthviewprivateÖzel OAuth verilerini görüntüle
mwoauthmanagemygrantsOAuth bağışlarını yönet

Endpoints

OAuth 2.0 REST endpoints

The following REST endpoints are provided for OAuth 2.0 interaction

Yol Açıklama İzin verilen parametreler İzin verilen yöntem
/oauth2/authorize Used for retrieving authorization code when using authorization_code grant.
Name Required? Description
response_typeEvet
client_idEvet
redirect_uriHayır if present, must match the URI that was set when client was registered exactly
scopeHayır
stateHayır
code_challengeHayır required if $wgOAuth2RequireCodeChallengeForPublicClients is true
code_challenge_methodHayır required if $wgOAuth2RequireCodeChallengeForPublicClients is true
 GET
/oauth2/access_token Used for requesting access tokens
Name Required? Description
grant_typeEvet type of grant used
client_idHayır
client_secretHayır required if client is confidential
redirect_uriHayır if present, must match the URI that was set when client was registered exactly
scopeHayır
codeHayır required if authorization_code grant is used
refresh_tokenHayır required if refresh_token grant is used
code_verifierHayır
 POST
/oauth2/resource/{{type}} Used for retrieving protected resources using the access token issued previously.

Currently, two resource types can be retrieved using this endpoint, by replacing {{type}} placeholder with the type key:

  • profile - retrieve the user profile of the user that is represented by the access token used to make the request - usually used for logging users in on 3rd party websites using MediaWiki
  • scopes - retrieve all scopes client (application) is allowed to use with the current access token
 No parameters are allowed, apart from the {{type}} parameter that is included in the path GET/POST
/oauth2/client Lists OAuth 1.0a or 2.0 clients for the logged-in user. Authentication can be achieved over CentralAuth or by including an access token in the authorization header.
Response example
{
  "clients": [
    {
      "client_key": "xxxxxxxxxxxxxx",
      "name": "TestFromCurl1807",
      "version": "2.0",
      "email": "admin@example.com",
      "callback_url": "http://example.com",
      "scopes": [
        "authonly"
      ],
      "registration": "20200818230806",
      "stage": 0,
      "oauth_version": 2,
      "description": "foo",
      "allowed_grants": [
        "authorization_code"
      ],
      "registration_formatted": "23:08, 18 August 2020"
    }
  ],
  "total": 1
}
  • oauth_version (optional) - either 1 (to return only OAuth 1.0a clients) or 2 (to return only OAuth 2.0 clients). Default: 2
  • Pagination parameters
    • limit (optional) - maximum number of clients to return. Default: 25
    • offset (optional) - number of clients to skip before returning the first result. Default: 0
 GET
/oauth2/client/{client_key}/reset_secret Resets a client secret. For owner-only clients, this endpoint also resets the access token.
Response example
{
  "name": "Example",
  "client_key": "xxxxxxxxxx",
  "secret": "xxxxxxxxxx",
  "access_token": "xxxxxxxxxx"
}
Name Required? Description Default
client_keyEvet client identifier
reasonHayır string containing the reason for resetting the secret. ''
 POST
/oauth2/client Creates an OAuth 2.0 client.
Response example
{
  "name": "Example",
  "client_key": "xxxxxxxxxx",
  "secret": "xxxxxxxxxx",
  "access_token": "xxxxxxxxxx"
}
Name Required? Description Default
nameEvet client name
descriptionEvet client description
emailEvet contact email
is_confidentialEvet set to true if the client is confidential; set to false for public clients like mobile and desktop apps
grant_typesEvet OAuth 2.0 grant types used by the client, one or more of the following: authorization_code, refresh_token, client_credentials
scopesEvet OAuth 2.0 scopes, either mwoauth-authonly, mwoauth-authonlyprivate or the set of applicable grants
versionHayır client version. 1.0
wikiHayır applicable project. * for all wikis
owner_only ? set to true for a client used only by the creating user
callback_urlHayır Return URL for authorizing users. ''
callback_is_prefixHayır set to true to allow the client to specify a callback in requests and use the callback URL as a required prefix. false
 POST
If OAuth credentials are shared over a wiki farm, make sure that real names are used/hidden consistently across all wikis (using $wgHiddenPrefs ). On wikis where real names are hidden, the OAuth permission request message that tells the user which information is shared does not mention the real name, so in that case there should not be any other wiki where the OAuth consumer may still get that information from.

Ayrıca bakınız

  • Extension:OATHAuth - OATH tabanlı tek seferlik parolaları kullanarak ikinci bir kimlik doğrulama faktörü uygulayan benzer şekilde adlandırılmış bir uzantı.
  • Extension:WSOAuth – Vikinizin, Extension:OAuth çalıştıran bir viki de dahil olmak üzere PluggableAuth kullanan herhangi bir OAuth sağlayıcısına kimlik doğrulama yetkisi vermesini sağlayan bir MediaWiki uzantısı.
  • oauthclient-php – OAuth tüketicileri için bir istemci kitaplığı.
Category:Extensions used on Wikimedia/tr#OAuth/tr Category:LoginFormValidErrorMessages extensions/tr
Category:API extensions/tr Category:AbuseFilter-builder extensions/tr Category:AbuseFilter-computeVariable extensions/tr Category:AbuseFilter-generateUserVars extensions/tr Category:All extensions/tr Category:ApiRsdServiceApis extensions/tr Category:BeforeCreateEchoEvent extensions/tr Category:ChangeTagCanCreate extensions/tr Category:ChangeTagsListActive extensions/tr Category:Extensions in Wikimedia version control/tr Category:Extensions included in Canasta/tr Category:Extensions included in Miraheze/tr Category:Extensions included in ProWiki/tr Category:Extensions included in WikiForge/tr Category:Extensions included in wiki.gg/tr Category:Extensions requiring Composer with git/tr Category:Extensions used on Wikimedia/tr Category:Extensions which add rights/tr Category:GPL licensed extensions/tr Category:GetPreferences extensions/tr Category:ListDefinedTags extensions/tr Category:LoadExtensionSchemaUpdates extensions/tr Category:LoginFormValidErrorMessages extensions/tr Category:MergeAccountFromTo extensions/tr Category:MessagesPreLoad extensions/tr Category:SetupAfterCache extensions/tr Category:SpecialPageAfterExecute extensions/tr Category:SpecialPageBeforeFormDisplay extensions/tr Category:SpecialPage initList extensions/tr Category:Stable extensions/tr Category:TestCanonicalRedirect extensions/tr Category:User identity extensions/tr Category:User rights extensions/tr