Extension:WSOAuth/cs

Not to be confused with Extension:OAuth.
This extension requires the PluggableAuth extension to be installed first.
MediaWiki extensions manual
WSOAuth
Release status: stable
Implementation: User identity, User rights
Description: Extends the PluggableAuth extension to provide authentication using an OAuth provider
Author(s): Xxmarijnw (Wikibase Solutions) and others
Latest version: 9.0.0 (2023-06-16)
Compatibility policy: Snapshot releases along with MediaWiki. The main development branch is not backward compatible.
MediaWiki: 1.35+
PHP: 7.3+
Database changes: Yes
License: MIT License
  • $wgOAuthCustomAuthProviders
  • $wgOAuthAutoPopulateGroups
  • $wgOAuthMigrateUsersByUsername
  • $wgOAuthDisallowRemoteOnlyAccounts
  • $wgOAuthUseRealNameAsUsername
Quarterly downloads: 67 (Ranked 54th)
Translate the WSOAuth extension
Vagrant role: wsoauth
Issues: Open tasks · Report a bug

The WSOAuth extension (Wikibase Solutions OAuth) provides authentication using an OAuth provider. It provides a layer on top of the PluggableAuth extension to enable authentication via OAuth.[1]

The following OAuth providers are currently available by default:

  • MediaWiki (MediaWiki instance running OAuth)
  • Facebook

WSOAuth makes it easy to add new OAuth providers. You can read more about how to add a new OAuth provider on WSOAuth for Developers.

Compatibility

Compatibility Matrix

WSOAuth | PluggableAuth | MediaWiki
--- | --- | ---
9.0+ | 7.0+ | 1.35
6.0-8.x | 6.0-6.x | 1.35
1.0-5.x | 5.7 | 1.31

Configuration

Values must be provided for the following mandatory configuration variables:

Flag | Default | Description
--- | --- | ---
$wgPluggableAuth_Config (see Extension:PluggableAuth#Configuration) | [] | A mandatory array of arrays specifying the OAuth providers and their configuration. The data field of the array should be an array with the following keys:

Key | Description | Required
--- | --- | ---
type | The OAuth provider the extension will use (e.g. mediawiki or facebook) | Required
uri | The OAuth application authentication URI[2]. | Optional for some providers
clientId | The consumer key received from the OAuth application. | Required
clientSecret | The consumer secret received from the OAuth application. | Required
redirectUri | The default callback URI[2] to which the OAuth application returns after a successful authentication request. | Required for some providers
extensionData | An array containing additional data required by the provider. | Required for some providers
migrateUsersByUsername | Whether or not to allow usurpation of existing accounts. This overwrites the globally set $wgOAuthMigrateUsersByUsername. | Optional
disallowRemoteOnlyAccounts | Whether or not to allow accounts to not have a local counterpart. This overwrites the globally set $wgOAuthDisallowRemoteOnlyAccounts. | Optional
useRealNameAsUsername | Whether to use the real name as the username. This overwrites the globally set $wgOAuthUseRealNameAsUsername. | Optional
autoPopulateGroups | An array containing a list of MediaWiki group names that must be automatically assigned to the user after they are authenticated. This overwrites the globally set $wgOAuthAutoPopulateGroups. Since WSOAuth 9.0, this requires you to also configure how groups are synchronised. | Optional

In addition, the following optional configuration variables are provided:

Flag | Default | Description
--- | --- | ---
$wgOAuthCustomAuthProviders | false | An array containing a list of custom OAuth providers together with their class name (see WSOAuth for Developers for more information).
$wgOAuthAutoPopulateGroups | [] | An array containing a list of MediaWiki group names that must be automatically assigned to the user after they are authenticated. Since WSOAuth 9.0, this requires you to also configure how groups are synchronised.
$wgOAuthMigrateUsersByUsername | false | Whether or not to allow usurpation of existing accounts. If a user is already registered on your wiki before installing WSOAuth with the same username as a user that is logging in via OAuth, this setting will determine whether that existing account will be given to the user signing in (true), or whether the user signing in through OAuth will be prevented from doing so because the user already exists (false). Once an account has been migrated, the user associated with that account will always be able to sign in through OAuth, even after this setting is changed to false. It is safer to leave this value as false and let the user connect their remote account manually through Special:Preferences.
$wgOAuthDisallowRemoteOnlyAccounts | false | Whether or not to allow accounts to not have a local counterpart.
$wgOAuthUseRealNameAsUsername | false | Whether to use the real name as the username.

An example of the $wgPluggableAuth_Config for a single provider is as follows:

$wgPluggableAuth_Config['nlwiki'] = [
    'plugin' => 'WSOAuth',
    'data' => [
        'type' => 'mediawiki',
        'uri' => 'https://nl.wikipedia.org/wiki/Special:OAuth',
        'clientId' => '...',
        'clientSecret' => '...'
    ],
    'buttonLabelMessage' => 'dutch-wikipedia-login-button-label'
];
The key of the configuration (in the example above nlwiki) is used to identify the OAuth provider internally and MUST NOT change.

An example of the $wgPluggableAuth_Config for multiple providers is as follows:

$wgPluggableAuth_Config['nlwiki'] = [
    'plugin' => 'WSOAuth',
    'data' => [
        'type' => 'mediawiki',
        'uri' => 'https://nl.wikipedia.org/wiki/Special:OAuth',
        'clientId' => '...',
        'clientSecret' => '...'
    ],
    'buttonLabelMessage' => 'dutch-wikipedia-login-button-label'
];

$wgPluggableAuth_Config['facebook'] = [
    'plugin' => 'WSOAuth',
    'data' => [
        'type' => 'facebook',
        'clientId' => '...',
        'clientSecret' => '...',
        'redirectUri' => '...'
    ],
    'buttonLabelMessage' => 'facebook-login-button-label'
];

Group synchronisation

To configure group synchronisation, you need to add a groupsyncs array to the $wgPluggableAuth_Config array. This array must contain zero or more sub-arrays that specify how groups are synced. For detailed information, see Extension:PluggableAuth#Group Synchronization.

The most common use-case is to synchronise all groups, which can be achieved using the syncall group synchronisation algorithm. The configuration below will achieve similar functionality to older versions of WSOAuth (<= 8.0.0).

$wgPluggableAuth_Config['nlwiki'] = [
    'plugin' => 'WSOAuth',
    'data' => [
        'type' => 'mediawiki',
        'uri' => 'https://nl.wikipedia.org/wiki/Special:OAuth',
        'clientId' => '...',
        'clientSecret' => '...',
        'autoPopulateGroups' => ['mygroups' => ['sysop', 'bureaucrat']]
    ],
    'groupsyncs' => [
        'mygroupsync' => [
            'type' => 'syncall',
            'groupattributename' => 'mygroups'
        ]
    ],
    'buttonLabelMessage' => 'dutch-wikipedia-login-button-label'
];
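
The account migration and group settings described above (migrateUsersByUsername, autoPopulateGroups, groupsyncs) can be checked mechanically before a configuration is deployed. The following is an added example, not code from WSOAuth or from this page; the function name auditWSOAuthConfig, the $globals parameter and the list of privileged groups are assumptions made for illustration.

```php
<?php
// Added example (not part of WSOAuth). auditWSOAuthConfig(), $globals and the
// $privileged group list are hypothetical names chosen for this illustration.
function auditWSOAuthConfig( array $config, array $globals = [],
    array $privileged = [ 'sysop', 'bureaucrat', 'interface-admin' ] ): array {
    $findings = [];
    foreach ( $config as $key => $entry ) {
        if ( ( $entry['plugin'] ?? '' ) !== 'WSOAuth' ) {
            continue; // other PluggableAuth plugins are out of scope
        }
        $data = $entry['data'] ?? [];
        // A per-provider key overrides the globally set variable.
        $migrate = $data['migrateUsersByUsername']
            ?? $globals['wgOAuthMigrateUsersByUsername'] ?? false;
        if ( $migrate ) {
            $findings[] = "$key: migrateUsersByUsername is true; an OAuth login "
                . "is given the existing local account with the same username";
        }
        // autoPopulateGroups is a flat list or an attribute => list map.
        $groups = $data['autoPopulateGroups']
            ?? $globals['wgOAuthAutoPopulateGroups'] ?? [];
        $flat = [];
        array_walk_recursive( $groups, function ( $g ) use ( &$flat ) {
            $flat[] = $g;
        } );
        foreach ( array_intersect( $flat, $privileged ) as $g ) {
            $findings[] = "$key: autoPopulateGroups lists privileged group '$g'";
        }
        if ( $flat && empty( $entry['groupsyncs'] ) ) {
            $findings[] = "$key: autoPopulateGroups is set without groupsyncs "
                . "(required since WSOAuth 9.0)";
        }
    }
    return $findings;
}

// Constructed sample configuration; the credentials are placeholders.
$sample = [ 'nlwiki' => [
    'plugin' => 'WSOAuth',
    'data' => [
        'type' => 'mediawiki',
        'uri' => 'https://nl.wikipedia.org/wiki/Special:OAuth',
        'clientId' => 'placeholder-id',
        'clientSecret' => 'placeholder-secret',
        'migrateUsersByUsername' => true,
        'autoPopulateGroups' => [ 'mygroups' => [ 'sysop', 'bureaucrat' ] ],
    ],
] ];
echo implode( PHP_EOL, auditWSOAuthConfig( $sample ) ), PHP_EOL;
```

Pass $wgPluggableAuth_Config as the first argument and, as the second, the global values keyed by variable name without the leading $.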

OAuth providers

If you want to add a new OAuth provider, see WSOAuth for Developers.

Currently, the following OAuth providers are supported:

  • MediaWiki OAuth (MediaWiki instance running OAuth)
  • Facebook

MediaWiki OAuth

Follow the steps below to enable authentication and authorization via MediaWiki OAuth.

  1. Register a new OAuth consumer application for the wiki you are delegating access to.
  2. Set the following in your LocalSettings.php:
$wgPluggableAuth_Config['mywikiauth'] = [
    'plugin' => 'WSOAuth',
    'data' => [
        'type' => 'mediawiki',
        'uri' => 'https://<central wiki>/w/index.php?title=Special:OAuth',
        'clientId' => '<The client ID (key) you received from MediaWiki when you registered your app>',
        'clientSecret' => '<The secret you received from MediaWiki when you registered your app>'
    ]
];

Example of registering a new OAuth consumer application for the wiki you are delegating access to (here, Wikimedia):

  1. Visit https://meta.wikimedia.org/wiki/Special:OAuthConsumerRegistration/propose
  2. Click "Request a token for a new OAuth 1.0a consumer."
  3. Set the following:
    • Set "Application name" to something unique for your application (i.e. the string "mywikiauth" used above in $wgPluggableAuth_Config['mywikiauth']).
      (Note - Be sure to keep an exact copy of this string value for use later.)
    • Set "Consumer version" to "1.0a" (by default it is just "1.0")
    • Set "Application description" to some helpful text.
    • Set "This consumer is for use only by <yourusername>." checkbox as you wish.
    • Set "OAuth "callback" URL" to https://<local wiki url>/wiki/index.php?title=Special:PluggableAuthLogin
    • Note that "Contact email address" is set to the email address associated with your Wikimedia account.
    • Ensure "Applicable project" is set to "*" (this is the default)
    • Set "Types of grants being requested" to "User identity verification only, no ability to read pages or act on a user's behalf."
  4. Click the checkbox to agree to the conditions of use.
  5. Click the "Propose Consumer" button to submit your proposal.
  6. Write down the "Client application key" and "Client application secret" that are given by meta.wikimedia.org upon submission.
  7. Use the "Application name" you submitted to meta.wikimedia.org as the WSOAuth 'mywikiauth' key in the example configuration above.
  8. Use the "Client application key" as the WSOAuth "clientId".
  9. Use the "Client application secret" as the WSOAuth "clientSecret".

To exclusively use MediaWiki as your sign-on system and to automatically log in when visiting the wiki, also set the following in LocalSettings.php:

$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = false;

For OAuth applications that utilize a "callback" prefix, a redirect URI[2] must be set through the redirectUri key. This redirect URI must have the prefix specified.

Facebook

Follow the steps below to enable authentication and authorization via Facebook.

  1. Create a new app on Facebook for Developers.
  2. Under Add a Product, select Facebook Login.
  3. In the menu on the left, select Settings under Facebook Login.
  4. Add the domain of your wiki to the list of Valid OAuth Redirect URIs and hit save.
  5. In the menu on the left, click Settings, then Basic and write down the App ID and App Secret.
  6. Set the following in your LocalSettings.php:
    $wgPluggableAuth_Config['myfacebookauth'] = [
        'plugin' => 'WSOAuth',
        'data' => [
            'type' => 'facebook',
            'clientId' => '<The App ID>',
            'clientSecret' => '<The App Secret>',
            'redirectUri' => 'https://<wiki domain>/index.php/Special:PluggableAuthLogin'
        ]
    ];
    
    The key of the configuration (in the example above myfacebookauth) is used to identify the OAuth provider internally and MUST NOT change.

To exclusively use Facebook as your sign-on system and to automatically log in when visiting the wiki, also set the following in LocalSettings.php:

$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = false;

Upgrading from before 6.0

The database schema had to be changed in order to support multiple authentication providers after version 6.0.

If you are running a MediaWiki instance with a version of WSOAuth older than 6.0, you must migrate your existing external users to the new database schema if you want to upgrade.

You can use the maintenance script multiAuthMigrate.php located in the extension's maintenance folder to migrate:

$ php extensions/WSOAuth/maintenance/multiAuthMigrate.php --provider=mywikiauth

The provider option in the example above determines which provider to migrate existing users to.

System messages

Here are some useful system messages, related to this extension, that can be personalized:

Message title | Default message | Position | Tip
--- | --- | --- | ---
wsoauth-user-already-exists-message | The username "{{{1}}}" is already taken. | Text displayed in the login screen error message when a user tries to log in with OAuth, but there is a user in that wiki who has the same username. | It may happen that a user first registers on the wiki via the regular user registration and then tries to log in through OAuth, encountering this error message. If this may happen in your wiki, you can personalize this message to invite users to authorize remote logins from their preferences.

Screenshot [upref 1]: The page Special:Preferences with WSOAuth installed showing the "Connect a remote account" button
  1. restricted preferences
To change a system message, edit the MediaWiki:Message title page on your wiki.

Installation

This extension requires the PluggableAuth extension.
  • Download and place the file(s) in a directory called WSOAuth in your extensions/ folder.
    Developers and code contributors should install the extension from Git instead, using:
    cd extensions/
    git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/WSOAuth
  • Only when installing from Git, run Composer to install PHP dependencies by issuing composer install --no-dev in the extension directory. (See T173141 for potential complications.)
  • Add the following code at the bottom of your LocalSettings.php file:
    $wgGroupPermissions['*']['autocreateaccount'] = true;
    
    wfLoadExtension( 'PluggableAuth' );
    wfLoadExtension( 'WSOAuth' );
    
  • Run the update script, which will automatically make all the necessary database changes that the extension requires.
  • Configure as required.
  • Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.


Vagrant installation:

  • If using Vagrant, install with vagrant roles enable wsoauth --provision

Notes

  1. Open Authorization (OAuth)
  2. Uniform Resource Identifier (URI)

