Extension:OpenID Connect/cs

This extension requires the PluggableAuth extension to be installed first.
MediaWiki extensions manual
OpenID Connect
Release status: stable
Implementation: User identity
Description: Extends the PluggableAuth extension to provide authentication using OpenID Connect.
Author(s): Cindy Cicalese (cindy.cicalese, talk)
Latest version: 8.3.0 (2025-02-23)
Compatibility policy: Snapshots releases along with MediaWiki. Master is not backward compatible.
Database changes: Yes
Tables: openid_connect
License: MIT License
Download
Parameters:
  • $wgPluggableAuth_Config
  • $wgOpenIDConnect_UseRealNameAsUserName
  • $wgOpenIDConnect_UseEmailNameAsUserName
  • $wgOpenIDConnect_MigrateUsers
  • $wgOpenIDConnect_ForceLogout
Translate the OpenID Connect extension if it is available at translatewiki.net
Issues: Open tasks · Report a bug

The OpenID Connect extension extends the PluggableAuth extension to provide authentication using OpenID Connect.

Special thanks to jumbojett for the OpenID Connect PHP library used by this extension.

Installation

Prerequisites

This extension requires PluggableAuth to be installed first. If you are upgrading from version 4.x or earlier to version 6.x or later, you must first upgrade to version 5.x.

Extension

  • Download and move the extracted files to a directory named OpenIDConnect in your extensions/ folder.
    Developers and code contributors should install the extension from Git instead, using:
    cd extensions/
    git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/OpenIDConnect
    
  • Add the following code at the bottom of your LocalSettings.php file:
    wfLoadExtension( 'OpenIDConnect' );
    
  • Run the update script, which will automatically make any database changes that this extension requires.
  • Install dependencies.
  • Configure as required in the configuration file.
  • Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.

Dependencies

The OpenIDConnect extension requires the CURL PHP extension and the OpenID Connect PHP library. If you are following the standard installation procedure and downloaded the archive from mediawiki.org, the dependencies have been bundled and there is no further action required.

If you are using the development/contributor installation procedure with Git, add the line "extensions/OpenIDConnect/composer.json" to the composer.local.json file in the root directory of your wiki, e.g.

{
	"extra": {
		"merge-plugin": {
			"include": [
				"extensions/OpenIDConnect/composer.json"
			]
		}
	}
}

Then run composer update in the root directory of your wiki. This installs all dependencies (e.g. the jumbojett OpenID Connect PHP library).

Configuration

Parameters

Most of the configuration settings for an OpenID Connect identity provider are shared in a file located at /.well-known/openid-configuration[1] on the provider's domain. This extension queries these settings in order to process authentication. In addition, the configuration parameters below are used to configure the extension to communicate with the identity provider as desired.

When configuring the identity provider, you will be prompted for a redirect URL or callback URL. Use the full URL of the Special:PluggableAuthLogin page of your wiki for that value.

$wgPluggableAuth_Config

Default value: []

(see Extension:PluggableAuth#Configuration)

Required array of arrays specifying the OpenID Connect issuers and their configuration. The data field of each entry is an array with the following keys:

  • providerURL (required): URL of the issuer (e.g. https://accounts.google.com/ for Google, https://api.slack.com/ for Slack), used to locate the "well-known" file mentioned above (e.g. https://accounts.google.com/.well-known/openid-configuration for Google)
  • clientID (required)
  • clientsecret (required)
  • proxy (optional): URL
  • scope (optional): string or array of strings to be passed to the issuer; default [ 'openid', 'profile', 'email' ]
  • preferred_username (optional): the name of the preferred username attribute from the issuer to be used, meaning that the issuer will provide an attribute with this name whose value will be the preferred username for the user. The default is the string 'preferred_username'. If you do not want to use a preferred username attribute, set this to the empty string.
  • verifyHost (optional): boolean to enable/disable host verification; default: true
  • verifyPeer (optional): boolean to enable/disable SSL peer verification; default: true
  • authparam (optional): associative array of authentication parameters to be passed to the issuer
  • providerConfig (optional): associative array used to override endpoints and other provider attributes
  • issuerValidator (optional): boolean function that takes one string parameter, the issuer, and returns whether the issuer is valid (version 7.1.0+)
  • preferredUsernameProcessor (optional): callable that takes two parameters (preferred username string and the array of attributes returned from the identity provider) and returns a possibly modified preferred username to use for a new user (version 7.2.0+)
  • realnameProcessor (optional): callable that takes two parameters (real name string and the array of attributes returned from the identity provider) and returns a possibly modified real name to use for a new user (version 7.2.0+)
  • emailProcessor (optional): callable that takes two parameters (email address string and the array of attributes returned from the identity provider) and returns a possibly modified email address to use for a new user (version 7.2.0+)
  • useRandomUsernames (optional): boolean to indicate whether to generate a random unique identifier to use for the username of a new user if no preferred username is provided (rather than the default of using User followed by a unique integer) (version 8.0.0+)
  • wellKnownConfigParameters (optional): array of additional string parameters to use to construct the well-known config URL (default []); e.g. 'wellKnownConfigParameters' => ['appid' => 'clientIDvalue'] (version 8.2.0+)
  • codeChallengeMethod (optional): string to provide to the identity provider to set the code challenge method; used to support PKCE when set to "S256" (version 8.2.0+)
  • authMethods (optional): array of strings to specify the auth methods to use when communicating with the identity provider (default ['client_secret_basic']); e.g. 'authMethods' => ['client_secret_basic', 'client_secret_jwt', 'private_key_jwt']; note that private_key_jwt requires that privateKeyJwtGenerator must also be set (version 8.2.0+)
  • privateKeyJwtGenerator (optional): callable (such as a function name) that takes one string parameter, the token endpoint, and returns a JWT; for use with authMethod private_key_jwt (version 8.2.0+)
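As an added example (not code from the extension or its documentation), the following LocalSettings.php fragment combines codeChallengeMethod, authMethods and privateKeyJwtGenerator: the client proves its identity to the token endpoint with a signed JWT (RFC 7523 client assertion) instead of sending a shared secret, and PKCE protects the authorization code. The issuer URL, client ID, and the key path /etc/mediawiki/oidc-client.key are assumptions; the matching public key must be registered with the provider.

```php
// Added example, appended to LocalSettings.php. Assumed values: the issuer
// https://id.example.com/, the client ID "mediawiki-wiki" and an RSA private key
// stored outside the web root at /etc/mediawiki/oidc-client.key.

/**
 * Build a short-lived RS256 client assertion for the private_key_jwt auth method.
 * The extension calls this with the provider's token endpoint as its only argument.
 */
function wikiOidcPrivateKeyJwt( string $tokenEndpoint ): string {
	$clientId = 'mediawiki-wiki';                    // assumed client ID
	$keyPath = '/etc/mediawiki/oidc-client.key';    // assumed key location (PEM)
	$privateKey = openssl_pkey_get_private( 'file://' . $keyPath );
	if ( $privateKey === false ) {
		throw new RuntimeException( 'Cannot load the OIDC client private key' );
	}
	// base64url without padding, as required for JWT segments
	$b64url = static fn ( string $s ): string => rtrim( strtr( base64_encode( $s ), '+/', '-_' ), '=' );
	$now = time();
	$header = [ 'alg' => 'RS256', 'typ' => 'JWT' ];
	$claims = [
		'iss' => $clientId,                       // issuer and subject are both the client
		'sub' => $clientId,
		'aud' => $tokenEndpoint,                  // audience is the endpoint being called
		'jti' => bin2hex( random_bytes( 16 ) ),   // unique ID so the assertion cannot be replayed
		'iat' => $now,
		'exp' => $now + 60,                       // one-minute lifetime
	];
	$signingInput = $b64url( json_encode( $header, JSON_UNESCAPED_SLASHES ) )
		. '.' . $b64url( json_encode( $claims, JSON_UNESCAPED_SLASHES ) );
	$signature = '';
	if ( !openssl_sign( $signingInput, $signature, $privateKey, OPENSSL_ALGO_SHA256 ) ) {
		throw new RuntimeException( 'Signing the client assertion failed' );
	}
	return $signingInput . '.' . $b64url( $signature );
}

$wgPluggableAuth_Config[] = [
	'plugin' => 'OpenIDConnect',
	'data' => [
		'providerURL' => 'https://id.example.com/',   // assumed issuer
		'clientID' => 'mediawiki-wiki',
		'clientsecret' => '',                          // not sent with private_key_jwt
		'codeChallengeMethod' => 'S256',               // PKCE for the authorization code
		'authMethods' => [ 'private_key_jwt' ],        // only the assertion-based method
		'privateKeyJwtGenerator' => 'wikiOidcPrivateKeyJwt',
	]
];
```

The key file should be readable only by the web server user, since anyone who can read it can obtain tokens as this client.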

$wgOpenIDConnect_UseRealNameAsUserName

Default value: false

If a new user is being created in the database and the issuer did not provide a preferred username, or preferred_username was set to null or the empty string, a value of true for this flag indicates that the user's real name, if provided by the issuer, should be used as the new user's username. If set to true and the issuer did not provide a real name, the literal "User" will be used as the username for the first user, and all subsequent users will use the literal "User" followed by a number, e.g. "User", "User1", "User2", and so on. The same naming occurs if this parameter is set to false.

$wgOpenIDConnect_UseEmailNameAsUserName

Default value: false

If a new user is being created in the database and the issuer did not provide a preferred username, or preferred_username was set to null or the empty string, and either the issuer did not provide a real name or $wgOpenIDConnect_UseRealNameAsUserName was undefined or set to false, a value of true for this flag indicates that the name portion of the user's email address, if provided by the issuer, should be used as the new user's username. This parameter cannot be set to true at the same time as $wgOpenIDConnect_UseRealNameAsUserName is set to true; in that case, this setting is ignored.

$wgOpenIDConnect_MigrateUsersByUserName

Default value: false

If a user already exists in the database with the same username as the authenticated user and has null values for subject and issuer, use this user, setting the subject and issuer in the database to those of the authenticated user. This is useful when the wiki previously used a different authentication mechanism. If neither this parameter nor $wgOpenIDConnect_MigrateUsersByEmail are set to true, the settings for user creation will be used as described above.

$wgOpenIDConnect_MigrateUsersByEmail

Default value: false

If a user already exists in the database with the same email address as the authenticated user and has null values for subject and issuer, use this user, setting the subject and issuer in the database to those of the authenticated user. This is useful when the wiki previously used a different authentication mechanism. If neither this parameter nor $wgOpenIDConnect_MigrateUsersByUserName are set to true the settings for user creation will be used as described above.

$wgOpenIDConnect_ForceReauth

Default value: false

When the user logs out from the wiki, force reauthentication with the identity provider at next login even if they have not logged out from the identity provider.

$wgOpenIDConnect_SingleLogout

Default value: false

When the user logs out from the wiki, also log out from the identity provider. This is not supported by all identity providers (e.g. Google).

$wgOpenIDConnect_PreferredUsernameProcessor

Default value: null

Callable that takes two parameters (preferred username string and the array of attributes returned from the identity provider) and returns a possibly modified preferred username to use for a new user; this value is only used if no value is provided for preferredUsernameProcessor in the config data section (version 7.2.0+)

$wgOpenIDConnect_RealNameProcessor

Default value: null

Callable that takes two parameters (real name string and the array of attributes returned from the identity provider) and returns a possibly modified real name to use for a new user; this value is only used if no value is provided for realnameProcessor in the config data section (version 7.2.0+)

$wgOpenIDConnect_EmailProcessor

Default value: null

Callable that takes two parameters (email address string and the array of attributes returned from the identity provider) and returns a possibly modified email address to use for a new user; this value is only used if no value is provided for emailProcessor in the config data section (version 7.2.0+)

$wgOpenIDConnect_UseRandomUsernames

Default value: false

Boolean to indicate whether to generate a random unique identifier to use for the username of a new user if no preferred username is provided (rather than the default of using User followed by a unique integer) and no value is provided for useRandomUsernames in the config data section (version 8.0.0+)


Connecting to a single issuer

A simple example of the $wgPluggableAuth_Config configuration for a single issuer is as follows:

$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://id.mycompany_abc.com/connect/',
        'clientID' => '.....',
        'clientsecret' => '.....'
    ]
];

Connecting to multiple issuers

An example of the $wgPluggableAuth_Config configuration for multiple issuers is as follows:

$wgPluggableAuth_Config["My Company's Connect Server"] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://id.mycompany_abc.com/connect/',
        'clientID' => '.....',
        'clientsecret' => '.....'
    ]
];
$wgPluggableAuth_Config["Partner Company's Connect Server"] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://id.partnercompany_def.com/connect/',
        'clientID' => '.....',
        'clientsecret' => '.....'
    ]
];

As of version 7.0.0, group synchronization is possible using the capability provided by the PluggableAuth extension. For information on configuring group synchronization, see the PluggableAuth documentation.

Backchannel logout

As of version 8.3.0, backchannel logout is supported. In order to use it, you must configure your identity provider for backchannel logout, pointing to the rest.php/pluggableauth/v1/logout endpoint on your wiki.

Examples

Google

Issuer configuration

  1. Using the Google Developer Console create a project.
  2. Click on the project, click on the hamburger menu (three horizontal lines in the top left), and click on APIs & Services -> Credentials on the menu.
  3. Click the Create credentials -> OAuth client ID button and select Web application. Fill in the consent screen information and save.
  4. Provide the redirect URI in Authorized redirect URIs[2]
  5. Click Create Client ID.
  6. Note the Client ID and Client Secret that are assigned.


Extension configuration

The Google issuer is now configured. Add the corresponding configuration to your LocalSettings.php file, filling in the clientID and clientsecret fields with the values assigned above.

$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://accounts.google.com',
        'clientID' => '.....',
        'clientsecret' => '.....',
    ]
];

You may also assign other values such as proxy and authparam.

Azure Active Directory

Azure Active Directory is now Microsoft Entra ID.

Microsoft Entra ID

Entra ID is the new name of the service formerly called "Azure Active Directory."

Issuer configuration

  1. In the Entra admin center, go to 'Identity', then to 'Applications', and then 'App Registrations'
  2. Register a new Application
    1. Provide a Name
    2. Likely specify 'Accounts in this org directory only'
    3. Provide the redirect URI:[2]
       https://[URLofWiki]/wiki/Special:PluggableAuthLogin
  3. In the new app, go to 'Certificates and secrets' and create a new Client secret

Extension configuration

Using the 'Application (client) ID', Directory (tenant) ID, and Secret from the application, populate your "LocalSettings.php" file:

$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://login.microsoftonline.com/[tenantID]/v2.0/',
        'clientID' => '[Application (Client) ID]',
        'clientsecret' => '[Secret from Certs and Secrets]'
    ]
];
$wgOpenIDConnect_UseRealNameAsUserName = true;

In the provider URL, you don't have to use the tenant ID if you don't remember it. Instead, you can use your onmicrosoft.com tenant subdomain, for instance https://login.microsoftonline.com/mytenant.onmicrosoft.com/v2.0/.

When using the common endpoint for Microsoft login, the issuer URL provided by the well-known endpoint contains a placeholder for the tenant ID, causing verification of JWT claims to fail. In this case, you can use an issuer validator to fix this. For example, you could provide an issuer validator that always returns true:

$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://login.microsoftonline.com/common/v2.0/',
        'clientID' => '[Application (Client) ID]',
        'clientsecret' => '[Secret from Certs and Secrets]',
        'issuerValidator' => fn( $iss ) => true,
    ]
];
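A validator that always returns true disables the issuer check entirely, so an ID token from any tenant on login.microsoftonline.com would be accepted. As an added example (not from the extension's documentation), the following builds an issuerValidator for the common endpoint that accepts only issuers whose tenant ID is on an allow-list; the two tenant GUIDs are placeholders to be replaced with your own.

```php
// Added example for the Entra "common" endpoint: accept only known tenants.
// The tenant GUIDs below are placeholders (assumption), not real tenants.

/**
 * Return a validator that accepts issuers of the form
 * https://login.microsoftonline.com/{tenantId}/v2.0 only when {tenantId} is allowed.
 */
function wikiEntraIssuerValidator( array $allowedTenantIds ): callable {
	$allowed = array_map( 'strtolower', $allowedTenantIds );
	return static function ( $iss ) use ( $allowed ): bool {
		$m = [];
		// Exact host, a GUID-shaped tenant segment, the v2.0 suffix, optional trailing slash
		$pattern = '#^https://login\.microsoftonline\.com/([0-9a-fA-F-]{36})/v2\.0/?$#';
		if ( !preg_match( $pattern, (string)$iss, $m ) ) {
			return false;   // unexpected host or shape: reject
		}
		return in_array( strtolower( $m[1] ), $allowed, true );
	};
}

$wgPluggableAuth_Config[] = [
	'plugin' => 'OpenIDConnect',
	'data' => [
		'providerURL' => 'https://login.microsoftonline.com/common/v2.0/',
		'clientID' => '[Application (Client) ID]',
		'clientsecret' => '[Secret from Certs and Secrets]',
		'issuerValidator' => wikiEntraIssuerValidator( [
			'00000000-0000-0000-0000-000000000001', // placeholder: your home tenant
			'00000000-0000-0000-0000-000000000002', // placeholder: a partner tenant
		] ),
	]
];
```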

Extension configuration with Group mapping

$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        // from above example
    ],
    'groupsyncs' => [
        [
            'type' => 'mapped',
            'map' => [
                'sysop' => ['groups' => '8d1cc10c-3e95-4637-941d-0c1237352e85'],
                'interface-admin' => ['groups' => 'See where to find Object ID below']
            ]
        ]
    ]
];
  1. In Azure, go to `Manage` -> `Token configuration`. Click `Add group claims`, select "Groups assigned to the application (recommended for large enterprise companies to avoid exceeding the limit on the number of groups a token can emit)".
  2. Find app in Enterprise applications, and go to `Manage` -> `Users and groups`. Add group.
  3. You can now click on the group and copy the `Object ID` and paste above.
  4. You need to log in again for the change to take effect.

Keycloak

Issuer configuration

Assumptions:

  • Your Keycloak realm name is acme
  • Your Keycloak URL and Port is https://keycloak.local:8080
  • Your Keycloak Client ID is set to mediawiki
  • Your auto-generated client secret is 12345

Extension configuration

$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://keycloak.local:8080/realms/acme',
        'clientID' => 'mediawiki',
        'clientsecret' => '12345'
    ]
];

Troubleshooting

  • If you're running into trouble, like "The provider {$param} could not be fetched. Make sure your provider has a well known configuration available.", your URI[3] is wrong. You can test its correctness by opening https://keycloak.local:8080/realms/acme/.well-known/openid-configuration in your browser. If you get back a long JSON document, the path is correct.
    • Another way to verify the 'providerURL' is to check it against the 'Redirect URI' at Keycloak > Identity Providers > keycloak-oidc, i.e. https://keycloak.local:8080/realms/acme/broker/keycloak-oidc/endpoint. For 'providerURL' you need the portion up to one level below realms.
  • Make sure the redirect URI provided by this OIDC[4] plugin is set as valid for your Keycloak server under acme -> Clients -> mediawiki -> Settings -> Valid redirect URIs. For testing purposes you can add a wildcard "*".
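The browser check above can be scripted. As an added example (not part of the extension), this command-line PHP script fetches the well-known document for a providerURL value with certificate verification on, reports the advertised issuer and endpoints, and flags missing required fields or a missing PKCE S256 method. The script name check-oidc-provider.php is an assumption.

```php
<?php
// Added example: php check-oidc-provider.php https://keycloak.local:8080/realms/acme

function checkOidcProvider( string $providerUrl ): array {
	$wellKnown = rtrim( $providerUrl, '/' ) . '/.well-known/openid-configuration';
	$ch = curl_init( $wellKnown );
	curl_setopt_array( $ch, [
		CURLOPT_RETURNTRANSFER => true,
		CURLOPT_SSL_VERIFYPEER => true,   // same defaults as verifyPeer/verifyHost = true
		CURLOPT_SSL_VERIFYHOST => 2,
		CURLOPT_TIMEOUT => 10,
	] );
	$body = curl_exec( $ch );
	$status = (int)curl_getinfo( $ch, CURLINFO_HTTP_CODE );
	$err = curl_error( $ch );
	curl_close( $ch );

	if ( $body === false ) {
		return [ 'ok' => false, 'problems' => [ "fetch failed: $err" ] ];
	}
	if ( $status !== 200 ) {
		return [ 'ok' => false, 'problems' => [ "HTTP $status from $wellKnown" ] ];
	}
	$cfg = json_decode( $body, true );
	if ( !is_array( $cfg ) ) {
		return [ 'ok' => false, 'problems' => [ 'response is not a JSON object' ] ];
	}

	$problems = [];
	foreach ( [ 'issuer', 'authorization_endpoint', 'token_endpoint', 'jwks_uri' ] as $key ) {
		if ( empty( $cfg[$key] ) ) {
			$problems[] = "missing required field $key";
		}
	}
	// The iss claim of every ID token must equal this value; a placeholder such as
	// {tenantid} (Entra "common" endpoint) means an issuerValidator will be needed.
	if ( isset( $cfg['issuer'] ) && strpos( $cfg['issuer'], '{' ) !== false ) {
		$problems[] = "issuer {$cfg['issuer']} contains a placeholder";
	}
	if ( !in_array( 'S256', $cfg['code_challenge_methods_supported'] ?? [], true ) ) {
		$problems[] = 'provider does not advertise PKCE method S256';
	}

	return [
		'ok' => $problems === [],
		'issuer' => $cfg['issuer'] ?? null,
		'endpoints' => [
			'authorization' => $cfg['authorization_endpoint'] ?? null,
			'token' => $cfg['token_endpoint'] ?? null,
			'end_session' => $cfg['end_session_endpoint'] ?? null, // needed for SingleLogout
		],
		// Discovery spec default when the field is absent is client_secret_basic
		'token_auth_methods' => $cfg['token_endpoint_auth_methods_supported'] ?? [ 'client_secret_basic' ],
		'problems' => $problems,
	];
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
	$result = checkOidcProvider( $argv[1] );
	echo json_encode( $result, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES ), "\n";
	exit( $result['ok'] ? 0 : 1 );
}
```

The exit status is non-zero when any problem is found, so the script can run from a deployment pipeline before a configuration change goes live.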

Okta

Issuer configuration

Okta OIDC app settings

Allowed grant types: (all)
Login redirect URIs: the full URL to Special:PluggableAuthLogin, e.g. https://www.example.com/wiki/index.php/Special:PluggableAuthLogin
Login flow: "Redirect to app to initiate login (OIDC compliant)"
Initiate login URI: the full URL to Special:UserLogin, e.g. https://www.example.com/wiki/index.php/Special:UserLogin

Extension configuration

You must specify the openid, profile, and email scopes to communicate with Okta. If you omit the appropriate scopes, Okta will gladly authenticate your users but will not return any useful claims.

$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://your-okta-org.okta.com',
        'clientID' => '(paste the client ID Okta assigned your new app here)',
        'clientsecret' => '(paste the client secret Okta assigned your new app here)'
    ]
];

Auto-creating users

If you want to take advantage of MediaWiki's user auto-creation (e.g. $wgGroupPermissions['*']['autocreateaccount'] = true;), be aware that Okta's preferred_username claims take the format of an email address.

If you do not want your users to have an @ character in their usernames (this is forbidden by MediaWiki by default), you will need to specify an alternative claim to use via the 'preferred_username' key in your $wgPluggableAuth_Config.

Allowing @ in usernames may break your wiki's Interwiki compatibility (if you rely on that). To allow the use of the @ character, just set $wgInvalidUsernameCharacters = ' '; and $wgUserrightsInterwikiDelimiter = '#'; in LocalSettings.php.
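Rather than relaxing $wgInvalidUsernameCharacters, the preferredUsernameProcessor key described under $wgPluggableAuth_Config can derive a wiki-safe username from Okta's email-format preferred_username. This is an added example, not configuration from the extension's documentation; the Okta values are placeholders, and it assumes an empty processed username is treated like a missing preferred username.

```php
// Added example: keep auto-creation enabled while keeping '@' out of usernames.

/**
 * Turn an email-shaped preferred username such as "jane.doe@example.com" into
 * "Jane.doe". The second parameter is the attribute array from the provider.
 */
function wikiOktaUsernameProcessor( $preferred, $attributes ) {
	$local = (string)$preferred;
	$at = strpos( $local, '@' );
	if ( $at !== false ) {
		$local = substr( $local, 0, $at );   // keep only the part before '@'
	}
	// Strip '@', ':' and characters MediaWiki does not allow in page titles
	$local = preg_replace( '/[@:#<>\[\]|{}\/]/', '', $local );
	$local = trim( $local );
	if ( $local === '' ) {
		// Assumption: an empty result behaves like no preferred username,
		// so the extension's default naming applies.
		return '';
	}
	return ucfirst( $local );   // MediaWiki usernames begin with a capital letter
}

$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgPluggableAuth_Config[] = [
	'plugin' => 'OpenIDConnect',
	'data' => [
		'providerURL' => 'https://your-okta-org.okta.com',       // placeholder
		'clientID' => '(client ID Okta assigned your app)',       // placeholder
		'clientsecret' => '(client secret Okta assigned your app)',
		'scope' => [ 'openid', 'profile', 'email' ],
		'preferredUsernameProcessor' => 'wikiOktaUsernameProcessor',
	]
];
```

Two different email addresses with the same local part map to the same wiki username, so with the user-migration flags off the second person to log in gets a separate account with a suffixed name rather than access to the first account.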

Notes

As of the date this example was written, a bug exists in the OpenID Connect PHP library which causes stricter OIDC providers like Okta to reject certain requests.

This should be resolved in the future when the library is updated to incorporate the change. The workaround is to add a single line of code to $MEDIAWIKI_ROOT/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php: directly below the line
unset($token_params['client_secret']);
add
unset($token_params['client_id']);
(see https://github.com/jumbojett/OpenID-Connect-PHP/pull/208/commits/dd44c1ca7e45d35dcd8f32ea503b545149bc6562; this was fixed in version 0.9.8).

To authenticate your users against Okta, you must first create a new OIDC app in your Okta org and assign it to the relevant users/groups, etc.

Gitlab

Issuer configuration

  • Login to Gitlab Admin Area
  • Go to Applications -> New Application
    • Name: MediaWiki
    • Redirect URI: <wiki server>/wiki/Special:PluggableAuthLogin
    • Trusted: yes
    • Confidential: yes
    • Scopes: openid, profile, email
  • Submit
  • Copy Application ID and Secret to LocalSettings.php

Extension configuration

In "LocalSettings.php"

// Extension PluggableAuth
wfLoadExtension( 'PluggableAuth' );
$wgPluggableAuth_EnableLocalLogin = true; // set to false to deactivate local logins if required

// Extension OpenIDConnect
wfLoadExtension( 'OpenIDConnect' );
$wgPluggableAuth_Config['Login with your Gitlab Account'] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => '...',  // Add your Gitlab server here (main page)
        'clientID' => '...',     // Insert the Gitlab Application ID here
        'clientsecret' => '...', // Insert the Gitlab Secret here
        // Alternatives: 'nickname' or 'name'
        'preferred_username' => 'nickname'
    ]
];

You can find more information in Gitlab's docs under OpenID Connect Provider.

Amazon Cognito

Amazon Cognito is a user identity service by AWS[5].

Issuer configuration

Assumptions:

  • Your Amazon Cognito user pool ID is us-west-2_XdLg34nAA
  • Your AWS region is us-west-2
  • Your Client ID is set to mediawiki
  • Your auto-generated client secret is 12345

Extension configuration

$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://cognito-idp.us-west-2.amazonaws.com/us-west-2_XdLg34nAA',
        'clientID' => 'mediawiki',
        'clientsecret' => '12345'
    ]
];

For detailed instructions about how to configure Amazon Cognito for this use case, please refer to https://medium.com/@robert.broeckelmann/openid-connect-authorization-code-flow-with-aws-cognito-246997abd11a

NextCloud

Issuer configuration

Assumptions:

  • Running Nextcloud version 24, or Nextcloud All-In-One v3.0.0
  • Nextcloud has the app "OIDC Identity Provider v0.2.6" installed. https://github.com/H2CK/oidc
  • Your Nextcloud runs from the domain my.nextcloud.com
  • The public URL https://my.nextcloud.com/.well-known/openid-configuration is redirected to <your internal nextcloud server>/index.php/apps/oidc/openid-configuration by e.g. nginx or another reverse proxy.
  • Via a Nextcloud admin account, under Settings > Security > "Open ID Connect clients" you add a client with the following details:
    • Name: wiki
    • Redirection URI: the full URL to Special:PluggableAuthLogin, e.g. https://www.example.com/wiki/index.php/Special:PluggableAuthLogin (Note: if your wiki's default language isn't English, Special will be different!)
    • Signing Algorithm: RS256
    • Type: confidential
    When you click "Add" it will provide the Client Identifier string and the Secret string. Enter these values into LocalSettings.php for myGeneratedID and myGeneratedSecret shown below.


Extension configuration

wfLoadExtension( 'PluggableAuth' );
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgPluggableAuth_EnableAutoLogin = true; // Now the user doesn't have the 'login'/'logout' button.

wfLoadExtension( 'OpenIDConnect' );
$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://my.nextcloud.com',
        'clientID' => 'myGeneratedID',
        'clientsecret' => 'myGeneratedSecret'
    ]
];


Release Notes

Version 8.3.0
  • Add support for backchannel logout (T327147)
Version 8.2.1
  • Fixed case insensitive email comparison for email migration
Version 8.2.0
  • Added support for specifying parameters to the well known config (T383498)
  • Added support for code challenge/PKCE (T366023)
  • Added ability to set the token endpoint auth (T378905)
Version 8.1.0
Version 8.0.2
  • Use case insensitive email comparison for email migration
  • Improved random username generation
Version 8.0.1
Version 8.0.0
  • Allow multiple identity providers to map to a single user (T361877)
Version 7.2.0
Version 7.1.0
  • Support custom issuer validator (T360249)
Version 7.0.2
  • Use ID token to get claims during authentication (T348931)
Version 7.0.1
  • Allow preferred_username config attribute to be null or blank (T339311)
Version 7.0.0
  • Made compatible with PluggableAuth 7.0.0
  • Add optional single logout ($wgOpenIDConnect_SingleLogout)
  • Replace ForceLogout (which was broken) with ForceReauth ($wgOpenIDConnect_ForceReauth)
  • Add function to get access token with refresh token
  • Use new PluggableAuth group population framework; supports retrieval of attributes including groups
  • Code improvements
  • Bug fixes:
    • T307353: Query condition in username migration is wrong
Version 6.2
  • Update jumbojett/openid-connect-php library version to 0.9.10
  • Replace deprecated User::idFromName
Version 6.1
  • Make sure populate group hook only runs for OpenID Connect plugin instances
Version 6.0
  • Updated to be compatible with PluggableAuth version 6.0
Version 5.4
  • Updated jumbojett/openid-connect-php to version 0.9.1
  • Fixed bug while trying to authenticate with Okta where extra parameters are sent in the request making the request fail
Version 5.3
  • Fixed bug with migrated initial lowercase usernames (T249630)
Version 5.2
  • Added optional configuration options for disabling the verification of hostnames and certificates, for use in development environments with self-issued certificates
Version 5.1
  • Added generation of full redirect URL so OpenID Connect PHP library doesn't have to guess, which occasionally it didn't have enough information to do accurately
Version 5.0
  • Moved subject and issuer columns from user table to openid_connect table (requires database update)
  • Added support for Postgres
Version 4.1
  • Added namespace for library class
Version 4.0
  • Added optional error message to authenticate()
  • Bumped version number to synchronize with PluggableAuth and SimpleSAMLphp extensions
Version 2.3
  • Fixed whitelist implementation
  • Changes migration flags to allow migration by email address in addition to migration by user name
Version 2.2
  • Fixes related to PluggableAuth MediaWiki 1.27 upgrade
  • Array coding conventions
Version 2.1
  • Update to MediaWiki 1.27 session management
  • Added default values for configuration variables to extension.json
Version 2.0
  • Updated extension registration
  • Changed configuration variables to use "wg" prefix
  • Added composer.json to get OpenID Connect library using composer
Version 1.2
  • Added ability to specify auth params and added support for table prefixes
Version 1.1
  • Added support for Google
Version 1.0
  • Initial version


Known issues

  • Wikis that use URLs of the form https://example.org/w/index.php?title=Page_title (i.e. having the page title provided as a query parameter) will not be redirected correctly to complete the authentication flow. Instead, URLs must be of the form https://example.org/w/index.php/Page_title, which can be accomplished by using short URLs or by setting $wgArticlePath appropriately.
  • This extension may not work correctly with $wgMainCacheType = CACHE_ACCEL;. In this case you also need to set $wgSessionCacheType = CACHE_DB; (see T147161).
  • This extension does not work on non-standard ports unless you manually update the underlying OpenID Connect client; see jumbojett/OpenID-Connect-PHP issue 58 on GitHub. This issue also applies when connecting to web servers other than IIS.
  • When running the createAndPromote.php maintenance script, both the PluggableAuth and OpenID Connect extensions need to be disabled by commenting out their wfLoadExtension() calls.
  • This extension does not support custom well-known endpoints. This means Azure Active Directory B2C's OpenID Connect authentication flow is currently not supported.

Notes

  1. openid.net: OpenID Provider Configuration Request
  2. Note that the link for the authorized redirect URI must be localized, e.g. if you set your wiki's instance language to 'de' ($wgLanguageCode = 'de';) you need to specify "https://[URLofWiki]/wiki/Spezial:PluggableAuthLogin". Ensure percent-encoding in case of multi-byte characters in the URL, e.g., for instance language 'cz' you need to specify "https://[URLofWiki]/wiki/Speci%C3%A1ln%C3%AD:PluggableAuthLogin", etc.
  3. Uniform Resource Identifier (URI)
  4. OpenID Connect (OIDC)
  5. Amazon Web Services (AWS)
