Wikimore

**MediaWiki extensions manual**
OAuth; Release status: stableCategory:Stable extensions
Implementation	User identityCategory:User identity extensions, User rightsCategory:User rights extensions, APICategory:API extensions
Description	Allow users to safely authorize another application ("consumer") to use the MediaWiki action API on their behalf.
Author(s)	Aaron Schulz, Chris Steipp, Brad Jorsch, Robert Vogel, Dejan Savuljesku
Latest version	1.1.0 (continuous updates)
Compatibility policy	Snapshots releases along with MediaWiki. Master is not backward compatible.Category:Extensions with release branches compatibility policy
Database changes	Yes
Tables	oauth_accepted_consumer; oauth_registered_consumer
License	GNU General Public License 2.0 or later
Download	Download extension ; Git [?]: Browse repository (Phabricator · GitHub); Gerrit code review; Git commit log; Download source tarball; Category:Extensions in Wikimedia version control
Help	Help:OAuth
	Parameters $wgOAuth2PublicKey; $wgOAuth2RequireCodeChallengeForPublicClients; $wgMWOAuthCentralWiki; $wgMWOAuthSecureTokenTransfer; $wgMWOAuthSharedUserSource; $wgOAuth2GrantExpirationInterval; $wgOAuthAutoApprove; $wgMWOauthDisabledApiModules; $wgOAuth2EnabledGrantTypes; $wgMWOAuthNonceCacheType; $wgOAuthGroupsToNotify; $wgMWOAuthRequestExpirationAge; $wgOAuth2RefreshTokenTTL; $wgMWOAuthSessionCacheType; $wgMWOAuthReadOnly; $wgOAuth2PrivateKey; $wgMWOAuthSharedUserIDs; $wgOAuthSecretKey;
	Added rights mwoauthproposeconsumer; mwoauthupdateownconsumer; mwoauthmanageconsumer; mwoauthsuppress; mwoauthviewsuppressed; mwoauthviewprivate; mwoauthmanagemygrants Category:Extensions which add rights;
	Hooks used AbuseFilter-builderCategory:AbuseFilter-builder extensions; AbuseFilter-computeVariableCategory:AbuseFilter-computeVariable extensions; AbuseFilter-generateUserVarsCategory:AbuseFilter-generateUserVars extensions; ApiRsdServiceApisCategory:ApiRsdServiceApis extensions; BeforeCreateEchoEventCategory:BeforeCreateEchoEvent extensions; ChangeTagCanCreateCategory:ChangeTagCanCreate extensions; ChangeTagsListActiveCategory:ChangeTagsListActive extensions; GetPreferencesCategory:GetPreferences extensions; ListDefinedTagsCategory:ListDefinedTags extensions; LoadExtensionSchemaUpdatesCategory:LoadExtensionSchemaUpdates extensions; LoginFormValidErrorMessagesCategory:LoginFormValidErrorMessages extensions; MergeAccountFromToCategory:MergeAccountFromTo extensions; MessagesPreLoadCategory:MessagesPreLoad extensions; SetupAfterCacheCategory:SetupAfterCache extensions; SpecialPageAfterExecuteCategory:SpecialPageAfterExecute extensions; SpecialPageBeforeFormDisplayCategory:SpecialPageBeforeFormDisplay extensions; SpecialPage_initListCategory:SpecialPage initList extensions; TestCanonicalRedirectCategory:TestCanonicalRedirect extensions;
	Hooks provided OAuthReplaceMessage;
Quarterly downloads	61 (Ranked 60th)
Public wikis using	982 (Ranked 246th)
	Translate the OAuth extension if it is available at translatewiki.net
Vagrant role	oauth
Issues	Open tasks · Report a bug

Category:Extensions without an image Category:GPL licensed extensionsCategory:All extensions

The OAuth extension implements an OAuth server in MediaWiki that supports both the OAuth 1.0a and OAuth 2.0 protocol versions. It allows third party developers to securely develop applications ("consumers"), to which users can give a limited set of permissions ("grants"), so that the application can use the MediaWiki action API on the user's behalf.

If you're attempting to develop an application that uses OAuth on a wiki, see OAuth for Developers. If you are trying to use an OAuth-enabled tool on a wiki which has this extension installed, see OAuth.

Requirements

OAuth relies on the object cache for temporary tokens and sessions. This should work as long as cache configuration settings are sane. (Older versions required Memcached explicitly.)
Currently, only MySQL and SQLite database backends are supported
If the MediaWiki installation is private (i.e. users need to log in to have read access), Special:OAuth will need to be added to the white list.

Installation

Download and move the extracted OAuth folder to your extensions/ directory.
Developers and code contributors should install the extension from Git instead, using:cd extensions/ git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/OAuth
Only when installing from Git, run Composer to install PHP dependencies, by issuing composer install --no-dev in the extension directory. (See T173141 for potential complications.)Category:Extensions requiring Composer with git
Add the following code at the bottom of your LocalSettings.php file:
```
wfLoadExtension( 'OAuth' );
```
Run the update script which will automatically create the necessary database tables that this extension needs.
Configure the general parameters as required.
Configure the user rights by putting them into the relevant groups in $wgGroupPermissions.
Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.

Vagrant installation:

If using Vagrant , install with vagrant roles enable oauth --provision

To assign a permission to some group, for example to sysops, you add following line to LocalSettings.php:

$wgGroupPermissions['sysop']['mwoauthproposeconsumer'] = true;

Configuration

Parameters

Variable name	Default value	Description
`$wgMWOAuthCentralWiki`	`false`	Wiki ID of OAuth management wiki. On wiki farms, it makes sense to set this to a wiki that acts as a portal site, is dedicated to management, or just handles login/authentication. It can, however, be set to any wiki in the farm. For single-wiki sites or farms where each wiki manages consumers separately, it should be left as `false`.
`$wgMWOAuthSharedUserIDs`	`false`	(deprecated) Use `$wgMWOAuthSharedUserSource` instead Whether shared global user IDs are stored in the oauth tables. On wiki farms with a central authentication system (with integer user IDs) that share a single OAuth management wiki, this must be set to true. If wikis have a central authentication system but have their own OAuth management, then this can be either `true` or `false`. Otherwise it should always be set to `false`. Setting this to true requires CentralIdLookup or an MWOAuth aware authentication extension. This value should not be changed after the fact to avoid ambigious IDs. Proper user ID migration should be done before any such changes.
`$wgMWOAuthSharedUserSource`	`null`	Central ID provider when sharing OAuth credentials over a wiki farm Source of shared user IDs, if enabled. If CentralIdLookup is available, this is the $providerId for CentralIdLookup::factory(). Generally null would be what you want, to use the default provider. If that class is not available or the named provider is not found, this is passed to the OAuthGetUserNamesFromCentralIds, OAuthGetLocalUserFromCentralId, OAuthGetCentralIdFromLocalUser, OAuthGetCentralIdFromUserName hooks. This has no effect if $wgMWOAuthSharedUserIDs is set to false.
`$wgMWOAuthRequestExpirationAge`	`2,592,000` (30 days)	Seconds after which an idle request for a new Consumer is marked as "expired"
`$wgMWOAuthSecureTokenTransfer`	`true`	Require SSL/TLS for returning Consumer and user secrets. This is required by RFC 5849, however if a wiki wants to use OAuth, but doesn't support SSL, this option makes this configuration possible. This should be set to true for most production settings.
`$wgOAuthSecretKey`	`$wgSecretKey`	A secret configuration string (random 32-bit string generated using "base64_encode(random_bytes(32))") used to hmac the database-stored secret to produce the shared secrets for Consumers. This provides some protection against an attacker reading the values out of the consumer table (the attacker would also need $wgOAuthSecretKey to generate valid secrets), and some protection against potential weaknesses in the secret generation. If this string is compromised, the site should generate a new $wgOAuthSecretKey, which will invalidate Consumer authorizations that use HMAC/shared secret signatures instead of public/private keys. Consumers can regenerate their new shared secret by using the "Reset the secret key to a new value" option under Special:MWOAuthConsumerRegistration/update. If null, the value is set to $wgSecretKey.
`$wgOAuthGroupsToNotify`	`[]`	The list of user groups which should be notified about new consumer proposals. Setting this will only have an effect when Echo is installed.
`$wgMWOauthDisabledApiModules`	`[]`	List of API module classes to disable when OAuth is used for the request
`$wgMWOAuthReadOnly`	`false`	Prevent write activity to the database. When this is set, consumers cannot be added or updated, and new authorizations are prohibited. Authorization headers for existing authorizations will continue to work. Useful for migrating database tables
`$wgMWOAuthSessionCacheType`	`$wgSessionCacheType`	The storage mechanism for session data. If null, it defaults to $wgSessionCacheType.
`$wgOAuthAutoApprove`	`[]`	Allows automatic immediate approval of low-risk apps. In the form of `[ 'grants' => [ 'grant1', 'grant2', ... ] ]`
`$wgOAuth2EnabledGrantTypes`	[ "authorization_code", "refresh_token", "client_credentials" ]	List of OAuth2 grants that client applications can be allowed to use. Actual grants client application will be allowed to use can be any subset of grants listed here. Grants, other than the ones listed here, are considered legacy grants, and are not supported by this extension
`$wgOAuth2PrivateKey`	`""`	Private key or a path to the private key used to sign OAuth2 JWT being transmitted. See the OAuth 2.0 Server documentation for how to generate the keys.
`$wgOAuth2PublicKey`	`""`	Public key or a path to the public key used to verify OAuth2 resource requests.
`$wgOAuth2RequireCodeChallengeForPublicClients`	`true`	Controls whether clients are required to send code challenges with OAuth2 requests. This only applies to non-confidential clients.
`$wgOAuth2GrantExpirationInterval`	`"PT1H"` (1 hour)	Controls validity period for access tokens (stored in the cache configured in MWOAuthSessionCacheType). Does not apply to owner-only clients, whose access tokens are always non-expiring. Accepts ISO 8601 durations or can be set to "infinity" or false for non-expiring tokens.
`$wgOAuth2RefreshTokenTTL`	`"P1M"` (1 month)	Controls validity period for refresh tokens (stored in the cache configured in MWOAuthSessionCacheType). Accepts ISO 8601 durations or can be set to "infinity" or false for non-expiring tokens.

User rights

Right	Description
`mwoauthproposeconsumer`	Propose new OAuth consumers
`mwoauthupdateownconsumer`	Update OAuth consumers you control
`mwoauthmanageconsumer`	Manage OAuth consumers
`mwoauthsuppress`	Suppress OAuth consumers
`mwoauthviewsuppressed`	View suppressed OAuth consumers
`mwoauthviewprivate`	View private OAuth data
`mwoauthmanagemygrants`	Manage OAuth grants

Endpoints

OAuth 2.0 REST endpoints

The following REST endpoints are provided for OAuth 2.0 interaction

Path Description Allowed parameters Allowed method

/oauth2/authorize

Used for retrieving authorization code when using authorization_code grant.

Name	Required?	Description
response_type	Yes
client_id	Yes
redirect_uri	No	if present, must match the URI that was set when client was registered exactly
scope	No
state	No
code_challenge	No	required if `$wgOAuth2RequireCodeChallengeForPublicClients` is `true`
code_challenge_method	No	required if `$wgOAuth2RequireCodeChallengeForPublicClients` is `true`

GET

/oauth2/access_token

Used for requesting access tokens

Name	Required?	Description
grant_type	Yes	type of grant used
client_id	No
client_secret	No	required if client is `confidential`
redirect_uri	No	if present, must match the URI that was set when client was registered exactly
scope	No
code	No	required if `authorization_code` grant is used
refresh_token	No	required if `refresh_token` grant is used
code_verifier	No

POST

/oauth2/resource/{{type}}

Used for retrieving protected resources using the access token issued previously.

Currently, two resource types can be retrieved using this endpoint, by replacing {{type}} placeholder with the type key:

profile - retrieve the user profile of the user that is represented by the access token used to make the request - usually used for logging users in on 3rd party websites using MediaWiki
scopes - retrieve all scopes client (application) is allowed to use with the current access token

No parameters are allowed, apart from the {{type}} parameter that is included in the path

GET/POST

/oauth2/client

Lists OAuth 1.0a or 2.0 clients for the logged-in user. Authentication can be achieved over CentralAuth or by including an access token in the authorization header.

Response example

{
  "clients": [
    {
      "client_key": "xxxxxxxxxxxxxx",
      "name": "TestFromCurl1807",
      "version": "2.0",
      "email": "admin@example.com",
      "callback_url": "http://example.com",
      "scopes": [
        "authonly"
      ],
      "registration": "20200818230806",
      "stage": 0,
      "oauth_version": 2,
      "description": "foo",
      "allowed_grants": [
        "authorization_code"
      ],
      "registration_formatted": "23:08, 18 August 2020"
    }
  ],
  "total": 1
}

oauth_version (optional) - either 1 (to return only OAuth 1.0a clients) or 2 (to return only OAuth 2.0 clients). Default: 2
Pagination parameters
- limit (optional) - maximum number of clients to return. Default: 25
- offset (optional) - number of clients to skip before returning the first result. Default: 0

GET

/oauth2/client/{client_key}/reset_secret

Resets a client secret. For owner-only clients, this endpoint also resets the access token.

Response example
{ "name": "Example", "client_key": "xxxxxxxxxx", "secret": "xxxxxxxxxx", "access_token": "xxxxxxxxxx" }

Name	Required?	Description	Default
`client_key`	Yes		client identifier
`reason`	No	string containing the reason for resetting the secret.	`''`

POST

/oauth2/client

Creates an OAuth 2.0 client.

Response example
{ "name": "Example", "client_key": "xxxxxxxxxx", "secret": "xxxxxxxxxx", "access_token": "xxxxxxxxxx" }

Name	Required?	Description	Default
`name`	Yes	client name
`description`	Yes	client description
`email`	Yes	contact email
`is_confidential`	Yes	set to true if the client is confidential; set to false for public clients like mobile and desktop apps
`grant_types`	Yes	OAuth 2.0 grant types used by the client, one or more of the following: `authorization_code`, `refresh_token`, `client_credentials`
`scopes`	Yes	OAuth 2.0 scopes, either `mwoauth-authonly`, `mwoauth-authonlyprivate` or the set of applicable grants
`version`	No	client version.	1.0
`wiki`	No	applicable project.	* for all wikis
`owner_only`	?	set to true for a client used only by the creating user
`callback_url`	No	Return URL for authorizing users.	`''`
`callback_is_prefix`	No	set to true to allow the client to specify a callback in requests and use the callback URL as a required prefix.	`false`

POST

If OAuth credentials are shared over a wiki farm, make sure that real names are used/hidden consistently across all wikis (using $wgHiddenPrefs). On wikis where real names are hidden, the OAuth permission request message that tells the user which information is shared does not mention the real name, so in that case there should not be any other wiki where the OAuth consumer may still get that information from.

OAuth Release status: stableCategory:Stable extensions
Implementation	User identity Category:User identity extensions, User rights Category:User rights extensions, API Category:API extensions
Description	Allow users to safely authorize another application ("consumer") to use the MediaWiki action API on their behalf.
Author(s)	Aaron Schulz, Chris Steipp, Brad Jorsch, Robert Vogel, Dejan Savuljesku
Latest version	1.1.0 (continuous updates)
Compatibility policy	Snapshots releases along with MediaWiki. Master is not backward compatible.Category:Extensions with release branches compatibility policy
Database changes	Yes
Tables	oauth_accepted_consumer oauth_registered_consumer
License	GNU General Public License 2.0 or later
Download	Download extension Git ^[?]: Browse repository (Phabricator · GitHub) Gerrit code review Git commit log Download source tarball Category:Extensions in Wikimedia version control
Help	Help:OAuth
Parameters $wgOAuth2PublicKey $wgOAuth2RequireCodeChallengeForPublicClients $wgMWOAuthCentralWiki $wgMWOAuthSecureTokenTransfer $wgMWOAuthSharedUserSource $wgOAuth2GrantExpirationInterval $wgOAuthAutoApprove $wgMWOauthDisabledApiModules $wgOAuth2EnabledGrantTypes $wgMWOAuthNonceCacheType $wgOAuthGroupsToNotify $wgMWOAuthRequestExpirationAge $wgOAuth2RefreshTokenTTL $wgMWOAuthSessionCacheType $wgMWOAuthReadOnly $wgOAuth2PrivateKey $wgMWOAuthSharedUserIDs $wgOAuthSecretKey
Added rights `mwoauthproposeconsumer` `mwoauthupdateownconsumer` `mwoauthmanageconsumer` `mwoauthsuppress` `mwoauthviewsuppressed` `mwoauthviewprivate` `mwoauthmanagemygrants` Category:Extensions which add rights
Hooks used AbuseFilter-builder Category:AbuseFilter-builder extensions AbuseFilter-computeVariable Category:AbuseFilter-computeVariable extensions AbuseFilter-generateUserVars Category:AbuseFilter-generateUserVars extensions ApiRsdServiceApis Category:ApiRsdServiceApis extensions BeforeCreateEchoEvent Category:BeforeCreateEchoEvent extensions ChangeTagCanCreate Category:ChangeTagCanCreate extensions ChangeTagsListActive Category:ChangeTagsListActive extensions GetPreferences Category:GetPreferences extensions ListDefinedTags Category:ListDefinedTags extensions LoadExtensionSchemaUpdates Category:LoadExtensionSchemaUpdates extensions LoginFormValidErrorMessages Category:LoginFormValidErrorMessages extensions MergeAccountFromTo Category:MergeAccountFromTo extensions MessagesPreLoad Category:MessagesPreLoad extensions SetupAfterCache Category:SetupAfterCache extensions SpecialPageAfterExecute Category:SpecialPageAfterExecute extensions SpecialPageBeforeFormDisplay Category:SpecialPageBeforeFormDisplay extensions SpecialPage_initList Category:SpecialPage initList extensions TestCanonicalRedirect Category:TestCanonicalRedirect extensions
Hooks provided OAuthReplaceMessage
Quarterly downloads	61 (Ranked 60^th)
Public wikis using	982 (Ranked 246^th)
Translate the OAuth extension if it is available at translatewiki.net
Vagrant role	oauth
Issues	Open tasks · Report a bug

Wikimore

Extension:OAuth

Requirements

Installation

Configuration

Parameters

User rights

Endpoints

OAuth 2.0 REST endpoints

See also