Extension:OpenID

From MediaWiki.org
Jump to: navigation, search
shortcut: OPENID
MediaWiki extensions manual - list
Crystal Clear action run.png
OpenID

Release status: stable
OpenID logo.svg
Implementation User identity, Special page
Description Allow users with accounts on other OpenID-enabled sites to log in; if enabled, it also allows to use OpenID identities on other sites
Author(s) E. Prodromou, T. Gries, S. Chernyshev, A. Emsenhuber
Last version 3.43 (2013-11-03)
MediaWiki all major versions but with MySQL only, PostgreSQL is not tested yet.
(older versions)
PHP all versions since 5.3 ... 5.5
Database changes php maintenance/update.php was required until r89709
License GPL
Download see "Download" section
Download snapshot (Git master)
Git [?]:

README
Parameters

(see below)
Hooks used
PersonalUrls

BeforePageDisplay
ArticleViewHeader
SpecialPage_initList
LoadExtensionSchemaUpdates
GetPreferences
DeleteAccount
MergeAccountFromTo
Check usage and version matrix; stats
Bugs: list open list all report

The extension makes a MediaWiki installation OpenID 2.0-aware and lets users log in using their OpenID identity - a special URL - instead of (or as an alternative to) standard username/password log in. In that way, the MediaWiki acts as Relying part (RP) = OpenID consumer.[1] As an option, it also allows the MediaWiki to act as OpenID provider, so that users with an account on that wiki can use a special identity URL as OpenID for login to other OpenID-aware web sites.

Pre-requisites and dependencies[edit | edit source]

MySQL ok, PostgreSQL ok[edit | edit source]

The extension has been developed and fully tested to work with MySQL databases by the maintainer.

requisite 1: php-openid library[edit | edit source]

The extension depends on the OpenID PHP library from https://github.com/openid/php-openid . Clone a recent version and move the Auth subdirectory as explained below in the Installation section.

requisite 2: PHP extensions or modules[edit | edit source]

You need to install a few additional dependencies as PHP extensions or recompile your PHP if these are not part of your standard PHP installation. When running a server with OpenSUSE you will likely have to add (via YaST or manually) at least the modules gmp, mcrypt, curl, openssl, xml.

Download[edit | edit source]

You can download the extension directly from the MediaWiki source code repository (browse code). You can get:

One of the extensions tags

Not all extensions have tags. Some extensions have tags for each release, in which case those tags have the same stability as the release. To download a tag

  • Go to the tags list
  • Click the name of the tag you want to download
  • Click "snapshot"
The latest version of one of the extensions branches

Each extension has a master branch containing the latest code (might be unstable). Extensions can have further branches as well.

  • Go to the branches list
  • Click the branch name
  • Click "snapshot"
A snapshot made during the release of a MediaWiki version.

This might be unstable and is not guaranteed to work with the associated MediaWiki version.

After you've got the code, save it into the extensions/OpenID directory of your wiki.

If you are familiar with git and have shell access to your server, you can obtain the extension, with all its tags and branches, as follows:

cd extensions
git clone https://gerrit.wikimedia.org/r/p/mediawiki/extensions/OpenID.git

Installation[edit | edit source]

  • Download and extract the files in a directory called OpenID in your extensions/ folder.
  • Add the following code at the bottom of your LocalSettings.php:
require_once "$IP/extensions/OpenID/OpenID.php";
  • Install the Auth subdirectory of the required OpenID PHP library in $IP/extensions/OpenID/Auth as explained in the following.
  • Run the update.php script in in your MediaWiki maintenance folder $IP/maintenance to create a new table in the MediaWiki database which is used by the OpenID extension.
cd $IP/extensions/OpenID
git clone git://github.com/openid/php-openid.git
mv php-openid/Auth/ Auth
rm -r php-openid
cd $IP/maintenance# php update.php
  • YesY Done – Navigate to "Special:Version" on your wiki to verify that the extension is successfully installed.

It should work out of the box, but you'll almost definitely want to set the trust root and access controls (see Configuration below).

  • If you restrict general access to wiki pages, you must add anonymous access for Special:OpenIDLogin and Special:OpenIDFinish or the OpenID Verification will fail. Typically this is done by adding those pages to $wgWhitelistRead in LocalSettings.php.
  • The user account must have a password associated to it: in Special:Preference Password Reset is added as new link.

Configuration[edit | edit source]

These settings can be configured in the LocalSettings.php file. Place your parameters after the require_once line for the OpenID extension.

Configuration parameters for OpenID extension
variable default description
$wgOpenIDLoginOnly (since 3.10)

$wgOpenIDOnly (until 3.09)

 true With this enabled, the default login personal_urls will be removed and additionally the options for linking your OpenID to an existing account will be removed from the registration form. Users then can only login via their OpenID accounts. This is perhaps the most important option.
$wgOpenIDConsumerAndAlsoProvider (since v3.12)

$wgOpenIDClientOnly (until v3.11)

 true If true, user accounts on this wiki can be used as OpenIDs on other sites.
$wgOpenIDAllowServingOpenIDUserAccounts true With this enabled, it allows to use a special url as OpenID to other sides even if user is using OpenID already for login to the wiki. Users can use their OpenIDs of this site A as OpenID on another site B even if user is using OpenID on A already. Some users might want to do that for vanity purposes or whatever. If false, serving OpenID accounts is prevented.
$wgOpenIDIdentifiersURL (since v3.00) "" When used as OpenID provider, you can optionally define a template for a customized fully specified url (CFSU) as identity url for delegation.

This allows differently looking "nice OpenID urls" in addition to the generic urls /User:Username and /Special:OpenIDIdentifier/<id> .

The CFSU template must contain a placeholder string "{ID}". The placeholder is substituted with the authenticated user's internal ID during the OpenID authentication process.

To make this working you need also to set up a suited rewrite rule in your web server which redirects the CFSU with the replaced user id to Special:OpenIDIdentifier/<id>.

The default value is str_replace( "$1", "Special:OpenIDIdentifier/{ID}", $wgServer . $wgArticlePath );
$wgOpenIDTrustRoot (since v1.005)

$wgTrustRoot (until v1.004)

 null This is an URL that identifies your site to OpenID servers. Typically, it's the "root" url of the site, like "http://en.wikipedia.org/" or "http://wikitravel.org/it/". If this is null, the software will make a half-hearted guess, but it's not very good and you should probably just set it.
$wgOpenIDConsumerDenyByDefault false The administrator can decide which OpenIDs are allowed to login to their server. If this flag is true, only those OpenIDs that match one of the $wgOpenIDConsumerAllow and not one of the $wgOpenIDConsumerDeny patterns will be allowed to log in. If it is false, all OpenIDs are allowed to log in, unless they are matched by an $wgOpenIDConsumerDeny pattern and not an $wgOpenIDConsumerAllow. Typically you'll set this to true for testing and then false for general use. When using deny and allow arrays, defines how the security works. If true, works like "Order Allow,Deny" in Apache; deny by default, allow items that match allow that don't match deny to pass. If false, works like "Order Deny,Allow" in Apache; allow by default, deny items in deny that aren't in allow.
$wgOpenIDConsumerAllow array() Which partners to allow; regexps here. See above. An array of regular expressions that match OpenIDs you want to allow to log in. For example, "@^(http://)?wikitravel.org/@" will allow OpenIDs from the Wikitravel domain.
$wgOpenIDConsumerDeny array() Which partners to deny; regexps here. See above. An array of regular expressions that match OpenIDs you want to deny access to. This is mostly useful for servers that are known to be bad. Example: "#^(http://)?example.com/#".
$wgOpenIDServerForceAllowTrust array() an array of regular expressions that match trust roots that you want to skip trust checks for when the user logs in from those sites. A typical example would be a closely federated cluster of sites (like Wikimedia, Wikia, or Wikitravel) where the personal data is available to the trusting server anyways. Be very careful using this across organizational boundaries.
$wgOpenIDUseEmailAsNickname false when first-time logging-in with OpenID, use the part before the @ in any given e-mail address as the username if a nickname is not given by the OpenID. This works well with $wgOpenIDConsumerForce where all users have a unique e-mail address at the same domain.
$wgOpenIDProposeUsernameFromSREG true when first-time logging in with OpenID, propose and allow new account names from OpenID SREG data such as fullname or nickname
$wgOpenIDAllowNewAccountname true when first-time logging in with OpenID, show option to enter and to allow a manually chosen username
$wgOpenIDAllowExistingAccountSelection true when first-time logging in with OpenID, show option to select an existing MediaWiki user
$wgOpenIDTrustEmailAddress false Implicitly trust the e-mail address sent from the OpenID server, and don't ask the user to verify it. This can lead to people with a nasty OpenID provider setting up accounts and spamming
$wgOpenIDAllowAutomaticUsername true when first-time logging in with OpenID, show option to choose and to allow an automatically generated username
$wgOpenIDConsumerStoreType 'file' strings denoting the type of storage to be used to store OpenID association data when acting as an OpenID relying party (consumer) and server, respectively. Only valid value is "file"; "memc" is no longer valid.
$wgOpenIDServerStoreType 'file' strings denoting the type of storage to be used to store OpenID association data when acting as an OpenID relying party (consumer) and server, respectively. Only valid value is "file"; "memc" is no longer valid.
$wgOpenIDConsumerStorePath false see $wgOpenIDServerStorePath
$wgOpenIDServerStorePath false strings specifying the paths where OpenID assocation data should be stored when acting as a relying party (consumer) or server, respectively. Each of these need only be set if the store type settings (above) are set to "file", respectively. These strings, if both are set, MUST NOT be equal. If the store type is "file", the default here is "/$wgTmpDirectory/$wgDBname/openid-consumer-store/" and "/$wgTmpDirectory/$wgDBname/openid-server-store/" respectively. Paths will be automatically created if they doesn't exist.
$wgOpenHideOpenIDLoginLink (since 3.41)

$wgHideOpenIDLoginLink (until 3.40)

 false boolean that says whether or not to hide the OpenID login link in the personal URLs. Typically you'd use this if you've already got some other method for showing the OpenID login link, like in your skin. Note that it will not prevent login if the user navigates to Special:OpenIDLogin directly; it's simply cosmetic. This is mostly a backwards-compatibility option.
$wgOpenIDSmallLogoUrl (since v3.06)

$wgOpenIDLoginLogoUrl (until v3.05)

 false Url of a small OpenID logo; The default (false) uses a built-in logo.
$wgOpenIDShowUrlOnUserPage "never" whether to show the OpenID identity URL on a user's home page. Possible values are
  • "never"
  • "user" (let the users decide in their preferences)
  • "always"
$wgOpenIDShowProviderIcons true With this enabled, users will see button icons instead of just links on the OpenID provider selection page.
$wgOpenIDForcedProvider (since 3.40)

$wgOpenIDConsumerForce

 Url of required OpenID provider. When this is set, it bypasses the OpenID provider selection form.
$wgOpenIDProviders (since 3.40) array() array of providers and their parameters

"It does not work": bugs, common pitfalls[edit | edit source]

Please check our First aid checklist before asking for help. Report a bug: see info box.
  • After creating a login with OpenID, features requiring a password (e.g. Special:ChangeEmail) won't work and features requiring an email (e.g. Special:PasswordReset) won't work because no email is set. See Bug 34357.
  • one MediaWiki acting as OpenID server Bob does not work with another or same MediaWiki acting as OpenID consumer Alice on the same server. Advice for the moment: use two different servers while playing with the extension
  • when you want to log in to your OpenID-consuming MediaWiki Alice as user X:
make sure that your are not logged in to the OpenID identity server Bob as another user Z ; otherwise you will see an error, which is intended.
I recommend you log out every persona you may have on server Bob while testing the extension
clear your browser cache of all Bob-related cookies, and session cookie.


Specific information[edit | edit source]

myOpenID to close down for good in February 2014[edit | edit source]

It has been reported, that myOpenID will close down for good in February 2014. Users of the OpenID registrar will have to go elsewhere.[2][3]

Google "2-step verification" is compatible[edit | edit source]

When using Google ID as OpenID, you can opt-in there to "2-step verification" ("two-factor authentication") because it is compatible with the OpenID extension.

Yahoo as OpenID provider: don't use! It is deprecated. Read why.[edit | edit source]

Yahoo allows users to regain other users e-mail addresses when they are not used for a certain time. This breaks the security of OpenID. The use of Yahoo OpenId is therefore deprecated and will be discontinued in the extension OpenID.[4][5]

References[edit | edit source]

  1. Relying party (RP) = consumer: The site that wants to verify the end-user's identifier; other terms include "service provider" or the now obsolete "consumer" - which is still used here (this will be changed soon)
  2. http://www.theregister.co.uk/2013/09/05/myopenid_closes_for_good_2014/
  3. https://news.ycombinator.com/item?id=6329158
  4. Yahoo OpenID soon untrustable due to plans to release unused accounts after one year of inactivity - forbid logins with Yahoo OpenID?
  5. Yahoo! wants to recycle unused email accounts
Retrieved from "http://www.mediawiki.org/w/index.php?title=Extension:OpenID&oldid=812990"