Extension:Magic Link Authentication
Magic Link Authentication Release status: experimental |
|
---|---|
Implementation | User identity |
Description | Extends the PluggableAuth extension to provide authentication using a magic link |
Author(s) | Cindy Cicalese (cindy.cicalesetalk) |
Compatibility policy | For every MediaWiki release that is a Long Term Support release there is a corresponding branch in the extension. |
MediaWiki | |
Database changes | Yes |
Tables | magic_link_auth |
License | MIT License |
Download | |
|
|
Translate the Magic Link Authentication extension if it is available at translatewiki.net | |
Issues | Open tasks · Report a bug |
The Magic Link Authentication extension provides authentication using a magic link (a form of passwordless authentication) in conjunction with Extension:PluggableAuth. The user enters their email address at Special:UserLogin
, and they are emailed a magic link containing a JWT. When they click on the link, they are redirected back to the wiki and, if the JWT is validated, logged in. The JWT has a configurable expiration period and can only be used once.
Installation
[edit]- Download and move the extracted
MagicLinkAuthentication
folder to yourextensions/
directory.
Developers and code contributors should install the extension from Git instead, using:cd extensions/
git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/MagicLinkAuthentication - Add the following code at the bottom of your LocalSettings.php file:
wfLoadExtension( 'MagicLinkAuthentication' );
- Run the update script which will automatically create the necessary database tables that this extension needs.
- Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.
Configuration parameters
[edit]Flag | Default | Description |
---|---|---|
$wgMagicLinkAuthentication_SigningKey
|
null
|
Secret key used to sign magic link (required). |
$wgMagicLinkAuthentication_EncryptionKey
|
null
|
Secret key used to encrypt part of magic link payload (required). |
$wgMagicLinkAuthentication_TokenLifetime
|
300
|
Lifetime of magic link token in seconds. |
$wgMagicLinkAuthentication_EmailSender
|
null
|
Email address used for sender of magic link. If null , the value of $wgPasswordSender will be used.
|
Notes
[edit]This extension can be used with the OATHAuth extension, which provides support for two-factor authentication (2FA) to add an additional measure of security.
If there are multiple users that have a given email address in the MediaWiki user table in the database, the first account returned by the database query will be used. This could happen if other authentication extensions are in use or have been in use in the past for the wiki. This extension does not prevent this situation.
If the editmyprivateinfo
permission (see Manual:User_rights#List_of_permissions) is enabled, a user could change their email address. In this case, the user could log in, change their email address, log out, and be unable to log back in to that account. The administrator of the wiki would need to determine if they want to prevent this by disabling the editmyprivateinfo
permission. Note that disabling the editmyprivateinfo
permission will prevent users from changing their email address, but will also prevent them from updating their real name or, if local username/password authentication is enabled, their password.
Limitations
[edit]When clicking on the magic link, the user must be on the same device using the same browser as was used when requesting the magic link.