The recomandation feature doesn't work in the main search bar of Vector (2022) when WSOAuth is active, but it works well in the Special:Search page and with Vector (2010) with WSOAuth active and in general when WSOAuth isn't active.
Using : MW 1.41.0, Vector 1.0.0, PluggableAuth 7.0.0, WSOAuth 9.0.0
Am I the only one facing this issue ? Does someone have an idea of what could cause that or something I could have done wrong ?
As in this this bug report, it was because of the psr/http-message installed in the extension vendor. Changing the name of the folder solved it.
Environment:
I'm trying to do a PluggableAuth integration with Wikimedia and the configuration documentation example refers to receiving:
however upon completion of my OAuth 1.0a application I only get:
It is not clear to me how to configure my wgPluggableAuth_Config.
Is the nlwiki example [0] out of date? Please advise. Thank you!
Hi, using the latest version of OAuth for MW1.39 (1.1.0 c129a70), I get the following:
The first token is the clientId and the second token is the clientSecret. Does this differ from the response that you get?
It does differ.. It doesn't give me a clientId or clientSecret, rather if gave me 4 different things:
Just to be sure: Are you registering an OAuth 1.0a consumer, and not an OAuth 2.0 client?
@Valerio Bozzolan Hi, According to the screenshot of section 6 there are two items : 'real name' and 'real account' in the Special page -> user preference-> user profile page but if i open my Preferences, i just see Username, my groups, connected apps, number of edits... but without these two referenced items.
So 1.either the screenshot must be actualized,
or 2.the two items appear only under certain conditions - user rights, extension installled... which ones ?. Is it possible to clarify ? Thanks.
--Christian 🇫🇷 FR (talk) 08:16, 12 December 2023 (UTC)
The screenshot is modern but the MediaWiki is legacy. If you have another screenshot, feel free to share :)
done, URI.
@Xxmarijnw Hi, $wgPluggableAuth_Config uri is 'The OAuth application authentication URL'. Should it be better 'The OAuth application authentication URI' in the description text ? Same case for redirectUri. --Christian 🇫🇷 FR (talk) 16:53, 11 December 2023 (UTC)
I noticed that the 1.35 is missing from this menu:
Special:ExtensionDistributor/WSOAuth
Maybe easy to be fixed
hey guys, I wrote a Twitter OAuth Provider and included it in the WSOAuth default providers list for myself. It's based on the Facebook example from the docs, and makes use of the smolblog twitter oauth2 plugin provided as a 3rd party integration by the PHP League.
<?php
namespace WSOAuth\AuthenticationProvider;
use Smolblog\OAuth2\Client\Provider\Twitter;
use MediaWiki\User\UserIdentity;
class TwitterAuth extends AuthProvider {
/**
* @var Twitter
*/
private $provider;
/**
* @inheritDoc
*/
public function __construct( string $clientId, string $clientSecret, ?string $authUri, ?string $redirectUri ) {
$this->provider = new Twitter( [
'clientId' => $clientId,
'clientSecret' => $clientSecret,
'redirectUri' => $redirectUri
] );
}
/**
* @inheritDoc
*/
public function login( ?string &$key, ?string &$secret, ?string &$authUrl ): bool {
$authUrl = $this->provider->getAuthorizationUrl( [
'scope' => [ 'users.read', 'offline.access', 'tweet.read' ]
] );
$secret = $this->provider->getState();
// We also need to store the PKCE Verification code so we can send it with
// the authorization code request.
$_SESSION['oauth2verifier'] = $this->provider->getPkceVerifier();
return true;
}
/**
* @inheritDoc
*/
public function logout( UserIdentity &$user ): void {
}
/**
* @inheritDoc
*/
public function getUser( string $key, string $secret, &$errorMessage ) {
if ( !isset( $_GET['code'] ) ) {
unset($_SESSION['oauth2verifier']);
return false;
}
if ( !isset( $_GET['state'] ) || empty( $_GET['state'] ) || ( $_GET['state'] !== $secret ) ) {
return false;
}
try {
$token = $this->provider->getAccessToken('authorization_code', [
'code' => $_GET['code'],
'code_verifier' => $_SESSION['oauth2verifier'],
]);
$user = $this->provider->getResourceOwner( $token );
return [
'name' => $user->getUsername(),
'realname' => $user->getName(),
'email' => $user->getUsername() . '@bonkipedia.dev',
];
} catch ( \Exception $e ) {
return false;
}
}
/**
* @inheritDoc
*/
public function saveExtraAttributes( int $id ): void {
}
}
Here's Google as well. Hope this saves someone the misery I went through
<?php
namespace WSOAuth\AuthenticationProvider;
use League\OAuth2\Client\Provider\Google;
use MediaWiki\User\UserIdentity;
class GoogleAuth extends AuthProvider {
/**
* @var Google
*/
private $provider;
/**
* @inheritDoc
*/
public function __construct( string $clientId, string $clientSecret, ?string $authUri, ?string $redirectUri ) {
$this->provider = new Google( [
'clientId' => $clientId,
'clientSecret' => $clientSecret,
'redirectUri' => $redirectUri,
'hostedDomain' => <Optional, set to limit to only GCP hosted domains...>
] );
}
/**
* @inheritDoc
*/
public function login( ?string &$key, ?string &$secret, ?string &$authUrl ): bool {
$authUrl = $this->provider->getAuthorizationUrl( [
'scope' => [ 'email' ]
] );
$secret = $this->provider->getState();
return true;
}
/**
* @inheritDoc
*/
public function logout( UserIdentity &$user ): void {
}
/**
* @inheritDoc
*/
public function getUser( string $key, string $secret, &$errorMessage ) {
if ( !isset( $_GET['code'] ) ) {
return false;
}
if ( !isset( $_GET['state'] ) || empty( $_GET['state'] ) || ( $_GET['state'] !== $secret ) ) {
return false;
}
try {
$token = $this->provider->getAccessToken( 'authorization_code', [ 'code' => $_GET['code'] ] );
$user = $this->provider->getResourceOwner( $token );
return [
'name' => $user->getName(),
'realname' => $user->getName(),
'email' => $user->getEmail()
];
} catch ( \Exception $e ) {
return false;
}
}
/**
* @inheritDoc
*/
public function saveExtraAttributes( int $id ): void {
}
}
I recently created a Github Oauth provider for my organization's wiki (mediawiki 1.37.2, PluggableAuth 6.0, WSOauth 6.0.2), using the PHP League's Oauth2 client for GitHub. Is there interest in adding this as a default option, or are there only two defaults on purpose (e.g. for maintainability)?
Thank you! Please create a pull request on Gerrit and assign me, so I can take a look at it.
It's "Wikibase Solutions" Auth.
See phab:T283908
Question for User:Xxmarijnw. See this screenshot. I think that if the user is already logged-in in both wikis, we should just trust the account saving it in the wsoauth_users table, instead of treat him/her as a usurper.
Another question. I don't understand how the user (already logged in) says that a central account is his/her.
What do you think about?
Hello, thank you for your bug report and my apologies it has been sitting here for so long. Could you describe a use-case where it would be desirable the account is usurped if the user is already logged in locally? If you are already logged in locally, I am not sure if it would be logical/desirable to usurp the account if you logged in again through OAuth. One use-case I can think of is when you do not want to enable automatic account usurpation, but do want to allow existing users to migrate to OAuth when they desire. Is that what you are going for?
Thank you.
Sincerely,
Marijn
Have you a GitLab account? This kind of websites can have 5+ identity providers but their sysadmins are not involved in any user-per-user verification. That's a great example.
Instead, as far as I noticed, for already existing wikis introducing OAuth, a server sysadmin should manually verify each user to prevent accounts usurpation. This is an amazing feature but the current manual verification workflow is not feasible because:
Well, instead, this could be the workflow:
Now. Instead of a brand-new preferences page, for now we can just trust an user already logged-in locally if she/he is able to complete an authentication from her/his favorite identity provider. From that moment, she/he can use that identity provider for future logins.
What do you think about?
Hello,
Again, apologies for the wait. I think this would be a nice feature to add to the extension. I will add it once my time allows it.
Sincerely,
Marijn
Just for transparency, I contacted you in private via email yesterday and, thanks to your quick response, probably we have found an investor.
To speed up the process I tried to describe this feature in phab:T283908. Feel free to edit whatever you want. See you in the next days :)
Created tag:
Workboard:
Is there an issue tracker for this project?
Can I help you opening a Phabricator tag to put down some feature requests and issues?
Thank you :)
