Jump to content

Manual:$wgAuthManagerAutoConfig

From mediawiki.org
Authentication: $wgAuthManagerAutoConfig
Register authentication providers to use with AuthManager
Introduced in version:1.27.0 (Gerrit change 195297; git #d245bd25)
Removed in version:Still in use
Allowed values:see below
Default value:see below

Extensions need to register their AuthenticationProvider implementations via this setting for AuthManager to pick it up.

Allowed values

A hash with three keys, each key a list of ObjectFactory specifications:

[
    'preauth' => [ /* list of pre-authentication providers */ ],
    'primaryauth' => [ /* list of primary authentication providers */ ],
    'secondaryauth' => [ /* list of secondary authentication providers */ ],
]

Beyond the usual ObjectFactory parameters, a special sort parameter is also recognized; this will determine the effective order of the providers (defaults to 0; smaller first; sorting is stable). The convention is to use the provider's class name as its array key (as a convenience for site admins wanting to change it; AuthManager ignores array keys).

Example

$wgAuthManagerAutoConfig['preauth'] = [
    'MyPreAuthenticationProvider' => [
        'class' => 'MyPreAuthenticationProvider',
        'args' => [ 'arg1', 'arg2' ],
    ],
];

or, if the extension uses extension registration (preferable):

{
    //...
    "AuthManagerAutoConfig": {
        "preauth": {
            "MyPreAuthenticationProvider": {
                "class": "MyPreAuthenticationProvider",
                "args": [ "arg1", "arg2" ]
            }
        }
    },
    //...
}

This will create a pre-authentication provider object with new MyPreAuthenticationProvider( 'arg1', 'arg2' ), and register it as one of the authentication providers.

Default value

MediaWiki version:
1.43
$wgAuthManagerAutoConfig = [
	'preauth' => [
		ThrottlePreAuthenticationProvider::class => [
			'class' => ThrottlePreAuthenticationProvider::class,
			'sort' => 0,
		],
	],
	'primaryauth' => [
		// TemporaryPasswordPrimaryAuthenticationProvider should come before any other PasswordAuthenticationRequest-based PrimaryAuthenticationProvider (or at least any that might return FAIL rather than ABSTAIN for a wrong password), or password reset won't work right.
		// Do not remove this (or change the key) or auto-configuration of other such providers in extensions will probably auto-insert themselves in the wrong place.
		TemporaryPasswordPrimaryAuthenticationProvider::class => [
			'class' => TemporaryPasswordPrimaryAuthenticationProvider::class,
			'services' => [
				'DBLoadBalancerFactory',
			],
			'args' => [ [
				// Fall through to LocalPasswordPrimaryAuthenticationProvider
				'authoritative' => false,
			] ],
			'sort' => 0,
		],
		LocalPasswordPrimaryAuthenticationProvider::class => [
			'class' => LocalPasswordPrimaryAuthenticationProvider::class,
			'services' => [
				'DBLoadBalancerFactory',
			],
			'args' => [ [
				// Last one should be authoritative, or else the user will get a less-than-helpful error message (something like "supplied authentication info not supported" rather than "wrong password") if it too fails.
				'authoritative' => true,
			] ],
			'sort' => 100,
		],
	],
	'secondaryauth' => [
		CheckBlocksSecondaryAuthenticationProvider::class => [
			'class' => CheckBlocksSecondaryAuthenticationProvider::class,
			'sort' => 0,
		],
		ResetPasswordSecondaryAuthenticationProvider::class => [
			'class' => ResetPasswordSecondaryAuthenticationProvider::class,
			'sort' => 100,
		],
		// Linking during login is experimental, enable at your own risk - T134952
		// ConfirmLinkSecondaryAuthenticationProvider::class => [
		//   'class' => ConfirmLinkSecondaryAuthenticationProvider::class,
		//   'sort' => 100,
		// ],
		EmailNotificationSecondaryAuthenticationProvider::class => [
			'class' => EmailNotificationSecondaryAuthenticationProvider::class,
			'services' => [
				'DBLoadBalancerFactory',
			],
			'sort' => 200,
		],
	],
];
MediaWiki versions:
1.41 – 1.42
$wgAuthManagerAutoConfig = [
	'preauth' => [
		\MediaWiki\Auth\ThrottlePreAuthenticationProvider::class => [
			'class' => \MediaWiki\Auth\ThrottlePreAuthenticationProvider::class,
			'sort' => 0,
		],
	],
	'primaryauth' => [
		// TemporaryPasswordPrimaryAuthenticationProvider should come before any other PasswordAuthenticationRequest-based PrimaryAuthenticationProvider (or at least any that might return FAIL rather than ABSTAIN for a wrong password), or password reset won't work right.
		// Do not remove this (or change the key) or auto-configuration of other such providers in extensions will probably auto-insert themselves in the wrong place.
		\MediaWiki\Auth\TemporaryPasswordPrimaryAuthenticationProvider::class => [
			'class' => \MediaWiki\Auth\TemporaryPasswordPrimaryAuthenticationProvider::class,
			'services' => [
				'DBLoadBalancerFactory',
			],
			'args' => [ [
				// Fall through to LocalPasswordPrimaryAuthenticationProvider
				'authoritative' => false,
			] ],
			'sort' => 0,
		],
		\MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider::class => [
			'class' => \MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider::class,
			'services' => [
				'DBLoadBalancerFactory',
			],
			'args' => [ [
				// Last one should be authoritative, or else the user will get a less-than-helpful error message (something like "supplied authentication info not supported" rather than "wrong password") if it too fails.
				'authoritative' => true,
			] ],
			'sort' => 100,
		],
	],
	'secondaryauth' => [
		\MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider::class => [
			'class' => \MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider::class,
			'sort' => 0,
		],
		\MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider::class => [
			'class' => \MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider::class,
			'sort' => 100,
		],
		// Linking during login is experimental, enable at your own risk - T134952
		// \MediaWiki\Auth\ConfirmLinkSecondaryAuthenticationProvider::class => [
		//   'class' => \MediaWiki\Auth\ConfirmLinkSecondaryAuthenticationProvider::class,
		//   'sort' => 100,
		// ],
		\MediaWiki\Auth\EmailNotificationSecondaryAuthenticationProvider::class => [
			'class' => \MediaWiki\Auth\EmailNotificationSecondaryAuthenticationProvider::class,
			'services' => [
				'DBLoadBalancerFactory',
			],
			'sort' => 200,
		],
	],
];
MediaWiki versions:
1.39 – 1.40
$wgAuthManagerAutoConfig = [
	'preauth' => [
		\MediaWiki\Auth\ThrottlePreAuthenticationProvider::class => [
			'class' => \MediaWiki\Auth\ThrottlePreAuthenticationProvider::class,
			'sort' => 0,
		],
	],
	'primaryauth' => [
		// TemporaryPasswordPrimaryAuthenticationProvider should come before
		// any other PasswordAuthenticationRequest-based
		// PrimaryAuthenticationProvider (or at least any that might return
		// FAIL rather than ABSTAIN for a wrong password), or password reset
		// won't work right. Do not remove this (or change the key) or
		// auto-configuration of other such providers in extensions will
		// probably auto-insert themselves in the wrong place.
		\MediaWiki\Auth\TemporaryPasswordPrimaryAuthenticationProvider::class => [
			'class' => \MediaWiki\Auth\TemporaryPasswordPrimaryAuthenticationProvider::class,
			'services' => [
				'DBLoadBalancer',
			],
			'args' => [ [
				// Fall through to LocalPasswordPrimaryAuthenticationProvider
				'authoritative' => false,
			] ],
			'sort' => 0,
		],
		\MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider::class => [
			'class' => \MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider::class,
			'services' => [
				'DBLoadBalancer',
			],
			'args' => [ [
				// Last one should be authoritative, or else the user will get
				// a less-than-helpful error message (something like "supplied
				// authentication info not supported" rather than "wrong
				// password") if it too fails.
				'authoritative' => true,
			] ],
			'sort' => 100,
		],
	],
	'secondaryauth' => [
		\MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider::class => [
			'class' => \MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider::class,
			'sort' => 0,
		],
		\MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider::class => [
			'class' => \MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider::class,
			'sort' => 100,
		],
		// Linking during login is experimental, enable at your own risk - T134952
		// \MediaWiki\Auth\ConfirmLinkSecondaryAuthenticationProvider::class => [
		//   'class' => \MediaWiki\Auth\ConfirmLinkSecondaryAuthenticationProvider::class,
		//   'sort' => 100,
		// ],
		\MediaWiki\Auth\EmailNotificationSecondaryAuthenticationProvider::class => [
			'class' => \MediaWiki\Auth\EmailNotificationSecondaryAuthenticationProvider::class,
			'services' => [
				'DBLoadBalancer',
			],
			'sort' => 200,
		],
	],
];
MediaWiki versions:
1.37 – 1.38
$wgAuthManagerAutoConfig = [
	'preauth' => [
		MediaWiki\Auth\ThrottlePreAuthenticationProvider::class => [
			'class' => MediaWiki\Auth\ThrottlePreAuthenticationProvider::class,
			'sort' => 0,
		],
	],
	'primaryauth' => [
		// TemporaryPasswordPrimaryAuthenticationProvider should come before
		// any other PasswordAuthenticationRequest-based
		// PrimaryAuthenticationProvider (or at least any that might return
		// FAIL rather than ABSTAIN for a wrong password), or password reset
		// won't work right. Do not remove this (or change the key) or
		// auto-configuration of other such providers in extensions will
		// probably auto-insert themselves in the wrong place.
		MediaWiki\Auth\TemporaryPasswordPrimaryAuthenticationProvider::class => [
			'class' => MediaWiki\Auth\TemporaryPasswordPrimaryAuthenticationProvider::class,
			'services' => [
				'DBLoadBalancer',
			],
			'args' => [ [
				// Fall through to LocalPasswordPrimaryAuthenticationProvider
				'authoritative' => false,
			] ],
			'sort' => 0,
		],
		MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider::class => [
			'class' => MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider::class,
			'services' => [
				'DBLoadBalancer',
			],
			'args' => [ [
				// Last one should be authoritative, or else the user will get
				// a less-than-helpful error message (something like "supplied
				// authentication info not supported" rather than "wrong
				// password") if it too fails.
				'authoritative' => true,
			] ],
			'sort' => 100,
		],
	],
	'secondaryauth' => [
		MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider::class => [
			'class' => MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider::class,
			'sort' => 0,
		],
		MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider::class => [
			'class' => MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider::class,
			'sort' => 100,
		],
		// Linking during login is experimental, enable at your own risk - T134952
		// MediaWiki\Auth\ConfirmLinkSecondaryAuthenticationProvider::class => [
		//   'class' => MediaWiki\Auth\ConfirmLinkSecondaryAuthenticationProvider::class,
		//   'sort' => 100,
		// ],
		MediaWiki\Auth\EmailNotificationSecondaryAuthenticationProvider::class => [
			'class' => MediaWiki\Auth\EmailNotificationSecondaryAuthenticationProvider::class,
			'services' => [
				'DBLoadBalancer',
			],
			'sort' => 200,
		],
	],
];
MediaWiki versions:
1.33 – 1.36
$wgAuthManagerAutoConfig = [
	'preauth' => [
		MediaWiki\Auth\ThrottlePreAuthenticationProvider::class => [
			'class' => MediaWiki\Auth\ThrottlePreAuthenticationProvider::class,
			'sort' => 0,
		],
	],
	'primaryauth' => [
		MediaWiki\Auth\TemporaryPasswordPrimaryAuthenticationProvider::class => [
			'class' => MediaWiki\Auth\TemporaryPasswordPrimaryAuthenticationProvider::class,
			'args' => [ [
				'authoritative' => false,
			] ],
			'sort' => 0,
		],
		MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider::class => [
			'class' => MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider::class,
			'args' => [ [
				'authoritative' => true,
			] ],
			'sort' => 100,
		],
	],
	'secondaryauth' => [
		MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider::class => [
			'class' => MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider::class,
			'sort' => 0,
		],
		MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider::class => [
			'class' => MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider::class,
			'sort' => 100,
		],
		MediaWiki\Auth\EmailNotificationSecondaryAuthenticationProvider::class => [
			'class' => MediaWiki\Auth\EmailNotificationSecondaryAuthenticationProvider::class,
			'sort' => 200,
		],
	],
];
MediaWiki versions:
1.27 – 1.32
$wgAuthManagerAutoConfig = [
	'preauth' => [
		MediaWiki\Auth\LegacyHookPreAuthenticationProvider::class => [
			'class' => MediaWiki\Auth\LegacyHookPreAuthenticationProvider::class,
			'sort' => 0,
		],
		MediaWiki\Auth\ThrottlePreAuthenticationProvider::class => [
			'class' => MediaWiki\Auth\ThrottlePreAuthenticationProvider::class,
			'sort' => 0,
		],
	],
	'primaryauth' => [
		MediaWiki\Auth\TemporaryPasswordPrimaryAuthenticationProvider::class => [
			'class' => MediaWiki\Auth\TemporaryPasswordPrimaryAuthenticationProvider::class,
			'args' => [ [
				'authoritative' => false,
			] ],
			'sort' => 0,
		],
		MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider::class => [
			'class' => MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider::class,
			'args' => [ [
				'authoritative' => true,
			] ],
			'sort' => 100,
		],
	],
	'secondaryauth' => [
		MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider::class => [
			'class' => MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider::class,
			'sort' => 0,
		],
		MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider::class => [
			'class' => MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider::class,
			'sort' => 100,
		],
		MediaWiki\Auth\EmailNotificationSecondaryAuthenticationProvider::class => [
			'class' => MediaWiki\Auth\EmailNotificationSecondaryAuthenticationProvider::class,
			'sort' => 200,
		],
	],
];

See also