Extension:OAuth
OAuth | Release status: stable |
---|---|
Implementation | User identity, User rights, API |
Description | Lets users securely authorize other programs ("consumers") that use the MediaWiki Action API to act on their behalf. |
Author(s) | Aaron Schulz, Chris Steipp, Brad Jorsch, Robert Vogel, Dejan Savuljesku |
Latest version | 1.1.0 (continuous updates) |
Compatibility policy | Snapshots are released along with MediaWiki. Master is not backward compatible. |
Database changes | Yes |
Tables | oauth_accepted_consumer, oauth_registered_consumer |
License | GNU General Public License 2.0 or later |
Download | |
Help | Help:OAuth |
Quarterly downloads | 88 (Ranked 63rd) |
Public wikis using | 982 (Ranked 246th) |
Translate the OAuth extension (if available at translatewiki.net) | |
Vagrant role | oauth |
Issues | Open tasks · Report a bug |
The OAuth extension implements an OAuth server in MediaWiki that supports both the OAuth 1.0a and OAuth 2.0 protocol versions. It allows third party developers to securely develop applications ("consumers"), to which users can give a limited set of permissions ("grants"), so that the application can use the MediaWiki action API on the user's behalf.
Requirements
- OAuth relies on the object cache for temporary tokens and sessions. This should work as long as the cache configuration settings are sane. (Older versions required Memcached explicitly.)
- Currently, only the MySQL and SQLite database backends are supported.
- If the MediaWiki installation is private (i.e. users need to log in to have read access), Special:OAuth will need to be added to the read whitelist.
Installation
- Download and move the extracted OAuth folder to your extensions/ directory.
  Developers and code contributors should install the extension from Git instead, using:
  cd extensions/
  git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/OAuth
- Only when installing from Git, run Composer to install the PHP dependencies by issuing
  composer install --no-dev
  in the extension directory. (See T173141 for potential complications.)
- Add the following code at the bottom of your LocalSettings.php:
  wfLoadExtension( 'OAuth' );
- Run the update script, which will automatically create the database tables that this extension needs.
- Configure the general parameters as required.
- Configure the user rights by putting them into the relevant groups in $wgGroupPermissions.
- Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.
Vagrant installation:
- If using Vagrant, install with
  vagrant roles enable oauth --provision
To assign a permission to some group, for example to sysops, add the following line to LocalSettings.php:
$wgGroupPermissions['sysop']['mwoauthproposeconsumer'] = true;
Configuration
Parameters
Variable name | Default value | Description |
---|---|---|
$wgMWOAuthCentralWiki | false | Wiki ID of the OAuth management wiki. On wiki farms, it makes sense to set this to a wiki that acts as a portal site, is dedicated to management, or just handles login/authentication. It can, however, be set to any wiki in the farm. For single-wiki sites or farms where each wiki manages consumers separately, it should be left as false. |
$wgMWOAuthSharedUserIDs | false | (Deprecated) Use $wgMWOAuthSharedUserSource instead. Whether shared global user IDs are stored in the oauth tables. On wiki farms with a central authentication system (with integer user IDs) that share a single OAuth management wiki, this must be set to true. If wikis have a central authentication system but have their own OAuth management, then this can be either |
$wgMWOAuthSharedUserSource | null | Central ID provider when sharing OAuth credentials over a wiki farm. Source of shared user IDs, if enabled. If CentralIdLookup is available, this is the $providerId for CentralIdLookup::factory(). Generally null is what you want, to use the default provider. If that class is not available or the named provider is not found, this is passed to the OAuthGetUserNamesFromCentralIds, OAuthGetLocalUserFromCentralId, OAuthGetCentralIdFromLocalUser and OAuthGetCentralIdFromUserName hooks. This has no effect if $wgMWOAuthSharedUserIDs is set to false. |
$wgMWOAuthRequestExpirationAge | 2,592,000 (30 days) | Seconds after which an idle request for a new Consumer is marked as "expired". |
$wgMWOAuthSecureTokenTransfer | true | Require SSL/TLS for returning Consumer and user secrets. This is required by RFC 5849; however, if a wiki wants to use OAuth but doesn't support SSL, setting this to false makes that configuration possible. It should be set to true for most production settings. |
$wgOAuthSecretKey | $wgSecretKey | A secret configuration string (random 32-bit string generated using "base64_encode(random_bytes(32))") used to HMAC the database-stored secret to produce the shared secrets for Consumers. This provides some protection against an attacker reading the values out of the consumer table (the attacker would also need $wgOAuthSecretKey to generate valid secrets), and some protection against potential weaknesses in the secret generation. If this string is compromised, the site should generate a new $wgOAuthSecretKey, which will invalidate Consumer authorizations that use HMAC/shared-secret signatures instead of public/private keys. Consumers can regenerate their shared secret by using the "Reset the secret key to a new value" option under Special:MWOAuthConsumerRegistration/update. If null, the value is set to $wgSecretKey. |
$wgOAuthGroupsToNotify | [] | The list of user groups which should be notified about new consumer proposals. Setting this only has an effect when Echo is installed. |
$wgMWOauthDisabledApiModules | [] | List of API module classes to disable when OAuth is used for the request. |
$wgMWOAuthReadOnly | false | Prevent write activity to the database. When this is set, consumers cannot be added or updated, and new authorizations are prohibited. Authorization headers for existing authorizations will continue to work. Useful for migrating database tables. |
$wgMWOAuthSessionCacheType | $wgSessionCacheType | The storage mechanism for session data. If null, it defaults to $wgSessionCacheType. |
$wgOAuthAutoApprove | [] | Allows automatic immediate approval of low-risk apps, in the form [ 'grants' => [ 'grant1', 'grant2', ... ] ]. |
$wgOAuth2EnabledGrantTypes | [ "authorization_code", "refresh_token", "client_credentials" ] | List of OAuth 2 grant types that client applications can be allowed to use. The grant types a given client application is actually allowed to use can be any subset of those listed here. Grant types other than the ones listed here are considered legacy grants and are not supported by this extension. |
$wgOAuth2PrivateKey | "" | Private key, or a path to the private key, used to sign the OAuth 2 JWTs being transmitted. See the OAuth 2.0 Server documentation for how to generate the keys. |
$wgOAuth2PublicKey | "" | Public key, or a path to the public key, used to verify OAuth 2 resource requests. |
$wgOAuth2RequireCodeChallengeForPublicClients | true | Controls whether clients are required to send code challenges with OAuth 2 requests. This only applies to non-confidential clients. |
$wgOAuth2GrantExpirationInterval | "PT1H" (1 hour) | Controls the validity period for access tokens (stored in the cache configured in $wgMWOAuthSessionCacheType). Does not apply to owner-only clients, whose access tokens are always non-expiring. Accepts ISO 8601 durations, or can be set to "infinity" or false for non-expiring tokens. |
$wgOAuth2RefreshTokenTTL | "P1M" (1 month) | Controls the validity period for refresh tokens (stored in the cache configured in $wgMWOAuthSessionCacheType). Accepts ISO 8601 durations, or can be set to "infinity" or false for non-expiring tokens. |
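The Installation steps and the parameter table above are spread over several settings; the following LocalSettings.php fragment is an added example (not the extension's own documentation or code) that puts them together as a hardened baseline. The key file paths, the group names used for the rights, and the placeholder secret are assumptions for this example; the variable names and values are the ones documented above.

```php
<?php
// Added example: LocalSettings.php fragment for Extension:OAuth.
// Paths, group names and the placeholder secret are assumptions.

wfLoadExtension( 'OAuth' );

// Weak setting (only defensible for an HTTP-only test wiki): consumer and
// user secrets may be returned over plain HTTP.
// $wgMWOAuthSecureTokenTransfer = false;
// Hardened: keep the default, so secrets are only handed out over TLS.
$wgMWOAuthSecureTokenTransfer = true;

// Dedicated HMAC key for consumer secrets, so it can be rotated independently
// of $wgSecretKey. Generate it once with
//   php -r 'echo base64_encode( random_bytes( 32 ) ), "\n";'
// and paste the output here (the value below is a placeholder, not a key).
$wgOAuthSecretKey = 'REPLACE_WITH_OUTPUT_OF_base64_encode_random_bytes_32';

// OAuth 2.0 JWT signing key pair, stored outside the web root (assumed paths).
$wgOAuth2PrivateKey = '/etc/mediawiki/oauth2/private.key';
$wgOAuth2PublicKey  = '/etc/mediawiki/oauth2/public.key';

// Only expose the grant types this wiki needs; a client can never be granted
// a type that is not listed here.
$wgOAuth2EnabledGrantTypes = [ 'authorization_code', 'refresh_token' ];

// PKCE stays mandatory for public (non-confidential) clients.
$wgOAuth2RequireCodeChallengeForPublicClients = true;

// Short-lived access tokens, longer-lived refresh tokens (ISO 8601 durations).
$wgOAuth2GrantExpirationInterval = 'PT1H';
$wgOAuth2RefreshTokenTTL = 'P1M';

// Notify sysops about new consumer proposals (requires Echo).
$wgOAuthGroupsToNotify = [ 'sysop' ];

// User rights from the table below, split by group (group names assumed):
// logged-in users may propose consumers and manage their own consumers and
// grants; sysops review and manage all consumers and see private data;
// a separate group handles suppression.
$wgGroupPermissions['user']['mwoauthproposeconsumer']     = true;
$wgGroupPermissions['user']['mwoauthupdateownconsumer']   = true;
$wgGroupPermissions['user']['mwoauthmanagemygrants']      = true;
$wgGroupPermissions['sysop']['mwoauthmanageconsumer']     = true;
$wgGroupPermissions['sysop']['mwoauthviewprivate']        = true;
$wgGroupPermissions['suppress']['mwoauthsuppress']        = true;
$wgGroupPermissions['suppress']['mwoauthviewsuppressed']  = true;
```

After changing these settings, run the update script if the extension was just installed, then confirm on Special:Version that OAuth is listed.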
User rights
Right | Description |
---|---|
mwoauthproposeconsumer | Propose new OAuth consumers |
mwoauthupdateownconsumer | Update OAuth consumers you control |
mwoauthmanageconsumer | Manage OAuth consumers |
mwoauthsuppress | Suppress OAuth consumers |
mwoauthviewsuppressed | View suppressed OAuth consumers |
mwoauthviewprivate | View private OAuth data |
mwoauthmanagemygrants | Manage OAuth grants |
Endpoints
OAuth 2.0 REST endpoints
The following REST endpoints are provided for OAuth 2.0 interaction:
Path | Description | Allowed parameters | Allowed method |
---|---|---|---|
/oauth2/authorize | Used for retrieving an authorization code when using the authorization_code grant. | | GET |
/oauth2/access_token | Used for requesting access tokens. | | POST |
/oauth2/resource/{{type}} | Used for retrieving protected resources using the access token issued previously. Currently, two resource types can be retrieved using this endpoint, by replacing | No parameters are allowed, apart from the {{type}} parameter that is included in the path. | GET/POST |
/oauth2/client | Lists OAuth 1.0a or 2.0 clients for the logged-in user. Authentication can be achieved over CentralAuth or by including an access token in the Authorization header. | | GET |
/oauth2/client/{client_key}/reset_secret | Resets a client secret. For owner-only clients, this endpoint also resets the access token. | | POST |
/oauth2/client | Creates an OAuth 2.0 client. | | POST |
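The endpoint table lists where the authorization code flow goes but not what a client sends. The script below is an added example (not part of the extension or its documentation) of a public client doing the authorization_code flow with PKCE against /oauth2/authorize and /oauth2/access_token, then calling /oauth2/resource/{{type}} with the bearer token. Assumptions: the wiki's REST base URL, that the endpoints accept the standard OAuth 2.0 parameter names (response_type, client_id, redirect_uri, code_challenge, code_challenge_method, state, grant_type, code, code_verifier), and the placeholder resource type and client values.

```php
<?php
// Added example: OAuth 2.0 authorization_code + PKCE client for the REST
// endpoints above. REST base URL, parameter names, client values and the
// resource type are assumptions/placeholders.

// Base64url without padding, the encoding RFC 7636 requires for PKCE values.
function base64url( string $bytes ): string {
    return rtrim( strtr( base64_encode( $bytes ), '+/', '-_' ), '=' );
}

// PKCE pair: a high-entropy verifier kept by the client and its S256 challenge
// sent to the authorization endpoint.
function makePkcePair(): array {
    $verifier  = base64url( random_bytes( 32 ) );
    $challenge = base64url( hash( 'sha256', $verifier, true ) );
    return [ $verifier, $challenge ];
}

// URL the user opens in a browser to approve the client.
function authorizeUrl( string $restBase, string $clientId, string $redirectUri, string $challenge, string $state ): string {
    return $restBase . '/oauth2/authorize?' . http_build_query( [
        'response_type'         => 'code',
        'client_id'             => $clientId,
        'redirect_uri'          => $redirectUri,
        'code_challenge'        => $challenge,
        'code_challenge_method' => 'S256',
        'state'                 => $state,
    ] );
}

// Exchange the code at /oauth2/access_token, sending the verifier (never the
// challenge). Returns the decoded JSON body.
function exchangeCode( string $restBase, string $clientId, string $redirectUri, string $code, string $verifier ): array {
    $ctx = stream_context_create( [ 'http' => [
        'method'        => 'POST',
        'header'        => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content'       => http_build_query( [
            'grant_type'    => 'authorization_code',
            'client_id'     => $clientId,
            'redirect_uri'  => $redirectUri,
            'code'          => $code,
            'code_verifier' => $verifier,
        ] ),
        'ignore_errors' => true,
    ] ] );
    $raw = file_get_contents( $restBase . '/oauth2/access_token', false, $ctx );
    return json_decode( (string) $raw, true ) ?? [ 'error' => 'non-JSON response' ];
}

// Fetch a protected resource with the access token as a bearer token.
function fetchResource( string $restBase, string $type, string $accessToken ): string {
    $ctx = stream_context_create( [ 'http' => [
        'method'        => 'GET',
        'header'        => "Authorization: Bearer $accessToken\r\n",
        'ignore_errors' => true,
    ] ] );
    return (string) file_get_contents( $restBase . '/oauth2/resource/' . rawurlencode( $type ), false, $ctx );
}

// Usage with placeholder values.
$restBase    = 'https://wiki.example.org/w/rest.php';   // assumed REST base
$clientId    = 'YOUR_CLIENT_KEY';                      // placeholder
$redirectUri = 'https://app.example.org/callback';     // placeholder
$state       = base64url( random_bytes( 16 ) );        // CSRF guard for the callback
[ $verifier, $challenge ] = makePkcePair();

echo "Open in a browser:\n", authorizeUrl( $restBase, $clientId, $redirectUri, $challenge, $state ), "\n";
// The wiki redirects back to $redirectUri?code=...&state=... . Reject the
// callback unless the returned state equals $state, then:
//   $tokens = exchangeCode( $restBase, $clientId, $redirectUri, $code, $verifier );
//   echo fetchResource( $restBase, 'RESOURCE_TYPE' /* placeholder */, $tokens['access_token'] );
```

The verifier and state must be stored per login attempt (for example in the client's session) between the two steps; the challenge is what the wiki sees first, and $wgOAuth2RequireCodeChallengeForPublicClients is what makes the server refuse a code exchange without the matching verifier.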
See also
- Extension:OATHAuth - A similarly named extension which implements a second authentication factor using OATH-based one-time passwords.
- Extension:WSOAuth – A MediaWiki extension that lets your wiki delegate authentication to any OAuth provider using PluggableAuth, including a wiki that is running Extension:OAuth.
- oauthclient-php – A client library for OAuth consumers.
This extension is used on one or more Wikimedia projects. This probably means that the extension is stable and works well enough to be used by such high-traffic websites. Look for this extension's name in Wikimedia's CommonSettings.php and InitialiseSettings.php configuration files to see where it is installed. A full list of the extensions installed on a particular wiki can be seen on the wiki's Special:Version page.
This extension is included in the following wiki farms/hosts and/or packages: This is not an authoritative list. Some wiki farms/hosts and/or packages may contain this extension even if they are not listed here. Always check with your wiki farm/host or bundle to confirm.