2014-01-06

Created page with "{{shortcut|OPENID}} {{Extension |name = OpenID |image = OpenID_logo.svg |status = stable |type1 = user identity |type2 = special |author =..."

New page

{{shortcut|OPENID}}

{{Extension

|name = OpenID

|image = OpenID_logo.svg

|status = stable

|type1 = user identity

|type2 = special

|author = E. Prodromou, T. Gries, S. Chernyshev, A. Emsenhuber

|version = 4.03

|update = 2013-11-26

|mediawiki = all versions since MediaWiki 1.21 (with MySQL)<br/>([[#Download|older versions]])

|php = 5.3+

|needs-updatephp = php maintenance/update.php

|download = see "[[#Download|Download]]" section <br/>{{WikimediaDownload|OpenID}}

|license = GPL

|readme = {{git file|action=raw|project=mediawiki/extensions/OpenID|file=README|text=README}}

|description = Allow users with accounts on other [http://www.openid.net/ OpenID]-enabled sites to log in; if enabled, it also lets users of this wiki use their wiki identity as an OpenID on other sites

|parameters = (see below)

|hook1 = PersonalUrls

|hook2 = BeforePageDisplay

|hook3 = ArticleViewHeader

|hook4 = SpecialPage_initList

|hook5 = LoadExtensionSchemaUpdates

|hook6 = GetPreferences

|hook7 = UserMerge/DeleteAccount

|hook8 = UserMerge/MergeAccountFromTo

|bugzilla = OpenID

|CheckUsageNameOverride = OpenID

}}

The extension makes a MediaWiki installation '''[[:en:OpenID|OpenID 2.0]]'''-aware and lets users log in using their OpenID identity - a special URL - instead of (or as an alternative to) the standard username/password login. In that role, the MediaWiki acts as '''Relying party (RP)''' = '''OpenID ''consumer'''''.<ref>''Relying party (RP)'' = ''consumer'': The site that wants to verify the end-user's identifier; other terms include "service provider" or the now obsolete "consumer" - which is still used here (this will be changed soon)</ref> As an option, it also allows the MediaWiki to act as '''OpenID ''provider''''', so that users with an account on that wiki can use a special identity URL as their OpenID for logging in to ''other'' OpenID-aware web sites.

== Pre-requisites and dependencies ==

=== MySQL ok, PostgreSQL ok ===

The extension has been developed and fully tested to work with MySQL databases by the maintainer. Working with PostgreSQL databases is confirmed since version 3.43 20131103.

=== requisite 1: php-openid library ===

The extension depends on the OpenID PHP library from https://github.com/openid/php-openid . Clone a recent version and move the <code>Auth</code> subdirectory as explained below in the [[#Installation|Installation]] section.

=== requisite 2: PHP extensions or modules ===

You need to install a few additional dependencies as '''PHP extensions''' or recompile your PHP if these are not part of your standard PHP installation. When running a server with OpenSUSE you will likely have to add (via YaST or manually) at least the modules <code>gmp, mcrypt, curl, openssl, xml</code>.

== Download ==

{{ExtensionGitDownload}}

{| class="wikitable plainlinks"

|+ users are advised to always update to the most recent MediaWiki version (if possible)

! MediaWiki version !! compatible OpenID version

|-

| colspan="2" style="text-align:center;" | ''[http://wikiapiary.com/wiki/Extension:OpenID click here for a web overview which version of the extension is installed with which MediaWiki version]''

|-

| '''''MediaWiki 1.23 alpha (git HEAD)''''' || ''OpenID git HEAD'' '''☉'''

|-

| '''''MediaWiki 1.22 (git w/ PostgreSQL)''''' || all versions since ''3.43'' incl. HEAD '''☉'''

|-

| '''''MediaWiki 1.22 (git)''''' || all versions since ''3.00'' incl. HEAD '''☉'''

|-

| '''''MediaWiki 1.21 (git)''''' || all versions since ''2.00'' incl. HEAD '''☉'''

|-

| '''''MediaWiki 1.20 (git)''''' || ''1.00x''

|-

| '''1.17 → 1.18''' || n/a

|-

| '''1.15 → 1.16.1''' || 0.9.1 for MediaWiki 1.16.1

|}

'''☉ recommended'''

== Installation ==

{{ExtensionInstall

|custom-steps=

* Install the <code>Auth</code> subdirectory of the required OpenID PHP library in <code>$IP/extensions/OpenID/Auth</code> as explained in the following.

* Run the <code>update.php</code> script in your MediaWiki maintenance folder <tt>$IP/maintenance</tt> to create the new table in the MediaWiki database which is used by the OpenID extension.

cd $IP/extensions/OpenID

git clone git://github.com/openid/php-openid.git

mv php-openid/Auth/ Auth

rm -r php-openid

cd $IP/maintenance

php update.php

}}

It should work out of the box, but you'll almost definitely want to set the trust root and access controls (see Configuration below).

{{Note|

* If you restrict general access to wiki pages, you must add anonymous access for Special:OpenIDLogin and Special:OpenIDFinish or the OpenID Verification will fail. Typically this is done by adding those pages to $wgWhitelistRead in LocalSettings.php.

* The user account must have a password associated with it: in Special:Preferences, ''Password Reset'' is added as a new link.

}}

== Configuration ==

: ''Usually, you will be able to start using the extension with the built-in standard settings, i.e. without adding personal parameters in your LocalSettings.''

If you want to use personal parameters, then add them ''after'' the <code>require_once</code> line in your <code>LocalSettings.php</code>.

{| class="wikitable sortable"

|+ Configuration parameters for OpenID extension version 4.00 (parameters for older versions are [https://www.mediawiki.org/w/index.php?title=Extension:OpenID&oldid=826089#Configuration here])

! style="width:15%;" | relevant for<br/>consumer (C)<br/>provider (P)<br/>mode

! style="width:10%;" | variable

! style="width:10%;" | default

! style="width:55%;" | description

|-

| C

| $wgOpenIDLoginOnly

| style="text-align:center" | ''false''

| With this enabled, the default login personal_urls will be removed, and additionally the options for linking your OpenID to an existing account will be removed from the registration form. Users can then only log in via their OpenID accounts. This is perhaps the most important option.

|-

| C+P

| {{red|$wgOpenIDMode ''(since v4.00)''}}

| style="text-align:center" | ''array( 'consumer', 'provider' )''

|

* 'provider' - if you want to allow users of this wiki to use their identity as OpenIDs for logins on other sites

* 'consumer' - if you want to allow logins to this wiki with OpenIDs from elsewhere, or OpenIDs from a forced provider

* array( 'consumer', 'provider' ) - consumer and provider

* false - extension disabled

|-

| P

| $wgOpenIDAllowServingOpenIDUserAccounts

| style="text-align:center" | ''true''

| With this enabled, users may use their special identity URL as an OpenID on other sites even if they already use an OpenID to log in to this wiki. In other words, users can use their OpenID of this site A as an OpenID on another site B even if they are already using OpenID on A. Some users might want to do that for vanity purposes or similar. If false, serving OpenID accounts is prevented.

|-

| P

| $wgOpenIDIdentifiersURL

| style="text-align:center" | ""

| When used as an OpenID provider, you can optionally define a template for a customized fully specified URL (CFSU) as the identity URL for delegation.

This allows differently looking "nice OpenID URLs" in addition to the generic URLs /User:Username and /Special:OpenIDIdentifier/<id> .

The CFSU template must contain the placeholder string "{ID}". The placeholder is substituted with the authenticated user's internal ID during the OpenID authentication process.

To make this work, you also need to set up a suitable rewrite rule in your web server which redirects the CFSU (with the user id substituted) to Special:OpenIDIdentifier/<id>.

The default value is <code>str_replace( "$1", "Special:OpenIDIdentifier/{ID}", $wgServer . $wgArticlePath );</code>

|-

| C

| $wgOpenIDTrustRoot

| style="text-align:center" | ''null''

| This is a string that identifies your wiki (as consumer) in your OpenID account at the OpenID server. It is the "root" of your consumer site and looks like "https://www.mywiki.org/w/" or "http://www.yourwiki.org/wiki/". If you leave the <code>null</code> default, the software makes a guess. It is recommended not to change the default value if your wiki (as consumer) already works with other OpenID servers.

|-

| C

| $wgOpenIDConsumerDenyByDefault

| style="text-align:center" | ''false''

| The administrator can decide which OpenIDs are allowed to log in to their server. This flag defines how the $wgOpenIDConsumerAllow and $wgOpenIDConsumerDeny arrays are combined. If true, it works like "Order Allow,Deny" in Apache: deny by default, and only those OpenIDs that match one of the $wgOpenIDConsumerAllow patterns and none of the $wgOpenIDConsumerDeny patterns are allowed to log in. If false, it works like "Order Deny,Allow" in Apache: allow by default, and all OpenIDs are allowed to log in unless they match a $wgOpenIDConsumerDeny pattern and no $wgOpenIDConsumerAllow pattern. Typically you'll set this to true for testing and then false for general use.

|-

| C

| $wgOpenIDConsumerAllow

| style="text-align:center" | array()

| Which partners to allow; regexps here. See above. An array of regular expressions that match OpenIDs you want to allow to log in. For example, "{{cnw|@^(http://)?wikitravel.org/@}}" will allow OpenIDs from the Wikitravel domain.

|-

| C

| $wgOpenIDConsumerDeny

| style="text-align:center" | array()

| Which partners to deny; regexps here. See above. An array of regular expressions that match OpenIDs you want to deny access to. This is mostly useful for servers that are known to be bad. Example: "{{cnw|#^(http://)?example.com/#}}".

|-

| C

| $wgOpenIDServerForceAllowTrust

| style="text-align:center" | array()

| An array of regular expressions that match trust roots for which you want to skip the trust checks when the user logs in from those sites. A typical example would be a closely federated cluster of sites (like Wikimedia, Wikia, or Wikitravel) where the personal data is available to the trusting server ''anyway''. Be very careful using this across organizational boundaries.

|-

| C

| $wgOpenIDUseEmailAsNickname

| style="text-align:center" | ''false''

| When logging in with OpenID for the first time, use the part before the @ in any given e-mail address as the username if a nickname is not given by the OpenID. This works well with $wgOpenIDForcedProvider where all users have a unique e-mail address at the same domain.

|-

| C

| $wgOpenIDProposeUsernameFromSREG

| style="text-align:center" | ''true''

| when first-time logging in with OpenID, propose and allow new account names from OpenID SREG data such as fullname or nickname

|-

| C

| $wgOpenIDAllowNewAccountname

| style="text-align:center" | ''true''

| when first-time logging in with OpenID, show option to enter and to allow a manually chosen username

|-

| C

| $wgOpenIDAllowExistingAccountSelection

| style="text-align:center" | ''true''

| when first-time logging in with OpenID, show option to select an existing MediaWiki user

|-

| C

| $wgOpenIDTrustEmailAddress

| style="text-align:center" | ''false''

| Implicitly trust the e-mail address sent from the OpenID server, and don't ask the user to verify it. This can lead to people with a nasty OpenID provider setting up accounts and spamming.

|-

| C

| $wgOpenIDAllowAutomaticUsername

| style="text-align:center" | ''true''

|when first-time logging in with OpenID, show option to choose and to allow an automatically generated username

|-

| C+P

| $wgOpenIDConsumerStoreType

| style="text-align:center" | 'file'

| String denoting the type of storage used for OpenID association data when acting as an OpenID relying party (consumer). The only valid value is "file"; "memc" is no longer valid.

|-

| C+P

| $wgOpenIDServerStoreType

| style="text-align:center" | 'file'

| String denoting the type of storage used for OpenID association data when acting as an OpenID server (provider). The only valid value is "file"; "memc" is no longer valid.

|-

| C+P

| $wgOpenIDConsumerStorePath

| style="text-align:center" | ''false''

| ''see $wgOpenIDServerStorePath''

|-

| C+P

| $wgOpenIDServerStorePath

| style="text-align:center" | ''false''

| Strings specifying the paths where OpenID association data should be stored when acting as a relying party (consumer) or server, respectively. Each of these needs only be set if the corresponding store type setting (above) is "file". These two strings, if both are set, MUST NOT be equal. If the store type is "file", the defaults are "/$wgTmpDirectory/$wgDBname/openid-consumer-store/" and "/$wgTmpDirectory/$wgDBname/openid-server-store/" respectively. The paths will be created automatically if they don't exist.

|-

| C+P

| $wgOpenHideOpenIDLoginLink

| style="text-align:center" | ''false''

| boolean that says whether or not to hide the OpenID login link in the personal URLs. Typically you'd use this if you've already got some other method for showing the OpenID login link, like in your skin. Note that it will ''not'' prevent login if the user navigates to Special:OpenIDLogin directly; it's simply cosmetic. This is mostly a backwards-compatibility option.

|-

| C+P

| $wgOpenIDSmallLogoUrl

| style="text-align:center" | ''false''

| Url of a small OpenID logo; The default (false) uses a built-in logo.

|-

| P

| $wgOpenIDShowUrlOnUserPage

| style="text-align:center" | "never"

| whether to show the OpenID identity URL on a user's home page. Possible values are

:* "never"

:* "user" (let the users decide in their preferences)

:* "always"

|-

| C

| $wgOpenIDShowProviderIcons

| style="text-align:center" | ''true''

| With this enabled, users will see button icons instead of just links on the OpenID provider selection page.

|-

| C

| $wgOpenIDForcedProvider ''(since 3.40)''

| style="text-align:center" | ''null''

| Url of the required OpenID provider. When this is set, it bypasses the OpenID provider selection form and forces this wiki to only allow authentication against that one provider, hiding the selection form entirely. Possible values:

* ''null'': (default) show the extension's OpenID provider selection screen based on the internal $wgOpenIDProviders list

* (string) fully qualified Url: a fully qualified Url to the provider's Id selection page; use "http://mediawiki-provider-server/wiki/Special:OpenIDServer/id" in case you want to force the use of another MediaWiki provider server (not this wiki!) as OpenID provider

* (string) OpenID provider Name: use the data for provider "Name" from the internal $wgOpenIDProviders list

|-

| C

| $wgOpenIDProviders ''(since 3.40)''

| style="text-align:center" | array()

| array of providers and their parameters

|}
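The allow/deny decision documented above for $wgOpenIDConsumerDenyByDefault, $wgOpenIDConsumerAllow and $wgOpenIDConsumerDeny, written out as an added stand-alone PHP example that is not code from the extension: the function name <code>openidAllowedToLogin</code>, the sample identity URLs and the LocalSettings values are assumptions constructed for illustration, and only the semantics described in the table are implemented.

```php
<?php
// Added example (not the extension's own code): the documented allow/deny
// semantics re-implemented so both orderings can be checked against sample
// identity URLs before they are put into LocalSettings.php.

// Settings as they would appear in LocalSettings.php (constructed sample values).
// The patterns are PCRE strings with delimiters, as in the table's examples;
// in production escape the dots ("wikitravel\.org") so "." is not a wildcard.
$wgOpenIDConsumerDenyByDefault = true;                            // "Order Allow,Deny"
$wgOpenIDConsumerAllow = array( '@^(http://)?wikitravel.org/@' );   // allowed partners
$wgOpenIDConsumerDeny  = array( '#^(http://)?example.com/#' );      // known-bad partners

/**
 * Return true when $openid may log in under the documented semantics.
 * (Hypothetical helper; the extension's internal function is not reproduced.)
 */
function openidAllowedToLogin( $openid, $denyByDefault, array $allow, array $deny ) {
	$inAllow = false;
	foreach ( $allow as $pattern ) {
		if ( preg_match( $pattern, $openid ) ) { $inAllow = true; break; }
	}
	$inDeny = false;
	foreach ( $deny as $pattern ) {
		if ( preg_match( $pattern, $openid ) ) { $inDeny = true; break; }
	}
	if ( $denyByDefault ) {
		// "Order Allow,Deny": deny by default; pass only identities that
		// match an allow pattern and no deny pattern.
		return $inAllow && !$inDeny;
	}
	// "Order Deny,Allow": allow by default; reject only identities that
	// match a deny pattern and no allow pattern.
	return !( $inDeny && !$inAllow );
}

// Constructed sample identities, one for each case.
$samples = array(
	'http://wikitravel.org/user/alice',  // matches allow only  -> allow / allow
	'http://example.com/bob',            // matches deny only   -> deny  / deny
	'https://other-provider.org/carol',  // matches neither     -> deny  / allow
);
foreach ( $samples as $id ) {
	printf( "%-36s deny-by-default: %-5s  allow-by-default: %s\n", $id,
		openidAllowedToLogin( $id, true,  $wgOpenIDConsumerAllow, $wgOpenIDConsumerDeny ) ? 'allow' : 'deny',
		openidAllowedToLogin( $id, false, $wgOpenIDConsumerAllow, $wgOpenIDConsumerDeny ) ? 'allow' : 'deny' );
}
```

The third sample shows the practical difference: an identity that matches no pattern is rejected when $wgOpenIDConsumerDenyByDefault is true and accepted when it is false.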

== "It does not work": bugs, common pitfalls ==

: ''Please check our [[Extension talk:OpenID#First aid checklist|First aid checklist]] before asking for help, and please [https://bugzilla.wikimedia.org/enter_bug.cgi?product=MediaWiki%20extensions&component=OpenID file bugs] directly in the bugzilla bugtracker.''

* After having created an account with OpenID on an ''OpenID-login-only enabled wiki'', account changes which require a password like [[Special:ChangeEmail]] won't work because no password is set, and account changes which require an e-mail address (e.g. [[Special:PasswordReset]]) won't work because no e-mail address is set; see [[Bugzilla:34357|Bug 34357]].

* One MediaWiki acting as OpenID server Bob does not work with another (or the same) MediaWiki acting as OpenID consumer Alice on the same server. Advice for the moment: use two different servers while playing with the extension.

* When you want to log in to your OpenID-consuming MediaWiki Alice as user X:

: '''make sure that you are not logged in to the OpenID identity server Bob as another user Z; otherwise you will see an error, which is intended.'''

: I recommend you log out every persona you may have on server Bob while testing the extension

: clear your browser cache of all Bob-related cookies, including the session cookie.

<!--

== Subpages ==

{{Special:Prefixindex/Extension:OpenID/}}

-->

== Specific information ==

=== myOpenID to close down for good in February 2014 ===

It has been reported that myOpenID will close down for good in February 2014. Users of that OpenID registrar will have to go elsewhere.<ref>http://www.theregister.co.uk/2013/09/05/myopenid_closes_for_good_2014/</ref><ref>https://news.ycombinator.com/item?id=6329158</ref>

=== Google "2-step verification" is compatible ===

When using a Google ID as OpenID, you can opt in there to "2-step verification" ("two-factor authentication"), because it is compatible with the OpenID extension.

=== Yahoo as OpenID provider: don't use! It is deprecated. Read why. ===

Yahoo allows users to obtain other users' e-mail addresses when these have not been used for a certain time. This breaks the security of OpenID. The use of Yahoo OpenID is therefore deprecated and will be discontinued in the OpenID extension.<ref>[[bugzilla:49800|Yahoo OpenID soon untrustable due to plans to release unused accounts after one year of inactivity - forbid logins with Yahoo OpenID?]]</ref><ref>[http://icgeeks.org/yahoo-wants-to-recycle-unused-email-accounts/ Yahoo! wants to recycle unused email accounts]</ref>

== References ==

<references />

[[Category:Extensions by integration target|OpenID]]

{{languages|Extension:OpenID}}
