MediaWiki

MediaWiki may be integrated with CILogon using OpenID Connect (OAuth 2.0) for authentication, with provisioning and lifecycle management of accounts handled by the CILogon Registry (COmanage).

Deployment Requirements

Deploying MediaWiki and integrating it with CILogon requires:

Deployment Instructions

These deployment instructions have been developed and tested for CentOS 7.x. Please adjust accordingly if you use another platform.

1. Install and configure the Apache HTTP Server for HTTPS.

2. Install PHP 5.6:

yum install epel-release
wget http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
rpm -Uvh remi-release-7*.rpm

Edit the file /etc/yum.repos.d/remi.repo and enable the [remi] and [remi-php56] repos, then

yum install php php-gd php-mysql php-mcrypt php-mbstring php-xml

3. Install MariaDB:

yum install mariadb mariadb-server
systemctl enable mariadb
systemctl start mariadb
mysql_secure_installation

4. Create the mediawiki database and mediawiki database user:

mysql --user=root --password
create database mediawiki;
grant all privileges on mediawiki.* to 'mediawiki'@'localhost' identified by '<password>';

5. Install memcached:

yum install memcached php56-php-pecl-memcache
systemctl enable memcached

Edit /etc/sysconfig/memcached and add

OPTIONS="-l 127.0.0.1"

Then start memcached:

systemctl start memcached

6. Install MediaWiki

Use the manual installation instructions.

Be sure you can log in as the administrator using the standard login and password form.

7. Configure Short URLs

Configure "short URLs" by editing LocalSettings.php and adding the line

$wgArticlePath = "/wiki/$1";

Then edit the Apache configuration and enable and configure the rewrite engine:

# Enable the rewrite engine
RewriteEngine On

# Short url for wiki pages
RewriteRule ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/w/index.php [L]

# Redirect / to Main Page
RewriteRule ^/*$ %{DOCUMENT_ROOT}/w/index.php [L]

Restart Apache.

8. Configure use of memcached

Edit LocalSettings.php and add

$wgMainCacheType = CACHE_MEMCACHED;
$wgParserCacheType = CACHE_MEMCACHED;
$wgMessageCacheType = CACHE_MEMCACHED;
$wgMemCachedServers = array( "127.0.0.1:11211" );
$wgSessionsInObjectCache = true;
$wgSessionCacheType = CACHE_MEMCACHED;

9. Deploy the OAuth MediaWiki extension

cd extensions
mkdir OAuth
cd OAuth
wget https://github.com/cilogon/mediawiki-extensions-OAuth/archive/REL1_28.tar.gz
tar zxf REL1_28.tar.gz --strip-components=1
rm REL1_28.tar.gz
cd ../../maintenance
php update.php

Edit LocalSettings.php and add

$wgWhitelistRead = array('Special:OAuth');
require_once "$IP/extensions/OAuth/OAuth.php";
$wgOAuthSecretKey = "SOME_LONG_STRING";
$wgMWOAuthSecureTokenTransfer = true;

where SOME_LONG_STRING is a random string, e.g. E5UtLI5tRqq7dPcBKG6n.

Also add the following to LocalSettings.php:

$wgGroupPermissions['*']['mwoauthproposeconsumer'] = false;
$wgGroupPermissions['*']['mwoauthupdateownconsumer'] = false;
$wgGroupPermissions['*']['mwoauthmanageconsumer'] = false;
$wgGroupPermissions['*']['mwoauthsuppress'] = false;
$wgGroupPermissions['*']['mwoauthviewsuppressed'] = false;
$wgGroupPermissions['*']['mwoauthviewprivate'] = false;
$wgGroupPermissions['*']['mwoauthmanagemygrants'] = false;

$wgGroupPermissions['user']['mwoauthproposeconsumer'] = false;
$wgGroupPermissions['user']['mwoauthupdateownconsumer'] = false;
$wgGroupPermissions['user']['mwoauthmanageconsumer'] = false;
$wgGroupPermissions['user']['mwoauthsuppress'] = false;
$wgGroupPermissions['user']['mwoauthviewsuppressed'] = false;
$wgGroupPermissions['user']['mwoauthviewprivate'] = false;
$wgGroupPermissions['user']['mwoauthmanagemygrants'] = false;

$wgGroupPermissions['sysop']['mwoauthproposeconsumer'] = true;
$wgGroupPermissions['sysop']['mwoauthupdateownconsumer'] = true;
$wgGroupPermissions['sysop']['mwoauthmanageconsumer'] = true;
$wgGroupPermissions['sysop']['mwoauthsuppress'] = true;
$wgGroupPermissions['sysop']['mwoauthviewsuppressed'] = true;
$wgGroupPermissions['sysop']['mwoauthviewprivate'] = true;
$wgGroupPermissions['sysop']['mwoauthmanagemygrants'] = true;

10. Create and configure a MediaWiki account for the COmanage Registry Provisioner

As the wiki admin, browse to the Special:SpecialPages page for your wiki and click on "Create account". Create an account with
  • Username: COmanageRegistryProvisioner
  • Password: set a long unguessable password (be sure to record it)
  • Email address: use the email address for the responsible administrator
Use the mysql client to connect to the database and mark the email address for the user you just created as authenticated, e.g.

UPDATE user SET user_email_authenticated = user_touched WHERE user_id = 2;

Still as the administrator, browse to Special:UserRights and temporarily add the COmanageRegistryProvisioner user to the administrator group.

11. Create a new OAuth consumer

Log out as the administrator and log in as the COmanageRegistryProvisioner. Then browse to Special:OAuthConsumerRegistration. Click on "Request a token for a new consumer". Complete the form:
  • Application name: COmanage Registry Provisioner
  • Application description: COmanage Registry Provisioner
  • Tick the box for "This consumer is for use only by COmanageRegistryProvisioner"
  • Contact email address: email address for the responsible admin
  • Applicable project: All projects on this site
  • Types of grants being requested: Request authorization for specific permissions
  • Applicable grants: Basic rights and Create accounts
  • Usage restrictions (JSON): leave the default for now
  • Public RSA key: leave blank
  • Tick the box to acknowledge.
Record the values for the Consumer token, Consumer secret, Access token, and Access secret.

12. Complete configuration of the COmanageRegistryProvisioner account

Log out and log back in as the wiki admin. Use the Special:UserRights page to remove the COmanageRegistryProvisioner account from the administrator group.

Edit LocalSettings.php and add

$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['user']['createaccount'] = false;
$wgGroupPermissions['sysop']['createaccount'] = false;
$wgGroupPermissions['provisioner']['createaccount'] = true;

Use the Special:UserRights page again to add the COmanageRegistryProvisioner account to the provisioner group.
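Steps 9 and 12 above both end with hand edits to LocalSettings.php, and a missed or commented-out line silently leaves account creation or the OAuth secret in its default state. The following audit script is an added example, not part of the CILogon documentation or the extension: it reads a LocalSettings.php and checks that createaccount is denied to every group except provisioner, that $wgOAuthSecretKey is no longer the SOME_LONG_STRING placeholder, and that $wgMWOAuthSecureTokenTransfer is true. The 20-character minimum for the secret and the two sample configuration files it builds are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the CILogon/MediaWiki documentation): audit a LocalSettings.php for
# the OAuth and account-creation hardening this procedure prescribes. Exit 0 = all checks passed.

# Print the value of the last uncommented assignment whose left-hand side starts with the
# fixed string $2 (PHP: the last assignment wins). Double quotes are stripped; no match prints "".
assigned_value() {  # $1=file  $2=prefix, e.g. $wgOAuthSecretKey
  grep -F "$2" "$1" | grep -v '^[[:space:]]*//' | tail -n 1 |
    sed -E 's/^[^=]*=[[:space:]]*"?([^";]*)"?[[:space:]]*;.*/\1/'
}

check_localsettings() {
  f=$1; fails=0
  # Step 12: only the provisioner group may create accounts.
  for g in '*' user sysop; do
    [ "$(assigned_value "$f" "\$wgGroupPermissions['$g']['createaccount']")" = false ] ||
      { echo "FAIL: createaccount is not false for group '$g'"; fails=$((fails+1)); }
  done
  [ "$(assigned_value "$f" "\$wgGroupPermissions['provisioner']['createaccount']")" = true ] ||
    { echo "FAIL: provisioner group lacks createaccount"; fails=$((fails+1)); }
  # Step 9: the secret must be replaced; a 20-character minimum is this example's assumption.
  secret=$(assigned_value "$f" '$wgOAuthSecretKey')
  case $secret in
    ''|SOME_LONG_STRING) echo "FAIL: wgOAuthSecretKey unset or still the placeholder"; fails=$((fails+1)) ;;
    *) [ "${#secret}" -ge 20 ] || { echo "FAIL: wgOAuthSecretKey is shorter than 20 characters"; fails=$((fails+1)); } ;;
  esac
  [ "$(assigned_value "$f" '$wgMWOAuthSecureTokenTransfer')" = true ] ||
    { echo "FAIL: wgMWOAuthSecureTokenTransfer is not true"; fails=$((fails+1)); }
  return $fails
}

# Constructed sample configurations so the script runs stand-alone. The good one uses the
# page's own example secret; the bad one keeps the placeholder and comments out the sysop line.
TMPD=$(mktemp -d)
GOOD_CFG=$TMPD/LocalSettings.good.php
BAD_CFG=$TMPD/LocalSettings.bad.php
cat >"$GOOD_CFG" <<'EOF'
<?php
$wgOAuthSecretKey = "E5UtLI5tRqq7dPcBKG6n";
$wgMWOAuthSecureTokenTransfer = true;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['user']['createaccount'] = false;
$wgGroupPermissions['sysop']['createaccount'] = false;
$wgGroupPermissions['provisioner']['createaccount'] = true;
EOF
sed -e 's/E5UtLI5tRqq7dPcBKG6n/SOME_LONG_STRING/' -e "s|^\(.*'sysop'.*\)|// \1|" "$GOOD_CFG" >"$BAD_CFG"
for cfg in "$GOOD_CFG" "$BAD_CFG"; do
  if check_localsettings "$cfg"; then echo "PASS: $cfg"; else echo "FAIL: $cfg"; fi
done
```

Run it against the real file with `check_localsettings /path/to/LocalSettings.php` after sourcing the script; a non-zero exit status is the number of failed checks.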