MediaWiki

MediaWiki may be integrated with CILogon using OpenID Connect (OAuth 2.O) for authentication and provisioning and lifecycle management of accounts by the CILogon Registry (COmanage).

Deployment Requirements

Deploying MediaWiki and integrating it with CILogon requires:

• MediaWiki version 1.28 or higher
• PHP 5.6 or higher
• MediaWiki "short URLs" configuration
• MediaWiki PluggableAuth extension
• MediaWiki OpenID Connect extension
• MediaWiki OAuth extension
• Memcached (required by OAuth extension)
• MariaDB/MySQL (required by OAuth extension)

Deployment Instructions

These deployment instructions have been developed and tested for CentOS 7.x. Please adjust accordingly if you use another platform.

1. Install and configure the Apache HTTP Server for HTTPS.

2. Install PHP 5.6:

yum install epel-release

wget http://rpms.famillecollet.com/enterprise/remi-release-7.rpm

rpm -Uvh remi-release-7*.rpm

Edit the file /etc/yum.repos.d/remi.repo and enable the [remi] and [remi-php56] repos, then

yum install php php-gd php-mysql php-mcrypt php-mbstring php-xml

3. Install MariaDB:

yum install mariadb mariadb-server

systemctl enable mariadb

systemctl start mariadb

mysql_secure_installation

4. Create the mediawiki database and mediawiki database user:

mysql --user=root --password

create database mediawiki;

grant all privileges on mediawiki.* to 'mediawiki'@'localhost' identified by '<password>';

5. Install memcached:

yum install memcached php56-php-pecl-memcache

systemctl enable memcached

Edit /etc/sysconfig/memcached and add

OPTIONS="-l 127.0.0.1"

Then start memcached:

systemctl start memcached

6. Install MediaWiki

Use the manual instructions.

Be sure you can login as the administrator using the standard login and password form.

7. Configure Short URLs

Configure "short URLs" by editing LocalSettings.php and adding the line

$wgArticlePath = "/wiki/$1";

Then edit the Apache configuration and enable and configure the rewrite engine:

# Enable the rewrite engine

RewriteEngine On

# Short url for wiki pages

RewriteRule ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/w/index.php [L]

# Redirect / to Main Page

RewriteRule ^/*$ %{DOCUMENT_ROOT}/w/index.php [L]

Restart Apache.

8. Configure use of memcached

Edit LocalSettings.php and add

$wgMainCacheType = CACHE_MEMCACHED;

$wgParserCacheType = CACHE_MEMCACHED;

$wgMessageCacheType = CACHE_MEMCACHED;

$wgMemCachedServers = array( "127.0.0.1:11211" );

$wgSessionsInObjectCache = true;

$wgSessionCacheType = CACHE_MEMCACHED;

9. Deploy the OAuth MediaWiki extension

cd extensions

mkdir OAuth

cd OAuth

wget https://github.com/cilogon/mediawiki-extensions-OAuth/archive/REL1_28.tar.gz

tar zxf REL1_28.tar.gz --strip-components=1

rm REL1_28.tar.gz

cd ../../maintenance

php update.php

Edit LocalSettings.php and add

$wgWhitelistRead = array('Special:OAuth');

require_once "$IP/extensions/OAuth/OAuth.php";

$wgOAuthSecretKey = "SOME_LONG_STRING";

$wgMWOAuthSecureTokenTransfer = true;

where SOME_LONG_STRING is a random string, eg. E5UtLI5tRqq7dPcBKG6n.

Also add the following to LocalSettings.php:

$wgGroupPermissions['*']['mwoauthproposeconsumer'] = false;

$wgGroupPermissions['*']['mwoauthupdateownconsumer'] = false;

$wgGroupPermissions['*']['mwoauthmanageconsumer'] = false;

$wgGroupPermissions['*']['mwoauthsuppress'] = false;

$wgGroupPermissions['*']['mwoauthviewsuppressed'] = false;

$wgGroupPermissions['*']['mwoauthviewprivate'] = false;

$wgGroupPermissions['*']['mwoauthmanagemygrants'] = false;

$wgGroupPermissions['user']['mwoauthproposeconsumer'] = false;

$wgGroupPermissions['user']['mwoauthupdateownconsumer'] = false;

$wgGroupPermissions['user']['mwoauthmanageconsumer'] = false;

$wgGroupPermissions['user']['mwoauthsuppress'] = false;

$wgGroupPermissions['user']['mwoauthviewsuppressed'] = false;

$wgGroupPermissions['user']['mwoauthviewprivate'] = false;

$wgGroupPermissions['user']['mwoauthmanagemygrants'] = false;

$wgGroupPermissions['sysop']['mwoauthproposeconsumer'] = true;

$wgGroupPermissions['sysop']['mwoauthupdateownconsumer'] = true;

$wgGroupPermissions['sysop']['mwoauthmanageconsumer'] = true;

$wgGroupPermissions['sysop']['mwoauthsuppress'] = true;

$wgGroupPermissions['sysop']['mwoauthviewsuppressed'] = true;

$wgGroupPermissions['sysop']['mwoauthviewprivate'] = true;

$wgGroupPermissions['sysop']['mwoauthmanagemygrants'] = true;

10. Create and configure a MediaWiki account for COmanage Registry Provisioner

As the wiki admin browse to the Special:SpecialPages page for your wiki and click on "Create account". Create an account with

• Username: COmanageRegistryProvisioner
• Password: set a long unguessable password (be sure to record it)
• Email address: use the email address for the responsible administrator

Use the mysql client to connect to the database and mark the email for the user you just used as authenticated, eg.

UPDATE user SET user_email_authenticated = user_touched WHERE user_id = 2;

Still as the administrator browse to Special:UserRights and temporarily add the COmanageRegistryProvisioner user to the administrator group.

11. Create a new OAuth consumer

Log out as the administrator and log in as the COmanageRegistryProvisioner. Then browse to Speical:OAuthConsumerRegistration. Click on "Request a token for a new consumer". Complete the form:

• Application name: COmanage Registry Provisioner
• Application description: COmanage Registry Provisioner
• Tick the box for "This consumer is for use only by COmanageRegistryProvisioner"
• Contact email address: email address for the responsible admin
• Applicable project: All projects on this site
• Types of grants being requested: Request authorization for specific permissions
• Applicable grants: Basic rights and Create accounts
• Usage restrictions (JSON): leave the default for now
• Public RSA key: leave blank
• Tick the box to acknowledge.

Record the values for the Consumer token, Consumer secret, Access token, and Access secret

12. Complete configuration of COmanageRegistryProvisioner account

Log out and log back in as the wiki admin. Use the Special:UserRights page to remove the COmanageRegistryProvisioner account from the administrator group.

Edit LocalSettings.php and add

$wgGroupPermissions['*']['createaccount'] = false;

$wgGroupPermissions['user']['createaccount'] = false;

$wgGroupPermissions['sysop']['createaccount'] = false;

$wgGroupPermissions['provisioner']['createaccount'] = true;

Use the Special:UserRights page again to add the COmanageRegistryProvisioner account to the provisioner group.

13. Configure identifiers in COmanage Registry

We recommend two identifiers to be managed by COmanage Registry be configured for auto-assignment in your registry:

1. An opaque project-wide identifier that is not name-based so that it will not change when a user's name changes. A best practice is to use a simple prefix that represents your project followed by a number (sequential) that increments for each enrolled user. For example if your project is "NANOGrav" then you might choose the identifier format to be "NG(#)" with a minimum value of 10000 so that example identifier values are NG10001, NG10002, NG10003, and so on.
2. This identifier will be consumed by MediaWiki and used as part of the unique user key but will not be seen by the user.
3. A name-based identifier that adheres to the MediaWiki username requirements. An example identifier format is "(G)[1:(M:1) ] (F)[2: (#)]". This format will use the given and family name of the user to construct the identifier value. It will add a middle name if available if necessary to make the value unique. If the middle name does not make the value unique or is not available it will append a digit to ensure the value is always unique.
4. This identifier will be provisioned to MediaWiki and seen by the user.

Please email help@cilogon.org with any questions about how to create the identifier assignments in COmanage.

14. Configure COmanage Registry MediaWiki Provisioner

Log into COmanage Registry as the CO administrator for your organization and choose Configuration -> Provisioning Targets from the menu. Click "Add Provisioning Target" and complete the form to add a new MediaWiki Provisioner.

After adding the new provisioner you will be presented the form to configure it. Complete the form with the API URL for your MediaWiki deployment and the OAuth consumer token/key, secret, access token, and access secret from step 11. Choose the identifier you configured in step 13 as the name-based identifier that will be provisioned as the MediaWiki username that the user sees.

15. Provision users to MediaWiki

After saving the MediaWiki Provisioner configuration in COmanage Registry click "Reprovision All" next to the MediaWiki provisioning target to provision users to MediaWiki.

16. Add user(s) to Administrators Group

Log into MediaWiki as the administrator and browse to the Special:UserRights page. Add one or more of the provisioned users to the Administrators group so that after OIDC authentication is enabled those users may easily administer the wiki.

17. Obtain OIDC client credentials

Log into the CILogon Registry (COmanage) as an administrator. Use the menu Configuration->OIDC Clients and then click "Add a New OIDC Client". Complete the form with the following details:

• Name: choose a name for your OIDC client, eg. "MediaWiki OIDC Client"
• Home URL: enter the generic URL for your MediaWiki deployment. This configuration option is not used as part of the authentication flow and is only advisory.
• Error URL: enter the URL to redirect the user to if there is an unrecoverable error during the authentication flow.
• Callback URL: enter the "Special Pages Pluggable Auth Login" URL for your MediaWiki deployment, eg. https://my.org/wiki/Special:PluggableAuthLogin
• Scope: Choose 'openid' from the drop-down menu and then click "Add" to add 3 more fields and select "profile", "email", and "org.cilogon.userinfo" each one.
• LDAP Claim Mappings: Tick the "+" sign to open the input fields for LDAP claim mappings. The LDAP server URL and other connection details will be set by default. Configure the following mapping:
  • LDAP Attribute Name: CILogonPersonMediaWikiUsername
  • OIDC Claim Name: preferred_username
  • Multivalued: unchecked
• Click the "Add" button to add another mapping:
  • LDAP Attribute Name: givenName
  • OIDC Claim Name: given_name
  • Multivalued: unchecked
• Click the "Add" button to add another mapping:
  • LDAP Attribute Name: sn
  • OIDC Claim Name: family_name
  • Multivalued: unchecked
• Click the "Add" button to add another mapping:
  • LDAP Attribute Name: mail
  • OIDC Claim Name: email
  • Multivalued: unchecked

Click "Add" to submit the form and create the OIDC client.

Record the client ID and client secret. You must record the client secret since it is not saved by the CILogon services.

18. Deploy the PluggableAuth and OpenIDConnect MediaWiki Extensions

cd extensions

mkdir PluggableAuth

cd PluggableAuth

wget https://github.com/wikimedia/mediawiki-extensions-PluggableAuth/archive/5.0.tar.gz

tar zxf 5.0.tar.gz --strip-components=1

rm 5.0.tar.gz

cd ../

mkdir OpenIDConnect

cd OpenIDConnect

wget https://github.com/wikimedia/mediawiki-extensions-OpenIDConnect/archive/4.0.tar.gz

tar zxf 4.0.tar.gz --strip-components=1

rm 4.0.tar.gz

composer update

cd ../../maintenance

php update.php

19. Configure the PluggableAuth and OpenIDConnect MediaWiki Extensions

Edit LocalSettings.php and add

wfLoadExtension( 'PluggableAuth' );

wfLoadExtension( 'OpenIDConnect' );

$wgOpenIDConnect_Config['https://test.cilogon.org'] = array(

    'clientID' => 'YOUR CLIENT ID',

    'clientsecret' => 'YOUR CLIENT SECRET',

    'scope' => array( 'openid', 'profile', 'email', 'org.cilogon.userinfo' ),

    'name' => 'CILogon'

);

$wgOpenIDConnect_MigrateUsersByUserName = true;

$wgPluggableAuth_EnableLocalLogin = true;

20. Test OIDC authentication

With a web browser with no existing sessions or state browse to your wiki and click "Log in". Click on "Log in with PluggableAuth" to be redirected to the CILogon service and choose your login server. After authenticating with the login server you should be logged into the wiki and see your username.