How to setup external Single Sign On for MediaWiki?

Question

I'm trying to setup single sign on for MediaWiki with ExtAuthDB extension. The purpose is to authenticate user from external user system automatically when user logins in the main website: www.mysite.com. Mediawiki is located on subdomain: www.wiki.mysite.com.

I have installed the extension as it said in the guide. All priviliges are correct. But it doesn't work.

ExtAuthDB.php is:

<?php
/**
* Authentication plugin interface. Instantiate a subclass of AuthPlugin
* and set $wgAuth to it to authenticate against some external tool.
*
* The default behavior is not to do anything, and use the local user
* database for all authentication. A subclass can require that all
* accounts authenticate externally, or use it only as a fallback; also
* you can transparently create internal wiki accounts the first time
* someone logs in who can be authenticated externally.
*
* This interface is a derivation of AuthJoomla and might change a bit before 1.4.0 final is done...
*
*/
$wgExtensionCredits['parserhook'][] = array (
'name' => 'ExtAuthDB',
'author' => 'Alessandra Bilardi',
'description' => 'Authenticate users about external MySQL database',
'url' => 'https://www.mediawiki.org/wiki/Extension:ExtAuthDB',
'version' => '0.1',
);

require_once ( "$IP/includes/AuthPlugin.php" );
class ExtAuthDB extends AuthPlugin
{

/**
* Add into LocalSettings.php the following code: 
*
* MySQL Host Name.
* $wgExtAuthDB_MySQL_Host = '';
* MySQL Username.      
* $wgExtAuthDB_MySQL_Username = '';
* MySQL Password.        
* $wgExtAuthDB_MySQL_Password = '';
* MySQL Database Name.    
* $wgExtAuthDB_MySQL_Database = '';
* MySQL Database Table of users data.
* $wgExtAuthDB_MySQL_Table = '';
* MySQL Database username column label.
* $wgExtAuthDB_MySQL_Login = '';
* MySQL Database login password column label
* $wgExtAuthDB_MySQL_Pswrd = '';
* MySQL Database email column label
* $wgExtAuthDB_MySQL_Email = '';
* MySQL Database user real name column label
* $wgExtAuthDB_MySQL_RealN = '';
* require_once("$IP/extensions/ExtAuthDB/ExtAuthDB.php");
* $wgAuth = new ExtAuthDB();
*
* @return Object Database
*/
private function connectToDB()
{
    $db = & Database :: newFromParams(
    $GLOBALS['wgExtAuthDB_MySQL_Host'],
    $GLOBALS['wgExtAuthDB_MySQL_Username'],
    $GLOBALS['wgExtAuthDB_MySQL_Password'],
    $GLOBALS['wgExtAuthDB_MySQL_Database']);

    $this->userTable = $GLOBALS['wgExtAuthDB_MySQL_Table'];
    $this->userLogin = $GLOBALS['wgExtAuthDB_MySQL_Login'];
    $this->userPswrd = $GLOBALS['wgExtAuthDB_MySQL_Pswrd'];//.$GLOBALS['$wgExtAuthDB_MySQL_Salt'];
    $this->userEmail = $GLOBALS['wgExtAuthDB_MySQL_Email'];
    $this->userRealN = $GLOBALS['wgExtAuthDB_MySQL_RealN'];
    wfDebug("ExtAuthDB::connectToDB() : DB failed to open\n");
    return $db;
}

/**
 * Check whether there exists a user account with the given name.
 * The name will be normalized to MediaWiki's requirements, so
 * you might need to munge it (for instance, for lowercase initial
 * letters).
 *
 * @param $username String: username.
 * @return bool
 * @public
 */
function userExists( $username ) {
    # Override this!
    return true;
}

/**
 * Check if a username+password pair is a valid login.
 * The name will be normalized to MediaWiki's requirements, so
 * you might need to munge it (for instance, for lowercase initial
 * letters).
 *
 * @param $username String: username.
 * @param $password String: user password.
 * @return bool
 * @public
 */
function authenticate( $username, $password )
{
    $db = $this->connectToDB();
    $hash_password = $db->selectRow($this->userTable,array ($this->userPswrd), array ($this->userLogin => $username ), __METHOD__ );
    if ($password == $hash_password->{$this->userPswrd}) {
        return true;
    }
    return false;
}

/**
 * Set the domain this plugin is supposed to use when authenticating.
 *
 * @param $domain String: authentication domain.
 * @public
 */
function setDomain( $domain ) {

    $this->domain = $domain;
}

/**
 * Check to see if the specific domain is a valid domain.
 *
 * @param $domain String: authentication domain.
 * @return bool
 * @public
 */
function validDomain( $domain ) {
    # Override this!
    return true;
}

/**
 * When a user logs in, optionally fill in preferences and such.
 * For instance, you might pull the email address or real name from the
 * external user database.
 *
 * The User object is passed by reference so it can be modified; don't
 * forget the & on your function declaration.
 *
 * @param User $user
 * @public
 */
function updateUser( &$user )
{
    $db = $this->connectToDB();
    $euser = $db->selectRow($this->userTable,array ( '*' ), array ($this->userLogin => $user->mName ), __METHOD__ );
    $user->setRealName($euser->{$this->userRealN});
    $user->setEmail($euser->{$this->userEmail});
    $user->mEmailAuthenticated = wfTimestampNow();
    $user->saveSettings();
    //exit;
    # Override this and do something
    return true;
}
function disallowPrefsEditByUser() {
    return array (
        'wpRealName' => true,
        'wpUserEmail' => true,
        'wpNick' => true
    );
}

/**
 * Return true if the wiki should create a new local account automatically
 * when asked to login a user who doesn't exist locally but does in the
 * external auth database.
 *
 * If you don't automatically create accounts, you must still create
 * accounts in some way. It's not possible to authenticate without
 * a local account.
 *
 * This is just a question, and shouldn't perform any actions.
 *
 * @return bool
 * @public
 */
function autoCreate() {
    return true;
}

/**
 * Can users change their passwords?
 *
 * @return bool
 */
function allowPasswordChange() {
    return false;
}

/**
 * Set the given password in the authentication database.
 * As a special case, the password may be set to null to request
 * locking the password to an unusable value, with the expectation
 * that it will be set later through a mail reset or other method.
 *
 * Return true if successful.
 *
 * @param $user User object.
 * @param $password String: password.
 * @return bool
 * @public
 */
function setPassword( $user, $password ) {
    return true;
}

/**
 * Update user information in the external authentication database.
 * Return true if successful.
 *
 * @param $user User object.
 * @return bool
 * @public
 */
function updateExternalDB( $user ) {
    $db = $this->connectToDB();
    $euser = $db->selectRow($this->userTable,array ( '*' ), array ($this->userLogin => $user->mName ), __METHOD__ );
    $user->setRealName($euser->{$this->userRealN});
    $user->setEmail($euser->{$this->userEmail});
    $user->mEmailAuthenticated = wfTimestampNow();
    $user->saveSettings();
    return true;
}

/**
 * Check to see if external accounts can be created.
 * Return true if external accounts can be created.
 * @return bool
 * @public
 */
function canCreateAccounts() {
    return false;
}

/**
 * Add a user to the external authentication database.
 * Return true if successful.
 *
 * @param User $user - only the name should be assumed valid at this point
 * @param string $password
 * @param string $email
 * @param string $realname
 * @return bool
 * @public
 */
function addUser( $user, $password, $email='', $realname='' ) {
    return false;
}


/**
 * Return true to prevent logins that don't authenticate here from being
 * checked against the local database's password fields.
 *
 * This is just a question, and shouldn't perform any actions.
 *
 * @return bool
 * @public
 */
function strict() {
    return true;
}

/**
 * When creating a user account, optionally fill in preferences and such.
 * For instance, you might pull the email address or real name from the
 * external user database.
 *
 * The User object is passed by reference so it can be modified; don't
 * forget the & on your function declaration.
 *
 * @param $user User object.
 * @param $autocreate bool True if user is being autocreated on login
 * @public
 */
function initUser( $user, $autocreate=false ) {
    # Override this to do something.
}

/**
 * If you want to munge the case of an account name before the final
 * check, now is your chance.
 */
function getCanonicalName( $username ) {
    return $username;
}
}

And in LocalSettings.php, I should add this code:

// add ExtAuthDB
// MySQL Host Name.
$wgExtAuthDB_MySQL_Host = 'localhost';
// MySQL Username.
$wgExtAuthDB_MySQL_Username = 'dbuser';
// MySQL Password.
$wgExtAuthDB_MySQL_Password = 'dbpassword';
// MySQL Database Name.
$wgExtAuthDB_MySQL_Database = 'base';
// MySQL Database Table of users data.
$wgExtAuthDB_MySQL_Table = 'members';
// MySQL Database username column label.
$wgExtAuthDB_MySQL_Login = 'username';
// MySQL Database login password column label
$wgExtAuthDB_MySQL_Pswrd = 'password';
$wgExtAuthDB_MySQL_Salt='salt';
// MySQL Database email column label
$wgExtAuthDB_MySQL_Email = 'email';
// MySQL Database user real name column label
$wgExtAuthDB_MySQL_RealN = 'real_name';

require_once("$IP/extensions/ExtAuthDB/ExtAuthDB.php");
$wgAuth = new ExtAuthDB();

Sorry, I had to copy full script, because I don't know where is the exact fault. And my question is: Why doesn't it work? Where is the mistake?

EDIT:

My external user table consists of id, username, password, salt, email, real_name. I thought it could be because of seperate password and salt fields, so I tried to implement salt in ExtAuthDB.php file manually. Unfortunately, it didn't work either. Then I commented this line.

Answer 1

I was able to setup SSO (Single sign-on) from WordPress to media wiki using OAuth 2.0 server, I have posted my solution on this post

Or you can follow these steps:

1. First you need an OAuth 2.0 server, you could implement it your self see details here Run your own OAuth 2.0 Server or the easiest way is to use the WordPress plugin WP Oauth 2.0 server you don't have to buy the pro, you can also implement SSO by using the Grant type Authorization codes which comes free.

2. You need OAuth 2.0 client extension installed on your media wiki, the extension can be found here, follow the installation instructions there.

3. Go to WordPress plugin page and activate OAuth server, then navigate to OAuth Server and add a new client, give your client a name and in Redirect URI add the link mention on the media wiki extension page i.e http://your.wiki.domain/path/to/wiki/Special:OAuth2Client/callback, then go to OAuth>clients page where you can see your newly created client, click edit and here you can see clientID and Client secret add this ID and secret in the localSettings.php of your media wiki.

4. Create a page on WordPress and put the following button with your client id in it

   < a href="https://your-Domain-Where-OAuth-server-is-running.de/oauth/authorize?response_type=code&client_id=YOURCLIENTID&state=RANDOM-STRING&scope=basic"> go to wiki</a> don't forget to put scope otherwise you will get a media wiki internal error.

5. If everything worked fine then you should automatically go to the media wiki main page after clicking this button from your WordPress. media wiki will show you as logged in. It took me some time to figure it out I hope this helps anyone who comes here.