Jump to content

Extension:WebAuthn

From mediawiki.org
MediaWiki extensions manual
WebAuthn
Release status: stable
Implementation User rights , Special page
Description Module for OATHAuth that enables support for authentication through the WebAuthn API
Author(s)
Latest version Continuous updates
Compatibility policy Master maintains backward compatibility.
MediaWiki 1.34+
PHP 7.2+
License GNU General Public License 2.0 or later
Download
  • $wgWebAuthnRelyingPartyName
  • $wgWebAuthnRelyingPartyID
  • $wgWebAuthnNewCredsDisabled
Quarterly downloads 12 (Ranked 125th)
Public wikis using 915 (Ranked 291st)
Translate the WebAuthn extension if it is available at translatewiki.net
Issues Open tasks · Report a bug

WebAuthn is a module for the OATHAuth extension, that provides support for U2F devices (such as YubiKey) by using the WebAuthn API in browsers. It enables support for logging-in using physical security tokens or biometric sensors along with a regular password. Learn more about U2F on Wikipedia.

Warning Warning: Due to limitations in the WebAuthn API, users cannot use this method to log in on wikis not sharing the same root domain. If you have multiple wikis on the same root domain, you must configure support for logging in on wikis other than the one where the key was registered on. Users logging in on wikis not sharing the root domain or on wiki families where the extension has not been configured properly must login on the wiki they registered their U2F key on. See T244088 for more information.

Installation

[edit]

WebAuthn requires OATHAuth and GMP php extensions to be installed first.

  • Download and move the extracted WebAuthn folder to your extensions/ directory.
    Developers and code contributors should install the extension from Git instead, using:cd extensions/
    git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/WebAuthn
  • Only when installing from Git, run Composer to install PHP dependencies, by issuing composer install --no-dev in the extension directory. (See task T173141 for potential complications.)
  • Add the following code at the bottom of your LocalSettings.php file:
    wfLoadExtension( 'WebAuthn' );
    
  • Yes Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.

Cross-wiki support for wikis sharing the same root domain

[edit]

By default, users may only use their U2F key to log in to the wiki where they initially registered the key. Attempting to log in on another wiki within the wiki family results in an error about an unrecognized key and restricts where the user can log in to only the wiki where they registered their U2F key on.

Limited support exists for wiki families (those with $wgOATHAuthDatabase configured) sharing the same root domain. System administrators must first configure support for this by defining both $wgWebAuthnRelyingPartyID and $wgWebAuthnRelyingPartyName. The Relying Party ID must be set to your root domain. For example, if you have wikis at a.wiki.com, b.wiki.com, and c.wiki.com, the root domain is wiki.com and must be set as the ID. The Relying Party name can be whatever but ideally, it should be the name of your wiki family.

Due to limitations in the WebAuthn API, no support exists for logging in via WebAuthn on wikis not sharing the same root domain. Users should be advised to register their U2F key on a central wiki and login through that wiki. Attempting to login on those wikis will result in an error about an unrecognized key.

Configuration

[edit]
parameter default comment
$wgWebAuthnRelyingPartyID null Configures relying party ID. If not defined, this defaults to your domain.
$wgWebAuthnRelyingPartyName null Configures relying party name. If not defined, this defaults to your sitename.

Browser support

[edit]

List of all supported web browsers can be found on Mozilla Developer Network.

Desktop

[edit]
  • Chrome 67+
  • Edge 18+
  • Firefox 60+

Mobile

[edit]
  • Android WebView 70+
  • Chrome for Android 70+
  • Firefox for Android 60+