Extension:WebAuthn
WebAuthn | Release status: stable |
---|---|
Implementation | User rights, Special page |
Description | Module for OATHAuth that enables support for authentication through the WebAuthn API |
Author(s) | |
Latest version | Continuous updates |
Compatibility policy | Master maintains backward compatibility. |
MediaWiki | 1.34+ |
PHP | 7.2+ |
License | GNU General Public License 2.0 or later |
Quarterly downloads | 12 (Ranked 125th) |
Public wikis using | 915 (Ranked 291st) |
WebAuthn is a module for the OATHAuth extension that provides support for U2F devices (such as YubiKey) by using the WebAuthn API in browsers. It enables logging in with physical security tokens or biometric sensors along with a regular password. Learn more about U2F on Wikipedia.
Installation
WebAuthn requires the OATHAuth extension and the GMP PHP extension to be installed first.
- Download and move the extracted WebAuthn folder to your extensions/ directory.
  Developers and code contributors should install the extension from Git instead, using:
      cd extensions/
      git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/WebAuthn
- Only when installing from Git, run Composer to install PHP dependencies, by issuing composer install --no-dev in the extension directory. (See task T173141 for potential complications.)
- Add the following code at the bottom of your LocalSettings.php file:
      wfLoadExtension( 'WebAuthn' );
- Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.
Cross-wiki support for wikis sharing the same root domain
By default, users may only use their U2F key to log in to the wiki where they initially registered the key. Attempting to log in on another wiki within the wiki family results in an error about an unrecognized key, so the user can log in only on the wiki where they registered their U2F key.
Limited support exists for wiki families (those with $wgOATHAuthDatabase configured) sharing the same root domain. System administrators must first configure support for this by defining both $wgWebAuthnRelyingPartyID and $wgWebAuthnRelyingPartyName. The Relying Party ID must be set to your root domain. For example, if you have wikis at a.wiki.com, b.wiki.com, and c.wiki.com, the root domain is wiki.com and must be set as the ID. The Relying Party name can be any value, but ideally it should be the name of your wiki family.
Due to limitations in the WebAuthn API, no support exists for logging in via WebAuthn on wikis not sharing the same root domain. Attempting to log in on those wikis will result in an error about an unrecognized key. Users should be advised to register their U2F key on a central wiki and log in through that wiki.
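The root-domain rule described above, as an added example that is not part of the extension's code: it applies the suffix check that browsers perform on a relying party ID to a list of wiki host names, so an administrator can see which wikis a given $wgWebAuthnRelyingPartyID value would cover. The function names and the hosts wiki.example.org and notwiki.com are assumptions made for illustration; browsers also consult the Public Suffix List, which is reduced here to rejecting single-label IDs.

```javascript
// Added example: which wiki hosts does a WebAuthn relying party ID cover?

// Normalise a host name: trim, lower-case, strip a trailing dot.
function normalizeHost(host) {
  return String(host).trim().toLowerCase().replace(/\.$/, "");
}

// True when rpId is usable on a page served from host: the ID must equal
// the host or be a dot-aligned suffix of it.
// Simplification (assumption): browsers use the Public Suffix List to reject
// IDs such as "com"; this sketch rejects any single-label suffix instead.
function rpIdCoversHost(rpId, host) {
  const id = normalizeHost(rpId);
  const h = normalizeHost(host);
  if (id === "" || h === "") return false;
  if (h === id) return true;           // ID is the wiki's own domain
  if (!id.includes(".")) return false; // e.g. "com" must never act as a suffix
  return h.endsWith("." + id);         // "notwiki.com" does not end in ".wiki.com"
}

// Split a wiki family into hosts that can share keys under rpId and hosts
// that cannot (users of the latter must log in through a covered wiki).
function checkWikiFamily(rpId, hosts) {
  const covered = [];
  const uncovered = [];
  for (const host of hosts) {
    const h = normalizeHost(host);
    (rpIdCoversHost(rpId, h) ? covered : uncovered).push(h);
  }
  return { rpId: normalizeHost(rpId), covered, uncovered };
}

// Constructed sample: the three wikis from the text plus two outsiders.
const family = [
  "a.wiki.com", "b.wiki.com", "c.wiki.com",
  "wiki.example.org", "notwiki.com",
];

// With the root domain as the ID, a key registered on one wiki works on all three.
const shared = checkWikiFamily("wiki.com", family);
// With the ID left at one wiki's own domain, the key stays bound to that wiki.
const perWiki = checkWikiFamily("a.wiki.com", family);

console.log(shared);
console.log(perWiki);
```

Any host reported as uncovered would produce the unrecognized-key error described above.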
Configuration
parameter | default | comment |
---|---|---|
$wgWebAuthnRelyingPartyID | null | Configures relying party ID. If not defined, this defaults to your domain. |
$wgWebAuthnRelyingPartyName | null | Configures relying party name. If not defined, this defaults to your sitename. |
Browser support
A list of all supported web browsers can be found on Mozilla Developer Network.
Desktop
- Chrome 67+
- Edge 18+
- Firefox 60+
Mobile
- Android WebView 70+
- Chrome for Android 70+
- Firefox for Android 60+
This extension is being used on one or more Wikimedia projects. This probably means that the extension is stable and works well enough to be used by such high-traffic websites. Look for this extension's name in Wikimedia's CommonSettings.php and InitialiseSettings.php configuration files to see where it's installed. A full list of the extensions installed on a particular wiki can be seen on the wiki's Special:Version page.