Extension:WebAuthn

From Linux Web Expert

Revision as of 07:12, 2 April 2024 by imported>Tgr (WMF) (phab link)

MediaWiki extensions manual
WebAuthn
Release status: stable
Implementation User rights, Special page
Description Module for OATHAuth that enables support for authentication through the WebAuthn API
Author(s)
Latest version Continuous updates
Compatibility policy Master maintains backward compatibility.
MediaWiki 1.34+
PHP 7.2+
License GNU General Public License 2.0 or later
Download
  • $wgWebAuthnRelyingPartyName
  • $wgWebAuthnRelyingPartyID
Translate the WebAuthn extension if it is available at translatewiki.net
Issues Open tasks · Report a bug

WebAuthn is a module for the OATHAuth extension that provides support for U2F devices (such as YubiKey) by using the WebAuthn API in browsers. It enables logging in with physical security tokens or biometric sensors along with a regular password. Learn more about U2F on Wikipedia.

Warning: Due to limitations in the WebAuthn API, users cannot use this method to log in on wikis not sharing the same root domain. If you have multiple wikis on the same root domain, you must configure support for logging in on wikis other than the one where the key was registered. Users logging in on wikis not sharing the root domain, or on wiki families where the extension has not been configured properly, must log in on the wiki where they registered their U2F key. See T244088 for more information.

Installation

WebAuthn requires the OATHAuth extension and the GMP PHP extension to be installed first.

  • Download and move the extracted WebAuthn folder to your extensions/ directory.
    Developers and code contributors should install the extension from Git instead, using:
    cd extensions/
    git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/WebAuthn
  • Only when installing from Git, run Composer to install PHP dependencies, by issuing composer install --no-dev in the extension directory. (See task T173141 for potential complications.)
  • Add the following code at the bottom of your LocalSettings.php file:
    wfLoadExtension( 'WebAuthn' );
  • Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.

Cross-wiki support for wikis sharing the same root domain

By default, users may only use their U2F key to log in to the wiki where they initially registered the key. Attempting to log in on another wiki within the wiki family results in an error about an unrecognized key, so the user can log in only on the wiki where they registered their U2F key.

Limited support exists for wiki families (those with $wgOATHAuthDatabase configured) sharing the same root domain. System administrators must first configure support for this by defining both $wgWebAuthnRelyingPartyID and $wgWebAuthnRelyingPartyName. The Relying Party ID must be set to your root domain. For example, if you have wikis at a.wiki.com, b.wiki.com, and c.wiki.com, the root domain is wiki.com and must be set as the ID. The Relying Party name can be anything, but ideally it should be the name of your wiki family.

Due to limitations in the WebAuthn API, no support exists for logging in via WebAuthn on wikis not sharing the same root domain. Users should be advised to register their U2F key on a central wiki and log in through that wiki. Attempting to log in on those wikis will result in an error about an unrecognized key.
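
A way to check, before setting $wgWebAuthnRelyingPartyID, which wiki hostnames a given Relying Party ID covers. This is an added example, not code from the WebAuthn extension: rpIdCoversHost is a hypothetical helper, notwiki.com and wiki.example.org are constructed negative cases, and the check does not verify that the ID is not a public suffix such as com.

```php
<?php
// Added example, not part of the WebAuthn extension. Run with the PHP CLI.
// Hostnames are the page's example family (a/b/c.wiki.com) plus two
// constructed hosts that must NOT be covered.

/**
 * True if a wiki served from $host can use credentials scoped to $rpId:
 * the host is either identical to the RP ID or a subdomain of it.
 * The match is anchored on a label boundary, so "notwiki.com" is not
 * treated as being under "wiki.com".
 */
function rpIdCoversHost( string $rpId, string $host ): bool {
	// Hostnames are case-insensitive; a trailing dot is the same name.
	$rpId = strtolower( rtrim( $rpId, '.' ) );
	$host = strtolower( rtrim( $host, '.' ) );
	if ( $rpId === '' || $host === '' ) {
		return false;
	}
	if ( $host === $rpId ) {
		return true;
	}
	$suffix = '.' . $rpId;
	// Require at least one label in front of ".<rpId>".
	return strlen( $host ) > strlen( $suffix )
		&& substr( $host, -strlen( $suffix ) ) === $suffix;
}

$rpId = 'wiki.com';
$hosts = [
	'a.wiki.com', 'b.wiki.com', 'c.wiki.com', 'wiki.com', // wiki family
	'notwiki.com',      // constructed: shares the string, not the domain
	'wiki.example.org', // constructed: different root domain
];

foreach ( $hosts as $host ) {
	$state = rpIdCoversHost( $rpId, $host ) ? 'covered' : 'NOT covered';
	printf( "%-18s %s\n", $host, $state );
}

// Once every wiki in the family is covered, the same two settings go
// into LocalSettings.php on each of them:
//   $wgWebAuthnRelyingPartyID = 'wiki.com';
//   $wgWebAuthnRelyingPartyName = 'Example Wiki Family'; // constructed name
```

Any host reported as NOT covered falls under the limitation described above: users there must log in through the wiki where the key was registered.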

Configuration

Parameter                      Default   Comment
$wgWebAuthnRelyingPartyID      null      Configures relying party ID. If not defined, this defaults to your domain.
$wgWebAuthnRelyingPartyName    null      Configures relying party name. If not defined, this defaults to your sitename.

Browser support

A list of all supported web browsers can be found on Mozilla Developer Network.

Desktop

  • Chrome 67+
  • Edge 18+
  • Firefox 60+

Mobile

  • Android WebView 70+
  • Chrome for Android 70+
  • Firefox for Android 60+