On wiki farms, it makes sense to set this to a wiki that acts as a portal site, is dedicated to management, or just handles login/authentication. It can, however, be set to any wiki in the farm. For single-wiki sites or farms where each wiki manages consumers separately, it should be left as false.

(deprecated) Use $wgMWOAuthSharedUserSource instead. Whether shared global user IDs are stored in the oauth tables. On wiki farms with a central authentication system (with integer user IDs) that share a single OAuth management wiki, this must be set to true. If wikis have a central authentication system but have their own OAuth management, then this can be either true or false. Otherwise it should always be set to false. Setting this to true requires CentralIdLookup or an MWOAuth aware authentication extension. This value should not be changed after the fact to avoid ambiguous IDs. Proper user ID migration should be done before any such changes.

Central ID provider when sharing OAuth credentials over a wiki farm. If CentralIdLookup is available, this is the $providerId for CentralIdLookup::factory(). Generally null would be what you want, to use the default provider. If that class is not available or the named provider is not found, this is passed to the OAuthGetUserNamesFromCentralIds, OAuthGetLocalUserFromCentralId, OAuthGetCentralIdFromLocalUser, OAuthGetCentralIdFromUserName hooks. This has no effect if $wgMWOAuthSharedUserIDs is set to false.

Seconds after which an idle request for a new Consumer is marked as "expired".

Require SSL/TLS for returning Consumer and user secrets. This is required by RFC 5849, however if a wiki wants to use OAuth, but doesn't support SSL, this option makes this configuration possible. This should be set to true for most production settings.

A secret configuration string (random 32-bit string generated using "base64_encode(random_bytes(32))") used to HMAC the database-stored secret to produce the shared secrets for Consumers. This provides some protection against an attacker reading the values out of the consumer table (the attacker would also need $wgOAuthSecretKey to generate valid secrets), and some protection against potential weaknesses in the secret generation.
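The effect of $wgOAuthSecretKey described above, as an added sketch that is not the OAuth extension's own code: the value stored in the consumer table is passed through an HMAC keyed with the site secret, so the table contents alone do not yield the shared secret. The helper name `deriveSharedSecret`, the SHA-256 choice and all sample values are assumptions made for illustration.

```php
<?php
// Added illustration, not code from the OAuth extension.
// All values below are constructed samples.

// Site-wide key, generated with the expression the page gives.
// In a real wiki this is set once in LocalSettings.php and kept out of the database.
$wgOAuthSecretKey = base64_encode( random_bytes( 32 ) );

/**
 * Hypothetical helper: turn the database-stored secret into the shared
 * secret that is handed to a Consumer. The hash algorithm is an assumption
 * of this sketch; the page does not name one.
 */
function deriveSharedSecret( string $dbSecret, string $siteKey ): string {
	if ( $siteKey === '' ) {
		// No key configured: the stored value is the shared secret,
		// so read access to the table is enough to impersonate a Consumer.
		return $dbSecret;
	}
	return hash_hmac( 'sha256', $dbSecret, $siteKey );
}

// Constructed stand-in for the secret column of one consumer-table row.
$dbSecret = bin2hex( random_bytes( 16 ) );

$withKey = deriveSharedSecret( $dbSecret, $wgOAuthSecretKey );
$withoutKey = deriveSharedSecret( $dbSecret, '' );

// Someone who has read the table but not LocalSettings.php can only
// compute the HMAC under a key they made up.
$fromTableOnly = deriveSharedSecret( $dbSecret, base64_encode( random_bytes( 32 ) ) );

// hash_equals() compares in constant time, as secret comparison should.
echo "No site key, table value equals shared secret: ";
var_dump( hash_equals( $withoutKey, $dbSecret ) );

echo "Site key set, table value equals shared secret: ";
var_dump( hash_equals( $withKey, $dbSecret ) );

echo "Site key set, table-only derivation matches: ";
var_dump( hash_equals( $withKey, $fromTableOnly ) );
```

Because the shared secret is a function of both inputs, changing the site key changes the secret every existing Consumer would need to present.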