Wikimedia Space/Wikimedia login

From Meta, a Wikimedia project coordination wiki

Wikimedia Space aims to provide Wikimedia login to its users. Here we document the technical aspects of this feature.

The Wikimedia Foundation has commissioned the development of a Wikimedia login for Discourse, built on OmniAuth (the Ruby authentication framework Discourse's login providers use) against the MediaWiki OAuth extension. Below you can find its technical documentation.

Setup notes

OAuth Consumer Registration

The first thing you need is an approved OAuth Consumer Registration. This has two steps:

  1. Filling out the consumer registration form
  2. Getting your request approved

Consumer Registration Form

The form you need to fill out is here: Special:OAuthConsumerRegistration. The fields should be filled out as follows:

  • Application: Can be anything, e.g. “WMF Discourse”
  • Consumer versions: 1.0
  • Application Description: Can be anything, e.g. “Discourse for WMF”
  • This consumer is for use only by <username>: leave this unchecked
  • OAuth “callback” URL: “<your domain>/auth/mediawiki/callback”, for example https://discourse-mediawiki.wmflabs.org/auth/mediawiki/callback. This must be the HTTPS origin of your Discourse instance; the wiki will only ever redirect authorised users to this exact URL.
  • Allow consumer to specify a callback in requests and use “callback” URL above as a required prefix: leave this unchecked. With it unchecked the wiki ignores any callback supplied in a request and always uses the registered URL, so a manipulated request cannot redirect the user (and the OAuth token) elsewhere.
  • Contact email address: your email
  • Applicable project: leave this as *
  • Types of grants being requested: check “User identity verification only with access to real name and email address, no ability to read pages or act on a user’s behalf.”
  • Applicable grants: leave as is
  • Allowed IP ranges: leave as is
  • Public RSA key (optional): leave as is
  • Check the final checkbox.

Once you click “Propose consumer”, record the consumer key and secret shown to you. Treat the secret like a password: it is only ever entered into the Discourse site settings described below and should not be stored anywhere else.

Proposal Approval

To get your proposal approved you need to post a new topic in Talk:Steward_requests/Miscellaneous using the template:

Subject:

OAuth approval request for <"Application" from your proposal>

Body:

{{oauthapprequest
| status = '
| appname = <"Application" from your proposal> 
| version = 0.0.1
| publisher = <your username>
| consumer_key = <key given after your proposal was submitted>
 }}

OAuth Site Administration

Once your OAuth proposal is approved you are ready to set up Wikimedia login in Discourse. The following guide assumes that Wikimedia login will be the sole method of authentication in Discourse (as a form of single sign-on), and that the discourse-wikimedia-auth plugin is installed.

Discourse Site Settings

Set the following site settings:

  • enable local logins: false (this turns off email / password login)
  • enable local logins via email: false (this turns off logging in via an email link)
  • email editable: false (this ensures the user’s email remains that provided by wikimedia)
  • username change period: 0 (this ensures the user’s username remains that provided by wikimedia)
  • ensure that no other login provider is enabled (Google, Twitter, Facebook, and any provider added by other plugins); any provider left on is an alternative way into an account that should only be reachable through its Wikimedia identity.
  • wikimedia auth enabled: true
  • wikimedia consumer key: “key” you obtained when you submitted your proposal
  • wikimedia consumer secret: “secret” you obtained when you submitted your proposal
  • wikimedia callback url: oob
  • wikimedia auth site: https://meta.wikimedia.org (you can change this to any wiki)

Usage Notes

User Property Ownership

As mentioned, the plugin assumes that Wikimedia OAuth will be the sole source of authentication, functioning as a form of single sign on. Like other single sign on systems, it assigns ownership over the primary identifying properties of the user to the source of authentication, specifically their email and username.

In short, the user’s Discourse email and username will be the same as the user’s Wikimedia email and username and cannot be set or changed in Discourse. Other user properties, such as the user’s real name or location, can be set and changed in Discourse.

One thing to note about usernames is that it is not possible to transpose Wikimedia usernames exactly into Discourse, as the rules for usernames on a Wikimedia wiki differ from the rules for usernames in Discourse. These rules cannot be changed for our purposes (in either Discourse or a Wikimedia wiki).

One key difference is that Wikimedia usernames can contain spaces and brackets whereas Discourse usernames cannot. This means that AMcLeod (WMF) becomes AMcLeod_WMF in Discourse (MediaWiki itself treats spaces and underscores in usernames as equivalent). In general Discourse allows fewer special characters in usernames than Wikimedia wikis do.

The bottom line is that the primary text content of the usernames will not change, but some usernames may change slightly to adhere to the Discourse username rules. Because the mapping drops characters, two distinct Wikimedia usernames can map to the same Discourse username, so the Discourse username is not a reliable key for identifying a Wikimedia account.

Note that Wikimedia usernames are still stored as-is (i.e. as on Wikimedia wikis, without the Discourse username rules applied) in the Discourse database, together with the Wikimedia central ID (see “Data Storage” below). If you need to associate Wikimedia accounts with Discourse accounts exactly for integration purposes, join on the central ID rather than on either username.
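The following is an added example, not code from the discourse-wikimedia-auth plugin or from Discourse. It approximates Discourse's ASCII username rules as described above (letters, digits, '.', '_' and '-' only; no runs of special characters; no leading '.' or '-'; no trailing special character; default length limits of 3 to 20), applies them to Wikimedia usernames, and shows why two different Wikimedia accounts can end up competing for one Discourse username, which is why the central ID is the only safe join key. The sample accounts and the suffix-on-collision behaviour are constructed for the demonstration; Discourse's own username suggester may pick differently.

```ruby
MIN_USERNAME_LENGTH = 3   # Discourse default site setting min_username_length
MAX_USERNAME_LENGTH = 20  # Discourse default site setting max_username_length

# Approximation of Discourse's ASCII username rules (assumption: unicode usernames
# are disabled, which is Discourse's default, so non-ASCII letters are dropped).
def to_discourse_username(wiki_username)
  name = wiki_username.strip.tr(' ', '_')    # MediaWiki treats ' ' and '_' alike
  name = name.gsub(/[^A-Za-z0-9._-]/, '')    # drop brackets and other disallowed chars
  name = name.gsub(/[._-]{2,}/, '_')         # no runs such as "__", "_." or "-_"
  name = name.sub(/\A[.-]+/, '')             # must start with a letter, digit or '_'
  name = name[0, MAX_USERNAME_LENGTH]        # truncate to the maximum length
  name.sub(/[._-]+\z/, '')                   # must not end with a special character
end

# Constructed sample of what the plugin stores per user: the Wikimedia central ID
# and the untouched Wikimedia username. "AMcLeod (WMF)" is the page's example;
# the other two accounts are hypothetical.
SAMPLE_ACCOUNTS = [
  { central_id: 101, wiki_username: 'AMcLeod (WMF)' },
  { central_id: 202, wiki_username: 'AMcLeod WMF' },     # a *different* wiki account
  { central_id: 303, wiki_username: 'Example editor' }
].freeze

# Assigns Discourse usernames in order of arrival. Discourse usernames are unique
# case-insensitively; on a collision this appends a number, as a stand-in for
# whatever the real suggester does.
def assign_usernames(accounts)
  taken = {}
  accounts.map do |acct|
    base = to_discourse_username(acct[:wiki_username])
    raise ArgumentError, "#{acct[:wiki_username].inspect} yields no usable name" if base.length < MIN_USERNAME_LENGTH
    name = base
    n = 1
    while taken.key?(name.downcase)
      suffix = n.to_s
      name = base[0, MAX_USERNAME_LENGTH - suffix.length] + suffix
      n += 1
    end
    taken[name.downcase] = acct[:central_id]
    acct.merge(discourse_username: name)
  end
end

# The stable lookup an integration should use: central ID, never a username.
def find_by_central_id(accounts, central_id)
  accounts.find { |acct| acct[:central_id] == central_id }
end

if __FILE__ == $PROGRAM_NAME
  assign_usernames(SAMPLE_ACCOUNTS).each do |acct|
    puts format('%-5d %-16s -> %s', acct[:central_id], acct[:wiki_username], acct[:discourse_username])
  end
end
```

The two "AMcLeod" accounts both normalise to AMcLeod_WMF; only the order in which they first log in decides who gets the plain name. Any integration that reads the Discourse username back into a wiki username therefore attributes the wrong account sooner or later, whereas the central ID stored by the plugin stays unique and stable.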

Login Flow

The login flow works as follows, starting in Discourse.

The user clicks the login or sign-up button and is redirected to the wiki on which the plugin authenticates users. On that wiki they see the OAuth authorization dialog for the consumer.

After the user has clicked “Allow” they are redirected back to Discourse. Note that the user must have confirmed their Wikimedia email address to gain access. If they have not confirmed their Wikimedia email, an error message is shown instead.

This error message can be edited in Admin > Customize > Text Content: “login.authenticator_email_not_verified”

If they have confirmed their Wikimedia email they see the account-creation dialog. If the user has a “realname” associated with their Wikimedia account, the name field is filled with that property; otherwise it is filled with an adapted version of their username.

After the user clicks “Create New Account”, their account is created.

If the user visits the “Account” section of their Discourse user account, they will only be able to edit their avatar and their real name. As mentioned, their username and email are “owned” by the Wikimedia auth provider and cannot be changed in Discourse.

They can still edit all the fields in the “Profile” section of their account.
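What happens between “Allow” and the account-creation dialog is that Discourse receives the user's identity from the wiki and has to decide whether to trust it. The following added example is not the plugin's code. It assumes the identity token shape that MediaWiki's OAuth extension returns from Special:OAuth/identify: a JWT signed HS256 with the consumer secret, carrying the claims iss (the wiki's URL), aud (the consumer key), nonce, iat, exp, sub (the central ID), username, email, confirmed_email and realname. It verifies that token and applies the “confirmed email” rule described above. The consumer key and secret are placeholders, and the tokens are constructed inside the block for the demonstration.

```ruby
require 'openssl'
require 'base64'
require 'json'

CONSUMER_KEY    = 'example-consumer-key'    # placeholder: the "wikimedia consumer key" site setting
CONSUMER_SECRET = 'example-consumer-secret' # placeholder: the "wikimedia consumer secret" site setting
AUTH_SITE       = 'https://meta.wikimedia.org' # the "wikimedia auth site" site setting

class IdentityError < StandardError; end

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str + '=' * ((4 - str.length % 4) % 4))
end

# Constant-time comparison so signature checks do not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Only used here to build constructed sample tokens; in production the wiki signs them.
def sign_identity_token(claims, secret)
  header  = b64url(JSON.generate('typ' => 'JWT', 'alg' => 'HS256'))
  payload = b64url(JSON.generate(claims))
  sig     = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}")
  "#{header}.#{payload}.#{b64url(sig)}"
end

# Verifies an identity token and returns its claims, or raises IdentityError.
# expected_nonce is the nonce Discourse sent with the identify request, so the
# token cannot be replayed for a different login attempt.
def verify_identity(token, expected_nonce:, now: Time.now.to_i,
                    key: CONSUMER_KEY, secret: CONSUMER_SECRET, issuer: AUTH_SITE)
  parts = token.split('.')
  raise IdentityError, 'malformed token' unless parts.length == 3
  header = JSON.parse(b64url_decode(parts[0]))
  # Pin the algorithm before looking at the signature: never let the token choose it.
  raise IdentityError, 'unexpected alg' unless header['alg'] == 'HS256'
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{parts[0]}.#{parts[1]}")
  raise IdentityError, 'bad signature' unless secure_equal?(expected, b64url_decode(parts[2]))
  claims = JSON.parse(b64url_decode(parts[1]))
  raise IdentityError, 'wrong issuer'   unless claims['iss'] == issuer
  raise IdentityError, 'wrong audience' unless claims['aud'] == key
  raise IdentityError, 'nonce mismatch' unless claims['nonce'] == expected_nonce
  raise IdentityError, 'token expired'  unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  raise IdentityError, 'issued in the future' if claims['iat'].is_a?(Integer) && claims['iat'] > now + 60
  claims
end

# Applies the login rule from above: an unconfirmed Wikimedia email is rejected with
# the same text key Discourse uses for the error; otherwise the profile Discourse
# will own is extracted, with realname falling back to the username.
def login_decision(claims)
  return [:reject, 'login.authenticator_email_not_verified'] unless claims['confirmed_email'] == true
  realname = claims['realname'].to_s.strip
  [:ok, { central_id: claims['sub'], wiki_username: claims['username'],
          email: claims['email'], name: realname.empty? ? claims['username'] : realname }]
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now.to_i
  token = sign_identity_token({ 'iss' => AUTH_SITE, 'aud' => CONSUMER_KEY, 'nonce' => 'demo',
                                'iat' => now, 'exp' => now + 300, 'sub' => 12345,
                                'username' => 'AMcLeod (WMF)', 'email' => 'amcleod@example.org',
                                'confirmed_email' => true, 'realname' => '' }, CONSUMER_SECRET)
  p login_decision(verify_identity(token, expected_nonce: 'demo', now: now))
end
```

The order of checks matters: algorithm pinning and the signature come first, so no claim is read from an unverified token, and the audience check stops a token that the wiki issued for some other consumer from being accepted here.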

Data Storage

In addition to being stored in the main user database tables, the user data received from Wikimedia when authorising the user is stored in the user_associated_accounts database table in Discourse:

  • Wikimedia Central ID (the stable identifier of the account; it does not change when the user is renamed)
  • Wikimedia Email (in addition to its separate storage in the user_emails database table, i.e. as the user’s Discourse email)
  • Wikimedia Username (in addition to its storage in the users database table, i.e. as the user’s Discourse username)
  • Further Wikimedia account data returned with the identity (see below)

There are a few things to note about this data storage.

Firstly, it is relevant to privacy matters, particularly under regimes such as the GDPR. This is a subset of a broader issue which has been addressed in the context of Discourse in a few different ways. For more on this topic see the following:

  • https://meta.discourse.org/t/providing-data-for-gdpr/83595/23?u=angus
  • https://meta.discourse.org/t/legal-tools-plugin/87966

Secondly, it may also be useful for any future integrations you want to have between Discourse and any Wikimedia wiki.

The account data returned by the server is determined by the “Types of grants being requested” field in the OAuth Consumer Proposal (above). We selected the option we did because it is described as returning the user’s email and name, which we need. It also returns a fair amount of other user information, however.

If we want Discourse to be storing less user information, there may be a change we can make to the OAuth Consumer Proposal grant type (i.e. a different option that returns email and name, but not all the additional information noted above).

Scenarios

(Answers coming soon)

What happens when two users have the same email

(See phab:T231878)

What happens when the user changes their email address on the Wikimedia wiki

...

What happens when the username changes, while the central ID stays the same

...