Extension:CentralAuth - MediaWiki
From mediawiki.org
MediaWiki extensions manual
CentralAuth
Release status: stable
Implementation: User identity, Database, Special page, API
Description: Allows merging accounts into global accounts
Author(s): Brooke Vibber
Compatibility policy: Snapshots releases along with MediaWiki. Master is not backward compatible.
Database changes: Yes
Virtual domain: virtual-centralauth
Tables:
globalnames
localnames
globaluser
localuser
global_user_groups
global_group_permissions
wikiset
global_group_restrictions
renameuser_status
renameuser_queue
users_to_rename
global_edit_count
global_user_autocreate_serial
Parameters:
$wgCentralAuthAutoLoginWikis
$wgCentralAuthCookiePath
$wgCentralAuthEnableSul3
$wgCentralAuthAutomaticVanishPerformer
$wgCentralAuthReadOnly
$wgCentralAuthAutoMigrate
$wgCentralAuthFallbackAppealUrl
$wgCentralAuthBlockAppealWikidataIds
$wgCentralAuthSul3SharedDomainRestrictions
$wgCentralAuthEnableGlobalRenameRequest
$wgCentralAuthRestrictSharedDomain
$wgCentralAuthGlobalPasswordPolicies
$wgCentralAuthCookieDomain
$wgCentralAuthWikisPerSuppressJob
$wgCentralAuthFallbackAppealTitle
$wgCentralAuthCookies
$wgCentralAuthAutomaticVanishWiki
$wgCentralAuthRC
$wgCentralAuthGlobalBlockInterwikiPrefix
$wgCentralAuthAutoMigrateNonGlobalAccounts
$wgCentralAuthDatabase
$wgCentralAuthDryRun
$wgCentralAuthAutomaticGlobalGroups
$wgCentralAuthCentralWiki
$wgCentralAuthSharedDomainCallback
$wgCentralAuthLoginIcon
$wgCentralAuthStrict
$wgCentralAuthOldNameAntiSpoofWiki
$wgCentralAuthLoginWiki
$wgCentralAuthWikidataApiUrl
$wgCentralAuthSessionCacheType
$wgGlobalRenameDenylist
$wgCentralAuthCookiePrefix
$wgCentralAuthRejectVanishUserNotification
$wgCentralAuthAutoCreateWikis
$wgCentralAuthPrefsForUIReload
Added rights:
centralauth-createlocal
centralauth-merge
centralauth-unmerge
centralauth-lock
centralauth-suppress
globalgrouppermissions
globalgroupmembership
centralauth-rename
Hooks used:
APIGetAllowedParams
AbuseFilter-builder
AbuseFilter-computeVariable
AbuseFilter-generateUserVars
AbuseFilterAlterVariables
AbuseFilterShouldFilterAction
ApiCheckCanExecute
ApiQueryCheckCanExecute
ApiQueryTokensRegisterTypes
AuthChangeFormFields
AuthManagerFilterProviders
AuthManagerVerifyAuthentication
AuthPreserveQueryParams
BeforePageDisplay
BlockIpComplete
ContentSecurityPolicyDefaultSource
ContentSecurityPolicyScriptSource
ContributionsToolLinks
GetLocalURL
GetLogTypesOnUser
GetPreferences
GetSecurityLogContext
GetUserBlock
ImportHandleUnknownUser
InvalidateEmailComplete
LoadExtensionSchemaUpdates
LocalUserCreated
LogEventsListGetExtraInputs
LoginFormValidErrorMessages
MakeGlobalVariablesScript
OtherBlockLogLink
PasswordPoliciesForUser
PostLoginRedirect
RenameUserComplete
RenameUserPreRename
RenameUserWarning
ResourceLoaderForeignApiModules
ResourceLoaderModifyEmbeddedSourceUrls
RestCheckCanExecute
SecurePoll_GetUserParams
SecuritySensitiveOperationStatus
SessionCheckInfo
SetupAfterCache
SiteNoticeBefore
SpecialContributionsBeforeMainOutput
SpecialLogAddLogSearchRelations
SpecialPageBeforeExecute
SpecialPage_initList
SpecialPasswordResetOnSubmit
TempUserCreatedRedirect
TestCanonicalRedirect
UnblockUserComplete
UnitTestsAfterDatabaseSetup
UnitTestsBeforeDatabaseTeardown
UserArrayFromResult
UserEditCountUpdate
UserGetEmail
UserGetEmailAuthenticationTimestamp
UserGetReservedNames
UserGetRights
UserGroupsChanged
UserIsBot
UserIsLocked
UserLoginComplete
UserLogout
UserLogoutComplete
UserRequirementsCondition
UserRequirementsConditionDisplay
UserSaveSettings
UserSetEmail
UserSetEmailAuthenticationTimestamp
getUserPermissionsErrors
getUserPermissionsErrorsExpensive
Hooks provided:
CentralAuthIsUIReloadRecommended
CentralAuthLoginRedirectData
CentralAuthPostLoginRedirect
CentralAuthSilentLoginRedirect
CentralAuthWikiList
CentralAuthInfoFields
Licence: GNU General Public License 2.0 or later
CentralAuth allows merging several existing separate account systems into one global account system.
Warning: CentralAuth was designed specifically for Wikimedia projects which already had millions of accounts that needed to be merged into a global table. If you are starting a new wiki farm from scratch and have no need to merge existing accounts into a global table, it is much easier to set up global accounts using $wgSharedDB rather than using CentralAuth. However, $wgSharedDB is only useful for preventing conflicts of username creations, and does not handle anything such as universal sign-on (instead, users are required to sign in to each wiki), or cross-cluster account rights and management. This extension provides said functionality at the cost of complexity. If you end up using this extension on a third-party wiki, it is likely that you will end up having to troubleshoot complex issues that potentially require diving into the source code to resolve. You have been warned.
Warning: CentralAuth does not work well with SQLite-based setups, such as Quickstart. See T382432.
Installation
See the setup section below for prerequisites to using CentralAuth. Then follow these instructions when you are ready to activate CentralAuth:
1. Install Extension:AntiSpoof, since it is a required dependency.
2. Download the latest snapshot and extract it to your extensions directory.
3. Pick a database and create the CentralAuth database tables. You can use an existing database or create a new one. (The extension by default uses the wiki's local database, which is convenient for automated testing but doesn't really make sense on a real wiki farm (as it will be different for every wiki, but the point of CentralAuth is sharing data between wikis) so you'll need to reconfigure that; see $wgVirtualDomainsMapping['virtual-centralauth'] below.) Use this database then run tables-generated.sql.
4. If you use Extension:AntiSpoof you'll need to create a global spoofuser table (to block new usernames that look similar to existing usernames in any wiki). One way to do this is dump the spoofuser table from the local wiki's database and import it into the new $wgVirtualDomainsMapping['virtual-centralauth'].
5. Add wfLoadExtension( 'CentralAuth' ); to your LocalSettings.php for each of your wikis, or in another PHP file that is included in LocalSettings.php on each of your wikis.
The CentralAuth extension should be now active.
Create a new database
Here are sample shell and SQL commands to create the centralauth database, copy the spoofuser table to it, and migrate existing user data to it. Replace $wgDBname and $wgDBuser with the values for your own wiki installation credentials.
Create the new database (Remember this step is optional, you can instead use one of your existing databases, in which case skip to the create tables step):
    cd extensions/CentralAuth
    mysql -u root -p
    (enter password for root SQL user)
    CREATE DATABASE centralauth;
    USE centralauth;
    GRANT all on centralauth.* to '$wgDBuser'@'localhost';
    quit
Run maintenance scripts
The following assumes your present working directory is your MediaWiki installation (not your CentralAuth directory).
Create the central auth tables (using sql.php is preferred).
    php maintenance/run.php sql --wikidb centralauth extensions/CentralAuth/schema/
If AntiSpoof is installed, create the table via (Alternatively, you can copy an existing AntiSpoof table if you want to keep previous entries):
    php maintenance/run.php sql --wikidb centralauth extensions/AntiSpoof/sql/
Run the user migration scripts
    php maintenance/run.php CentralAuth:migratePass0.php
    php maintenance/run.php CentralAuth:migratePass1.php
Upgrading
CentralAuth is designed for large wiki farms that run database updates manually in order to enable zero-downtime upgrades.
For that reason, the CentralAuth database will not be updated with the usual upgrade process.
Third-party users are expected to follow CentralAuth development and apply database migrations manually instead.
Setup
Warning: A central login wiki (see #SUL2) or a shared auth domain (see #SUL3) is required if you want to have a universal sign-on across different primary domains (i.e. if your wikis are not under subdomains of the same domain).
First, you'll need to configure your wiki family using $wgConf, or CentralAuth can't be used for your wiki family. This includes setting $wgLocalDatabases and assigning it to $wgConf->wikis, and $wgConf->settings (minimum is $wgCanonicalServer, $wgServer and $wgArticlePath). Follow the examples carefully.
If you are creating a new wiki family, bear in mind that it may be easier if the databases for the wikis in each group have the same suffix (e.g. hypothetical databases enwiki, dewiki, frwiki, etc., pertaining to wikis belonging to the same group, all have the suffix "wiki").
After installing the extension, you have to gather some data in the CentralAuth database. In order to retroactively set up global accounts, you will have to run the migratePass0.php and migratePass1.php scripts. The first one stores information about your wikis in the CentralAuth database, while the second one uses automatic migration heuristics to generate global accounts. A user can merge their accounts manually via Special:MergeAccount. Dry runs can be used for testing purposes.
To enable global groups, you will have to make an entry into the global_group_permissions table in your CentralAuth database, with ggp_group='steward' and (for access to the group management interface) ggp_permission=globalgrouppermissions. A recommended sample query is:
    INSERT INTO global_group_permissions (ggp_group, ggp_permission)
    VALUES ('steward', 'globalgrouppermissions'),
           ('steward', 'globalgroupmembership');
Then, promote some users into stewards:
    INSERT IGNORE INTO global_user_groups (gug_user, gug_group)
    VALUES ((SELECT gu_id FROM globaluser WHERE gu_name='Admin'), 'steward');
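A privilege audit to go with the two inserts above, as an added example that is not part of the CentralAuth documentation: it lists every global account that holds globalgrouppermissions or globalgroupmembership through any global group. The SELECT uses only the tables and columns named in the queries above; the in-memory SQLite database, its rows, the 'global-helper' group and the function names are constructed so that it runs offline.

```python
import sqlite3

# Rights that let a holder change what global groups can do or who is in them.
SENSITIVE_RIGHTS = ("globalgrouppermissions", "globalgroupmembership")

# Plain SQL: the same SELECT can be run against the real CentralAuth database.
AUDIT_SQL = """
SELECT gu_name, gug_group, ggp_permission
  FROM global_user_groups
  JOIN globaluser ON gu_id = gug_user
  JOIN global_group_permissions ON ggp_group = gug_group
 WHERE ggp_permission IN (?, ?)
 ORDER BY gu_name, gug_group, ggp_permission
"""


def build_sample_db():
    """Constructed stand-in for three tables of the CentralAuth database."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE globaluser (gu_id INTEGER PRIMARY KEY, gu_name TEXT UNIQUE);
        CREATE TABLE global_user_groups (gug_user INTEGER, gug_group TEXT);
        CREATE TABLE global_group_permissions (ggp_group TEXT, ggp_permission TEXT);
        INSERT INTO globaluser VALUES (1, 'Admin'), (2, 'Alice'), (3, 'Bob');
        INSERT INTO global_group_permissions VALUES
            ('steward', 'globalgrouppermissions'),
            ('steward', 'globalgroupmembership'),
            ('global-helper', 'centralauth-lock'),
            ('global-helper', 'globalgroupmembership');
        INSERT INTO global_user_groups VALUES (1, 'steward'), (3, 'global-helper');
        """
    )
    return db


def sensitive_holders(db):
    """All (account, group, right) rows where the right is a sensitive one."""
    return db.execute(AUDIT_SQL, SENSITIVE_RIGHTS).fetchall()


def unexpected_holders(db, approved_names):
    """Rows from sensitive_holders() whose account is not on the approved list."""
    return [row for row in sensitive_holders(db) if row[0] not in approved_names]


if __name__ == "__main__":
    sample = build_sample_db()
    for name, group, right in unexpected_holders(sample, {"Admin"}):
        print(f"{name} holds {right} via global group {group}")
```

Bob is reported because his group carries globalgroupmembership, the right to edit membership of global groups, so that group needs the same review as steward.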
There are various settings you may wish to modify (e.g. whether to provide single sign-on across a whole domain) listed in CentralAuth.php. In particular, you will want to set a value for $wgVirtualDomainsMapping['virtual-centralauth']. Make sure you put such settings after the wfLoadExtension line in LocalSettings.php, e.g.
    wfLoadExtension( 'CentralAuth' );
    $wgVirtualDomainsMapping['virtual-centralauth'] = [ 'db' => 'centralauth' ];
SUL2
Warning: As all logged in users will have a session in the central login wiki, you are recommended to set up a new wiki with as few extensions installed as possible (not using an existing wiki for this purpose). This will reduce the risk for XSS vulnerabilities.
Warning: Universal sign-on may be broken in newer Google Chrome versions due to SameSite cookie policy. To fix it, you need to add:
    $wgCookieSameSite = "None";
    $wgUseSameSiteLegacyCookies = true;
In addition, you must run your site under HTTPS.
In July 2013, Wikimedia changed its approach to logging users into multiple wikis.
When configured for this new approach, after successful login and account creation CentralAuth redirects to Special:CentralLogin/start?token=somevalue on a "central login wiki", which sets cookies on that wiki and then redirects back to the logged-into wiki. It omits the "login/account creation success" page, instead redirecting back to the "returnto" page that the user was originally on. It places 1x1 pixel images in the footer of that page, in place of the icons formerly used on the "login/account creation success" page.
The settings for this are, roughly,
    # General CentralAuth configuration
    $wgCentralAuthCookies = true;
    // default is to use the local wiki database
    $wgVirtualDomainsMapping['virtual-centralauth'] = [ 'db' => 'centralauthDatabaseName' ];
    $wgCentralAuthAutoMigrate = true;
    $wgCentralAuthAutoLoginWikis = [
        # Mapping from domain name to wiki id for other wikis to automatically login into
        'enwiki.mediawiki.mwdd.localhost' => 'enwiki'
    ];
    # Activates the redirect to the "central login wiki"
    $wgCentralAuthLoginWiki = 'WikiIdOfLoginWiki';
$wgCentralAuthLoginWiki is the ID (usually the database-name) of the wiki to which CentralAuth will redirect on login and create account actions.
SUL3
In 2025 the Wikimedia cluster setup was changed so that authentication happens (e.g. users input their passwords) on a shared domain, instead of each wiki's individual domains. The shared domain can be configured to serve each of the wikis in the farm. This was motivated by changes to browser cookies handling that might prevent cookies from being set during the redirect through a central wiki. See SUL3 for more details.
To configure your wiki farm to use SUL3:
1. Make sure that your wiki farm is configured using either the sites table or $wgConf (see #Setup). $wgCentralAuthLoginWiki and $wgLocalDatabases should also be set. Other parts of CentralAuth are somewhat tolerant if this is missing, but SUL3 will crash.
   - This is needed even when setting up a local environment for development with just one wiki, but it can be greatly simplified, see below.
2. Configure your server so that it will serve one of your wikis under another domain. If you had SUL2 configured, use the login wiki, otherwise just pick one.
   - If you're setting up a local environment for development, and you're hosting your only wiki on (optionally with a port), note that all localhost subdomains resolve to your machine, so you can start using e.g. and without any configuration needed.
3. Set $wgCentralAuthSharedDomainCallback to return your new domain. Note that this is a callback function, not a string.
4. Set $wgCentralAuthEnableSul3 = true;
5. You might need to adjust some MediaWiki config settings to support this:
   - $wgServer and $wgCanonicalServer must be conditionally set to the auth domain when accessing your wiki through the auth domain, otherwise you will get a redirect loop when trying to log in. CentralAuth reads the "real" canonical server from the wiki farm configuration defined in step 1.
   - In order to serve more than one wiki from the auth domain, adjust $wgCentralAuthSharedDomainCallback to add a path prefix after the domain name that depends on the wiki, configure your server to serve the right wiki depending on that prefix, and conditionally adjust $wgScriptPath, $wgArticlePath etc. to match. This is tricky to get right, so if you're setting up a local environment for development, don't bother.
   - Review your MediaWiki cookie settings to make sure the wiki can set cookies while accessed through the auth domain, and that they won't conflict with the wiki's normal cookies. Conditionally setting $wgCentralAuthCookiePrefix when accessing your wiki through the auth domain is a good way to avoid cookie name conflicts.
Below is a minimal configuration to run CentralAuth with SUL3 on a single-wiki "farm" on your development machine:
    // Minimal setup for a single-wiki "farm"
    $wgConf->wikis = [ $wgDBname ];
    $wgConf->suffixes[] = '';
    $wgConf->settings = [
        'wgServer' => [
            'default' => 'http://wiki.localhost:8080',
        ],
        'wgArticlePath' => [
            'default' => '/wiki/$1',
        ],
    ];
    // Misc settings needed by CentralAuth
    $wgCentralAuthLoginWiki = $wgDBname;
    $wgLocalDatabases = [ $wgDBname ];
    // Enable CentralAuth SUL3
    $wgCentralAuthSharedDomainCallback = fn () => 'http://auth.localhost:8080';
    $wgCentralAuthEnableSul3 = true;
    // Point $wgServer to whichever domain the wiki was accessed through
    $wgCanonicalServer = $wgServer = MediaWiki\Request\WebRequest::detectServer( true );
    if ( $wgServer === 'http://auth.localhost:8080' ) {
        // Conditional config for the shared auth domain goes here
    }
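The cookie requirements from the SUL2 SameSite warning (SameSite=None needs HTTPS) and from the SUL3 cookie-conflict step above can be checked on captured Set-Cookie headers. This is an added example, not CentralAuth code; the hosts wiki.example.org and auth.example.org, the cookie values, the sul3auth_ prefix and all function names are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cookie:
    host: str                # host whose response carried the Set-Cookie header
    name: str
    domain: Optional[str]    # Domain attribute without leading dot; None = host-only
    secure: bool
    samesite: Optional[str]  # lower-cased SameSite value, None if absent


def parse_set_cookie(host, header):
    """Parse one Set-Cookie header value (attribute names are case-insensitive)."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0]
    domain, secure, samesite = None, False, None
    for attr in attrs:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "domain" and value:
            domain = value.lower().lstrip(".")
        elif key == "secure":
            secure = True
        elif key == "samesite":
            samesite = value.lower()
    return Cookie(host.lower(), name, domain, secure, samesite)


def sent_to(cookie, host):
    """RFC 6265 domain matching: would a browser send this cookie to `host`?"""
    host = host.lower()
    if cookie.domain is None:
        return host == cookie.host
    return host == cookie.domain or host.endswith("." + cookie.domain)


def audit(captured, wiki_host, auth_host):
    """Return sorted (finding, cookie_name, setting_host) tuples."""
    wiki_host, auth_host = wiki_host.lower(), auth_host.lower()
    cookies = [parse_set_cookie(host, value) for host, value in captured]
    findings = set()
    for c in cookies:
        # Chrome rejects SameSite=None cookies that lack Secure, hence the
        # HTTPS requirement that accompanies $wgCookieSameSite = "None".
        if c.samesite == "none" and not c.secure:
            findings.add(("samesite-none-without-secure", c.name, c.host))
    from_wiki = [c for c in cookies if c.host == wiki_host]
    from_auth = [c for c in cookies if c.host == auth_host]
    for w in from_wiki:
        for a in from_auth:
            if w.name != a.name:
                continue
            # Same name on both hosts is only a conflict when one of the two
            # cookies is scoped widely enough to reach the other host.
            if sent_to(w, auth_host):
                findings.add(("name-collision", w.name, w.host))
            if sent_to(a, wiki_host):
                findings.add(("name-collision", a.name, a.host))
    return sorted(findings)


# Constructed capture: a domain-wide central cookie plus an auth-domain cookie
# with the same name, and one SameSite=None cookie sent without Secure.
SAMPLE_BROKEN = [
    ("wiki.example.org", "centralauth_Session=abc123; Path=/; Domain=.example.org; Secure; HttpOnly; SameSite=None"),
    ("wiki.example.org", "enwikiSession=k3y; Path=/; Secure; HttpOnly"),
    ("auth.example.org", "centralauth_Session=def456; Path=/; Secure; HttpOnly; SameSite=None"),
    ("auth.example.org", "sul3auth_User=Admin; Path=/; HttpOnly; SameSite=None"),
]

# Constructed capture after giving the auth domain its own cookie prefix,
# dropping the Domain attribute and serving everything over HTTPS.
SAMPLE_FIXED = [
    ("wiki.example.org", "centralauth_Session=abc123; Path=/; Secure; HttpOnly; SameSite=None"),
    ("auth.example.org", "sul3auth_Session=def456; Path=/; Secure; HttpOnly; SameSite=None"),
    ("auth.example.org", "sul3auth_User=Admin; Path=/; Secure; HttpOnly; SameSite=None"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_BROKEN, "wiki.example.org", "auth.example.org"):
        print(finding)
```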
Cache issues
When using CentralAuth, different wikis must share the same MainCache (to allow purging of cached cross-wiki data such as global edit counts), the same session store (the store $wgCentralAuthSessionCacheType points to), and the same MicroStash (for centralauthtoken). For best results, it is recommended to use memcached, or another centralised persistent cache. If you have only a single server, then APCU works as a central cache via CACHE_ACCEL.
By default, CACHE_DB will use a separate objectcache table in the local database of each wiki in your wiki farm. To make this work with CentralAuth, we need to tell the wikis to use a central cache table. If you have no cache set up (i.e. $wgMainCacheType is CACHE_NONE) or are using CACHE_DB, then you need to configure CACHE_DB to use the same database across all wikis (where centralauth is the name of your CentralAuth database as configured via $wgVirtualDomainsMapping['virtual-centralauth']):
    $wgObjectCaches[CACHE_DB] = [
        'class' => SqlBagOStuff::class,
        'loggroup' => 'SQLBagOStuff',
        'server' => [
            'type' => $wgDBtype,
            'host' => $wgDBserver,
            'user' => $wgDBuser,
            'password' => $wgDBpassword,
            // or whatever database you use for central data
            'dbname' => 'centralauth'
        ]
    ];
    $wgSessionCacheType = CACHE_DB;
You have to create this table yourself, because objectcache is not (yet) a virtual domain and so cannot be created by maintenance/update.php. Run the following via maintenance/sql.php to create the table (where "enwiki" is one of your wiki databases):
    CREATE TABLE centralauth.objectcache LIKE enwiki.objectcache;
HTTP and HTTPS
Since 2023, CentralAuth does not support mixed-protocol HTTP/HTTPS wikis, only pure-HTTPS wikis (with $wgForceHTTPS set to true) and pure-HTTP wikis (primarily for local testing). (phab:T348852)
Database Virtual Domains Mapping
Since MediaWiki 1.41, you can configure database virtual domains mapping for CentralAuth, and this replaced $wgCentralAuthDatabase. To set up virtual domains mapping with CentralAuth, use:
    // 'centralauth' is the name of your CentralAuth database.
    $wgVirtualDomainsMapping['virtual-centralauth'] = [ 'db' => 'centralauth' ];
Configuration
Configuration settings in extension.json
Config section
parameter (default)
    comment

$wgCentralAuthDatabase (default: null; deprecated)
    Database name you keep central auth data in. If this is not on the primary database connection, don't forget to also set up $wgDBservers to have an entry with a groupLoads setting for the 'CentralAuth' group. Alternatively you can use $wgLBFactoryConf to set up an LBFactoryMulti object. To use a database with a table prefix, set this variable to "{$database}-{$prefix}". This setting has been deprecated, use virtual domains mapping as described above.

$wgCentralAuthAutoMigrate (default: false)
    If true, existing unattached accounts will be automatically migrated if possible at first login. Any new account creations will be required to attach. If false, unattached accounts will not be harassed unless the individual account has opted in to migration.

$wgCentralAuthAutoMigrateNonGlobalAccounts (default: false)
    If true, existing unattached accounts where no global account exists will be compared to see if a merge can be made based on passwords and emails with no clashes (all accounts merge). This was formerly controlled by $wgCentralAuthAutoMigrate.

$wgCentralAuthStrict (default: false)
    If true, remaining accounts which have not been attached will be forbidden from logging in until they are resolved.

$wgCentralAuthDryRun (default: false)
    If true, merging won't actually be possible through the Special:MergeAccount interface.

$wgCentralAuthCookies (default: false)
    If true, global session and token cookies will be set alongside the per-wiki session and login tokens when users log in with a global account. This allows other wikis on the same domain to transparently log them in.

$wgCentralAuthLoginWiki (default: false)
    Database name of a central login wiki. This is an alternative to directly setting cross-domain cookies for each wiki in $wgCentralAuthAutoLoginWikis. If set, a single login wiki will use a session/cookie to handle unified login sessions across wikis. On login, users will be redirected to the login wiki's Special:CentralLogin/login page and then redirected to Special:CentralLogin back on the originating wiki. In the process, the central login wiki cookie and session will be set. As the user accesses other wikis, the login wiki will be checked via JavaScript to check login status and set the local session and cookies. This requires $wgCentralAuthCookies.

$wgCentralAuthSharedDomainCallback (default: false)
    Callback that takes a wiki ID and returns the URL prefix for the shared authentication domain without a trailing slash. This should use the same domain and scheme on every wiki of the CentralAuth wiki farm, with a path prefix that specifies the given wiki. A local URL appended to this prefix must be routed the same way as a local URL on the current wiki. This is used to share a central cookie between wikis while allowing the cookie-related UI (such as the login and signup page) to behave like any specific wiki in the farm. If unset, this mechanism will not be used.

$wgCentralAuthEnableSul3 (default: false)
    Enables SUL3 mode. Requires $wgCentralAuthSharedDomainCallback to be configured first.

$wgCentralAuthRestrictSharedDomain (default: false)
    Restrict wiki functionality to authentication only when the current domain matches the domain of CentralAuthSharedDomainCallback. Enable when using a shared login domain. Disable when the login domain is a standalone wiki.

$wgCentralAuthSul3SharedDomainRestrictions (default: complex array)
    Additional allowed/disallowed features when on the SUL3 central login domain. Defaults are stored in SharedDomainHookHandler::DEFAULT_RESTRICTIONS.

$wgCentralAuthCookieDomain (default: '')
    Domain to set global cookies for. For instance, '.wikipedia.org' to work on all wikipedia.org subdomains instead of just the current one. Leave blank to set the cookie for the current domain only, such as if all your wikis are hosted on the same subdomain. This doesn't work in SUL3. See phab:T391358 for more details.

$wgCentralAuthCookiePrefix (default: 'centralauth_')
    Prefix for CentralAuth global authentication cookies.

$wgCentralAuthCookiePath (default: '/')
    Path for CentralAuth global authentication cookies. Set this variable if you want to restrict cookies to a certain path within the domain specified by $wgCentralAuthCookieDomain.

$wgCentralAuthAutoLoginWikis (default: [])
    List of wiki IDs which should be called on login to try to set third-party cookies for the global session state. The wiki ID is typically the database name, except when table prefixes are used, in which case it is the database name, a hyphen separator, and then the table prefix. This allows a farm with multiple second-level domains to set up a global session on all of them by hitting one wiki from each domain (en.wikipedia.org, en.wikinews.org, etc.). Done by accessing Special:CentralAutoLogin/start on each wiki. If empty, no other wikis will be hit. The key should be set to the cookie domain name.

$wgCentralAuthAutoCreateWikis (default: [])
    List of wiki IDs on which an attached local account should be created automatically when the global account is created. The wiki ID is typically the database name, except when table prefixes are used, in which case it is the database name, a hyphen separator, and then the table prefix.

$wgCentralAuthLoginIcon (default: false)
    Local filesystem path to the icon returned by Special:CentralAutoLogin. Should be a 20x20px PNG.

$wgCentralAuthPrefsForUIReload (default: [ 'skin', 'language', 'thumbsize', 'underline', 'stubthreshold', 'showhiddencats', 'justify', 'numberheadings', 'editondblclick', 'editsection', 'editsectiononrightclick', 'usenewrc', 'extendwatchlist' ])
    User preferences for which we should recommend reloading the page after a successful central login query. If you need to do something more complicated than just $userOptionsLookup->getOption( $user, $pref ) !== $userOptionsLookup->getDefaultOption( $pref ), use the hook CentralAuthIsUIReloadRecommended.

$wgCentralAuthRC (default: [])
    Array of settings for sending the CentralAuth events to the RC Feeds.
    Example: $wgRCFeeds['example'] = [ 'uri' => "udp://localhost:1336" ];

$wgCentralAuthWikisPerSuppressJob (default: 10)
    Number of wikis handled in one suppress user job. Keep in mind that one wiki requires ~10 queries.

$wgCentralAuthReadOnly (default: false; type: bool)
    Like $wgReadOnly, used to set extension to database read only mode.

$wgCentralAuthEnableGlobalRenameRequest (default: false; type: bool)
    Feature flag for Special:GlobalRenameRequest.

$wgCentralAuthGlobalPasswordPolicies (default: []; type: array)
    Global password policies. These are applied like local password policies, the strongest policy applicable to a user is used. Policies can apply to either a local group (if the user is a member of that group on any wiki, the policy will apply to that user) or global group.

$wgGlobalRenameDenylist (default: null; type: Title|string|null)
    A list of users who won't be allowed to create new global rename requests through Special:GlobalRenameRequest. There are two ways to set it:
    1. Using a wiki-page: use a Title object to have a wiki-page (MediaWiki:GlobalRenameDenylist for example) as the banned-list. The wiki-page must be a list with one item per line, and must exist otherwise Special:GlobalRenameRequest will throw a MWException. Example:
           $wgGlobalRenameDenylist = Title::makeTitle( NS_MEDIAWIKI, 'GlobalRenameDenylist' );
    2. Using a URL: put a complete URL which must return, using HTTP, a plain-text list of the banned users (and nothing else). For example, with a URL pointing to a wiki page:
           $wgGlobalRenameDenylist = "https://yourwiki/yourpath/index.php?title=MediaWiki:GlobalRenameDenylist&action=raw";
    You can use the exact names or regular expressions.

$wgCentralAuthGlobalBlockInterwikiPrefix (default: "global"; type: string)
    When globally suppressing a user, a block against this user is inserted in all wikis. CentralAuth will set the author of these blocks as $wgCentralAuthGlobalBlockInterwikiPrefix>(user-who-made-the-suppression's nickname). For example, if $wgCentralAuthGlobalBlockInterwikiPrefix = "Admins", and Joe suppresses John, all wikis will show in BlockList a block against John made by Admins>Joe.
Use
Allows for a single-user login (SUL) system using MediaWiki's AuthPlugin system.
User creation and login is done globally using one central user table across all wikis.
Note that local user accounts are automatically created on account creation/login however.
This extension also implements global user groups, to which global accounts can belong.
User rights
CentralAuth defines several new user rights:
| User right | Abilities | Default group | Status |
|---|---|---|---|
| centralauth-createlocal | Forcibly create a local account for a global account | Stewards and sysops | Active in MW 1.36+ |
| centralauth-lock | Prevent users from logging in on any wiki | Stewards | Active |
| centralauth-suppress | Suppress or unhide global accounts | Stewards | Active |
| centralauth-rename | Rename global accounts | Stewards | Active |
| centralauth-unmerge | Unmerge global accounts from a local account | Stewards | Active |
| centralauth-merge | Merge all CentralAuth accounts globally | All users | Active; usually automatic |
| globalgrouppermissions | Manage permissions of global groups | Global Stewards | Active; not assigned to local stewards by default |
| globalgroupmembership | Edit membership to global groups | Global Stewards | Active; not assigned to local stewards by default |
Functions
Single-user login (SUL)
A user with an account on more than one wiki may use Special:MergeAccount to create their global user account, which can then be used on any wiki. Users with the centralauth-unmerge permission (given to stewards by default) can undo a merging of a global account, where the passwords are all reset back to the pre-merge setting. User accounts can now also be renamed globally.
Locking and hiding global users
[Figure: Screenshot of Special:CentralAuth interface on Meta-Wiki, showing lock/hide interface.]
A global account can be locked or hidden by a user with the centralauth-lock and centralauth-suppress permissions, respectively, given to the local group 'stewards' by default. A locked global account will be immediately logged out of any session on any wiki it is currently logged in to. A hidden global account's username is not visible in any logs except the global account log.
Wiki sets
A wiki set is a group of wikis specified by a user with the globalgrouppermissions right. Sets can be opt-in (wikis are not in it by default) or opt-out (wikis are in it unless opted out).
Global user groups
Once you have enabled global user groups as described in the installation section, a migrated steward can use the Special:GlobalGroupPermissions interface to configure global user groups, and their rights. A global user group is active on all wikis (the users in it have its rights on all the wikis) by default, unless the group has been specified to only be active on a specific wiki set (the users in the group only have the rights if they are on a wiki in the set). Global group permissions are not listed at Special:ListUsers, but instead Special:GlobalUsers. They are assigned by a user with the globalgroupmembership permission (by default the global group stewards), and give the specified rights to the user even if the local rights defined by $wgGroupPermissions do not do so.
Account vanishing
See also: Extension:CentralAuth/GlobalVanishRequest
Licensing and downloads
The extension is available under the GNU General Public License 2.0 or later, and can be downloaded from Git, or accessed via the web-based viewer. The software is provided as-is. Updates will be made according to the needs of Wikimedia wikis; or where critical vulnerabilities are discovered.
API
See Extension:CentralAuth/API
See also
Help:Unified login on Meta-Wiki
Extension:CentralAuth/authentication – CentralAuth authentication features
$wgSharedDB
User:Legoktm/evil-plans2.txt – 2015 plan to phase out CentralAuth at Wikimedia
Global session threat assessment
Integrated watchlists
CentralAuth control flow
Stuck global renames
This extension is being used on one or more Wikimedia projects. This probably means that the extension is stable and works well enough to be used by such high-traffic websites. Look for this extension's name in Wikimedia's CommonSettings.php and InitialiseSettings.php configuration files to see where it's installed. A full list of the extensions installed on a particular wiki can be seen on the wiki's Special:Version page.
This extension is included in the following wiki farms/hosts and/or packages: Miraheze