A secondary provider mostly acts when the submitted authentication data has already been associated to a MediaWiki user account. More...
Public Member Functions | |
| autoCreatedAccount ( $user, $source) | |
| Post-auto-creation callback. More... | |
| beginSecondaryAccountCreation ( $user, $creator, array $reqs) | |
| Start an account creation flow. More... | |
| beginSecondaryAuthentication ( $user, array $reqs) | |
| Start an authentication flow. More... | |
| continueSecondaryAccountCreation ( $user, $creator, array $reqs) | |
| Continue an authentication flow. More... | |
| continueSecondaryAuthentication ( $user, array $reqs) | |
| Continue an authentication flow. More... | |
| postAccountCreation ( $user, $creator, AuthenticationResponse $response) | |
| Post-creation callback. More... | |
| postAuthentication ( $user, AuthenticationResponse $response) | |
| Post-login callback. More... | |
| providerAllowsAuthenticationDataChange (AuthenticationRequest $req, $checkData=true) | |
| Validate a change of authentication data (e.g. More... | |
| providerAllowsPropertyChange ( $property) | |
| Determine whether a property can change. More... | |
| providerChangeAuthenticationData (AuthenticationRequest $req) | |
| Change or remove authentication data (e.g. More... | |
| providerRevokeAccessForUser ( $username) | |
| Revoke the user's credentials. More... | |
| testForAccountCreation ( $user, $creator, array $reqs) | |
| Determine whether an account creation may begin. More... | |
| testUserForCreation ( $user, $autocreate, array $options=[]) | |
| Determine whether an account may be created. More... | |
 Public Member Functions inherited from MediaWiki\Auth\AuthenticationProvider | |
| getAuthenticationRequests ( $action, array $options) | |
| Return the applicable list of AuthenticationRequests. More... | |
| getUniqueId () | |
| Return a unique identifier for this instance. More... | |
| setConfig (Config $config) | |
| Set configuration. More... | |
| setManager (AuthManager $manager) | |
| Set AuthManager. More... | |
Detailed Description
A secondary provider mostly acts when the submitted authentication data has already been associated to a MediaWiki user account.
For login, a secondary provider performs additional authentication steps after a PrimaryAuthenticationProvider has identified which MediaWiki user is trying to log in. For example, it might implement a password reset, request the second factor for two-factor auth, or prevent the login if the account is blocked.
For account creation, a secondary provider performs optional extra steps after a PrimaryAuthenticationProvider has created the user; for example, it can collect further user information such as a biography.
(For account linking, secondary providers are not involved.)
This interface also provides methods for changing authentication data such as a second-factor token, and callbacks that are invoked after login / account creation succeeded or failed.
- Since
- 1.27
Definition at line 52 of file SecondaryAuthenticationProvider.php.
Member Function Documentation
◆ autoCreatedAccount()
| MediaWiki\Auth\SecondaryAuthenticationProvider::autoCreatedAccount | ( | $user, | |
| $source | |||
| ) |
Post-auto-creation callback.
- Parameters
-
User $user User being created (has been added to the database now). This may become a "UserValue" in the future, or User may be refactored into such. string $source The source of the auto-creation passed to AuthManager::autoCreateUser().
Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider.
◆ beginSecondaryAccountCreation()
| MediaWiki\Auth\SecondaryAuthenticationProvider::beginSecondaryAccountCreation | ( | $user, | |
| $creator, | |||
| array | $reqs | ||
| ) |
Start an account creation flow.
- Note
- There is no guarantee this will be called in a successful account creation process as the user can just abandon the process at any time after the primary provider has issued a PASS and still have a valid account. Be prepared to handle any database inconsistencies that result from this or continueSecondaryAccountCreation() not being called.
- Parameters
-
User $user User being created (has been added to the database). This may become a "UserValue" in the future, or User may be refactored into such. User $creator User doing the creation. This may become a "UserValue" in the future, or User may be refactored into such. AuthenticationRequest[] $reqs
- Returns
- AuthenticationResponse Expected responses:
- PASS: The user creation is ok. Additional secondary providers may run.
- ABSTAIN: Additional secondary providers may run.
- UI: Additional AuthenticationRequests are needed to complete the process.
- REDIRECT: Redirection to a third party is needed to complete the process.
Implemented in MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider, MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider, MediaWiki\Auth\EmailNotificationSecondaryAuthenticationProvider, and MediaWiki\Auth\ConfirmLinkSecondaryAuthenticationProvider.
◆ beginSecondaryAuthentication()
| MediaWiki\Auth\SecondaryAuthenticationProvider::beginSecondaryAuthentication | ( | $user, | |
| array | $reqs | ||
| ) |
Start an authentication flow.
Note that this may be called for a user even if beginSecondaryAccountCreation() was never called. The module should take the opportunity to do any necessary setup in that case.
- Parameters
-
User $user User being authenticated. This may become a "UserValue" in the future, or User may be refactored into such. AuthenticationRequest[] $reqs
- Returns
- AuthenticationResponse Expected responses:
- PASS: The user is authenticated. Additional secondary providers may run.
- FAIL: The user is not authenticated. Fail the authentication process.
- ABSTAIN: Additional secondary providers may run.
- UI: Additional AuthenticationRequests are needed to complete the process.
- REDIRECT: Redirection to a third party is needed to complete the process.
Implemented in MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider, MediaWiki\Auth\EmailNotificationSecondaryAuthenticationProvider, MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider, and MediaWiki\Auth\ConfirmLinkSecondaryAuthenticationProvider.
◆ continueSecondaryAccountCreation()
| MediaWiki\Auth\SecondaryAuthenticationProvider::continueSecondaryAccountCreation | ( | $user, | |
| $creator, | |||
| array | $reqs | ||
| ) |
Continue an authentication flow.
- Parameters
-
User $user User being created (has been added to the database). This may become a "UserValue" in the future, or User may be refactored into such. User $creator User doing the creation. This may become a "UserValue" in the future, or User may be refactored into such. AuthenticationRequest[] $reqs
- Returns
- AuthenticationResponse Expected responses:
- PASS: The user creation is ok. Additional secondary providers may run.
- ABSTAIN: Additional secondary providers may run.
- UI: Additional AuthenticationRequests are needed to complete the process.
- REDIRECT: Redirection to a third party is needed to complete the process.
Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider, MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider, and MediaWiki\Auth\ConfirmLinkSecondaryAuthenticationProvider.
◆ continueSecondaryAuthentication()
| MediaWiki\Auth\SecondaryAuthenticationProvider::continueSecondaryAuthentication | ( | $user, | |
| array | $reqs | ||
| ) |
Continue an authentication flow.
- Parameters
-
User $user User being authenticated. This may become a "UserValue" in the future, or User may be refactored into such. AuthenticationRequest[] $reqs
- Returns
- AuthenticationResponse Expected responses:
- PASS: The user is authenticated. Additional secondary providers may run.
- FAIL: The user is not authenticated. Fail the authentication process.
- ABSTAIN: Additional secondary providers may run.
- UI: Additional AuthenticationRequests are needed to complete the process.
- REDIRECT: Redirection to a third party is needed to complete the process.
Implemented in MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider, MediaWiki\Auth\AbstractSecondaryAuthenticationProvider, and MediaWiki\Auth\ConfirmLinkSecondaryAuthenticationProvider.
◆ postAccountCreation()
| MediaWiki\Auth\SecondaryAuthenticationProvider::postAccountCreation | ( | $user, | |
| $creator, | |||
| AuthenticationResponse | $response | ||
| ) |
Post-creation callback.
This will be called at the end of an account creation attempt. It will not be called if the account creation process results in a session timeout (possibly after a successful user creation, while a secondary provider is waiting for a response).
- Parameters
-
User $user User that was attempted to be created. This may become a "UserValue" in the future, or User may be refactored into such. User $creator User doing the creation. This may become a "UserValue" in the future, or User may be refactored into such. AuthenticationResponse $response Authentication response that will be returned (PASS or FAIL)
Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider.
◆ postAuthentication()
| MediaWiki\Auth\SecondaryAuthenticationProvider::postAuthentication | ( | $user, | |
| AuthenticationResponse | $response | ||
| ) |
Post-login callback.
This will be called at the end of a login attempt. It will not be called for unfinished login attempts that fail by the session timing out.
- Parameters
-
User | null $user User that was attempted to be logged in, if known. This may become a "UserValue" in the future, or User may be refactored into such. AuthenticationResponse $response Authentication response that will be returned (PASS or FAIL)
Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider.
◆ providerAllowsAuthenticationDataChange()
| MediaWiki\Auth\SecondaryAuthenticationProvider::providerAllowsAuthenticationDataChange | ( | AuthenticationRequest | $req, |
$checkData = true |
|||
| ) |
Validate a change of authentication data (e.g.
passwords)
Return StatusValue::newGood( 'ignored' ) if you don't support this AuthenticationRequest type.
- Parameters
-
AuthenticationRequest $req bool $checkData If false, $req hasn't been loaded from the submission so checks on user-submitted fields should be skipped. $req->username is considered user-submitted for this purpose, even if it cannot be changed via $req->loadFromSubmission.
- Returns
- StatusValue
Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider.
◆ providerAllowsPropertyChange()
| MediaWiki\Auth\SecondaryAuthenticationProvider::providerAllowsPropertyChange | ( | $property | ) |
Determine whether a property can change.
- Parameters
-
string $property
- Returns
- bool
Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider.
◆ providerChangeAuthenticationData()
| MediaWiki\Auth\SecondaryAuthenticationProvider::providerChangeAuthenticationData | ( | AuthenticationRequest | $req | ) |
Change or remove authentication data (e.g.
passwords)
If $req was returned for AuthManager::ACTION_CHANGE, the corresponding credentials should result in a successful login in the future.
If $req was returned for AuthManager::ACTION_REMOVE, the corresponding credentials should no longer result in a successful login.
It can be assumed that providerAllowsAuthenticationDataChange with $checkData === true was called before this, and passed. This method should never fail (other than throwing an exception).
- Parameters
-
AuthenticationRequest $req
Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider.
◆ providerRevokeAccessForUser()
| MediaWiki\Auth\SecondaryAuthenticationProvider::providerRevokeAccessForUser | ( | $username | ) |
Revoke the user's credentials.
This may cause the user to no longer exist for the provider, or the user may continue to exist in a "disabled" state.
The intention is that the named account will never again be usable for normal login (i.e. there is no way to undo the revocation of access).
- Parameters
-
string $username
Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider.
◆ testForAccountCreation()
| MediaWiki\Auth\SecondaryAuthenticationProvider::testForAccountCreation | ( | $user, | |
| $creator, | |||
| array | $reqs | ||
| ) |
Determine whether an account creation may begin.
Called from AuthManager::beginAccountCreation()
- Note
- No need to test if the account exists, AuthManager checks that
- Parameters
-
User $user User being created (not added to the database yet). This may become a "UserValue" in the future, or User may be refactored into such. User $creator User doing the creation. This may become a "UserValue" in the future, or User may be refactored into such. AuthenticationRequest[] $reqs
- Returns
- StatusValue
Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider.
◆ testUserForCreation()
| MediaWiki\Auth\SecondaryAuthenticationProvider::testUserForCreation | ( | $user, | |
| $autocreate, | |||
| array | $options = [] |
||
| ) |
Determine whether an account may be created.
- Parameters
-
User $user User being created (not added to the database yet). This may become a "UserValue" in the future, or User may be refactored into such. bool | string $autocreate False if this is not an auto-creation, or the source of the auto-creation passed to AuthManager::autoCreateUser(). array $options - flags: (int) Bitfield of User:READ_* constants, default User::READ_NORMAL
- creating: (bool) If false (or missing), this call is only testing if a user could be created. If set, this (non-autocreation) is for actually creating an account and will be followed by a call to testForAccountCreation(). In this case, the provider might return StatusValue::newGood() here and let the later call to testForAccountCreation() do a more thorough test.
- Returns
- StatusValue
Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider, and MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider.
The documentation for this interface was generated from the following file:
- includes/auth/SecondaryAuthenticationProvider.php
