On Thu, Apr 22, 2021 at 3:46 PM Alex Monk krenair@gmail.com wrote:
The Wikimania wiki is part of the production cluster so gets privileged access to the production CentralAuth database. I'm not sure if the prod wikis can act as an identity provider for other sites to consume
On Thu, 22 Apr 2021 at 19:27, Denny Vrandečić dvrandecic@wikimedia.org wrote:
I would love to do the same! Can you point me to your configuration?
On Wed, Apr 21, 2021 at 9:03 PM billinghurst billinghurstwiki@gmail.com wrote:
Hi Denny,
As a spam defence for Wikimania, we disallowed local account generation, and just leverage WMF's SULs, similarly did the same for wikidata-test to great effect. The one thing that we did was to change the login link to point to somewhere they could create an account. [1] Great success, though not 100% effective against manual spammers, or those that trawl.
I believe that the `wsoauth` role in MediaWiki-Vagrant can do what Denny is looking for. That role provisions https://www.mediawiki.org/wiki/Extension:WSOAuth and configures it to use a shared OAuth grant which works for local testing at a "http://dev.wiki.local.wmftest.net" host (https://meta.wikimedia.org/wiki/Special:OAuthManageConsumers/20c96d141c4ac5bea4fadd6824f6ebda). Beyond using `vagrant roles enable wsoauth`, a Cloud VPS hosted MediaWiki-Vagrant wiki would need to apply for a new OAuth grant that contains the callback URL of the hosted wiki (<https://<something>.wmcloud.org/...>) and then add the OAuth key and secret values for the new grant to the local MediaWiki-Vagrant's hiera configuration. This might look something like:
$ vagrant role enable wsoauth $ vagrant hiera role::wsoauth::oauth_key "the key for the new grant" $ vagrant hiera role::wsoauth::oauth_secret "the secret for the new grant" $ vagrant provision
Bryan