API:Login

This page is part of the MediaWiki action API documentation.

The MediaWiki API may require your application or client to provide authenticated user credentials to the API in order to complete an operation successfully. As of MediaWiki 1.27, there are two API actions used to authenticate: login and clientlogin.

Bots and other non-interactive applications should generally use owner-only OAuth consumers when available to authenticate as it is more secure, however bot passwords can be used with the login action as described on this page.

Interactive applications such as custom editors or patrolling applications that provide a service without intending to fully replace the website should generally also use OAuth for authenticating the tool, as it is easier and more secure, however the clientlogin action can be used if that is unavailable.

Interactive applications such as mobile apps that aim to completely replace access to the web-based user interface should use the clientlogin action to authenticate.

Whether to log in[edit]

Your client will need to log in to MediaWiki if:

• it needs to obtain information or carry out an action that is restricted to users with certain rights
• it is making large queries that would be inefficient without the higher per-request limits reserved for accounts with certain rights

On wikis that allow anonymous editing, it's possible to edit through the API without logging in, but it's highly recommended that you do log in. On private wikis, logging in is required to use any API functionality.

If your client is written in JavaScript running in the user's browser, it will usually act with the credentials of the user who's running it and so will not need to log in itself. In this case, you won't need to login using the web service API--you'll just need to ensure that the user has logged in through the web interface.

If your client is using OAuth or a similar mechanism, it will not need to explicitly log in as all OAuth requests are already authenticated.

Application-specific user accounts[edit]

Rather than having your application log in as yourself, you may want to create a separate user account just for your application. This is especially important if your application:

• is carrying out automated editing or some other bulk operation.
• invokes large or performance-intensive queries.

With a separate account, the changes made by your application can be easily tracked, and special rights (usually a "bot" user group) can be applied to the application's account. Some wikis have a policy related to automated editing, and/or a procedure for dealing with "bot" user group requests.

How to check if you're logged in[edit]

The login mechanism typically uses cookies to track the logged-in status of a session. Clients should check directly if they are logged in, rather than attempting to determine the status by examining the cookies or by blindly logging in whether or not it is required.

The recommended way to ensure that requests are logged in is to use the assert=user parameter accepted on all API calls. When this parameter is provided and the user is not logged in, an assertuserfailed error will be returned.

To directly check which user (if any) you are currently logged in as, use the userinfoAPI:Userinfo query module.

How to log in[edit]

In MediaWiki versions before 1.27, only the login action is available and should be used by all clients needing to login. As of 1.27, the login action should only be used in combination with bot passwords, and clientlogin should be used by interactive applications.

Note that logging in and remaining logged in requires correct HTTP cookie handling by your client on all requests. Typically your framework or HTTP request library will handle this for you.

The login action[edit]

To successfully log in, a login token must first be retrieved. This token should be fetched using a tokensAPI:Tokens query in MediaWiki 1.27 and later. For older versions, a POST to the login action is required instead.

{
    "login": {
        "result": "NeedToken",
        "token": "b5780b6e2f27e20b450921d9461010b4"
    }
}

Other fields might be included in the response, however these are deprecated and should be ignored if present.

Once the token has been fetched, the login may proceed.

Send a login request with POST.

{
    "login": {
        "result": "Success",
        "lguserid": 12345,
        "lgusername": "Bob"
    }
}

Other fields might be included in the response, however these are deprecated and should be ignored if present.

The result field in the output indicates whether the login was successful. Non-successful results include:

• NeedToken if the lgtoken parameter was not provided or no session was active (e.g. your cookie handling is broken).
• WrongToken if the supplied token was not a valid token.
• Failed (since 1.27) if the login failed. A reason field will exist in the response containing and explanation of the failure.
• Aborted (since 1.27) if the login using the main account password (rather than a bot password) cannot proceed because user interaction is required. The clientlogin action should be used instead.
• NoName (before 1.27) if no lgname was provided.
• Illegal (before 1.27) if the lgname is not a valid user name.
• NotExists (before 1.27) if supplied user does not exist.
• EmptyPass (before 1.27) if the supplied password is empty.
• WrongPass or WrongPluginPass (before 1.27) if the password is incorrect.
• CreateBlocked (before 1.27) if auto-creation of the account is required but is not possible.
• Throttled (before 1.27) if login attempts from your IP have been throttled.
• Blocked (before 1.27) if the user being logged in to is blocked and blocks prevent login on the wiki.
• Aborted (before 1.27) if the login was aborted by an extension without further detail. A reason field may be present.

The clientlogin action[edit]

This action implements an interactive login process, which might include CAPTCHAs, interactions with third-party authentication services, two-factor authentication, and more. As such, the specific fields required may vary depending on the configuration of the wiki. A description of the fields needed should be fetched from the authmanagerinfoAPI:Authmanagerinfo query.

On a wiki without any special authentication extensions, the fields needed might include username, password, and optionally rememberMe, so the login request would look something like this:

{
    "clientlogin": {
        "status": "PASS",
        "username": "Bob"
    }
}

On the other hand, a wiki with a CAPTCHA extension, an extension for authentication using OpenID Connect, and a two-factor authentication extension might have a more complicated authentication process.

{
    "clientlogin": {
        "status": "REDIRECT",
        "redirecttarget": "https://openid.example.net/openid-auth.php?scope=openid&response_type=code&client_id=ABC&redirect_uri=https://wiki.example.org/wiki/Special:OpenIDConnectReturn&state=XYZ123",
        "requests": [
            {
                "id": "OpenIdConnectResponseAuthenticationRequest",
                "metadata": {},
                "required": "required",
                "provider": "OpenID Connect at example.net",
                "account": "",
                "fields": {
                    "code": {
                        "type": "string",
                        "label": "OpenID Code",
                        "help": "OpenID Connect code response"
                    },
                    "state": {
                        "type": "string",
                        "label": "OpenID State",
                        "help": "OpenID Connect state response"
                    },
                }
            }
        ]
    }
}

The client would be expected to redirect the user's browser to the provided redirecttarget. The OpenID provider would authenticate, and redirect to Special:OpenIDConnectReturn on the wiki, which would validate the OpenID response and then redirect to the loginreturnurl provided in the first POST to the API with the code and state parameters added. The client gets control of the process back at this point and makes its next API request.

{
    "clientlogin": {
        "status": "UI",
        "message": "Two-factor authentication",
        "requests": [
            {
                "id": "TwoFactorAuthenticationRequest",
                "metadata": {},
                "required": "required",
                "provider": "",
                "account": "",
                "fields": {
                    "code": {
                        "type": "string",
                        "label": "Code",
                        "help": "Two-factor authentication code"
                    }
                }
            }
        ]
    }
}

Now the client needs to ask the user to check their two-factor authentication app for the current code, and submit that back to the server to continue the authentication process.

{
    "clientlogin": {
        "status": "PASS",
        "username": "Alice"
    }
}

The authentication process has finally succeeded.

If at any point authentication fails, a response with status FAIL will be returned, along with a message to display to the user.

In certain cases it's possible to receive a RESTART response, for example if the OpenID Connect extension had no mapping for the OpenID account to any local user. In this case the client might restart the login process from the beginning or might switch to account creation, in either case passing the loginpreservestate or createpreservestate parameter to preserve some state.

The following documentation is the output of Special:ApiHelp/login, generated from login's source code.

action=login (lg)

Log in and get authentication cookies.

This action should only be used in combination with Special:BotPasswords; use for main-account login is deprecated and may fail without warning. To safely log in to the main account, use action=clientlogin.

The following documentation is the output of Special:ApiHelp/clientlogin, generated from clientlogin's source code.

action=clientlogin (login)

Log in to the wiki using the interactive flow.

The general procedure to use this module is:

1. Fetch the fields available from action=query&meta=authmanagerinfo with amirequestsfor=login, and a login token from action=query&meta=tokens.
2. Present the fields to the user, and obtain their submission.
3. Post to this module, supplying loginreturnurl and any relevant fields.
4. Check the status in the response.
   • If you received PASS or FAIL, you're done. The operation either succeeded or it didn't.
   • If you received UI, present the new fields to the user and obtain their submission. Then post to this module with logincontinue and the relevant fields set, and repeat step 4.
   • If you received REDIRECT, direct the user to the redirecttarget and wait for the return to loginreturnurl. Then post to this module with logincontinue and any fields passed to the return URL, and repeat step 4.
   • If you received RESTART, that means the authentication worked but we don't have a linked user account. You might treat this as UI or as FAIL.