Extension talk:OpenID Connect


About this board

When reporting an error, please be sure to include version information for MediaWiki and all relevant extensions as well as configuration information. Also, please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log.

195.82.130.6 (talkcontribs)

Hi,

I configured openid connect to work with keycloak.

The redirect to keycloak login screen works, I fill in the username and password, I am redirected to wiki but no user is created.

The session for that user exists in keycloak.

These are my configuration properties:

#$wgGroupPermissions['*']['createaccount'] = false;
#$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgWhitelistRead = array ("Help:Contents", "Special:Userlogin", "Special:CreateAccount", "Special:PluggableAuthLogin");
wfLoadExtension( 'PluggableAuth' );
$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_EnableLocalProperties = false;
$wgPluggableAuth_Class = 'OpenIDConnect';
wfLoadExtension( 'OpenIDConnect' );
$wgOpenIDConnect_Config['http://192.168.99.100:9080/auth/realms/my_realm/'] = [
    'clientID' => 'mediawiki',
    'clientsecret' => 'some secret',
    'scope' => [ 'openid', 'profile']
];
$wgOpenIDConnect_UseRealNameAsUserName = false;
$wgOpenIDConnect_UseEmailNameAsUserName = false;
$wgOpenIDConnect_MigrateUsersByUserName = true;
$wgOpenIDConnect_MigrateUsersByEmail = true;
$wgOpenIDConnect_ForceLogout = false;

Please tell me what I should do in order to create the user and appear as authenticated in the wiki.

Thank you!

Cindy.cicalese (talkcontribs)

Which MediaWiki and extension versions are you using? Please turn on debugging (Manual:How_to_debug#Setting_up_a_debug_log_file) and report here any mentions of PluggableAuth and OpenID Connect in the debug log file. There should hopefully be an indication of an error in the log. It could be that a preferred username is not being correctly returned and you have it set not to use the email address or real name as the username.

195.82.130.6 (talkcontribs)

MediaWiki 1.31.0,

PluggableAuth 5.4

OpenID Connect 4.1

Log:

IP: ::1

Start request GET /mediawiki/index.php/Special:PluggableAuthLogin

HTTP HEADERS:

HOST: localhost

CONNECTION: keep-alive

UPGRADE-INSECURE-REQUESTS: 1

USER-AGENT: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

ACCEPT-ENCODING: gzip, deflate, br

ACCEPT-LANGUAGE: ro-RO,ro;q=0.9,en-US;q=0.8,en;q=0.7

COOKIE: SESSION=2fd0ee3b-b156-4fc3-80e1-1c55466c0f64; wikidb_session=e254t7vvbbo6eihrvm2fo0f9f5ppbob9;

[caches] cluster: EmptyBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: SqlBagOStuff, session: SqlBagOStuff

[caches] LocalisationCache: using store LCStoreDB

[session] Session "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" requested without UserID cookie

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection.

[DBReplication] Cannot use ChronologyProtector with EmptyBagOStuff.

[DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info {

    "IPAddress": "::1",

    "UserAgent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36",

    "ChronologyProtection": false,

    "ChronologyPositionIndex": 0

}

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'localhost'.

[SQLBagOStuff] Connection 2304 will be used for SqlBagOStuff

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'localhost'.

[PluggableAuth] In execute()

[PluggableAuth] Getting PluggableAuth singleton

[PluggableAuth] Class name: OpenIDConnect

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" data dirty due to dirty(): Jumbojett\OpenIDConnectClient->requestAuthorization/session_commit/MediaWiki\Session\PHPSessionHandler->write/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" data dirty due to dirty(): Jumbojett\OpenIDConnectClient->requestAuthorization/session_commit/MediaWiki\Session\PHPSessionHandler->write/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" save: dataDirty=1 metaDirty=0 forcePersist=0

#9 E:\htdocs\mediawiki\includes\session\Session.php(616): MediaWiki\Session\SessionBackend->save()

#10 E:\htdocs\mediawiki\includes\session\PHPSessionHandler.php(353): MediaWiki\Session\Session->save()

#11 [internal function]: MediaWiki\Session\PHPSessionHandler->write('e254t7vvbbo6eih...', 'a:5:{s:15:"wsSe...')

#12 E:\htdocs\mediawiki\vendor\jumbojett\openid-connect-php\src\OpenIDConnectClient.php(610): session_commit()

#13 E:\htdocs\mediawiki\vendor\jumbojett\openid-connect-php\src\OpenIDConnectClient.php(393): Jumbojett\OpenIDConnectClient->requestAuthorization()

#14 E:\htdocs\mediawiki\extensions\OpenIDConnect\src\OpenIDConnect.php(152): Jumbojett\OpenIDConnectClient->authenticate()

#15 E:\htdocs\mediawiki\extensions\PluggableAuth\includes\PluggableAuthLogin.php(31): OpenIDConnect->authenticate(NULL, NULL, NULL, NULL, NULL)

#16 E:\htdocs\mediawiki\includes\specialpage\SpecialPage.php(522): PluggableAuthLogin->execute(NULL)

[session] Saving all sessions on shutdown

[DBConnection] Wikimedia\Rdbms\{closure}: closing connection to database 'localhost'.

[DBConnection] Wikimedia\Rdbms\{closure}: closing connection to database 'localhost'.

IP: ::1

Start request GET /mediawiki/index.php/Special:PluggableAuthLogin?state=e2e2d20e1b6d9192f66db9446951338c&code=uss.HJBEChHIKTHMZZ8fiI-cBPfIJvWO0GbCI7tR-ZOFKZU.5dd27c5d-414e-4cef-8ffe-ed0aab9d3088.609eb959-ca7f-4130-999c-6a19409fcdb3

HTTP HEADERS:

HOST: localhost

CONNECTION: keep-alive

CACHE-CONTROL: max-age=0

UPGRADE-INSECURE-REQUESTS: 1

USER-AGENT: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

REFERER: http://192.168.99.100:9080/auth/realms/my-realm/protocol/openid-connect/auth?response_type=code&redirect_uri=https%3A%2F%2Flocalhost%2Fmediawiki%2Findex.php%2FSpecial%3APluggableAuthLogin&client_id=mediawiki&nonce=2dbbb67d5621332ea891517120a1218d&state=e2e2d20e1b6d9192f66db9446951338c&scope=openid+profile

ACCEPT-ENCODING: gzip, deflate, br

ACCEPT-LANGUAGE: ro-RO,ro;q=0.9,en-US;q=0.8,en;q=0.7

COOKIE: SESSION=2fd0ee3b-b156-4fc3-80e1-1c55466c0f64; wikidb_session=e254t7vvbbo6eihrvm2fo0f9f5ppbob9;

[caches] cluster: EmptyBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: SqlBagOStuff, session: SqlBagOStuff

[caches] LocalisationCache: using store LCStoreDB

[session] Session "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" requested without UserID cookie

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection.

[DBReplication] Cannot use ChronologyProtector with EmptyBagOStuff.

[DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info {

    "IPAddress": "::1",

    "UserAgent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36",

    "ChronologyProtection": false,

    "ChronologyPositionIndex": 0

}

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'localhost'.

[SQLBagOStuff] Connection 2306 will be used for SqlBagOStuff

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'localhost'.

[PluggableAuth] In execute()

[PluggableAuth] Getting PluggableAuth singleton

[PluggableAuth] Class name: OpenIDConnect

Matching user to email temp@mailinator.com

[CryptRand] 0 bytes of randomness leftover in the buffer.

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" data dirty due to dirty(): OpenIDConnect->authenticate/MediaWiki\Auth\AuthManager->setAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" save: dataDirty=1 metaDirty=0 forcePersist=0

[DBPerformance] Expectation (writes <= 0) by MediaWiki::main not met (actual: 1):

query-m: REPLACE INTO `objectcache` (keyname,value,exptime) VALUES ('X')

#9 E:\htdocs\mediawiki\includes\session\SessionBackend.php(596): MediaWiki\Session\SessionBackend->save()

#10 [internal function]: MediaWiki\Session\SessionBackend->MediaWiki\Session\{closure}()

#11 E:\htdocs\mediawiki\vendor\wikimedia\scoped-callback\src\ScopedCallback.php(76): call_user_func_array(Object(Closure), Array)

#12 E:\htdocs\mediawiki\vendor\wikimedia\scoped-callback\src\ScopedCallback.php(56): Wikimedia\ScopedCallback->__destruct()

#13 E:\htdocs\mediawiki\includes\session\SessionManager.php(886): Wikimedia\ScopedCallback::consume(NULL)

#14 E:\htdocs\mediawiki\includes\session\SessionManager.php(214): MediaWiki\Session\SessionManager->getSessionFromInfo(Object(MediaWiki\Session\SessionInfo), Object(WebRequest))

#15 E:\htdocs\mediawiki\includes\WebRequest.php(730): MediaWiki\Session\SessionManager->getSessionById('e254t7vvbbo6eih...', true, Object(WebRequest))

#16 E:\htdocs\mediawiki\includes\auth\AuthManager.php(2234): WebRequest->getSession()

#17 E:\htdocs\mediawiki\extensions\OpenIDConnect\src\OpenIDConnect.php(194): MediaWiki\Auth\AuthManager->setAuthenticationSessionData('OpenIDConnectIs...', 'http://192.168....')

#18 E:\htdocs\mediawiki\extensions\PluggableAuth\includes\PluggableAuthLogin.php(31): OpenIDConnect->authenticate(NULL, 'Temp', 'tempf templ', 'temp@mailinator...', NULL)

#19 E:\htdocs\mediawiki\includes\specialpage\SpecialPage.php(522): PluggableAuthLogin->execute(NULL)

#20 E:\htdocs\mediawiki\includes\specialpage\SpecialPageFactory.php(568): SpecialPage->run(NULL)

[CryptRand] 0 bytes of randomness leftover in the buffer.

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" data dirty due to dirty(): OpenIDConnect->authenticate/MediaWiki\Auth\AuthManager->setAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" save: dataDirty=1 metaDirty=0 forcePersist=0

#9 E:\htdocs\mediawiki\includes\session\SessionBackend.php(596): MediaWiki\Session\SessionBackend->save()

#10 [internal function]: MediaWiki\Session\SessionBackend->MediaWiki\Session\{closure}()

#11 E:\htdocs\mediawiki\vendor\wikimedia\scoped-callback\src\ScopedCallback.php(76): call_user_func_array(Object(Closure), Array)

#12 E:\htdocs\mediawiki\vendor\wikimedia\scoped-callback\src\ScopedCallback.php(56): Wikimedia\ScopedCallback->__destruct()

#13 E:\htdocs\mediawiki\includes\session\SessionManager.php(886): Wikimedia\ScopedCallback::consume(NULL)

#14 E:\htdocs\mediawiki\includes\session\SessionManager.php(214): MediaWiki\Session\SessionManager->getSessionFromInfo(Object(MediaWiki\Session\SessionInfo), Object(WebRequest))

#15 E:\htdocs\mediawiki\includes\WebRequest.php(730): MediaWiki\Session\SessionManager->getSessionById('e254t7vvbbo6eih...', true, Object(WebRequest))

#16 E:\htdocs\mediawiki\includes\user\User.php(1290): WebRequest->getSession()

#17 E:\htdocs\mediawiki\extensions\PluggableAuth\includes\PluggableAuthLogin.php(33): User->loadDefaults('Temp')

#18 E:\htdocs\mediawiki\includes\specialpage\SpecialPage.php(522): PluggableAuthLogin->execute(NULL)

#19 E:\htdocs\mediawiki\includes\specialpage\SpecialPageFactory.php(568): SpecialPage->run(NULL)

[PluggableAuth] Authenticated new user: Temp

[CryptRand] 0 bytes of randomness leftover in the buffer.

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" data dirty due to dirty(): PluggableAuthLogin->execute/MediaWiki\Auth\AuthManager->setAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" save: dataDirty=1 metaDirty=0 forcePersist=0

#9 E:\htdocs\mediawiki\includes\session\SessionBackend.php(596): MediaWiki\Session\SessionBackend->save()

#10 [internal function]: MediaWiki\Session\SessionBackend->MediaWiki\Session\{closure}()

#11 E:\htdocs\mediawiki\vendor\wikimedia\scoped-callback\src\ScopedCallback.php(76): call_user_func_array(Object(Closure), Array)

#12 E:\htdocs\mediawiki\vendor\wikimedia\scoped-callback\src\ScopedCallback.php(56): Wikimedia\ScopedCallback->__destruct()

#13 E:\htdocs\mediawiki\includes\session\SessionManager.php(886): Wikimedia\ScopedCallback::consume(NULL)

#14 E:\htdocs\mediawiki\includes\session\SessionManager.php(214): MediaWiki\Session\SessionManager->getSessionFromInfo(Object(MediaWiki\Session\SessionInfo), Object(WebRequest))

#15 E:\htdocs\mediawiki\includes\WebRequest.php(730): MediaWiki\Session\SessionManager->getSessionById('e254t7vvbbo6eih...', true, Object(WebRequest))

#16 E:\htdocs\mediawiki\includes\auth\AuthManager.php(2234): WebRequest->getSession()

#17 E:\htdocs\mediawiki\extensions\PluggableAuth\includes\PluggableAuthLogin.php(51): MediaWiki\Auth\AuthManager->setAuthenticationSessionData('PluggableAuthLo...', 'tempf templ')

#18 E:\htdocs\mediawiki\includes\specialpage\SpecialPage.php(522): PluggableAuthLogin->execute(NULL)

#19 E:\htdocs\mediawiki\includes\specialpage\SpecialPageFactory.php(568): SpecialPage->run(NULL)

[CryptRand] 0 bytes of randomness leftover in the buffer.

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" data dirty due to dirty(): PluggableAuthLogin->execute/MediaWiki\Auth\AuthManager->setAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" save: dataDirty=1 metaDirty=0 forcePersist=0

#9 E:\htdocs\mediawiki\includes\session\SessionBackend.php(596): MediaWiki\Session\SessionBackend->save()

#10 [internal function]: MediaWiki\Session\SessionBackend->MediaWiki\Session\{closure}()

#11 E:\htdocs\mediawiki\vendor\wikimedia\scoped-callback\src\ScopedCallback.php(76): call_user_func_array(Object(Closure), Array)

#12 E:\htdocs\mediawiki\vendor\wikimedia\scoped-callback\src\ScopedCallback.php(56): Wikimedia\ScopedCallback->__destruct()

#13 E:\htdocs\mediawiki\includes\session\SessionManager.php(886): Wikimedia\ScopedCallback::consume(NULL)

#14 E:\htdocs\mediawiki\includes\session\SessionManager.php(214): MediaWiki\Session\SessionManager->getSessionFromInfo(Object(MediaWiki\Session\SessionInfo), Object(WebRequest))

#15 E:\htdocs\mediawiki\includes\WebRequest.php(730): MediaWiki\Session\SessionManager->getSessionById('e254t7vvbbo6eih...', true, Object(WebRequest))

#16 E:\htdocs\mediawiki\includes\auth\AuthManager.php(2234): WebRequest->getSession()

#17 E:\htdocs\mediawiki\extensions\PluggableAuth\includes\PluggableAuthLogin.php(53): MediaWiki\Auth\AuthManager->setAuthenticationSessionData('PluggableAuthLo...', 'temp@mailinator...')

#18 E:\htdocs\mediawiki\includes\specialpage\SpecialPage.php(522): PluggableAuthLogin->execute(NULL)

#19 E:\htdocs\mediawiki\includes\specialpage\SpecialPageFactory.php(568): SpecialPage->run(NULL)

[CryptRand] 0 bytes of randomness leftover in the buffer.

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" data dirty due to dirty(): PluggableAuthLogin->execute/MediaWiki\Auth\AuthManager->setAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty

[PluggableAuth] User is authorized.

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" save: dataDirty=1 metaDirty=0 forcePersist=0

#9 E:\htdocs\mediawiki\includes\session\SessionBackend.php(596): MediaWiki\Session\SessionBackend->save()

#10 [internal function]: MediaWiki\Session\SessionBackend->MediaWiki\Session\{closure}()

#11 E:\htdocs\mediawiki\vendor\wikimedia\scoped-callback\src\ScopedCallback.php(76): call_user_func_array(Object(Closure), Array)

#12 E:\htdocs\mediawiki\vendor\wikimedia\scoped-callback\src\ScopedCallback.php(56): Wikimedia\ScopedCallback->__destruct()

#13 E:\htdocs\mediawiki\includes\session\SessionManager.php(886): Wikimedia\ScopedCallback::consume(NULL)

#14 E:\htdocs\mediawiki\includes\session\SessionManager.php(214): MediaWiki\Session\SessionManager->getSessionFromInfo(Object(MediaWiki\Session\SessionInfo), Object(WebRequest))

#15 E:\htdocs\mediawiki\includes\WebRequest.php(730): MediaWiki\Session\SessionManager->getSessionById('e254t7vvbbo6eih...', true, Object(WebRequest))

#16 E:\htdocs\mediawiki\includes\auth\AuthManager.php(2251): WebRequest->getSession()

#17 E:\htdocs\mediawiki\extensions\PluggableAuth\includes\PluggableAuthLogin.php(76): MediaWiki\Auth\AuthManager->getAuthenticationSessionData('PluggableAuthLo...')

#18 E:\htdocs\mediawiki\includes\specialpage\SpecialPage.php(522): PluggableAuthLogin->execute(NULL)

#19 E:\htdocs\mediawiki\includes\specialpage\SpecialPageFactory.php(568): SpecialPage->run(NULL)

[PluggableAuth] ERROR: return to URL is null or empty

MediaWiki::preOutputCommit: primary transaction round committed

MediaWiki::preOutputCommit: pre-send deferred updates completed

MediaWiki::preOutputCommit: LBFactory shutdown completed

[MessageCache] MessageCache::load: Loading en... local cache is empty, global cache is expired/volatile, loading from database

Unstubbing $wgParser on call of $wgParser::firstCallInit from MessageCache->transform

Parser: using preprocessor: Preprocessor_DOM

Unstubbing $wgLang on call of $wgLang::_unstub from ParserOptions->__construct

[gitinfo] Computed cacheFile=E:\htdocs\mediawiki/gitinfo.json for E:\htdocs\mediawiki

[gitinfo] Cache incomplete for E:\htdocs\mediawiki

OutputPage::sendCacheControl: private caching;  **

Request ended normally

[session] Saving all sessions on shutdown

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" data dirty due to dirty(): MediaWiki\Session\SessionManager->shutdown/session_write_close/MediaWiki\Session\PHPSessionHandler->write/MediaWiki\Session\Session->remove/MediaWiki\Session\SessionBackend->dirty

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" data dirty due to dirty(): MediaWiki\Session\SessionManager->shutdown/session_write_close/MediaWiki\Session\PHPSessionHandler->write/MediaWiki\Session\Session->remove/MediaWiki\Session\SessionBackend->dirty

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" save: dataDirty=1 metaDirty=0 forcePersist=0

195.82.130.6 (talkcontribs)

I solved this by switching http to https in $wgServer = "https://localhost";

Now, I have another question.

How can I add the newly created user to a group based on the role he has in Keycloak?

Cindy.cicalese (talkcontribs)

I'm glad that worked!

Right now, the only way to integrate external group information is to write an extension that implements PluggableAuth's PluggableAuthPopulateGroups hook. You can see an example in the SimpleSAMLphp extension.
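As an added illustration of the approach described in the reply above (this is example code, not part of the PluggableAuth, OpenID Connect or SimpleSAMLphp extensions), the following handler maps Keycloak roles onto MediaWiki groups from the PluggableAuthPopulateGroups hook. It assumes the hook hands the handler the authenticated User object, and it reads the role list from a hypothetical AuthManager session-data key, 'KeycloakRoles', that a wrapper of your own would have to populate; the OpenID Connect extension discussed here does not expose the token's role claims by itself. The role-to-group table is constructed for the example.

```php
<?php
// Added example, not code from the PluggableAuth or OpenID Connect extensions.
// Assumptions: (1) PluggableAuthPopulateGroups passes the authenticated User;
// (2) the Keycloak roles were stashed under the HYPOTHETICAL AuthManager
// session-data key 'KeycloakRoles' by a wrapper of your own.
// Registered in extension.json as
//   "Hooks": { "PluggableAuthPopulateGroups": "KeycloakGroupSync::onPopulateGroups" }

use MediaWiki\Auth\AuthManager;

class KeycloakGroupSync {

	/**
	 * Keycloak role => MediaWiki group (constructed for the example).
	 * Only the groups listed here are "managed": a group granted by hand on
	 * the wiki (e.g. 'bureaucrat') is never touched by this handler.
	 */
	private static $roleMap = [
		'wiki-admin'  => 'sysop',
		'wiki-editor' => 'editor',
	];

	public static function onPopulateGroups( User $user ) {
		$roles = AuthManager::singleton()->getAuthenticationSessionData( 'KeycloakRoles' );
		if ( !is_array( $roles ) ) {
			// Fail closed: with no role information, revoke the managed groups
			// rather than leave a stale privileged membership in place.
			$roles = [];
		}
		self::applyRoles( $user, $roles );
		return true;
	}

	/**
	 * Compute and apply the group changes for the given role list.
	 * Returns [ 'added' => [...], 'removed' => [...] ] so it can be tested
	 * independently of the hook.
	 */
	public static function applyRoles( User $user, array $roles ) {
		$wanted = [];
		foreach ( $roles as $role ) {
			if ( isset( self::$roleMap[$role] ) ) {
				$wanted[] = self::$roleMap[$role];
			}
		}
		$managed = array_values( self::$roleMap );
		$current = $user->getGroups();

		// Grant managed groups the IdP now asserts, revoke managed groups it no
		// longer asserts; leave everything outside $roleMap alone.
		$added   = array_values( array_diff( $wanted, $current ) );
		$removed = array_values( array_diff( array_intersect( $current, $managed ), $wanted ) );

		foreach ( $added as $group ) {
			$user->addGroup( $group );
		}
		foreach ( $removed as $group ) {
			$user->removeGroup( $group );
		}
		return [ 'added' => $added, 'removed' => $removed ];
	}
}
```

Syncing on every login (revoking as well as granting) is what makes the IdP the source of truth: a role removed in Keycloak takes effect at the next wiki login instead of lingering. Keep the map explicit rather than copying arbitrary role names into groups, so that a misconfigured realm cannot mint an unexpected privileged group on the wiki.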

207.61.101.254 (talkcontribs)

Hey there. I'm having what seems to be the exact same issue and the fix is NOT working. My wiki redirects the user to Keycloak where they can log in just fine, even create accounts. Once the user gets sent back to the wiki, however, Special:PluggableAuthLogin is completely blank, MediaWiki doesn't think the user is logged in (the area in the top-right still has a "Log in" link), and no users are created/updated in the MediaWiki database.

Keycloak is keeping track of the user's session just fine - I can see my account logged in through "mediawiki," username "alkaline." That all works nicely. But MediaWiki isn't actually logged in. Until I manually expire that session I can't re-login - clicking "Log in" just takes me straight back to that blank PluggableAuthLogin page.

However, every time I visit a page on my wiki when I log in, I see this in my Keycloak log, complaining about converting OpenID auth codes to tokens and the code being invalid.


03:18:23,380 WARN  [org.keycloak.protocol.oidc.utils.OAuth2CodeParser] (default task-31) Code '<redacted>' already used for userSession '<redacted>' and client '<redacted>'.

03:18:23,381 WARN  [org.keycloak.events] (default task-31) type=CODE_TO_TOKEN_ERROR, realmId=Bit Phoenix Software, clientId=mediawiki, userId=null, ipAddress=<redacted>, error=invalid_code, grant_type=authorization_code, code_id=<redacted>, client_auth_method=client-secret


I'm not sure what's causing this. I mean it sees the code as having "already being used for this session," could that indicate that the code is one-time use? I'm not super sure how OAuth/OpenID Connect works so I don't know exactly what the auth code is used for (other than the fact it's obviously used for....authorization.)

My options are very slim right now because I can't even get into my admin account for my wiki so if you go to the wiki <https://wiki.bitphoenixsoftware.com/> it's literally just as if you installed MediaWiki for the first time (minus the dark theme.)


I don't want to allow users to create an account DIRECTLY in the wiki, I want them going through Keycloak. We have other services on the website such as a forum and I want people logging in to only one account to get into everything. Logging in isn't mandatory, I just want users to be federated across the website. That is why you don't get automatically redirected to Keycloak right when you visit the wiki. People are able to read the wiki, just not edit it, when logged out.


Maybe this is an issue on Keycloak's side, maybe it's not. I don't know. I just know that searches for "mediawiki keycloak" only really bring me here so... might as well post here. Any help is greatly appreciated :)
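The Keycloak lines quoted in the post above ("Code ... already used for userSession", CODE_TO_TOKEN_ERROR, error=invalid_code) describe the authorization server's side of the exchange: an authorization code is bound to one client, one redirect URI and one user session, and it may be redeemed for tokens exactly once. The following PHP sketch is an added illustration of that rule, not code from Keycloak, MediaWiki or the extensions; the CodeStore class and the sample values are constructed for the example. It models a token endpoint that rejects a second redemption of the same code and, per RFC 6749 section 4.1.2, revokes the tokens already issued on it, which is the condition the Keycloak warning reports when the wiki's callback page processes the same ?code=... twice.

```php
<?php
// Added example: minimal in-memory model of an OAuth 2.0 token endpoint's
// authorization-code check. Not Keycloak's or the extension's code.

class CodeStore {
	/** code => record(client_id, redirect_uri, user_session, expires, used, tokens) */
	private $codes = [];

	/** Issue a short-lived code bound to the client, redirect URI and user session. */
	public function issue( string $clientId, string $redirectUri, string $userSession, int $now, int $ttl = 60 ): string {
		$code = bin2hex( random_bytes( 16 ) );
		$this->codes[$code] = [
			'client_id'    => $clientId,
			'redirect_uri' => $redirectUri,
			'user_session' => $userSession,
			'expires'      => $now + $ttl,
			'used'         => false,
			'tokens'       => [],
		];
		return $code;
	}

	/** Returns [ 'access_token' => ... ] on success or [ 'error' => ..., 'reason' => ... ]. */
	public function redeem( string $code, string $clientId, string $redirectUri, int $now ): array {
		if ( !isset( $this->codes[$code] ) ) {
			return [ 'error' => 'invalid_code', 'reason' => 'unknown code' ];
		}
		$rec =& $this->codes[$code];
		if ( $rec['used'] ) {
			// Single use. On reuse the server cannot tell which presenter is the
			// legitimate client, so RFC 6749 §4.1.2 says it SHOULD revoke the
			// tokens it already issued on this code. This is the
			// "already used for userSession" / CODE_TO_TOKEN_ERROR case.
			$rec['tokens'] = [];
			return [ 'error' => 'invalid_code', 'reason' => 'code already used for session ' . $rec['user_session'] ];
		}
		if ( $now > $rec['expires'] ) {
			return [ 'error' => 'invalid_code', 'reason' => 'expired' ];
		}
		if ( $rec['client_id'] !== $clientId ) {
			return [ 'error' => 'invalid_code', 'reason' => 'client mismatch' ];
		}
		if ( $rec['redirect_uri'] !== $redirectUri ) {
			return [ 'error' => 'invalid_code', 'reason' => 'redirect_uri mismatch' ];
		}
		$rec['used'] = true;
		$token = bin2hex( random_bytes( 16 ) );
		$rec['tokens'][] = $token;
		return [ 'access_token' => $token ];
	}

	/** Tokens still valid for a code (empty after a reuse triggers revocation). */
	public function activeTokens( string $code ): array {
		return $this->codes[$code]['tokens'] ?? [];
	}
}

// Walk-through mirroring the symptom in the thread: the callback URL carrying
// ?code=... is processed twice, e.g. a reload of a blank callback page.
$redirect = 'https://wiki.example/index.php/Special:PluggableAuthLogin'; // constructed
$store    = new CodeStore();
$code     = $store->issue( 'mediawiki', $redirect, 'sess-1', 1000 );
$first    = $store->redeem( $code, 'mediawiki', $redirect, 1001 ); // access_token issued
$second   = $store->redeem( $code, 'mediawiki', $redirect, 1002 ); // invalid_code, reuse
$stillValid = $store->activeTokens( $code );                        // [] after revocation
printf( "first: %s\nsecond: %s\ntokens left: %d\n",
	isset( $first['access_token'] ) ? 'token issued' : $first['error'],
	$second['error'] . ' (' . $second['reason'] . ')',
	count( $stillValid ) );
```

The practical consequence for a relying party such as the wiki is that the callback must be handled exactly once and must finish its own session setup before anything retries; an error after the code exchange (for instance the missing return-to URL noted later in this thread) leaves the user with a consumed code and a Keycloak session but no wiki login, which matches what the post describes.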

207.61.101.254 (talkcontribs)

Update: Enabled all the MediaWiki debug stuff and I'm getting similar errors to the OP. Namely

  • [PluggableAuth] ERROR: return to URL is null or empty


HOWEVER, this is different.

Wikimedia\Rdbms\DBQueryError: A database query error has occurred. Did you forget to run your application's database schema updater after upgrading?

Query: SELECT user_name FROM `wiki_user` WHERE subject = '<redacted>' AND issuer = 'https://auth.bitphoenixsoftware.com/auth/realms/bitphoenix/' LIMIT 1

I think I'm having a different issue here - and that would be that I didn't install the extension correctly. Looking in MySQL... The 'issuer' and 'subject' columns in wiki_user DO NOT exist.


Cindy.cicalese (talkcontribs)

> Once the user gets sent back to the wiki, however, Special:PluggableAuthLogin is completely blank . . .


That usually indicates that there is an error in the authentication workflow. When reporting an error, please be sure to include version information for MediaWiki and all relevant extensions as well as configuration information. Also, please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log (especially lines that begin [PluggableAuth] or [OpenID Connect]).

Cindy.cicalese (talkcontribs)

I just saw your most recent message above. It sounds like you did not run the maintenance/update.php script on your database after installing the extension (see Extension:OpenID_Connect#Installation). Also, you are using an older version of the extension. The subject and issuer columns were moved from the user table to a new openid_connect table in version 5.0 (see Extension:OpenID_Connect#Release_Notes).


MediaWiki SAML integration with SecureAuth

Sirajuddink (talkcontribs)

I have made all the required changes given in the URLs below:

Extension:SimpleSAMLphp and Extension:PluggableAuth. I have also downloaded and configured simplesamlphp from https://simplesamlphp.org/docs/stable/simplesamlphp-install#section_4.

My LocalSettings.php config:

wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'SimpleSAMLphp' );
$wgSimpleSAMLphp_InstallDir = '/var/www/html/extensions/SimpleSAMLphp/';
$wgSimpleSAMLphp_AuthSourceId = 'default-sp';
$wgSimpleSAMLphp_RealNameAttribute = 'cn';
$wgSimpleSAMLphp_EmailAttribute = 'mail';
$wgSimpleSAMLphp_UsernameAttribute = 'uid';
$wgPluggableAuth_Class = 'SimpleSAMLphp';
$wgPluggableAuth_EnableAutoLogin = false;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_EnableLocalLogin = false;
error_reporting( -1 );
ini_set( 'display_errors', 1 );
$wgResourceLoaderDebug = true;
$wgShowExceptionDetails = true;
$wgDebugLogFile= "/tmp/MediaWikiDebug.log";

After all the configuration, my wiki URL https://mydomain/index.php/Main_Page does get redirected to the SecureAuth console, but when I enter my username nothing happens; it does not redirect back to the wiki page with success.

Below are the Debug Logs:

IP: 100.121.36.17

Start request GET /index.php/Special:PluggableAuthLogin

HTTP HEADERS:

HOST: wiki.mydomain.com

X-REQUEST-ID: 733039bc730bc801d15bc512dde451f1

X-REAL-IP: 10.30.1.151

X-FORWARDED-FOR: 10.30.1.151

X-FORWARDED-HOST: wiki.mydomain.com

X-FORWARDED-PORT: 443

X-FORWARDED-PROTO: https

X-ORIGINAL-URI: /index.php/Special:PluggableAuthLogin

X-SCHEME: https

CACHE-CONTROL: max-age=0

UPGRADE-INSECURE-REQUESTS: 1

USER-AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36

ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

ACCEPT-ENCODING: gzip, deflate, br

ACCEPT-LANGUAGE: en,en-US;q=0.9

COOKIE: dev_mediawikiUserName=Admin; dev_mediawiki_session=cgrqhtumtqmn6tumb5etp1ftvfp3gqap; SimpleSAML=73f1cbd44c130ec20bc3bd52e7851977; SimpleSAMLAuthToken=_e2395383d0d8082eb8d52bff43ef03dfd3a9d7dffd

[caches] cluster: APCUBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: APCUBagOStuff, session: SqlBagOStuff

[caches] LocalisationCache: using store LCStoreDB

[session] Session "cgrqhtumtqmn6tumb5etp1ftvfp3gqap" requested without UserID cookie

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection.

[DBReplication] Cannot use ChronologyProtector with EmptyBagOStuff.

[DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info {

    "IPAddress": "100.101.66.17",

    "UserAgent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.67 Safari\/537.36",

    "ChronologyProtection": false,

    "ChronologyPositionIndex": 0

}

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'mediawiki-db.mydomain.com'.

[SQLBagOStuff] Connection 12803 will be used for SqlBagOStuff

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'mediawiki-db.mydomain.com'.

[PluggableAuth] In execute()

[PluggableAuth] Getting PluggableAuth singleton

[PluggableAuth] Class name: SimpleSAMLphp

[session] Saving all sessions on shutdown

[session] SessionBackend "2a9beabc348b45cdba9e41e80088a4b3" is unsaved, marking dirty in constructor

[session] SessionBackend "2a9beabc348b45cdba9e41e80088a4b3" save: dataDirty=1 metaDirty=1 forcePersist=0

[session] SessionBackend "2a9beabc348b45cdba9e41e80088a4b3" force-persist due to persist()

[session] SessionBackend "2a9beabc348b45cdba9e41e80088a4b3" save: dataDirty=0 metaDirty=1 forcePersist=1

[DBPerformance] Expectation (writes <= 0) by MediaWiki::main not met (actual: 1):

query-m: REPLACE INTO `objectcache` (keyname,value,exptime) VALUES ('X')

#0 /var/www/html/includes/libs/rdbms/TransactionProfiler.php(219): Wikimedia\Rdbms\TransactionProfiler->reportExpectationViolated('writes', 'query-m: REPLAC...', 1)

#1 /var/www/html/includes/libs/rdbms/database/Database.php(1256): Wikimedia\Rdbms\TransactionProfiler->recordQueryCompletion('query-m: REPLAC...', 1541216062.8476, true, 1)

#2 /var/www/html/includes/libs/rdbms/database/Database.php(1151): Wikimedia\Rdbms\Database->doProfiledQuery('REPLACE INTO `o...', 'REPLACE /* SqlB...', true, 'SqlBagOStuff::s...')

#3 /var/www/html/includes/libs/rdbms/database/Database.php(2741): Wikimedia\Rdbms\Database->query('REPLACE INTO `o...', 'SqlBagOStuff::s...')

#4 /var/www/html/includes/libs/rdbms/database/DatabaseMysqlBase.php(516): Wikimedia\Rdbms\Database->nativeReplace('`objectcache`', Array, 'SqlBagOStuff::s...')

#5 /var/www/html/includes/objectcache/SqlBagOStuff.php(361): Wikimedia\Rdbms\DatabaseMysqlBase->replace('objectcache', Array, Array, 'SqlBagOStuff::s...')

#6 /var/www/html/includes/objectcache/SqlBagOStuff.php(376): SqlBagOStuff->setMulti(Array, 1541219662)

#7 /var/www/html/includes/libs/objectcache/CachedBagOStuff.php(65): SqlBagOStuff->set('dev_mediawiki:M...', Array, 1541219662, 1)

#8 /var/www/html/includes/session/SessionBackend.php(738): CachedBagOStuff->set('dev_mediawiki:M...', Array, 1541219662, 1)

#9 /var/www/html/includes/session/SessionBackend.php(607): MediaWiki\Session\SessionBackend->save()

#10 /var/www/html/includes/session/SessionBackend.php(291): MediaWiki\Session\SessionBackend->autosave()

#11 /var/www/html/includes/session/Session.php(127): MediaWiki\Session\SessionBackend->persist()

#12 /var/www/html/includes/session/PHPSessionHandler.php(357): MediaWiki\Session\Session->persist()

#13 [internal function]: MediaWiki\Session\PHPSessionHandler->write('2a9beabc348b45c...', 'a:0:{}')

#14 /var/www/html/includes/session/SessionManager.php(470): session_write_close()

#15 [internal function]: MediaWiki\Session\SessionManager->shutdown()

#16 {main}

[DBConnection] Wikimedia\Rdbms\{closure}: closing connection to database 'mediawiki-db.dev.mydomain.com'.

[DBConnection] Wikimedia\Rdbms\{closure}: closing connection to database 'mediawiki-db.dev.mydomain.com'.

wfClientAcceptsGzip: client accepts gzip.

MediaWiki\OutputHandler::handleGzip() is compressing output

Please guide @Cindy.cicalese

Cindy.cicalese (talkcontribs)

Error: redirect_uri_mismatch

Summary by Cindy.cicalese

Fixed format of redirect URL

Jainam.mehta (talkcontribs)

400. That’s an error.

Error: redirect_uri_mismatch

The redirect URI in the request, 

does not match the ones authorized for the OAuth client. 

I implemented OpenID Connect with PluggableAuth.

I am not able to configure it; I have been stuck on the above error for the last 3 days.

CONNECTION: keep-alive

UPGRADE-INSECURE-REQUESTS: 1

[caches] cluster: EmptyBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: SqlBagOStuff, parser: EmptyBagOStuff, session: SqlBagOStuff

[caches] LocalisationCache: using store LCStoreCDB

[session] Session "9beliv3oc7v4u04reduto5m6khu9dpgv" requested without UserID cookie

[DBConnection] Connected to database 0 at 'localhost'.

[SQLBagOStuff] Connection 351 will be used for SqlBagOStuff

Fully initialised

[session] SessionBackend "9beliv3oc7v4u04reduto5m6khu9dpgv" data dirty due to dirty(): OpenIDConnectClient->requestAuthorization/session_commit/MediaWiki\Session\PHPSessionHandler->write/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty

[session] SessionBackend "9beliv3oc7v4u04reduto5m6khu9dpgv" data dirty due to dirty(): OpenIDConnectClient->requestAuthorization/session_commit/MediaWiki\Session\PHPSessionHandler->write/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty

[session] SessionBackend "9beliv3oc7v4u04reduto5m6khu9dpgv" save: dataDirty=1 metaDirty=0 forcePersist=0

[DBPerformance] Expectation (writes <= 0) by MediaWiki::main not met:

query-m: REPLACE INTO `ops_objectcache` (keyname,value,exptime) VALUES ('X')

#0 C:\xampp\htdocs\trunk\oim\includes\libs\rdbms\TransactionProfiler.php(215): TransactionProfiler->reportExpectationViolated('writes', 'query-m: REPLAC...')

#1 C:\xampp\htdocs\trunk\oim\includes\libs\rdbms\database\Database.php(958): TransactionProfiler->recordQueryCompletion('query-m: REPLAC...', 1502213335.2084, true, 2)

#2 C:\xampp\htdocs\trunk\oim\includes\libs\rdbms\database\Database.php(870): Database->doProfiledQuery('REPLACE INTO `o...', 'REPLACE /* SqlB...', true, 'SqlBagOStuff::s...')

#3 C:\xampp\htdocs\trunk\oim\includes\libs\rdbms\database\Database.php(2148): Database->query('REPLACE INTO `o...', 'SqlBagOStuff::s...')

#4 C:\xampp\htdocs\trunk\oim\includes\libs\rdbms\database\DatabaseMysqlBase.php(486): Database->nativeReplace('`ops_objectcach...', Array, 'SqlBagOStuff::s...')

#5 C:\xampp\htdocs\trunk\oim\includes\objectcache\SqlBagOStuff.php(365): DatabaseMysqlBase->replace('objectcache', Array, Array, 'SqlBagOStuff::s...')

#6 C:\xampp\htdocs\trunk\oim\includes\objectcache\SqlBagOStuff.php(380): SqlBagOStuff->setMulti(Array, 1502216935)

#7 C:\xampp\htdocs\trunk\oim\includes\libs\objectcache\CachedBagOStuff.php(65): SqlBagOStuff->set('trunk_wiki_db-o...', Array, 1502216935, 1)

#8 C:\xampp\htdocs\trunk\oim\includes\session\SessionBackend.php(737): CachedBagOStuff->set('trunk_wiki_db-o...', Array, 1502216935, 1)

#9 C:\xampp\htdocs\trunk\oim\includes\session\Session.php(616): MediaWiki\Session\SessionBackend->save()

#10 C:\xampp\htdocs\trunk\oim\includes\session\PHPSessionHandler.php(320): MediaWiki\Session\Session->save()

#11 [internal function]: MediaWiki\Session\PHPSessionHandler->write('9beliv3oc7v4u04...', 'a:7:{s:14:"wsTo...')

#12 C:\xampp\htdocs\trunk\oim\extensions\OpenIDConnect\vendor\jumbojett\openid-connect-php\OpenIDConnectClient.php(471): session_commit()

#13 C:\xampp\htdocs\trunk\oim\extensions\OpenIDConnect\vendor\jumbojett\openid-connect-php\OpenIDConnectClient.php(286): OpenIDConnectClient->requestAuthorization()

#14 C:\xampp\htdocs\trunk\oim\extensions\OpenIDConnect\OpenIDConnect.class.php(151): OpenIDConnectClient->authenticate()

#15 C:\xampp\htdocs\trunk\oim\extensions\PluggableAuth\PluggableAuthLogin.php(45): OpenIDConnect->authenticate(NULL, NULL, NULL, NULL, NULL)

#16 C:\xampp\htdocs\trunk\oim\includes\specialpage\SpecialPage.php(522): PluggableAuthLogin->execute(NULL)

#17 C:\xampp\htdocs\trunk\oim\includes\specialpage\SpecialPageFactory.php(576): SpecialPage->run(NULL)

#18 C:\xampp\htdocs\trunk\oim\includes\MediaWiki.php(283): SpecialPageFactory::executePath(Object(Title), Object(RequestContext))

#19 C:\xampp\htdocs\trunk\oim\includes\MediaWiki.php(851): MediaWiki->performRequest()

#20 C:\xampp\htdocs\trunk\oim\includes\MediaWiki.php(512): MediaWiki->main()

#21 C:\xampp\htdocs\trunk\oim\index.php(43): MediaWiki->run()

#22 {main}

[session] Saving all sessions on shutdown

[DBReplication] LBFactory::getChronologyProtector: using request info {

    "IPAddress": "180.211.111.116",

    "UserAgent": "Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko\/20100101 Firefox\/55.0",

    "ChronologyProtection": false

}

[DBConnection] Closing connection to database 'localhost'.

Cindy.cicalese (talkcontribs)

When you configure your identity provider, it asks for a redirect URI. You need to set that to the full URL to the Special:PluggableAuthLogin page. The exact format of that URL will depend upon your configuration. You need to figure out what URI it is actually sending and configure your endpoint to match that. If you need further help, please provide the version of all relevant software, including the PHP OpenID Connect library.

Jainam.mehta (talkcontribs)

Hello @Cindy.cicalese, thank you so much for your answer. In the Google OAuth provider, in the credentials tab, I have set

http://<wiki URL>/index.php/Special:UserLogin

http://<wiki URL>/index.php/Special:UserLogin

the above 2 as Authorised redirect URIs and that started working!

I have one query: will the OpenID Connect library work with a custom authorization provider? We have custom requirements to use open source tools to make SSO for MediaWiki and ServiceNow so our customers can log in with the same credentials.

It would be really great if you could guide me on configuring OpenID_Connect for an open SSO provider like http://www.josso.org/ or some other open SSO.

Thank you

Cindy.cicalese (talkcontribs)

I'm glad to hear that it is working now.

The page you point to for JOSSO states that it supports OpenID Connect, so assuming that it is an accurate implementation of the spec, you should be able to configure the OpenID Connect extension to work with it. If for any reason that does not work, JOSSO also claims to support SAML, so you could try the SimpleSAMLphp extension.

Jainam.mehta (talkcontribs)

@Cindy.cicalese Thank you so much for answering my query regarding JOSSO. I will try implementing it with MediaWiki and update here so others can take reference.

I have seen Extension:SimpleSAMLphp also, but there is very little description of how to implement it with MediaWiki.

As I am new to MediaWiki, it might be difficult to understand.

Thank you.

Problems using newer versions of jumbojett/openid-connect-php

Summary by Cindy.cicalese

Updated to new release of OpenID Connect PHP library

HerrTaschenbier (talkcontribs)

I was using OpenID Connect with mediawiki 1.28.2. For some reason I was installing jumbojett/openid-connect-php:0.1.0 manually during installation. Everything was working fine.

With the update to 1.29.1 I figured out that this line was unnecessary because the dependencies are already listed in the composer.json coming with this extension. So I removed it from my Dockerfile (I'm using Docker).

After installation, login didn't work. I switched back to my 1.28.2 build (worked before), removed the same line from my Dockerfile. Similar issue.

I came to the conclusion that the version of jumbojett/openid-connect-php was causing this issue.

I temporarily solved it by editing the composer.json of the "OpenID Connect" extension, requiring version 0.1.0 instead of *.

Does anybody have the same issue?

----------

concrete information:

oAuth server: Gluu Identity Appliance 2.4.4.sp2 (shouldn't matter I guess)

I have this on for debugging:

$wgDebugToolbar = true;

$wgDevelopmentWarnings = true;

$wgShowExceptionDetails = true;

$wgShowDBErrorBacktrace = true;

$wgShowSQLErrors = true;

--------------------------------------------------

mw vers: 1.28.2

OpenID vers: 3.0 (648beef)

Pluggable Auth vers: 2.0 (cdb0435)

jumbojett/openid-connect-php:0.1.0:

- works fine

jumbojett/openid-connect-php:0.3.0:

- doesn't work

- get the oAuth login page if the cookie isn't set

- get redirected to "http://wiki.local/index.php/Spezial:PluggableAuthLogin?code=..." (url includes user_id etc.) if oAuth cookie is set

- get this error message at the top of the page 2x:

"Notice: Did not find alias for special page 'PluggableAuthLogin'. Perhaps no aliases are defined for it? [Called from SpecialPageFactory::getLocalNameFor in /var/www/html/wiki/includes/specialpage/SpecialPageFactory.php at line 692] in /var/www/html/wiki/includes/debug/MWDebug.php on line 311"

--------------------------------------------------

mw vers: 1.29.1

OpenID vers: 4.0 (648beef)

Pluggable Auth vers: 4.0 (cdb0435)

jumbojett/openid-connect-php:0.1.0:

- seems to work

jumbojett/openid-connect-php:0.3.0:

- doesn't work

- get the oAuth login page if the cookie isn't set

- get redirected to "http://wiki.local/index.php/Spezial:PluggableAuthLogin?code=..." (url includes user_id etc.) if oAuth cookie is set

- no error visible

- from debug log:

OpenIDConnectClientException: Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client. in /var/www/html/wiki/vendor/jumbojett/openid-connect-php/OpenIDConnectClient.php:228

Stack trace:

#0 /var/www/html/wiki/extensions/OpenIDConnect/OpenIDConnect.class.php(151): OpenIDConnectClient->authenticate()

#1 /var/www/html/wiki/extensions/PluggableAuth/PluggableAuthLogin.php(45): OpenIDConnect->authenticate(NULL, NULL, NULL, NULL, NULL)

#2 /var/www/html/wiki/includes/specialpage/SpecialPage.php(522): PluggableAuthLogin->execute(NULL)

#3 /var/www/html/wiki/includes/specialpage/SpecialPageFactory.php(578): SpecialPage->run(NULL)

#4 /var/www/html/wiki/includes/MediaWiki.php(287): SpecialPageFactory::executePath(Object(Title), Object(RequestContext))

#5 /var/www/html/wiki/includes/MediaWiki.php(862): MediaWiki->performRequest()

#6 /var/www/html/wiki/includes/MediaWiki.php(523): MediaWiki->main()

#7 /var/www/html/wiki/index.php(43): MediaWiki->run()

#8 {main}

Cindy.cicalese (talkcontribs)

There were some necessary fixes made to the library that are available on the dev branch, so earlier this month I patched the extension to use that version of the library. If you checkout the head of the master branch of the extension (currently 2983431ea864), you should see that composer.json specifies dev-master for the library. I have tested this under MediaWiki 1.29.

HerrTaschenbier (talkcontribs)

I would feel a bit uncomfortable using the dev branch. The docker container would always run the latest development version when rebuilding.

There is an issue on GitHub requesting a new release for composer. I guess I'll wait until the new version is released before upgrading.

Thank you for your answer.

Cindy.cicalese (talkcontribs)

Yes, I agree completely. I struggled with the decision to update to the dev branch, but since the last release was no longer working, I made the change. I will switch back once there is a working composer release. Feel free to ping me if I miss a release announcement.

HerrTaschenbier (talkcontribs)

Hi, I decided to update to Mediawiki 1.30.0 since I don't believe that there will be a new release for jumbojett/openid-connect-php any time soon.

Now I'm using Mediawiki 1.30 + (updated) Extensions.

OpenID Connect 4.0 (2983431)

PluggableAuth    5.2 (2528a75)

Everything else is unchanged. When I try to login now, I get this error message:

Error from line 130 of /var/www/html/wiki/extensions/OpenIDConnect/OpenIDConnect.class.php: Class 'OpenIDConnectClient' not found

Adding "use \Jumbojett\OpenIDConnectClient;" to the beginning of OpenIDConnect.class.php seems to be working. However I was rather confused because:

1. I don't think you would miss such an obvious bug

and 2. I compared this version of the extension with the one I'm currently using and there is not much of a difference.

There was no "use \Jumbojett\OpenIDConnectClient;" in the old version either and yet it works. I'm too inexperienced to find the cause of this problem. I figured that "require "{$IP}/vendor/autoload.php";" is (?) important to load the library. I'm already using this in my config (before I load PluggableAuth and OpenIDConnect). Am I missing something obvious?

Cindy.cicalese (talkcontribs)

The namespace was added to the jumbojett library after version 4.0 of the extension was released, so the older versions of the extension did not need that line of code. I added the line to include the namespace on January 20, so if you get "master" from git you should get it. But, I see that I forgot to bump the version number to 4.1, tag the release, and update the documentation page. Thank you for bringing this to my attention! I will add that to my to do list.

However, you should not need to require the autoload file. That is handled automatically by the composer autoloader.

Cindy.cicalese (talkcontribs)

Release version 4.1 is now tagged.

HerrTaschenbier (talkcontribs)

So I guess my problem came from the extension requiring master-dev (which you needed to do because there was no new tag for the jumbojett library). When the library updated, the extension broke, because it didn't use the newly added namespace, right?

When I was searching for the root of the problem, I took a look at the composer.json. Currently it looks like this:

<--snip-->

    "repositories": [
        {
            "url": "https://github.com/jumbojett/OpenID-Connect-PHP.git",
            "type": "git"
        }
    ],
    "require": {
        "jumbojett/openid-connect-php": "dev-master"
    },

<--snip-->

I did a quick Google search and found this. If I understand this correctly, you can clone the library directly from git via composer and require a specific version. Not just a branch but also a tag or a specific commit (via hash).

Wouldn't your extension be more reliable, if you tested your extension with a specific version of the library and then require this specific commit instead of master-dev? At least until a new version of the jumbojett library is released.

Anyway thank you very much for your fast reply and the new version :)

Cindy.cicalese (talkcontribs)

Yes, I wrestled with whether or not to do that. Since we're using the dev branch, I didn't want to preclude users from getting bug fixes with more recent versions, but I also would like to prevent them from getting bugs from more recent versions. You are correct that pinning to a known good version would probably be best. That version can always be reevaluated and bumped with future releases of the extension. If there is a particular recent git tag that is working well for you, please feel free to suggest it or, better, submit a patch in gerrit to the composer.json file changing the require statement. Thanks!

HerrTaschenbier (talkcontribs)
Cindy.cicalese (talkcontribs)

Excellent! Thanks for letting me know. I will switch back to using the released version of the code as soon as I get a chance to test it and make the change.

Summary by Cindy.cicalese

Authorization is extensible from the parent extension, PluggableAuth.

HerrTaschenbier (talkcontribs)

I'm currently facing the problem of needing to restrict the access to my wiki. I have an identity provider with multiple users, only some of them should be able to access the wiki. OpenID Connect (and my identity provider) supports authorization.

I'm currently evaluating possible solutions. If I'm not mistaken, this extension only supports authentication, but no authorization.

Is there generally a chance of getting authorization functionality with this extension? I might contribute code to this extension to implement this feature, if I decide that this is my best option. But before making this decision I would like to know if you want to have this feature at all or if this extension should just do authentication and nothing more.

Cindy.cicalese (talkcontribs)

This extension depends on Extension:PluggableAuth, which supports both authentication as well as authorization for exactly the scenario you describe: your identity provider can authenticate many users, but only a subset of them are authorized to use a given wiki. PluggableAuth can be configured with one authentication plugin and zero or more authorization plugins. There are currently two authorization extensions that work with PluggableAuth: Extension:Email Authorization and Extension:LDAP Authorization. And, it is not difficult to create your own authorization extension if your domain supports another authorization approach.

HerrTaschenbier (talkcontribs)

Thank you for your answer, I totally missed that. I was only looking at the OpenID extension and didn't think about PluggableAuth, because I'm using OpenID for authorization too.

Now that you explained this to me, this makes more sense to me. Authorization and authentication are two separate things, handled by two (or more) extensions, which allows more combinations. Like authentication via OpenID Connect but authorization via email address.

For my case, I would need to create an extension, which handles authorization via OpenID Connect.

I'll take a look at it and decide.

Cindy.cicalese (talkcontribs)

Great! If you need any modifications to the OpenID Connect extension to make sure that sufficient information is available to your authorization extension without requiring additional network requests, feel free to propose a patch. It would be great if you were to open source your resulting authorization extension!

Summary by Cindy.cicalese

Fixed in version 5.1

83.161.131.201 (talkcontribs)

Hi Cindy!

When configuring Keycloak and Mediawiki to work together I'm running into the following issue:

- My wiki lives at wiki.internal.domain.com, but is exposed to the world at wiki.domain.com

- My Keycloak lives at auth.domain.com

The configuration for Mediawiki looks like this:

// This is required for the authentication plugins below

$wgGroupPermissions['*']['createaccount'] = false;

$wgGroupPermissions['*']['autocreateaccount'] = true;

// Pluggable authentication

wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_EnableAutoLogin = true;

$wgPluggableAuth_EnableLocalLogin = true;

$wgPluggableAuth_EnableLocalProperties = false;

#$wgPluggableAuth_ButtonLabelMessage =

#$wgPluggableAuth_ButtonLabel = null;

#$wgPluggableAuth_ExtraLoginFields = [];

#$wgPluggableAuth_Class = 'OpenIDConnect';

// OpenID connect

wfLoadExtension( 'OpenIDConnect' );

$wgOpenIDConnect_Config['https://auth.domain.com/auth/realms/myfirstrealm'] = [

   'clientID' => 'wiki',

   'clientsecret' => 'somesecret',

   'name' => 'Domain.com SSO',

];

$wgOpenIDConnect_UseRealNameAsUserName = false;

$wgOpenIDConnect_UseEmailNameAsUserName = false;

$wgOpenIDConnect_MigrateUsersByUserName = true;

$wgOpenIDConnect_MigrateUsersByEmail = true;

$wgOpenIDConnect_ForceLogout = false;

The configuration for Keycloak is basically default, with the exception of the Redirect URL (which points to https://wiki.domain.com/index.php/Special:PluggableAuthLogin)

When trying to login I am properly redirected to the Keycloak login page, but I receive an error that the redirect URL is invalid. When inspecting the URL I see that the redirect URL given to Keycloak (from Mediawiki) is https://wiki.internal.domain.com on which it is not reachable.

However, the baseURL I have configured for Mediawiki is https://wiki.domain.com and not the internal name:

## The protocol and server name to use in fully-qualified URLs

$wgServer           = "https://wiki.domain.com";

Am I missing something?

Thanks in advance!

Cindy.cicalese (talkcontribs)

I have a similar setup where there is a different internal and external name for a wiki, and it works correctly. But, there must be something different in the configuration. I think that the code in question might be in the getRedirectURL() function in PHP OpenID Connect library: https://github.com/jumbojett/OpenID-Connect-PHP/blob/master/src/OpenIDConnectClient.php#L511. If the redirect URL has not been explicitly set using setRedirectURL(), the code creates the redirect URL from elements of the $_SERVER variable. You could try adding some debugging in there to see if that's the case and if it is getting the internal URL from that code. If so, we could add an additional optional configuration variable to OpenID Connect which would be used to call setRedirectURL() in cases like this.

83.161.131.201 (talkcontribs)

Hi Cindy,

Right on the spot! I've added the following line to the function you mention:

error_log (sprintf('%s://%s%s/%s', $protocol, $host, $port, @trim(reset(explode("?", $_SERVER['REQUEST_URI'])), '/')));

And the output in the apache errorlog is:

[Fri Sep 21 19:53:22.703986 2018] [:error] [pid 27074] [client 10.1.2.37:50938] https://wiki.internal.domain.com/index.php/Special:PluggableAuthLogin, referer: https://wiki.domain.com/index.php/Special:UserLogin

So, the next step I did was basically hardcoding the URL I wanted to see in the function:

return sprintf('%s', 'https://wiki.domain.com/index.php/Special:PluggableAuthLogin');

And bingo! Works like a charm now.

With regards to the solution, I'd go for always returning the wgServer URL, as that is supposed to designate 'where the wiki lives'. I don't really see a usecase for making it a configurable item in the extension.

Cindy.cicalese (talkcontribs)
83.161.131.201 (talkcontribs)

Hi Cindy,

Thanks for this patch! I have reverted the 'hack' I made in the library above; after installing this new version (don't forget to run update.php ^_^) it works!

Cindy.cicalese (talkcontribs)

Excellent! That's good to hear. Thanks for testing!

keeps asking for login even after successful authentication

Summary by Cindy.cicalese

Reinstalling the extension fixed the problem.

Harish mw (talkcontribs)

Hi,

I am trying to use Google as the authentication provider. Even after successful authentication, I do not see a logged-in status at the top of the page, and it keeps asking for the login.

The versions I use are:

MediaWiki 1.31.0
OpenID Connect 4.1 (baea47f)

The settings I use to configure it are:

wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_ButtonLabel = "Login using Google Id";

$wgPluggableAuth_EnableLocalLogin = false;

$wgPluggableAuth_Class = "OpenIDConnect";

wfLoadExtension( 'OpenIDConnect' );

$wgOpenIDConnect_Config['https://accounts.google.com'] = [

    'clientID' => '<id>.apps.googleusercontent.com',

    'clientsecret' => '<secret>',

    'scope' => [ 'openid', 'profile', 'email' ]

];

$wgOpenIDConnect_UseEmailNameAsUserName = true;

$wgOpenIDConnect_MigrateUsersByUserName = true;

$wgOpenIDConnect_MigrateUsersByEmail = true;

$wgOpenIDConnect_ForceLogout = false;

What I think is wrong is:

My URL structure is like this:

http://example.org/w/index.php?title=Page_title

I read in the known bugs section that this may not work for OpenID Connect, but there is no clear guidance on how to achieve short URLs.

Please help! Thanks.

Cindy.cicalese (talkcontribs)
Harish mw (talkcontribs)

Hi Cindy,

I used the patch you provided, but the login state still remains "Not logged in".

My home page URL is:

https://www.domain.com/wiki/index.php/Main_Page

I set the redirect URL in the Google client as:

https://www.domain.com/wiki/index.php/Special:PluggableAuthLogin

When I click on the login button it takes me to the Google login page and everything works fine, but after the Google login I get this page (which is empty, and the login state is still not logged in):

https://www.domain.com/wiki/index.php/Special:PluggableAuthLogin?state=e43e1fa3162ba32bbcc7709122cfd081&code=4/fQAzWMIvBIeO9gUDXCDfUjoPcA9JJ72l1eMBzVDOmTe6WswQe7r6BG2lShBIJolseRrqSkzFUOYlA7BPBjQou4g&scope=https://www.googleapis.com/auth/userinfo.email+https://www.googleapis.com/auth/plus.me+https://www.googleapis.com/auth/userinfo.profile&authuser=0&session_state=036a6db7a7a2a42a08d2c16a5de79d5efb680e96..cb20&prompt=none

I don't know what I am doing wrong.

Regards,

Harish Kumar

Cindy.cicalese (talkcontribs)
Cindy.cicalese (talkcontribs)
Harish mw (talkcontribs)

Hi Cindy,

I enabled the debug log and I saw this error message:

[DBQuery] SQL ERROR: Table 'domain_c.wiki_openid_connect' doesn't exist (domain.com.mysql)

[OpenID Connect] Wikimedia\Rdbms\DBQueryError: A database query error has occurred. Did you forget to run your application's database schema updater after upgrading?

Query: SELECT  user_id,user_name  FROM `wiki_user` JOIN `wiki_openid_connect` ON ((user_id=oidc_user))   WHERE oidc_subject = '112483205729160165553' AND oidc_issuer = 'https://accounts.google.com'  LIMIT 1  

Function: OpenIDConnect::findUser

Error: 1146 Table 'domain_c.wiki_openid_connect' doesn't exist (domain.com.mysql)

Based on the error message above, it looks like no database tables were created. So I started reinstalling MediaWiki from the beginning. But during the "Upgrading existing installation" step I got the following error:

Creating openid_connect table ...

An error occurred:

Could not open "/customers/0/5/0/domain.com/httpd.www/wiki/extensions/OpenIDConnect/sql/mysql/AddTable.sql"

I checked in the extensions directory under OpenIDConnect/sql/... There is no directory called mysql.

The OpenIDConnect extension I downloaded also does not have the file AddTable.sql.

Please let me know if my understanding is wrong. Why does the download not have the file AddTable.sql?

Cindy.cicalese (talkcontribs)

The first error was caused by not running the update.php maintenance script. The second error is odd, almost like you are running the wrong version of the update code. Whatever the cause, that problem should be fixed if you upgrade to version 5.0 of the extension or master from git. If you use Extension Distributor, get the 1.32 version, not the 1.31 version. It will work with MediaWiki 1.31, regardless.

Harish mw (talkcontribs)

Hi Cindy,

I reinstalled the extension from the master version and now everything works fine :-)

Thank you..

Cindy.cicalese (talkcontribs)

Excellent!

34.192.31.106 (talkcontribs)

Hi Cindy! My organization uses Google Apps as an SSO, and I'm trying to use OpenIDConnect to provide authentication to our wiki. I've been able to manage to follow the Google example in the documentation and get it set up with the basics, but we would like to be able to restrict logins to just people with email addresses on our domains. Does this plugin have a facility to do so? If not, do you have any instructions for how to use both this plugin (for an internal OpenIDC server) and the GoogleLogin extension (which can restrict by an array of domains?)

Cindy.cicalese (talkcontribs)

I wrote another extension for exactly that purpose :-) Extension:Email Authorization. You can add individual email addresses or you can specify an entire domain with "@mycompany.com".

34.192.31.106 (talkcontribs)

Excellent, thank you!


The provider authorization_endpoint has not been set.

Summary by Cindy.cicalese

The correct format of the URL in $wgOpenIDConnect_Config for Keycloak is https://{keycloak_server:port}/auth/realm/{your_realm}.

Grady74 (talkcontribs)

Running into an issue where it seems like my configuration is not being pushed from OpenID Connect to Jumbojett\OpenIDConnectClient->authenticate().

This causes it never to try to redirect over to my IdP.

Debug:

  • HTTP HEADERS: UPGRADE-INSECURE-REQUESTS: 1 CONNECTION: keep-alive DNT: 1 COOKIE: _ga=GA1.2.214285112.1516134706; mediawiki_mw_UserName=Admin; VEE=visualeditor; mediawiki_mw__session=k21i5dcg2m9nilgc01c1jc1rarhs3nog; cpPosTime=1522098488.3307 REFERER: http://{redacted}/wiki/Special:PluggableAuthLogin ACCEPT-ENCODING: gzip, deflate ACCEPT-LANGUAGE: en-US,en;q=0.5 ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 USER-AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 HOST: {redacted} CONTENT-LENGTH:
  • [caches] cluster: EmptyBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: SqlBagOStuff, session: SqlBagOStuff
  • [caches] LocalisationCache: using store LCStoreDB
  • [session] Session "k21i5dcg2m9nilgc01c1jc1rarhs3nog" requested without UserID cookie
  • [DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info { "IPAddress": "{redacted}", "UserAgent": "Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko\/20100101 Firefox\/52.0", "ChronologyProtection": false }
  • [DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection.
  • [DBConnection] Connected to database 0 at '172.17.0.2'.
  • [DBQuery] mediawiki SHOW /* Wikimedia\Rdbms\DatabaseMysqlBase::serverIsReadOnly */ GLOBAL VARIABLES LIKE 'read_only'
  • [SQLBagOStuff] Connection 1297 will be used for SqlBagOStuff
  • [DBQuery] mediawiki SELECT /* SqlBagOStuff::getMulti */ keyname,value,exptime FROM `mw_objectcache` WHERE keyname = 'mediawiki-mw_:MWSession:k21i5dcg2m9nilgc01c1jc1rarhs3nog'
  • [smw] [mw.db] connection provider with {"read":-1,"write":-2}
  • [DBConnection] Connected to database 0 at '172.17.0.2'.
  • [DBQuery] mediawiki BEGIN /* Wikimedia\Rdbms\Database::query (LCStoreDB::get) */
  • [DBQuery] mediawiki SELECT /* LCStoreDB::get */ lc_value FROM `mw_l10n_cache` WHERE lc_lang = 'en' AND lc_key = 'deps' LIMIT 1
  • [DBQuery] mediawiki SELECT /* LCStoreDB::get */ lc_value FROM `mw_l10n_cache` WHERE lc_lang = 'en' AND lc_key = 'list' LIMIT 1
  • [DBQuery] mediawiki SELECT /* LCStoreDB::get */ lc_value FROM `mw_l10n_cache` WHERE lc_lang = 'en' AND lc_key = 'preload' LIMIT 1
  • [DBQuery] mediawiki SELECT /* LCStoreDB::get */ lc_value FROM `mw_l10n_cache` WHERE lc_lang = 'en' AND lc_key = 'preload' LIMIT 1
  • [DBQuery] mediawiki SELECT /* LCStoreDB::get */ lc_value FROM `mw_l10n_cache` WHERE lc_lang = 'en' AND lc_key = 'specialPageAliases' LIMIT 1
  • [DBQuery] mediawiki SELECT /* LCStoreDB::get */ lc_value FROM `mw_l10n_cache` WHERE lc_lang = 'en' AND lc_key = 'namespaceGenderAliases' LIMIT 1
  • 0.1010 2.0M Jumbojett\OpenIDConnectClientException: The provider authorization_endpoint has not been set. Make sure your provider has a well known configuration available. in /var/www/w/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php:376 Stack trace: #0 /var/www/w/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(455): Jumbojett\OpenIDConnectClient->getProviderConfigValue('authorization_e...') #1 /var/www/w/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(298): Jumbojett\OpenIDConnectClient->requestAuthorization() #2 /var/www/w/extensions/OpenIDConnect/OpenIDConnect.class.php(152): Jumbojett\OpenIDConnectClient->authenticate() #3 /var/www/w/extensions/PluggableAuth/PluggableAuthLogin.php(48): OpenIDConnect->authenticate(NULL, NULL, NULL, NULL, NULL) #4 /var/www/w/includes/specialpage/SpecialPage.php(522): PluggableAuthLogin->execute(NULL) #5 /var/www/w/includes/specialpage/SpecialPageFactory.php(578): SpecialPage->run(NULL) #6 /var/www/w/includes/MediaWiki.php(287): SpecialPageFactory::executePath(Object(Title), Object(RequestContext)) #7 /var/www/w/includes/MediaWiki.php(851): MediaWiki->performRequest() #8 /var/www/w/includes/MediaWiki.php(523): MediaWiki->main() #9 /var/www/w/index.php(43): MediaWiki->run() #10 {main}

My config in LocalSettings.php looks like this:

#PluggableAuth

wfLoadExtension( 'PluggableAuth' );

#OpenID Connect

wfLoadExtension( 'OpenIDConnect' );

$wgOpenIDConnect_Config['http://{redacted}/auth/realms/fst/protocol/openid-connect/auth'] = [

   'clientID' => 'aware',

   'clientsecret' => '{redacted}'

];

########################

#

# DEBUG

#

########################

error_reporting(E_ALL | E_STRICT);

ini_set("display_errors", 1);

$wgDebugLogFile = "/tmp/wiki.log";

$wgShowExceptionDetails = true;

$wgShowSQLErrors        = true;

$wgDebugComments        = true;

$wgLogQueries           = true;

$wgDebugDumpSql         = true;

$wgDevelopmentWarnings  = true;

$wgDebugProfiling       = true;

$wgDebugTimestamps      = true;

$wgResourceLoaderDebug  = true;

$wgDebugToolbar         = true;

Version Info:

MediaWiki 1.30.0

OpenID Connect 4.1 (c8e4d19) 23:41, 9 March 2018

PluggableAuth 5.2 (2528a75) 11:31, 20 August 2017

@Cindy.cicalese - Any thoughts would be greatly appreciated.

Cindy.cicalese (talkcontribs)

The problem is that it is trying to find the configuration for your provider from a well-known configuration endpoint. It tries to find this by adding "/.well-known/openid-configuration" to the end of the provider URL (see https://github.com/jumbojett/OpenID-Connect-PHP/blob/master/src/OpenIDConnectClient.php#L361). The provider URL is the index in the $wgOpenIDConnect_Config array. For example, if you were using Google as your provider, the provider URL would be https://accounts.google.com and the well-known configuration endpoint would be https://accounts.google.com/.well-known/openid-configuration.
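An added PHP example of the discovery lookup described above (not code from the extension or the jumbojett library): it derives the well-known URL from the configured issuer key, shows what the misconfigured key from the report resolves to, and checks a constructed discovery document the way a client should before using its endpoints. The helper names and the sample document are constructed.

```php
<?php
// Added example: not code from the OpenIDConnect extension or the jumbojett
// library. The array key in $wgOpenIDConnect_Config has to be the provider's
// issuer URL, because the client appends the well-known path to it.

function discoveryUrl(string $issuer): string {
    return rtrim($issuer, '/') . '/.well-known/openid-configuration';
}

// Check a fetched discovery document before trusting any endpoint in it.
// OpenID Connect Discovery 1.0 requires the document's "issuer" to be identical
// to the URL it was retrieved for (a trailing slash is tolerated here); the
// endpoints listed are the ones the authorization code flow used by the
// extension needs. This helper is an assumption, not the library's API.
function checkDiscovery(string $configuredIssuer, array $doc): array {
    $problems = [];
    $expected = rtrim($configuredIssuer, '/');
    $actual = $doc['issuer'] ?? '(none)';
    if (rtrim($actual, '/') !== $expected) {
        $problems[] = "issuer mismatch: configured $expected, document says $actual";
    }
    foreach (['authorization_endpoint', 'token_endpoint', 'jwks_uri'] as $key) {
        if (empty($doc[$key])) {
            $problems[] = "missing $key";
        } elseif (strpos($doc[$key], 'https://') !== 0) {
            $problems[] = "$key is not https: {$doc[$key]}";
        }
    }
    return $problems;
}

// Constructed discovery document, shaped like a provider's response.
$doc = [
    'issuer'                 => 'https://idp.example.org/oidc',
    'authorization_endpoint' => 'https://idp.example.org/oidc/authorize',
    'token_endpoint'         => 'https://idp.example.org/oidc/token',
    'jwks_uri'               => 'https://idp.example.org/oidc/keys',
];

// Correct key: the issuer. The derived discovery URL is the one the provider
// serves, and the document passes the checks.
$issuer = 'https://idp.example.org/oidc';
echo discoveryUrl($issuer), "\n";
var_dump(checkDiscovery($issuer, $doc) === []);

// The mistake in the report above: using the authorization endpoint as the key.
// The well-known path is appended to it, no document lives there, and the
// client later fails with "authorization_endpoint has not been set".
echo discoveryUrl($doc['authorization_endpoint']), "\n";

// A document whose issuer does not match the configured key should be refused
// even if its endpoints look fine (constructed mismatch for illustration).
$other = $doc;
$other['issuer'] = 'https://idp.example.org/other-tenant';
print_r(checkDiscovery($issuer, $other));
```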

Grady74 (talkcontribs)

Thanks Cindy! That was exactly it.

Can confirm that this lib works with Keycloak.

For folks coming after me, the pattern for Keycloak looks like:

$wgOpenIDConnect_Config['https://{keycloak_server:port}/auth/realm/{your_realm}'] = [
    'clientID' => '.....',
    'clientsecret' => '.....'
];

Watch out if you are running your install insecurely on port 80 in your dev env. Most modern browsers will automatically add Upgrade-Insecure-Requests: 1 to the request headers, which in turn confuses the code in jumbojett/OpenIDConnectClient.php (https://github.com/jumbojett/OpenID-Connect-PHP/blob/master/src/OpenIDConnectClient.php#L419) into thinking that you are running https (thus providing an https redirect_uri instead of an http redirect_uri in the authorization part of the auth code flow, leading to a message about invalid_uri from your IdP).
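The two pitfalls in this thread (a provider URL that is not the issuer, so no well-known document is found, and a redirect_uri whose scheme flips to https because of the Upgrade-Insecure-Requests header) can both be caught before pointing the wiki at the IdP. The following is an added example, not code from the extension, the jumbojett library or anyone in this thread: the discovery document is constructed, the Keycloak-style URLs are placeholders, and effective_redirect_uri() models the behaviour described in the post above rather than reproducing the library's logic.

```python
"""Pre-flight checks for a $wgOpenIDConnect_Config entry (added example).

Assumptions (not from the page): the discovery document passed in is whatever
you fetched from well_known_url(); the https inference below models the post's
description of the Upgrade-Insecure-Requests problem, not the library's code.
"""
from urllib.parse import urlsplit

# Endpoints an authorization-code-flow client needs from the discovery document.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
WELL_KNOWN = "/.well-known/openid-configuration"


def well_known_url(provider_url: str) -> str:
    """Discovery URL derived from the array key (the provider/issuer URL)."""
    return provider_url.rstrip("/") + WELL_KNOWN


def check_discovery(provider_url: str, doc: dict) -> list:
    """Return human-readable problems for a provider URL / discovery document pair."""
    problems = []
    path = urlsplit(provider_url).path.rstrip("/")
    if path.endswith("/protocol/openid-connect/auth"):
        # Keycloak's authorization endpoint has no discovery document under it;
        # the array key must be the realm (issuer) URL.
        problems.append("provider URL is the authorization endpoint, not the issuer URL")
    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"discovery document lacks '{key}'")
    issuer = doc.get("issuer")
    if issuer is not None and issuer.rstrip("/") != provider_url.rstrip("/"):
        # The ID token's 'iss' claim carries this issuer value, so a mismatch
        # fails claim verification later even though the endpoints resolve.
        problems.append(f"issuer {issuer!r} differs from provider URL {provider_url!r}")
    return problems


def effective_redirect_uri(headers: dict, host: str, path: str, https_on: bool = False) -> str:
    """Model of the scheme choice the post describes: on a plain-http site, a
    browser sending 'Upgrade-Insecure-Requests: 1' yields an https redirect_uri."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    use_https = https_on or lowered.get("upgrade-insecure-requests") == "1"
    return f"{'https' if use_https else 'http'}://{host}{path}"


def redirect_uri_registered(sent: str, registered) -> bool:
    """True when the redirect_uri the wiki will send is one registered at the IdP."""
    return sent in set(registered)


if __name__ == "__main__":
    # Constructed Keycloak-style values; not a real server.
    realm = "https://keycloak.example.test/auth/realms/demo/"
    doc = {
        "issuer": "https://keycloak.example.test/auth/realms/demo",
        "authorization_endpoint": realm + "protocol/openid-connect/auth",
        "token_endpoint": realm + "protocol/openid-connect/token",
        "jwks_uri": realm + "protocol/openid-connect/certs",
    }
    print(well_known_url(realm))
    print(check_discovery(realm, doc))  # []
    print(check_discovery(realm + "protocol/openid-connect/auth", {}))
    login = "/index.php/Special:PluggableAuthLogin"
    sent = effective_redirect_uri({"Upgrade-Insecure-Requests": "1"}, "wiki.example.test", login)
    print(sent, redirect_uri_registered(sent, ["http://wiki.example.test" + login]))  # False
```

Feed check_discovery() the JSON you fetched from well_known_url() with curl; an empty list means the array key is usable as-is. A False from redirect_uri_registered() for the Upgrade-Insecure-Requests case is the dev-on-port-80 situation described above: either register both schemes at the IdP or serve the wiki over https.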

Cindy.cicalese (talkcontribs)

Great! I'm glad you were able to get it working!

It would be great if you could put the information in your reply above on the extension page at Extension:OpenID Connect. Maybe another "Example:..." section after the two that are there? That way folks don't need to search here to find your valuable advice.

Thanks!

Cindy

Username name is not coming if using openidconnect

Kishorkunal09 (talkcontribs)

We want MediaWiki to connect through an identity server (OpenID Connect). After configuring everything as instructed, we are facing two problems.

  1. Users are being created with the names "User1", "User2" in the user_name column of the User table. The user email id is coming as a scope from the OpenID Connect server. We want the username to be the email id.
  2. There is no "Logout" option when a user is logged in.

Urgent help is required.

Regards

Kunal

Cindy.cicalese (talkcontribs)

In general, when requesting help for this type of problem, it is important to include the version of MediaWiki and of extensions and any extension dependencies you are using. Also, please include the relevant configuration settings you are using.

If the email is being provided by the server as the scope rather than the email address, that sounds like a configuration issue on the server. But, it is difficult to know without seeing your configuration settings.

Unless you have $wgPluggableAuth_EnableAutoLogin set to true (the default is false), you should be seeing a logout option.

Kishorkunal09 (talkcontribs)

Hi Cindy,

Thanks for reverting back.

Below are the configuration details.

-------LocalSettings.php

.....

# The following permissions were set based on your choice in the installer

# $wgGroupPermissions['*']['createaccount'] = true;

$wgGroupPermissions['*']['edit'] = false;

$wgGroupPermissions['*']['read'] = false;

$wgGroupPermissions['*']['autocreateaccount'] = true;

....

....

# End of automatically generated settings.

# Add more configuration options below.

wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_EnableAutoLogin = true;

$wgPluggableAuth_EnableLocalLogin = false;

$wgPluggableAuth_Class = "OpenIDConnect";

wfLoadExtension( 'OpenIDConnect' );

$wgOpenIDConnect_Config['https://login.mycompany.com'] = [
    'clientID' => 'wiki',
    'clientsecret' => 'wikisecret',
    'scope' => array( 'openid', 'profile', 'email')
];

$wgOpenIDConnect_UseEmailNameAsUserName = true;

----end---

----versions

Product     Version
MediaWiki   1.29.1
PHP         7.1.7 (apache2handler)
MariaDB     10.1.25-MariaDB

Other

Extension       Version                               License   Description                                                                       Authors
OpenID Connect  4.0 (a6d9f08) 21:07, 19 April 2017              Provides authentication using OpenID Connect in conjunction with PluggableAuth   Cindy Cicalese
PluggableAuth   4.0 (51af0f3) 18:48, 22 April 2017              Provides framework for pluggable authentication and authorization                Cindy Cicalese

Below is the identity server resource provider snippet (language C#).

public static IEnumerable<IdentityResource> GetIdentityResources()
{
    return new List<IdentityResource>
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile(),
        new IdentityResources.Email(),
    };
}

Please let me know what I am missing.

Thanks in advance.

Cindy.cicalese (talkcontribs)

The setting

$wgPluggableAuth_EnableAutoLogin = true;

is the reason you are not seeing a Logout link. This setting automatically logs the user in without them selecting the Login link and removes the Logout link.

The settings look correct for using the email id as the username. I have an almost identical configuration with similar software versions running correctly with Google as the identity server. Are the email address and real name getting set correctly in the User table in the database? My suspicion is that the email address is not getting correctly returned by the identity server. I'm afraid I am not familiar with the details of the configuration of your identity server.

Cindy.cicalese (talkcontribs)

Also, if you turn on debug logging as in Manual:How_to_debug, you may see an indication of what is happening in the debug log.

Kishorkunal09 (talkcontribs)

Hi Cindy,

In the User table, "user_realname" is getting updated with the email id, "user_name" is getting "User1", and "user_email" is null.

What should I do to populate "user_name" correctly?

Cindy.cicalese (talkcontribs)

It sounds to me like your identity server is misconfigured to send the email address in the real name field rather than the email address field. I would investigate the identity server configuration.

Kishorkunal09 (talkcontribs)

Hi Cindy,

Below is debug data for the above scenario

  • IP: ::1
  • Start request GET /testWiki/index.php/Special:PluggableAuthLogin?code=39966b6666560930a0e04216cf74fa4e344c86eed84edde4a47e80705d0c8804&scope=openid%20profile%20email&state=8d73c64d038bf49b2c3c8389f598b9ae&session_state=TqiKKFyzNRYrXNQ-dHcyfWaAT0bHYtRh1lSA3BOV7C4.9293c5f0e367e3e266200765e5d72a62HTTP HEADERS:HOST: localhostCONNECTION: keep-aliveCACHE-CONTROL: max-age=0UPGRADE-INSECURE-REQUESTS: 1USER-AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8REFERER: http://localhost:5000/account/login?returnUrl=%2Fconnect%2Fauthorize%2Flogin%3Fresponse_type%3Dcode%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%252FtestWiki%252Findex.php%252FSpecial%253APluggableAuthLogin%26client_id%3Dwiki%26nonce%3D77aa79a2ccd8a463f70295184ca09e29%26state%3D8d73c64d038bf49b2c3c8389f598b9ae%26scope%3Dopenid%2520profile%2520emailACCEPT-ENCODING: gzip, deflate, brACCEPT-LANGUAGE: en-US,en;q=0.8COOKIE: wikidb_session=6ihndahph1fl371vo4cogi7ekmt7d8gv; .AspNetCore.Antiforgery.X5ipDmWKkaA=CfDJ8MkgNPQ2l_9PhDLWMcDNWGyiMbKN0ML_8r4iNYx-JwE1QGlkDthoXWTbB3X2CJCrm6s3z9xpgYqe0wCgseHZCniKb1dA2PsT5koO4FQ3SWfqzeLRfnWO54wx4qO3KCBeyGABVJPjg_JTcs-GCM3TXqY; Identity.Application.session=1e39fce839f6ddf7798620ab4f4250c2; 
.AspNetCore.Identity.Application=CfDJ8MkgNPQ2l_9PhDLWMcDNWGysefhKrtMLKuOzfqH50PPyeHBjdTj01K8Fv7V2Ltp5oYRwAtkWWNrLUfRzseRMvhQdZkbe5Wo4-nq9zKAXLTkojC4rdS2of4PvKbKVSUFhXihXTUW0I6ErS6jL9bjiE3B2pMK_fief-ln3fCaxI3HeikNW33DVD0GK39Qi4jA3iuYdZVTZHZrlYsxg87pqF6VMkS8oD7UlU_aQqdluQeUKnrWIJdyDYWjtgBQNkEkt7dMc4dAA6WhG4OAJzkjlmj9I7Y0WFubV30i_J5OBT2OMIUMVUXr910a7j3zhFvKRS6yzIkxmwX8F_n9LWVFYgknWp_mN6JmHvnJrXw7Gj5n6U_-KkXvlAC8IU6ZNwoMqXl2maFAmHAM046N0vOV707filthoIrMwP0EvBnudwxq1bmt4SqxiGtfEmBBB4moURqgETFqOM62NEaQ6e7d5mochkZhL5W95vDNlswss11U5ujMgLD1Tbf1IVE0P9RYySYeHPGrtvI8DO_MrnpG74xm69zemNelPanRQxZ4vb41LTenaIXfqOXbWHamhJ-P6MOwngE9_iV8oZx9QD7JWlx18oSeDdXfIt5dnAQVh9AM2a9aFSWxOf3msbpWubxAZWSETflUVgvk6veLuppJNaP-HDnpfhHYo99O3VNYg1yXJYiFSf9q1XedFpB55EV3MxYluxefQBQzMKa1q--pheEwjnlx_lR4DPY2mRKlZdSvoMWW-EpUc82QMtyysdtUa69powW8fr1lVGDW5K81JzSLFDreuFtZav-YVgSzGLdLIpYOkVGrG_KdE88_v6YsQLZcYE_1utP8fDVyD_OMD5gln1GrT9hXoZeafc2Bz5R35
  • [caches] cluster: EmptyBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: SqlBagOStuff, parser: SqlBagOStuff, session: SqlBagOStuff
  • [caches] LocalisationCache: using store LCStoreDB
  • [session] Session "6ihndahph1fl371vo4cogi7ekmt7d8gv" requested without UserID cookie
  • [DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info {"IPAddress": "::1","UserAgent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.100 Safari\/537.36","ChronologyProtection": false}
  • [DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection.
  • [DBConnection] Connected to database 0 at 'localhost'.
  • [SQLBagOStuff] Connection 91 will be used for SqlBagOStuff
  • [DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection.
  • [DBConnection] Connected to database 0 at 'localhost'.
  • OpenIDConnectClientException: Unable to verify JWT claims in C:\xampp\htdocs\testWiki\extensions\OpenIDConnect\vendor\jumbojett\openid-connect-php\OpenIDConnectClient.php:281Stack trace:#0 C:\xampp\htdocs\testWiki\extensions\OpenIDConnect\OpenIDConnect.class.php(151): OpenIDConnectClient->authenticate()#1 C:\xampp\htdocs\testWiki\extensions\PluggableAuth\PluggableAuthLogin.php(46): OpenIDConnect->authenticate(NULL, NULL, NULL, NULL, NULL)#2 C:\xampp\htdocs\testWiki\includes\specialpage\SpecialPage.php(522): PluggableAuthLogin->execute(NULL)#3 C:\xampp\htdocs\testWiki\includes\specialpage\SpecialPageFactory.php(578): SpecialPage->run(NULL)#4 C:\xampp\htdocs\testWiki\includes\MediaWiki.php(287): SpecialPageFactory::executePath(Object(Title), Object(RequestContext))#5 C:\xampp\htdocs\testWiki\includes\MediaWiki.php(862): MediaWiki->performRequest()#6 C:\xampp\htdocs\testWiki\includes\MediaWiki.php(523): MediaWiki->main()#7 C:\xampp\htdocs\testWiki\index.php(43): MediaWiki->run()#8 {main}
  • [session] SessionBackend "6ihndahph1fl371vo4cogi7ekmt7d8gv" data dirty due to dirty(): SpecialPage->run/PluggableAuthLogin->execute/OpenIDConnect->authenticate/MediaWiki\Session\Session->clear/MediaWiki\Session\SessionBackend->dirty
  • [session] SessionBackend "6ihndahph1fl371vo4cogi7ekmt7d8gv" metadata dirty due to user change
  • [session] SessionBackend "6ihndahph1fl371vo4cogi7ekmt7d8gv" save: dataDirty=1 metaDirty=1 forcePersist=0
  • [cookie] setcookie: "wikidb_session", "6ihndahph1fl371vo4cogi7ekmt7d8gv", "0", "/", "", "", "1"
  • [cookie] already deleted setcookie: "wikidbUserID", "", "1477990373", "/", "", "", "1"
  • [cookie] already deleted setcookie: "wikidbToken", "", "1477990373", "/", "", "", "1"
  • [cookie] already deleted setcookie: "forceHTTPS", "", "1477990373", "/", "", "", "1"
  • [DBPerformance] Expectation (writes <= 0) by MediaWiki::main not met:query-m: REPLACE INTO `objectcache` (keyname,value,exptime) VALUES ('X')#0 C:\xampp\htdocs\testWiki\includes\libs\rdbms\TransactionProfiler.php(218): Wikimedia\Rdbms\TransactionProfiler->reportExpectationViolated('writes', 'query-m: REPLAC...')#1 C:\xampp\htdocs\testWiki\includes\libs\rdbms\database\Database.php(979): Wikimedia\Rdbms\TransactionProfiler->recordQueryCompletion('query-m: REPLAC...', 1509526373.0405, true, 2)#2 C:\xampp\htdocs\testWiki\includes\libs\rdbms\database\Database.php(891): Wikimedia\Rdbms\Database->doProfiledQuery('REPLACE INTO `o...', 'REPLACE /* SqlB...', true, 'SqlBagOStuff::s...')#3 C:\xampp\htdocs\testWiki\includes\libs\rdbms\database\Database.php(2173): Wikimedia\Rdbms\Database->query('REPLACE INTO `o...', 'SqlBagOStuff::s...')#4 C:\xampp\htdocs\testWiki\includes\libs\rdbms\database\DatabaseMysqlBase.php(494): Wikimedia\Rdbms\Database->nativeReplace('`objectcache`', Array, 'SqlBagOStuff::s...')#5 C:\xampp\htdocs\testWiki\includes\objectcache\SqlBagOStuff.php(372): Wikimedia\Rdbms\DatabaseMysqlBase->replace('objectcache', Array, Array, 'SqlBagOStuff::s...')#6 C:\xampp\htdocs\testWiki\includes\objectcache\SqlBagOStuff.php(387): SqlBagOStuff->setMulti(Array, 1509529973)#7 C:\xampp\htdocs\testWiki\includes\libs\objectcache\CachedBagOStuff.php(65): SqlBagOStuff->set('wikidb:MWSessio...', Array, 1509529973, 1)#8 C:\xampp\htdocs\testWiki\includes\session\SessionBackend.php(738): CachedBagOStuff->set('wikidb:MWSessio...', Array, 1509529973, 1)#9 C:\xampp\htdocs\testWiki\includes\session\SessionBackend.php(607): MediaWiki\Session\SessionBackend->save()#10 C:\xampp\htdocs\testWiki\includes\session\SessionBackend.php(410): MediaWiki\Session\SessionBackend->autosave()#11 C:\xampp\htdocs\testWiki\includes\session\Session.php(262): MediaWiki\Session\SessionBackend->setUser(Object(User))#12 C:\xampp\htdocs\testWiki\extensions\OpenIDConnect\OpenIDConnect.class.php(198): 
MediaWiki\Session\Session->clear()#13 C:\xampp\htdocs\testWiki\extensions\PluggableAuth\PluggableAuthLogin.php(46): OpenIDConnect->authenticate(NULL, NULL, NULL, NULL, NULL)#14 C:\xampp\htdocs\testWiki\includes\specialpage\SpecialPage.php(522): PluggableAuthLogin->execute(NULL)#15 C:\xampp\htdocs\testWiki\includes\specialpage\SpecialPageFactory.php(578): SpecialPage->run(NULL)#16 C:\xampp\htdocs\testWiki\includes\MediaWiki.php(287): SpecialPageFactory::executePath(Object(Title), Object(RequestContext))#17 C:\xampp\htdocs\testWiki\includes\MediaWiki.php(862): MediaWiki->performRequest()#18 C:\xampp\htdocs\testWiki\includes\MediaWiki.php(523): MediaWiki->main()#19 C:\xampp\htdocs\testWiki\index.php(43): MediaWiki->run()#20 {main}
  • Authentication failure.
  • [MessageCache] MessageCache::load: Loading en... local cache is empty, global cache is expired/volatile, loading from database
  • [CryptRand] 0 bytes of randomness leftover in the buffer.
  • [session] SessionBackend "6ihndahph1fl371vo4cogi7ekmt7d8gv" data dirty due to dirty(): MediaWiki\Auth\AuthManager->setAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->getSecretKeys/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty
  • [session] SessionBackend "6ihndahph1fl371vo4cogi7ekmt7d8gv" data dirty due to dirty(): MediaWiki\Auth\AuthManager->setAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->getSecretKeys/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty
  • [CryptRand] 0 bytes of randomness leftover in the buffer.
  • [session] SessionBackend "6ihndahph1fl371vo4cogi7ekmt7d8gv" data dirty due to dirty(): PluggableAuthLogin->execute/MediaWiki\Auth\AuthManager->setAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty
  • [session] SessionBackend "6ihndahph1fl371vo4cogi7ekmt7d8gv" save: dataDirty=1 metaDirty=0 forcePersist=0
  • MediaWiki::preOutputCommit: primary transaction round committed
  • MediaWiki::preOutputCommit: pre-send deferred updates completed
  • MediaWiki::preOutputCommit: LBFactory shutdown completed
  • Unstubbing $wgParser on call of $wgParser::firstCallInit from MessageCache->transform
  • Parser: using preprocessor: Preprocessor_DOM
  • Unstubbing $wgLang on call of $wgLang::_unstub from ParserOptions->__construct

Below is a configuration snapshot for the identity server.

.....

cs.Add(new Claim(ClaimTypes.Role, user.Designation));
cs.Add(new Claim(ClaimTypes.Email, user.Email));
cs.Add(new Claim("designation", user.Designation));

....

I need a resolution for this ASAP.

Please help.
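The symptom discussed above (user_name set to "User1", the email address landing in user_realname, user_email empty) is what a client produces when the claims it receives do not carry the standard OpenID Connect names it looks for. One thing worth checking on the .NET side is that a ClaimTypes constant such as ClaimTypes.Email expands to a WS-Federation URI (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress), not to the short OIDC name "email". The block below is an added example, not the extension's code: it is a simplified model of the username precedence the $wgOpenIDConnect_UseEmailNameAsUserName and $wgOpenIDConnect_UseRealNameAsUserName switches express, plus a checker for unrecognised claim names. The claim sets are constructed, the "UserN" fallback mirrors what the thread reports, and the real extension may differ in detail.

```python
"""Username selection from OIDC claims and a claim-name sanity check (added example).

Assumptions (not from the page): precedence is email local part, then real name,
then preferred_username, else a generated UserN; this is a model of the settings
discussed in the thread, not the extension's actual implementation.
"""

# Short names defined by the OpenID Connect Core standard claims.
OIDC_STANDARD = {"sub", "email", "email_verified", "name", "preferred_username",
                 "given_name", "family_name"}
# .NET ClaimTypes constants expand to WS-Federation URIs rather than OIDC names.
WSFED_PREFIX = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
WSFED_TO_OIDC = {"emailaddress": "email", "name": "name",
                 "givenname": "given_name", "surname": "family_name"}


def unexpected_claim_names(claims: dict) -> dict:
    """Map each claim name the client will not recognise to the OIDC name it
    probably stands for (None when there is no obvious counterpart)."""
    result = {}
    for key in claims:
        if key in OIDC_STANDARD:
            continue
        if key.startswith(WSFED_PREFIX):
            result[key] = WSFED_TO_OIDC.get(key[len(WSFED_PREFIX):])
        else:
            result[key] = None
    return result


def wiki_username(raw: str) -> str:
    """MediaWiki usernames start with a capital letter, use spaces instead of
    underscores and may not contain a handful of title-illegal characters."""
    cleaned = raw.strip().replace("_", " ")
    for ch in "#<>[]|{}@:":
        cleaned = cleaned.replace(ch, "")
    return cleaned[:1].upper() + cleaned[1:]


def choose_username(claims: dict, use_email_name: bool = False,
                    use_real_name: bool = False, next_seq: int = 1) -> tuple:
    """Return (username, source) following the configured precedence."""
    if use_email_name and claims.get("email"):
        return wiki_username(claims["email"].split("@", 1)[0]), "email"
    if use_real_name and claims.get("name"):
        return wiki_username(claims["name"]), "name"
    if claims.get("preferred_username"):
        return wiki_username(claims["preferred_username"]), "preferred_username"
    # Nothing usable arrived: the client falls back to a generated name.
    return f"User{next_seq}", "generated"


if __name__ == "__main__":
    # Constructed claim set in the shape a WS-Fed-style claim list would produce.
    from_dotnet = {"sub": "42", WSFED_PREFIX + "emailaddress": "kunal@example.test",
                   "designation": "Engineer"}
    print(unexpected_claim_names(from_dotnet))
    print(choose_username(from_dotnet, use_email_name=True))   # ('User1', 'generated')
    # The same user with standard claim names.
    standard = {"sub": "42", "email": "kunal@example.test", "name": "Kunal K"}
    print(choose_username(standard, use_email_name=True))      # ('Kunal', 'email')
```

Run unexpected_claim_names() over the decoded userinfo or ID-token payload from your debug log: any key that maps to a non-None value is a claim the provider emitted under the wrong name, which is exactly the kind of identity-server configuration issue suggested above.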

Cindy.cicalese (talkcontribs)

This exception is thrown in the OpenID Connect library:

OpenIDConnectClientException: Unable to verify JWT claims in C:\xampp\htdocs\testWiki\extensions\OpenIDConnect\vendor\jumbojett\openid-connect-php\OpenIDConnectClient.php:281

The OpenID Connect PHP library is making an authentication request to the identity server, but it is encountering an error in handling the response. This could be due to an error in the identity server configuration.
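For readers hitting the same exception: after the signature on the ID token checks out, a client validates the token's claims before trusting them, and that is the stage at which a failure like the one quoted above surfaces. The block below is an added example, not the jumbojett library's code: it lists the claim checks an OpenID Connect client performs (iss, aud/azp, nonce, exp, nbf, sub) so that each can be compared against what your identity server puts in the token. The claim sets are constructed, signature verification against jwks_uri is assumed to have happened already and is outside the block, and the 60 s clock leeway is a local choice.

```python
"""ID-token claim checks an OpenID Connect client performs (added example).

Assumptions (not from the page): the token signature was already verified
against the provider's jwks_uri; 'issuer' is the value from the discovery
document; 'expected_nonce' is the nonce sent in the authorization request.
"""
import hmac
import time


def verify_id_token_claims(claims: dict, issuer: str, client_id: str,
                           expected_nonce: str, now: float = None,
                           leeway: int = 60) -> list:
    """Return the names of failed checks; an empty list means the claims pass."""
    now = time.time() if now is None else now
    failures = []
    # iss must equal the discovery document's issuer byte for byte; a trailing
    # slash or http/https difference is enough to fail.
    if claims.get("iss") != issuer:
        failures.append("iss")
    # aud may be a string or a list; our client_id must be among the audiences,
    # and with several audiences azp must name us as the authorized party.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        failures.append("aud")
    elif len(audiences) > 1 and claims.get("azp") != client_id:
        failures.append("azp")
    # nonce binds the token to the authorization request this session sent.
    got_nonce = str(claims.get("nonce", "")).encode()
    if not hmac.compare_digest(got_nonce, expected_nonce.encode()):
        failures.append("nonce")
    # exp is mandatory; nbf is optional but honoured when present.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp + leeway <= now:
        failures.append("exp")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and nbf - leeway > now:
        failures.append("nbf")
    if not claims.get("sub"):
        failures.append("sub")
    return failures


if __name__ == "__main__":
    now = 1_700_000_000
    # Constructed claims for a fictitious provider and client.
    good = {"iss": "https://login.example.test", "aud": "wiki", "sub": "u1",
            "nonce": "n1", "iat": now, "exp": now + 300}
    print(verify_id_token_claims(good, "https://login.example.test", "wiki", "n1", now=now))  # []
    # Same token checked against a provider URL configured with a trailing slash.
    print(verify_id_token_claims(good, "https://login.example.test/", "wiki", "n1", now=now))  # ['iss']
```

When the list comes back non-empty, the name tells you which field to compare between the wiki's configuration and the identity server's output: "iss" points at the $wgOpenIDConnect_Config key versus the server's issuer, "aud" at the client_id the server put in the token, and "nonce" or "exp" at session state and clock skew.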