Extension talk:OpenID Connect


About this board

When reporting an error, please be sure to include version information for MediaWiki and all relevant extensions as well as configuration information. Also, please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log.

No email populating via OpenIDConnect and Azure

Viiiwonder (talkcontribs)

I have successfully gotten PluggableAuth, and OpenIDConnect, functioning (thank you for your development thereof), and have successfully gotten them talking to Azure/pulling back 'real names' for users. However, at this time I'm still not getting email back. I've verified API permissions in Azure as well.

Debug log indicates:

[OpenID Connect] Real name: DTP Support, Email: , Subject: ...

(Email field is blank in debug)

Are there additional debug options or investigation I can do to perhaps find the root of the issue? Anyone familiar with this issue with Azure?

Cindy.cicalese (talkcontribs)
Viiiwonder (talkcontribs)

I found that that example was actually inaccurate - I have updated the instructions/example to a currently working config. Key issue was the correct location of the /.well-known/openid-configuration.

After changing the endpoint, all works now. I also updated the instructions to be a bit more detailed of 'how' to create the app registration with Azure.

Thanks again for your work on this project.

Cindy.cicalese (talkcontribs)

Wonderful! Thank you so much for fixing the documentation!

Reply to "No email populating via OpenIDConnect and Azure"

Getting logged out again quite fast

2001:16B8:2681:AE00:5CB6:AFD2:786:BF32 (talkcontribs)

Hi,

I've an installation of Mediawiki 1.35.1 without OpenID Connect and an installation of the same version with OpenID Connect using Keycloak 10 as authentication service.

In the Mediawiki without OpenID Connect I stay logged in for weeks. I'm sure it uses a cookie.

But in the Mediawiki that uses OpenID Connect, I get logged out after session.gc_maxlifetime. It does not seem to use a cookie. Both installations are configured very similar. Is this behavior by design or is there any way to stay logged in with OpenID Connect for a longer time, besides increasing session.gc_maxlifetime?

Thanks

Timo

Cindy.cicalese (talkcontribs)
80.156.94.66 (talkcontribs)

We had the same problem with KeyCloak and Wiki version "1.31.10".

To solve the problem you have to increase the value of the parameter $wgObjectCacheSessionExpiry for example to 8 Hours (28800 seconds). The default value is 3600 seconds.

Cindy.cicalese (talkcontribs)
Reply to "Getting logged out again quite fast"
Natlan21 (talkcontribs)

Hi, I am quite new to MediaWiki/OpenID.

I am trying to authenticate the user on my wiki using OpenIdConnect. I was able to get the issuer's login page and authenticate using that; however, the logged-in user still shows up as "User" instead of the username from the issuer. I see that there is "username" in the claims section of /.well-known/openid-provider. Looking at the extension's documentation, I tried adding:

'preferred_username' => 'username' in $wgOpenIDConnect_Config, but that did not seem to work either. Please suggest how I can debug this or what I could be doing wrong. From the debug info below, it also seems I am getting an exception.

Thanks


I am using Mediawiki 1.34.0 with Postgresdb.


Debug info:


[PluggableAuth] In execute()

[PluggableAuth] Getting PluggableAuth singleton

[PluggableAuth] Class name: OpenIDConnect

[OpenID Connect] Redirect URL: http://mydomain.com/mediawiki/index.php?title=Special:PluggableAuthLogin

[error] [db0552df57216921823a746d] /mediawiki/index.php?title=Special:PluggableAuthLogin&code=ORMensQ_p46ogp46Cn5W-m5yaEAtADhFjZ8AAAAf&state=dd4c766cece486c82df55655a5dfd85e   ErrorException from line 719 of /home/natlan/public_html/mediawiki/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php: PHP Notice: Undefined property: stdClass::$alg

#0 /home/natlan/public_html/mediawiki/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(719): MWExceptionHandler::handleError(integer, string, string, integer, array)

#1 /home/natlan/public_html/mediawiki/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(824): Jumbojett\OpenIDConnectClient->get_key_for_header(array, stdClass)

#2 /home/natlan/public_html/mediawiki/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(279): Jumbojett\OpenIDConnectClient->verifyJWTsignature(string)

#3 /home/natlan/public_html/mediawiki/extensions/OpenIDConnect/src/OpenIDConnect.php(161): Jumbojett\OpenIDConnectClient->authenticate()

#4 /home/natlan/public_html/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php(30): OpenIDConnect->authenticate(NULL, NULL, NULL, NULL, NULL)

#5 /home/natlan/public_html/mediawiki/includes/specialpage/SpecialPage.php(575): PluggableAuthLogin->execute(NULL)

#6 /home/natlan/public_html/mediawiki/includes/specialpage/SpecialPageFactory.php(611): SpecialPage->run(NULL)

#7 /home/natlan/public_html/mediawiki/includes/MediaWiki.php(296): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)

#8 /home/natlan/public_html/mediawiki/includes/MediaWiki.php(900): MediaWiki->performRequest()

#9 /home/natlan/public_html/mediawiki/includes/MediaWiki.php(527): MediaWiki->main()

#10 /home/natlan/public_html/mediawiki/index.php(44): MediaWiki->run()

#11 {main}

[OpenID Connect] Real name: , Email: , Subject: natlan, Issuer: https://myissuer.com

[OpenID Connect] Found user with matching subject and issuer.

User: cache miss for user 3


Cindy.cicalese (talkcontribs)

I think I may know what is going on. You authenticated before setting the preferred username attribute, so it assigned you a generic User username and saved your subject/issuer information in the openid_connect table in the database. When you subsequently authenticated, it first looks to see if there is an existing user with that subject and issuer. It will only create a new username if that information is not found. So, you would need to manually clear those entries from the openid_connect database table. The exception is also concerning, but it is in the OpenID Connect library. You could try bumping the version of the library in composer.json from 0.5.0 to 0.9.0. That may fix the problem or may cause other issues. But, if it works, please let me know, and I can bump the version of the library in the repo.

Natlan21 (talkcontribs)

Thanks for your reply and help Cindy!

Upgrading to the latest version of the library from GitHub fixed the exception issue, I guess due to added error checks.

Also the reason why preferred_username was not getting set properly is because my identity provider does not provide the username etc fields in userinfo endpoint. They instead provide it as part of access token payload. I see there is a helper method in library to read the accesstoken payload but it is not used. Should the extension use that instead of getting information from userinfo endpoint?


I have one question related to authorization - my identity provider will return user permissions as part of the access token. What would be the suggested way to map those to MediaWiki roles? Would the code change submitted below in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OpenIDConnect/+/572199 help?

Thanks

Cindy.cicalese (talkcontribs)

I'm glad that the updated library worked. I'll try to get the composer.json file updated soon.

It would be great if you could test that patch and let me know if it fixes your situation. I do not currently have a way to test the new behavior, but it appears to work for several people. If it works for you, too, that will give me more confidence in merging it.

Natlan21 (talkcontribs)

Hi Cindy, to make it work for my identity provider, I had to change the patch a bit (this is because payloads have varying information based on individual identity providers). I will think about how we can make it more generic.

Also, most of the issues were solved, as I mentioned, by using the latest version of the library code from GitHub. Could you update the version in composer? Thanks

Ri thomas (talkcontribs)

Apparently Google also does not provide a username field. When I upgraded the OpenID Connect library to 0.9.0 to get around generic usernames, I get an error.

Auto-creation of a local account failed: You have not specified a valid username.

Reply to "preferred_username"
2001:16B8:4664:7700:1C98:54F1:3DBA:8493 (talkcontribs)

Hi - I am trying to connect MW (1.31) to Azure using OAuth2.

The Azure people tell me they can't specify a return URI of the form .../index.php?title=Special:PluggableAuthLogin and suggested I create a rewrite rule from .../pluggableauthlogin to point to the normal target.

All well and good, and easy to set up in Apache, but it doesn't work because Azure checks that the return URI is the same as that passed to it (by MediaWiki), and that is always the index.php? variant.

Has anyone seen this sort of thing before? Any suggestions?

Reply to "OIDC and Azure"
Pgrungi (talkcontribs)

Hi, just wanted to say thanks for writing this extension. I thought I'd share a couple tidbits for configuring this to use Okta as an identity provider.

I edited the OpenID Connect extension's composer.json to use jumbojett/openid-connect-php 0.9.0 instead of 0.5.0, but as far as I can tell, there weren't any changes between 0.5.0 and 0.9.0 relevant to anything I encountered.

Okta will not honor requests that contain client credentials in the header and post data at the same time, so after authenticating with Okta successfully, the OpenID Connect extension would error out and I'd see a red "Fatal error authenticating user" or similar message. This is an upstream issue with jumbojett/open-id-client-php, and it turns out there's already a pull request for the fix but it hasn't been approved yet. I can't post a link here for some reason, but it's pull request 208 for the project on github - just paste unset($token_params['client_id']); right below or above the existing unset($token_params['client_secret']); inside of extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php

You'll know this is your issue if you see errors in your Okta system log; or if you have debug logging enabled in MediaWiki, you'll see this in the log: [OpenID Connect] Jumbojett\OpenIDConnectClientException: Cannot supply multiple client credentials. Use one of the following: credentials in the Authorization header, credentials in the post body, or a client_assertion in the post body.

The other important thing to note about using this extension with Okta is that Okta will not provide any useful claims unless you explicitly request the correct scopes. If you don't specify scopes, the OpenID Connect extension will receive null/empty values for Real Name and Email, so if MediaWiki is already configured to auto-create users, you'll be logged in as "User".

To summarize, once the upstream jumbojett/open-id-client-php issue is resolved (just paste in the single line of code from the above github pull request), your $wgOpenIDConnect_Config in LocalSettings.php should look like this to work with Okta:

$wgOpenIDConnect_Config['hxxxx://foo.okta.com'] = [
    'name' => 'Okta',
    'clientID' => '(paste from the OIDC app you created in Okta)',
    'clientsecret' => '(paste from the OIDC app you created in Okta)',
    'scope' => [ 'profile', 'email' ]
];

Cindy.cicalese (talkcontribs)

Thank you so much for the feedback! Please feel free to add an Example section on the extension page with the information about configuring the extension to work with Okta.

Pgrungi (talkcontribs)

Will do, thanks.

Would it be a good idea to check for null and throw a warning if the extension receives a null 'name' or 'email' claim from the identity provider? I just wonder if there are any ill effects or edge cases where passing along a null/empty claim that the extension received from the upstream jumbojett OIDC client library would cause issues. It might also circumvent the issue @Natlan21 mentioned, and I also experienced, where an existing user's first successful authentication results in being named "User" in the absence of a non-null/empty claim.

One more thing I noticed... when I enable auto-creation of users who come in through PluggableAuth, and the OIDC extension passes along the new user's username for creation, it is rejected because the 'preferred_username' claim from Okta takes the form of an email address (pgrungi@example.com) and MediaWiki doesn't like the @ symbol in usernames by default.

I tried to overcome this by setting $wgOpenIDConnect_UseEmailNameAsUserName = true; so new users would be created as 'Pgrungi' instead of 'Pgrungi@example.com', but it seems that the OIDC extension prefers to honor the claim it received even if that setting is enabled. It makes sense -- you explained in the option description that the setting is used if no preferred_username is specified. Unfortunately I don't have a way to change Okta's preferred_username claim format, and I don't have a custom claim I can send in the shorter, @-less format.

In the end, my workaround was to set $wgInvalidUsernameCharacters = ''; so the @ would no longer be forbidden. In my environment this is a reasonable workaround, but from what I read elsewhere, it potentially breaks Interwiki functionality, so it may not work for others.

Would you consider a new $wgOpenIDConnect_IgnorePreferredNameClaim option (set to false by default) that enforces using the $wgOpenIDConnect_UseEmailNameAsUserName format, even if the identity provider sends a non-null 'preferred_username' claim?

Cindy.cicalese (talkcontribs)

Thanks for the suggestions! Could you please add feature request tasks in Phabricator for these? Thanks!

Reply to "Using OIDC with Okta"

Consume more user info details

89.247.198.108 (talkcontribs)

My Keycloak installation provides additional user details like an avatar picture that I would like to use in my Mediawiki theme. Would it be possible to add a hook between "if ( $oidc->authenticate() ) {" and the call to "findUser" in src/OpenIDConnect.php? The $oidc object should be provided as a parameter to hook handlers.

Cindy.cicalese (talkcontribs)

That is a great suggestion. Please feel free to create a feature request task for this in Phabricator (you can click the "Report a bug" link at the bottom of the sidebar on the extension page). I'll note that we're considering moving some common functionality from the plugins into the PluggableAuth extension, and this might be a candidate for that.

Reply to "Consume more user info details"
ShaunONeil (talkcontribs)

Is there any possibility to map oidc roles to wgGroupPermissions? I see I can add roles to the scopes on the request side, but I can't see a good spot to consume them.

Cindy.cicalese (talkcontribs)
ShaunONeil (talkcontribs)

It's difficult to ignore timing like that! Unfortunately I'm not clear on what value is expected to be configured as 'property', especially in relation to what(?) these 'wiki_roles' and 'global_roles' strings are (in populateGroups). They're passed off into a maze of array shifting that loses me like a circus cup game.


Would it be possible to see an example of the usage of this 'property' configuration and the corresponding json from the access code? I've tried setting 'property' to 'groups' and putting my role list in a claim groups, groups.global_roles, groups.wiki_roles, groups.global_roles.wiki_roles .. It looks like it's so close but just not clicking.

Cindy.cicalese (talkcontribs)

I've asked the patch author to comment here. I haven't had a chance to test the patch yet, so I don't know what the configuration is to be.

Heinebold (talkcontribs)

Hello @ShaunONeil, sorry for the weird array destructuring logic. It's due to the fact that I wanted it to work without caring about whatever nested structure the token json contains and if it gets deserialized as php arrays or objects.

Also sorry for how the code snippets below look, either this comment field or I are too dumb for this, but the important parts are formatted as expected.


I defined separate "wiki_roles" and "global_roles" because Keycloak, which I use, produces a token structure like this with both client-specific and global user roles.

For tokens looking like this:

{
  "typ": "Bearer",
  // all the other stuff,
  "realm_access": {
    "roles": [
      "admin",
      "jedi_master"
    ]
  },
  "resource_access": {
    "wiki": {
      "roles": [
        "editor",
        "admin"
      ]
    },
    "other.client": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  }
}

and assuming you're interested in the user's global roles and those specific to the "wiki" client, the OIDC Plugin config for your issuer should contain this:

$wgOpenIDConnect_Config['<your issuer>'] = [
   'clientID' => '...',
   // config as documented,
   'global_roles' => ['property' => ['realm_access', 'roles']],
   'wiki_roles' => ['property' => ['resource_access', 'wiki', 'roles']]
];

As a result, your user will have the following roles: oidc_admin, oidc_jedi_master, oidc_editor.

These roles are prefixed with oidc_ so that when logging in again with a different token, the plugin will know which roles to modify. Since these roles are coming from the token and thus are subject to change from outside your wiki, you might not want to directly assign rights to them, but rather use them in autopromote conditions. This allows you more easily to adapt to potential changes in your OIDC Issuer's roles.

If you want to add an additional prefix to either global or wiki-specific roles, you can configure it like this:

$wgOpenIDConnect_Config['<your issuer>'] = [
   'clientID' => '...',
   // config as documented,
   'global_roles' => [
       'property' => ['realm_access', 'roles'],
       'prefix' => 'global'
   ],
   'wiki_roles' => ['property' => ['resource_access', 'wiki', 'roles']]
];

resulting in these roles: oidc_globaladmin, oidc_globaljedi_master, oidc_editor, oidc_admin.

In this example, the user had only one "oidc_admin" role without an extra prefix, but two distinct roles now.


I will make full public documentation for this once the patch has been accepted. Until then, feel free to ask more questions here.
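
The mapping described in the post above, written out as an added example. It is not the code from the Gerrit change; the function names resolveProperty() and rolesToGroups() are hypothetical, and treating a string 'property' as a one-key path and a string claim as a single role are assumptions.

```php
<?php
// Added illustration of the role mapping described above. Function names are
// hypothetical; this is not the code from the Gerrit change.

/**
 * Follow a list of keys through nested arrays and/or stdClass objects,
 * so it does not matter how the token JSON was deserialized.
 */
function resolveProperty( $node, array $path ) {
	foreach ( $path as $key ) {
		if ( is_object( $node ) && property_exists( $node, $key ) ) {
			$node = $node->$key;
		} elseif ( is_array( $node ) && array_key_exists( $key, $node ) ) {
			$node = $node[$key];
		} else {
			return null; // claim absent: the caller treats this as "no roles"
		}
	}
	return $node;
}

/**
 * Turn the roles found under 'global_roles' and 'wiki_roles' into group
 * names of the form oidc_<prefix><role>. Duplicate names collapse to one.
 */
function rolesToGroups( $payload, array $issuerConfig ): array {
	$groups = [];
	foreach ( [ 'global_roles', 'wiki_roles' ] as $type ) {
		if ( !isset( $issuerConfig[$type]['property'] ) ) {
			continue;
		}
		// Assumption: a plain string is accepted as a path with one key.
		$path = (array)$issuerConfig[$type]['property'];
		$roles = resolveProperty( $payload, $path );
		if ( is_string( $roles ) ) {
			$roles = [ $roles ]; // assumption: a string claim is one role
		}
		if ( !is_array( $roles ) ) {
			continue; // missing claim or unexpected type: grant nothing
		}
		$prefix = 'oidc_' . ( $issuerConfig[$type]['prefix'] ?? '' );
		foreach ( $roles as $role ) {
			if ( is_string( $role ) && $role !== '' ) {
				$groups[$prefix . $role] = true;
			}
		}
	}
	return array_keys( $groups );
}

// Token payload from the post, without the elided claims.
$tokenJson = <<<'JSON'
{
  "typ": "Bearer",
  "realm_access": { "roles": [ "admin", "jedi_master" ] },
  "resource_access": {
    "wiki": { "roles": [ "editor", "admin" ] },
    "other.client": {
      "roles": [ "manage-account", "manage-account-links", "view-profile" ]
    }
  }
}
JSON;

// The two issuer configurations from the post (role keys only).
$plain = [
	'global_roles' => [ 'property' => [ 'realm_access', 'roles' ] ],
	'wiki_roles' => [ 'property' => [ 'resource_access', 'wiki', 'roles' ] ],
];
$prefixed = $plain;
$prefixed['global_roles']['prefix'] = 'global';

// Decoded once to objects and once to arrays; both forms are handled.
echo implode( ', ', rolesToGroups( json_decode( $tokenJson ), $plain ) ), "\n";
echo implode( ', ', rolesToGroups( json_decode( $tokenJson, true ), $prefixed ) ), "\n";

// A token without the configured claims yields no groups rather than an error.
var_dump( rolesToGroups( json_decode( '{"typ":"Bearer"}' ), $plain ) );
```

Roles under "other.client" are never read because no configured path points at them, so only the claims named in the issuer config can grant groups.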

ShaunONeil (talkcontribs)

Thanks both@Heinebold for the help so far!

It seems my configuration was a red herring (although it did need clarification, I had 'property'=>'nameofclaim', not global_roles=....)

However I seem to be hitting an entirely different issue. Many wfDebugLog later, I appear to be hitting line 371 in https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/OpenIDConnect/+/572199/2/src/OpenIDConnect.php

This causes getAccessToken() to return null, which causes line 314 to throw an exception, and without a sensible $config, we go downhill rapidly from there.

MW is release 1.34.0, PluggableAuth is master-4d68263 (9-feb), and oidc obviously 04dfc44 from this commit. I'm also testing against Keycloak 9.0.0.

Heinebold (talkcontribs)

Oh, yes I should have put a null check before line 314, thanks. That's what you get with happy path testing, I should really have been more careful.

As for the problem in 371, I might know an explanation and solution:

Could you compare the iss claim of your access token to the issuer you are using in the $wgOpenIDConnect_Config please? They need to match exactly, so you might be having trouble with a trailing slash or something like it, that's what happened to me.
I was thinking of somehow normalizing it, but putting heuristics in a security setting didn't sound wise. You should be able to just copy the issuer from the token into your config, but all users already associated with it will be broken. You can edit the database table, though, to change the issuer there as well.
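
A diagnostic for the issuer comparison described in the post above, as an added example that is not part of the extension or the patch. The function names and the idp.example.org issuer are constructed for illustration, and the token is unsigned sample data; the payload is decoded for inspection only, without any signature check.

```php
<?php
// Added diagnostic illustration; hypothetical helper names, constructed data.

/** Decode the payload segment of a JWT. No signature check: inspection only. */
function jwtPayload( string $jwt ): ?array {
	$parts = explode( '.', $jwt );
	if ( count( $parts ) !== 3 ) {
		return null; // not a three-part JWT; the token may be opaque
	}
	// base64url -> base64, then restore the padding that JWTs strip.
	$b64 = strtr( $parts[1], '-_', '+/' );
	$b64 .= str_repeat( '=', ( 4 - strlen( $b64 ) % 4 ) % 4 );
	$json = base64_decode( $b64, true );
	if ( $json === false ) {
		return null;
	}
	$claims = json_decode( $json, true );
	return is_array( $claims ) ? $claims : null;
}

/**
 * Compare the token's iss claim with the configured issuers, byte for byte.
 * A near miss is only reported, never accepted: the comparison stays exact.
 */
function checkIssuer( string $jwt, array $configuredIssuers ): string {
	$claims = jwtPayload( $jwt );
	if ( $claims === null || !isset( $claims['iss'] ) || !is_string( $claims['iss'] ) ) {
		return 'token has no readable iss claim';
	}
	$iss = $claims['iss'];
	if ( in_array( $iss, $configuredIssuers, true ) ) {
		return "exact match: '$iss'";
	}
	foreach ( $configuredIssuers as $configured ) {
		if ( rtrim( (string)$configured, '/' ) === rtrim( $iss, '/' ) ) {
			return "mismatch: config has '$configured', token has '$iss'"
				. ' (they differ only in the trailing slash)';
		}
	}
	return "mismatch: no configured issuer equals '$iss'";
}

/** Helper used only to build the constructed sample token below. */
function b64url( string $raw ): string {
	return rtrim( strtr( base64_encode( $raw ), '+/', '-_' ), '=' );
}

// Constructed sample: the issuer in the token has no trailing slash.
$token = b64url( '{"alg":"RS256","typ":"JWT"}' ) . '.'
	. b64url( json_encode( [
		'iss' => 'https://idp.example.org/auth/realms/test',
		'sub' => 'constructed-user',
	] ) )
	. '.' . b64url( 'not-a-real-signature' );

// Constructed config keyed by issuer, here with a trailing slash.
$wgOpenIDConnect_Config = [
	'https://idp.example.org/auth/realms/test/' => [ 'clientID' => '...' ],
];

echo checkIssuer( $token, array_keys( $wgOpenIDConnect_Config ) ), "\n";
echo checkIssuer( 'opaque-access-token', array_keys( $wgOpenIDConnect_Config ) ), "\n";
```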

ShaunONeil (talkcontribs)

Spot on with the trailing slash! My config has one, my access token doesn't. (This is all in a scratch VM at the moment, so my users won't mind!) And now the magic word, "oidc_testrealmrole". Thank you so much - I was expecting advice on which function I would be best to hook into, and instead got 95% of the solution on a silver platter.

Re the commit, if I had any suggestions at all, it'd be the use of wfDebugLog() .. this has proven valuable to a process that's difficult to snoop. Otherwise, I'm over the moon right now - this is exactly what I needed.

Cindy.cicalese (talkcontribs)

Wow, what more could I ask for? A patch to add a new feature and another user to test it!

I plan to test this myself. Have you tested with other identity providers than Keycloak? Do you anticipate that it would work with others?

ShaunONeil (talkcontribs)

Keeping in mind I'm less than a week into this project, and oidc in general, so I'm not a voice of experience:

I had an unsuccessful attempt with GitLab (community-edition, self-hosted) as I had it handy and I figured it's the least I can do. I did note the documentation on gitlab as an oidc provider states "Only the sub and sub_legacy claims are included in the ID token, all other claims are available from the /oauth/userinfo endpoint used by OIDC clients". I'm not 100% on whether "ID token" and "Access token" are the same thing, but this sounds very relevant. (I could also be way off, I've been unsuccessful in capturing the JWT to inspect.)


So this may be a limitation; it uses only the access token, and not the userinfo endpoint. In Keycloak, emitting claims in the token is a yes/no option for each claim. There's a lot less knobs to twiddle in GitLab.

This does appear to be the only real limitation, however. As long as the user (the one installing, not the end-user) can discover the names & members of the appropriate oidc claim, it does seem appropriate.


The only other possible limitation I discovered is that in Keycloak, the "Claim JSON Type" is a configurable option (default string, options json/int/bool/etc). I discovered json is very much not an acceptable option, it results in Pluggable's big red generic Fatal message. I'm not in a position to evaluate whether this is a problem, hurdle, or irrelevant for other providers.

I have to thank you both for your work here; I started down this path on Friday, had Authentication working on Saturday, and Authorization working on Tuesday. This is a fantastic result far beyond expectations for me!

Heinebold (talkcontribs)

I admit I haven't tested with other providers, and that I forgot that the roles might as well be only in the user info. I just needed the feature and thought, hey, I'm probably not alone, let's share it.

For querying the user info during group population, I'll have to have a closer look to the jumbojett lib and whether I can use it for this without restarting the authentication flow.

I'll definitely add that missing null check and some logging, if another change is ok with you @Cindy.cicalese

Cindy.cicalese (talkcontribs)

Of course, please feel free to continue working on it. In the meantime, I will try to find time to test. I usually use Google as my identity provider, so I'd like to see if there is a way to take advantage of this functionality in that environment.

Cindy.cicalese (talkcontribs)

Sorry I didn't have a chance to test this before, but I did just rebase and reformat it and tested the result. It works fine for my case with no roles defined. I'm still planning to poke around and see if I can make it work with another provider. But, in the meantime, are you both happy with the code as it currently exists? If so, I will go ahead and merge it. Then, if you could please add the documentation to the extension page, @Heinebold, that would be great. Thanks!

Heinebold (talkcontribs)

I am definitely happy with the current state, as I tailored it to my needs ;-) but I saw that there have been some changes on master that should be incorporated into this, which are not solved by a simple rebase alone.

I'll do these changes and commit them, so you can just merge it whenever you like.

As for getting the roles from userInfo instead of only the token, I'd say this will better be a separate change so we can get the basic functionality going.

Cindy.cicalese (talkcontribs)

OK, makes sense. Thank you.

Reply to "oidc roles"

Evolution of OpenId Connect Extension

BrunoPenso (talkcontribs)

Hi Team,


Since the problem reported on this page with the title "oidc_subject is null" I made an enhancement on the extension, but I couldn't find the github for the MediaWiki extension of OpenIDConnect.


The customization on the jumbojett (https://github.com/jumbojett/OpenID-Connect-PHP) is ready.


Can you help?

BrunoPenso (talkcontribs)
Cindy.cicalese (talkcontribs)

The OpenID Connect MediaWiki extension is maintained in Gerrit, not github. However, the change that you refer to needs to be made in the OpenID Connect PHP library that you link to above (https://github.com/jumbojett/OpenID-Connect-PHP), not in the OpenID Connect MediaWiki extension. The library is a separate project that is a dependency of the extension. Once the change is made in the library, the extension will be able to take advantage of it by updating the library version in the extension's composer.json file (https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/OpenIDConnect/+/master/composer.json#18).

BrunoPenso (talkcontribs)

Hi Cindy, the customization was made on the Mediawiki and php extension. How should I proceed?

Cindy.cicalese (talkcontribs)

I suggest submitting a pull request to go with the issue you submitted on github (https://github.com/jumbojett/OpenID-Connect-PHP/issues/189). This pull request should only include the changes to the requestUserInfo() function of OpenIDConnectClient.php. I see that you submitted another pull request that includes MediaWiki code, which should not be included (https://github.com/jumbojett/OpenID-Connect-PHP/pull/187/files). It should only include changes to OpenIDConnectClient.php. The MediaWiki code should not have to change.

Reply to "Evolution of OpenId Connect Extension"
Summary by BrunoPenso

After the heavy customization on the requestUserInfo method it worked.


I will go to an issue on the jumbojett github site.


Thanks for all the help.

BrunoPenso (talkcontribs)

Hi guys,

I'm trying to configure my mediawiki docker image to run with our OpenIdConnect server and I'm getting the error below. Can anyone help?

[8e83b5ad531a9b2e63de4d90] /index.php?title=Special:UserLogin&returnto=Main+Page Wikimedia\Rdbms\DBQueryError from line 1587 of /var/www/html/includes/libs/rdbms/database/Database.php: A database query error has occurred. Did you forget to run your application's database schema updater after upgrading? Query: INSERT INTO openid_connect` (oidc_user,oidc_subject,oidc_issuer) VALUES ('14',NULL,'mylinkhere') ON DUPLICATE KEY UPDATE oidc_subject = NULL,oidc_issuer = 'mylinkhere' Function: OpenIDConnect::saveExtraAttributes Error: 1048 Column 'oidc_subject' cannot be null (mediawiki-mysql)


On the composer file I'm using the version:

"jumbojett/openid-connect-php": "^0.8.0"

And i'm using the extensions:

  • OpenIDConnect-REL1_33-0467f7b.tar.gz
  • PluggableAuth-REL1_33-a69f626.tar.gz
BrunoPenso (talkcontribs)

I also tried to turn on the debug, but nothing got my attention. Here is the LocalSettings.php

$wgDebugLogFile = "/var/log/mediawiki/debug-{$wgDBname}.log";
$wgDebugComments = true;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;

wfLoadExtension( 'PluggableAuth' );
$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = false;
//The config below will not have effect since wgPluggableAuth_EnableLocalLogin is false
$wgPluggableAuth_ButtonLabel = 'Entrar com o Login';
$wgPluggableAuth_Class = "OpenIDConnect";
wfLoadExtension( 'OpenIDConnect' );
$wgOpenIDConnect_Config['mylinkhere'] = [
   'clientID' => 'myclientid',
   'clientsecret' => 'meclientsecret',
   'scope' => [ 'openid', 'profile','email']
];
$wgOpenIDConnect_UseEmailNameAsUserName = true;

!$wgDebugDBTransactions = true;
$wgShowExceptionDetails = true;
$wgDebugToolbar = true;
$wgDevelopmentWarnings = true;
$wgShowExceptionDetails = true;
$wgShowDBErrorBacktrace = true;
$wgShowSQLErrors = true;
$wgDebugToolbar = true;

$wgDBerrorLog = '/var/log/mediawiki/dberror.log';
$wgRateLimitLog = '/var/log/mediawiki/ratelimit.log';
$wgDebugLogGroups = array(
   'resourceloader' => '/var/log/mediawiki/resourceloader.log',
   'exception' => '/var/log/mediawiki/exception.log',
   'error' => '/var/log/mediawiki/error.log',
   #'exception-json' => '/var/log/mediawiki/exception.json',
   // Extra log groups from your extension
   #'myextension' => '/var/log/mediawiki/myextension.log',
   #'somegroup' => '/var/log/mediawiki/somegroup.log',
   'PluggableAuth' => '/var/log/mediawiki/pluggableAuth.log',
   'OpenID Connect' => '/var/log/mediawiki/openIdConnect.log',
   'OpenIDConnect' => '/var/log/mediawiki/openIdConnect.log',
);

error_reporting( -1 );
ini_set( 'display_errors', 1 );

Cindy.cicalese (talkcontribs)

Please show all lines from the debug log that begin with [PluggableAuth] or [OpenID Connect] (with any private information removed).

BrunoPenso (talkcontribs)

Hi see the result of the debug log tab.

[PluggableAuth] Real name and email address did not change.

[PluggableAuth] Getting PluggableAuth singleton

[PluggableAuth] Class name: OpenIDConnect


No more logs. I also checked the /var/log and have no information

Cindy.cicalese (talkcontribs)

My first suggestion would be to use the "master" versions of both extensions rather than the release branch versions, since both extensions follow the "master" compatibility policy.

Regardless, you should be seeing the debug statement issued at https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/OpenIDConnect/+/REL1_33/src/OpenIDConnect.php#167. There is currently no debugging in the saveExtraAttributes() function (https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/OpenIDConnect/+/REL1_33/src/OpenIDConnect.php#253) where the error is occurring. But, I would expect the value of "subject" there to match the value in the earlier debug statement. The fact that you are not getting debugging statements from OpenID Connect and that those are the only debugging statements you are getting from PluggableAuth seems suspicious.

Ah, you mention the debug log tab. If you are using the debug toolbar, you will only see the debugging statements for the current web request. You need to file the log file that you point to with $wgDebugLogFile. That will have the statements for all web requests.


BrunoPenso (talkcontribs)

Cindy,

There is no log file. Below is my LocalSettings.php. What do you think?

<code>
<?php
# This file was automatically generated by the MediaWiki 1.33.1
# installer. If you make manual changes, please keep track in case you
# need to recreate them later.
# See includes/DefaultSettings.php for all configurable settings
# and their default values, but don't forget to make changes in _this_
# file, not there.
# Further documentation for configuration settings may be found at:
# https://www.mediawiki.org/wiki/Manual:Configuration_settings

# Protect against web entry
if ( !defined( 'MEDIAWIKI' ) ) {
    exit;
}

## Uncomment this to disable output compression
# $wgDisableOutputCompression = true;

$wgSitename = "TI";
$wgMetaNamespace = "TI";

## The URL base path to the directory containing the wiki;
## defaults for all runtime URL paths are based off of this.
## For more information on customizing the URLs
## (like /w/index.php/Page_title to /wiki/Page_title) please see:
## https://www.mediawiki.org/wiki/Manual:Short_URL
$wgScriptPath = "";

## The protocol and server name to use in fully-qualified URLs

## The URL path to static resources (images, scripts, etc.)
$wgResourceBasePath = $wgScriptPath;

## The URL path to the logo. Make sure you change this from the default,
## or else you'll overwrite your logo when you upgrade!
$wgLogo = "$wgResourceBasePath/resources/assets/wiki.png";

## UPO means: this is also a user preference option
$wgEnableEmail = true;
$wgEnableUserEmail = false; # UPO

$wgEnotifUserTalk = false; # UPO
$wgEnotifWatchlist = false; # UPO
$wgEmailAuthentication = true;

# MySQL specific settings
$wgDBprefix = "";

# MySQL table options to use during installation or update
$wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=binary";

## Shared memory settings
$wgMainCacheType = CACHE_ACCEL;
$wgMemCachedServers = [];

## To enable image uploads, make sure the 'images' directory
## is writable, then set this to true:
$wgEnableUploads = false;
$wgUseImageMagick = true;
$wgImageMagickConvertCommand = "/usr/bin/convert";

# InstantCommons allows wiki to use images from https://commons.wikimedia.org
$wgUseInstantCommons = false;

# Periodically send a pingback to https://www.mediawiki.org/ with basic data
# about this MediaWiki instance. The Wikimedia Foundation shares this data
# with MediaWiki developers to help guide future development efforts.
$wgPingback = true;

## If you use ImageMagick (or any other shell command) on a
## Linux server, this will need to be set to the name of an
## available UTF-8 locale
$wgShellLocale = "C.UTF-8";

## Set $wgCacheDirectory to a writable directory on the web server
## to make your wiki go slightly faster. The directory should not
## be publicly accessible from the web.
# $wgCacheDirectory = "$IP/cache";

# Site language code, should be one of the list in ./languages/data/Names.php
$wgLanguageCode = "en";

# Changing this will log out all existing sessions.
$wgAuthenticationTokenVersion = "1";

# Site upgrade key. Must be set to a string (default provided) to turn on the
# web installer while LocalSettings.php is in place
$wgUpgradeKey = "62667dda13e1db58";

## For attaching licensing metadata to pages, and displaying an
## appropriate copyright notice / icon. GNU Free Documentation
## License and Creative Commons licenses are supported so far.
$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
$wgRightsUrl = "";
$wgRightsText = "";
$wgRightsIcon = "";

# Path to the GNU diff3 utility. Used for conflict resolution.
$wgDiff3 = "/usr/bin/diff3";

## Default skin: you can change the default skin. Use the internal symbolic
## names, ie 'vector', 'monobook':
$wgDefaultSkin = "vector";

# Enabled skins.
# The following skins were automatically enabled:
wfLoadSkin( 'MonoBook' );
wfLoadSkin( 'Timeless' );
wfLoadSkin( 'Vector' );

# Enabled extensions. Most of the extensions are enabled by adding
# wfLoadExtensions('ExtensionName');
# to LocalSettings.php. Check specific extension documentation for more details.
# The following extensions were automatically enabled:
wfLoadExtension( 'CodeEditor' );
wfLoadExtension( 'WikiEditor' );

# End of automatically generated settings.
# Add more configuration options below.
$wgDebugLogFile = "/var/log/mediawiki/debug-{$wgDBname}.log";
$wgDebugComments = true;
$wgAllowHTMLEmail=true;
$wgEnableEmail=true;
$wgEnableUserEmail=false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;

wfLoadExtension( 'PluggableAuth' );
$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = false;
//The config below will not have effect since wgPluggableAuth_EnableLocalLogin is false
$wgPluggableAuth_ButtonLabel = 'Entrar com o Login do XXX';
$wgPluggableAuth_Class = "OpenIDConnect";
wfLoadExtension( 'OpenIDConnect' );
$wgOpenIDConnect_Config['url'] = [
    'clientID' => 'id',
    'clientsecret' => 'secret',
    'scope' => [ 'openid', 'profile','email']
];
$wgOpenIDConnect_UseEmailNameAsUserName = true;

!$wgDebugDBTransactions = true;
$wgShowExceptionDetails = true;
$wgDebugToolbar = true;
$wgDevelopmentWarnings = true;
$wgShowExceptionDetails = true;
$wgShowDBErrorBacktrace = true;
$wgShowSQLErrors = true;
$wgDebugToolbar = true;

$wgDBerrorLog = '/var/log/mediawiki/dberror.log';
$wgRateLimitLog = '/var/log/mediawiki/ratelimit.log';
$wgDebugLogGroups = array(
    'resourceloader' => '/var/log/mediawiki/resourceloader.log',
    'exception' => '/var/log/mediawiki/exception.log',
    'error' => '/var/log/mediawiki/error.log',
    #'exception-json' => '/var/log/mediawiki/exception.json',
    // Extra log groups from your extension
    #'myextension' => '/var/log/mediawiki/myextension.log',
    #'somegroup' => '/var/log/mediawiki/somegroup.log',
    'PluggableAuth' => '/var/log/mediawiki/pluggableAuth.log',
    'OpenID Connect' => '/var/log/mediawiki/openIdConnect.log',
    'OpenIDConnect' => '/var/log/mediawiki/openIdConnect.log',
);

error_reporting( -1 );
ini_set( 'display_errors', 1 );
</code>

Cindy.cicalese (talkcontribs)

Does /var/log/mediawiki exist and is it writable by your web server? It is difficult for me to read the above with the formatting like that, but I don't see anything obviously wrong (except potentially an extra ! at the beginning of $wgDebugDBTransactions, but maybe that is a cut and paste error). You do not need separate logs for all of the logging types (i.e. $wgDebugLogGroups), and, in fact, it would be better to see the authentication errors in the combined log with the web requests to see the sequencing. But, since you cannot find any logs, that is moot.

BrunoPenso (talkcontribs)

Hi,

I finally managed to see the log files! \o/

Thanks for the tips above. Now I have 3 log files and I configured the wgDebugLogGroups to point to the same file.

About the "master" versions, I got the extensions from the link below, so I understand that this is the current available version. Am I right?

- https://www.mediawiki.org/wiki/Special:ExtensionDistributor/PluggableAuth

- https://www.mediawiki.org/wiki/Special:ExtensionDistributor/OpenIDConnect


Here is the log result:

2019-12-06 11:49:26 5a08ee3618ad mywiki: In execute()

2019-12-06 11:49:26 5a08ee3618ad mywiki: Getting PluggableAuth singleton

2019-12-06 11:49:26 5a08ee3618ad mywiki: Class name: OpenIDConnect

2019-12-06 11:49:26 5a08ee3618ad mywiki: Redirect URL: http://localhost:8081/index.php/Special:PluggableAuthLogin

2019-12-06 11:49:26 5a08ee3618ad mywiki: In execute()

2019-12-06 11:49:26 5a08ee3618ad mywiki: Getting PluggableAuth singleton

2019-12-06 11:49:26 5a08ee3618ad mywiki: Class name: OpenIDConnect

2019-12-06 11:49:26 5a08ee3618ad mywiki: Redirect URL: http://localhost:8081/index.php/Special:PluggableAuthLogin

2019-12-06 11:49:27 5a08ee3618ad mywiki: [ff73bc883cde9f196c80f5ad] /index.php/Special:PluggableAuthLogin?code=W5B5UBqUtkCYcavTHrVz9w.YHefWEJ61wiPDTUhSoyUO9RsftU.RETE8r1UP3FwG-b_SwRhYNVHXPsldjOaHpn-OKClvPx_aC2N6CkkXdpFhHnb7kbtTNHKFLd9w1-DGvOUnxaWkM14IGMfykHHQohS9Glt0d-daBdYXP5gm6PKLG5gpu3pNWHXUcSLcYvy_wiP4uoXZAQ-3QC59CB-6EffsqVKBm9gn6fL6OJc5jLNId-dcKtDjL3PiX-CKlvHiN9X_HReas_HWBhCx1irYeHrDY2jZKtYYIdwMsz7xeFq0C7T-mcqRH0-3APVMZyWKTA4zHDjUayAJgp1P1lk3dHEUO72OUaGUnX5EtBZiBt3VHNt3ttTDymBM3VBGB9EF_iTGunGTg&state=f6ec5b0b7bcebc3689d1380f1d5cd4f5 ErrorException from line 973 of /var/www/html/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php: PHP Warning: array_key_exists() expects parameter 2 to be array, null given

#0 [internal function]: MWExceptionHandler::handleError(integer, string, string, integer, array)
#1 /var/www/html/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(973): array_key_exists(string, NULL)
#2 /var/www/html/extensions/OpenIDConnect/src/OpenIDConnect.php(165): Jumbojett\OpenIDConnectClient->requestUserInfo(string)
#3 /var/www/html/extensions/PluggableAuth/includes/PluggableAuthLogin.php(31): OpenIDConnect->authenticate(NULL, NULL, NULL, NULL, NULL)
#4 /var/www/html/includes/specialpage/SpecialPage.php(569): PluggableAuthLogin->execute(NULL)
#5 /var/www/html/includes/specialpage/SpecialPageFactory.php(558): SpecialPage->run(NULL)
#6 /var/www/html/includes/MediaWiki.php(288): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#7 /var/www/html/includes/MediaWiki.php(865): MediaWiki->performRequest()
#8 /var/www/html/includes/MediaWiki.php(515): MediaWiki->main()
#9 /var/www/html/index.php(42): MediaWiki->run()
#10 {main}

2019-12-06 11:49:27 5a08ee3618ad mywiki: [ff73bc883cde9f196c80f5ad] /index.php/Special:PluggableAuthLogin?code=W5B5UBqUtkCYcavTHrVz9w.YHefWEJ61wiPDTUhSoyUO9RsftU.RETE8r1UP3FwG-b_SwRhYNVHXPsldjOaHpn-OKClvPx_aC2N6CkkXdpFhHnb7kbtTNHKFLd9w1-DGvOUnxaWkM14IGMfykHHQohS9Glt0d-daBdYXP5gm6PKLG5gpu3pNWHXUcSLcYvy_wiP4uoXZAQ-3QC59CB-6EffsqVKBm9gn6fL6OJc5jLNId-dcKtDjL3PiX-CKlvHiN9X_HReas_HWBhCx1irYeHrDY2jZKtYYIdwMsz7xeFq0C7T-mcqRH0-3APVMZyWKTA4zHDjUayAJgp1P1lk3dHEUO72OUaGUnX5EtBZiBt3VHNt3ttTDymBM3VBGB9EF_iTGunGTg&state=f6ec5b0b7bcebc3689d1380f1d5cd4f5 ErrorException from line 973 of /var/www/html/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php: PHP Warning: array_key_exists() expects parameter 2 to be array, null given

#0 [internal function]: MWExceptionHandler::handleError(integer, string, string, integer, array)
#1 /var/www/html/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(973): array_key_exists(string, NULL)
#2 /var/www/html/extensions/OpenIDConnect/src/OpenIDConnect.php(166): Jumbojett\OpenIDConnectClient->requestUserInfo(string)
#3 /var/www/html/extensions/PluggableAuth/includes/PluggableAuthLogin.php(31): OpenIDConnect->authenticate(NULL, NULL, NULL, NULL, NULL)
#4 /var/www/html/includes/specialpage/SpecialPage.php(569): PluggableAuthLogin->execute(NULL)
#5 /var/www/html/includes/specialpage/SpecialPageFactory.php(558): SpecialPage->run(NULL)
#6 /var/www/html/includes/MediaWiki.php(288): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#7 /var/www/html/includes/MediaWiki.php(865): MediaWiki->performRequest()
#8 /var/www/html/includes/MediaWiki.php(515): MediaWiki->main()
#9 /var/www/html/index.php(42): MediaWiki->run()
#10 {main}

2019-12-06 11:49:27 5a08ee3618ad mywiki: [ff73bc883cde9f196c80f5ad] /index.php/Special:PluggableAuthLogin?code=W5B5UBqUtkCYcavTHrVz9w.YHefWEJ61wiPDTUhSoyUO9RsftU.RETE8r1UP3FwG-b_SwRhYNVHXPsldjOaHpn-OKClvPx_aC2N6CkkXdpFhHnb7kbtTNHKFLd9w1-DGvOUnxaWkM14IGMfykHHQohS9Glt0d-daBdYXP5gm6PKLG5gpu3pNWHXUcSLcYvy_wiP4uoXZAQ-3QC59CB-6EffsqVKBm9gn6fL6OJc5jLNId-dcKtDjL3PiX-CKlvHiN9X_HReas_HWBhCx1irYeHrDY2jZKtYYIdwMsz7xeFq0C7T-mcqRH0-3APVMZyWKTA4zHDjUayAJgp1P1lk3dHEUO72OUaGUnX5EtBZiBt3VHNt3ttTDymBM3VBGB9EF_iTGunGTg&state=f6ec5b0b7bcebc3689d1380f1d5cd4f5 ErrorException from line 973 of /var/www/html/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php: PHP Warning: array_key_exists() expects parameter 2 to be array, null given

#0 [internal function]: MWExceptionHandler::handleError(integer, string, string, integer, array)
#1 /var/www/html/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(973): array_key_exists(string, NULL)
#2 /var/www/html/extensions/OpenIDConnect/src/OpenIDConnect.php(168): Jumbojett\OpenIDConnectClient->requestUserInfo(string)
#3 /var/www/html/extensions/PluggableAuth/includes/PluggableAuthLogin.php(31): OpenIDConnect->authenticate(NULL, NULL, NULL, NULL, NULL)
#4 /var/www/html/includes/specialpage/SpecialPage.php(569): PluggableAuthLogin->execute(NULL)
#5 /var/www/html/includes/specialpage/SpecialPageFactory.php(558): SpecialPage->run(NULL)
#6 /var/www/html/includes/MediaWiki.php(288): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#7 /var/www/html/includes/MediaWiki.php(865): MediaWiki->performRequest()
#8 /var/www/html/includes/MediaWiki.php(515): MediaWiki->main()
#9 /var/www/html/index.php(42): MediaWiki->run()
#10 {main}

2019-12-06 11:49:27 5a08ee3618ad mywiki: Real name: , Email: , Subject: , Issuer: https://mylink/adfs

2019-12-06 11:49:27 5a08ee3618ad mywiki: No user found with matching subject and issuer.

2019-12-06 11:49:27 5a08ee3618ad mywiki: [ff73bc883cde9f196c80f5ad] /index.php/Special:PluggableAuthLogin?code=W5B5UBqUtkCYcavTHrVz9w.YHefWEJ61wiPDTUhSoyUO9RsftU.RETE8r1UP3FwG-b_SwRhYNVHXPsldjOaHpn-OKClvPx_aC2N6CkkXdpFhHnb7kbtTNHKFLd9w1-DGvOUnxaWkM14IGMfykHHQohS9Glt0d-daBdYXP5gm6PKLG5gpu3pNWHXUcSLcYvy_wiP4uoXZAQ-3QC59CB-6EffsqVKBm9gn6fL6OJc5jLNId-dcKtDjL3PiX-CKlvHiN9X_HReas_HWBhCx1irYeHrDY2jZKtYYIdwMsz7xeFq0C7T-mcqRH0-3APVMZyWKTA4zHDjUayAJgp1P1lk3dHEUO72OUaGUnX5EtBZiBt3VHNt3ttTDymBM3VBGB9EF_iTGunGTg&state=f6ec5b0b7bcebc3689d1380f1d5cd4f5 ErrorException from line 973 of /var/www/html/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php: PHP Warning: array_key_exists() expects parameter 2 to be array, null given

#0 [internal function]: MWExceptionHandler::handleError(integer, string, string, integer, array)
#1 /var/www/html/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(973): array_key_exists(string, NULL)
#2 /var/www/html/extensions/OpenIDConnect/src/OpenIDConnect.php(327): Jumbojett\OpenIDConnectClient->requestUserInfo(string)
#3 /var/www/html/extensions/OpenIDConnect/src/OpenIDConnect.php(199): OpenIDConnect::getPreferredUsername(array, Jumbojett\OpenIDConnectClient, NULL, NULL)
#4 /var/www/html/extensions/PluggableAuth/includes/PluggableAuthLogin.php(31): OpenIDConnect->authenticate(NULL, NULL, NULL, NULL, NULL)
#5 /var/www/html/includes/specialpage/SpecialPage.php(569): PluggableAuthLogin->execute(NULL)
#6 /var/www/html/includes/specialpage/SpecialPageFactory.php(558): SpecialPage->run(NULL)
#7 /var/www/html/includes/MediaWiki.php(288): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#8 /var/www/html/includes/MediaWiki.php(865): MediaWiki->performRequest()
#9 /var/www/html/includes/MediaWiki.php(515): MediaWiki->main()
#10 /var/www/html/index.php(42): MediaWiki->run()
#11 {main}

2019-12-06 11:49:27 5a08ee3618ad mywiki: Preferred username:

2019-12-06 11:49:27 5a08ee3618ad mywiki: Available username: User

2019-12-06 11:49:27 5a08ee3618ad mywiki: Authenticated new user: User

2019-12-06 11:49:27 5a08ee3618ad mywiki: User is authorized.

2019-12-06 11:49:28 5a08ee3618ad mywiki: Real name and email address did not change.

2019-12-06 11:49:28 5a08ee3618ad mywiki: Getting PluggableAuth singleton

2019-12-06 11:49:28 5a08ee3618ad mywiki: Class name: OpenIDConnect

2019-12-06 11:49:28 5a08ee3618ad mywiki: aaaa

2019-12-06 11:49:28 5a08ee3618ad mywiki: [8fb10ca1191740ed32f3e795] /index.php?title=Special:UserLogin&returnto=Main+Page Wikimedia\Rdbms\DBQueryError from line 1587 of /var/www/html/includes/libs/rdbms/database/Database.php: A database query error has occurred. Did you forget to run your application's database schema updater after upgrading? Query: INSERT INTO `openid_connect` (oidc_user,oidc_subject,oidc_issuer) VALUES ('79',NULL,'https://mylink/adfs') ON DUPLICATE KEY UPDATE oidc_subject = NULL,oidc_issuer = 'https://mylink/adfs' Function: OpenIDConnect::saveExtraAttributes Error: 1048 Column 'oidc_subject' cannot be null (mediawiki-mysql)

#0 /var/www/html/includes/libs/rdbms/database/Database.php(1556): Wikimedia\Rdbms\Database->getQueryExceptionAndLog(string, integer, string, string)
#1 /var/www/html/includes/libs/rdbms/database/Database.php(1274): Wikimedia\Rdbms\Database->reportQueryError(string, integer, string, string, boolean)
#2 /var/www/html/includes/libs/rdbms/database/DatabaseMysqlBase.php(1380): Wikimedia\Rdbms\Database->query(string, string)
#3 /var/www/html/extensions/OpenIDConnect/src/OpenIDConnect.php(287): Wikimedia\Rdbms\DatabaseMysqlBase->upsert(string, array, array, array, string)
#4 /var/www/html/extensions/PluggableAuth/includes/PluggableAuthPrimaryAuthenticationProvider.php(125): OpenIDConnect->saveExtraAttributes(integer)
#5 /var/www/html/includes/auth/AuthManager.php(2444): PluggableAuthPrimaryAuthenticationProvider->autoCreatedAccount(User, string)
#6 /var/www/html/includes/auth/AuthManager.php(1743): MediaWiki\Auth\AuthManager->callMethodOnProviders(integer, string, array)
#7 /var/www/html/includes/auth/AuthManager.php(622): MediaWiki\Auth\AuthManager->autoCreateUser(User, string, boolean)
#8 /var/www/html/includes/specialpage/AuthManagerSpecialPage.php(355): MediaWiki\Auth\AuthManager->continueAuthentication(array)
#9 /var/www/html/includes/specialpage/AuthManagerSpecialPage.php(482): AuthManagerSpecialPage->performAuthenticationStep(string, array)
#10 /var/www/html/includes/htmlform/HTMLForm.php(660): AuthManagerSpecialPage->handleFormSubmit(array, VFormHTMLForm)
#11 /var/www/html/includes/specialpage/AuthManagerSpecialPage.php(416): HTMLForm->trySubmit()
#12 /var/www/html/includes/specialpage/LoginSignupSpecialPage.php(313): AuthManagerSpecialPage->trySubmit()
#13 /var/www/html/includes/specialpage/SpecialPage.php(569): LoginSignupSpecialPage->execute(NULL)
#14 /var/www/html/includes/specialpage/SpecialPageFactory.php(558): SpecialPage->run(NULL)
#15 /var/www/html/includes/MediaWiki.php(288): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#16 /var/www/html/includes/MediaWiki.php(865): MediaWiki->performRequest()
#17 /var/www/html/includes/MediaWiki.php(515): MediaWiki->main()
#18 /var/www/html/index.php(42): MediaWiki->run()
#19 {main}

2019-12-06 11:49:30 5a08ee3618ad mywiki: In execute()

2019-12-06 11:49:30 5a08ee3618ad mywiki: Getting PluggableAuth singleton

2019-12-06 11:49:30 5a08ee3618ad mywiki: Class name: OpenIDConnect

2019-12-06 11:49:30 5a08ee3618ad mywiki: Redirect URL: http://localhost:8081/index.php/Special:PluggableAuthLogin

2019-12-06 11:49:30 5a08ee3618ad mywiki: In execute()

2019-12-06 11:49:30 5a08ee3618ad mywiki: Getting PluggableAuth singleton

2019-12-06 11:49:30 5a08ee3618ad mywiki: Class name: OpenIDConnect

2019-12-06 11:49:30 5a08ee3618ad mywiki: Redirect URL: http://localhost:8081/index.php/Special:PluggableAuthLogin

2019-12-06 11:49:30 5a08ee3618ad mywiki: [ec80015cd1b0fd355991d57f] /index.php/Special:PluggableAuthLogin?code=W5B5UBqUtkCYcavTHrVz9w.o6LDWkJ61wiQDbe7DL1On919RoY.xezr4l8MeXzCiuVDYnhi3Btfwi1WOg6joBL_eT-DA1esNOhvnlOWiGRz4BY0GDZqUgrxAF8r0cRR4WB_jl07nXdErD8iUtZsI7s2sQZO3hVmpwvEZrRwkx4ahV48u0hao_C9E7S-sUZ8Kvtg3ovg6lLs4c0u37Ai7RSYTzHK2ukZXptZjTvh3OI4EZDc87St_9RUYMdgYyJh4G76pDdWq6fym8LvPp8Kr8Bp37VDg9TE56N-Gbp6aD_ireN9n-rvEYVn2PUf2YWcKclGQXqYZSLSetUHFF2d5G1RX-Kp2wSyRf6WhjlhSpbSKGkyYrc8c2-t1P-oZR7UDs0-DB2vkg&state=5415de77c35827ebb1c8f716c6e10855 ErrorException from line 973 of /var/www/html/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php: PHP Warning: array_key_exists() expects parameter 2 to be array, null given

#0 [internal function]: MWExceptionHandler::handleError(integer, string, string, integer, array)
#1 /var/www/html/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(973): array_key_exists(string, NULL)
#2 /var/www/html/extensions/OpenIDConnect/src/OpenIDConnect.php(165): Jumbojett\OpenIDConnectClient->requestUserInfo(string)
#3 /var/www/html/extensions/PluggableAuth/includes/PluggableAuthLogin.php(31): OpenIDConnect->authenticate(NULL, NULL, NULL, NULL, NULL)
#4 /var/www/html/includes/specialpage/SpecialPage.php(569): PluggableAuthLogin->execute(NULL)
#5 /var/www/html/includes/specialpage/SpecialPageFactory.php(558): SpecialPage->run(NULL)
#6 /var/www/html/includes/MediaWiki.php(288): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#7 /var/www/html/includes/MediaWiki.php(865): MediaWiki->performRequest()
#8 /var/www/html/includes/MediaWiki.php(515): MediaWiki->main()
#9 /var/www/html/index.php(42): MediaWiki->run()
#10 {main}

2019-12-06 11:49:30 5a08ee3618ad mywiki: [ec80015cd1b0fd355991d57f] /index.php/Special:PluggableAuthLogin?code=W5B5UBqUtkCYcavTHrVz9w.o6LDWkJ61wiQDbe7DL1On919RoY.xezr4l8MeXzCiuVDYnhi3Btfwi1WOg6joBL_eT-DA1esNOhvnlOWiGRz4BY0GDZqUgrxAF8r0cRR4WB_jl07nXdErD8iUtZsI7s2sQZO3hVmpwvEZrRwkx4ahV48u0hao_C9E7S-sUZ8Kvtg3ovg6lLs4c0u37Ai7RSYTzHK2ukZXptZjTvh3OI4EZDc87St_9RUYMdgYyJh4G76pDdWq6fym8LvPp8Kr8Bp37VDg9TE56N-Gbp6aD_ireN9n-rvEYVn2PUf2YWcKclGQXqYZSLSetUHFF2d5G1RX-Kp2wSyRf6WhjlhSpbSKGkyYrc8c2-t1P-oZR7UDs0-DB2vkg&state=5415de77c35827ebb1c8f716c6e10855 ErrorException from line 973 of /var/www/html/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php: PHP Warning: array_key_exists() expects parameter 2 to be array, null given

#0 [internal function]: MWExceptionHandler::handleError(integer, string, string, integer, array)
#1 /var/www/html/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(973): array_key_exists(string, NULL)
#2 /var/www/html/extensions/OpenIDConnect/src/OpenIDConnect.php(166): Jumbojett\OpenIDConnectClient->requestUserInfo(string)
#3 /var/www/html/extensions/PluggableAuth/includes/PluggableAuthLogin.php(31): OpenIDConnect->authenticate(NULL, NULL, NULL, NULL, NULL)
#4 /var/www/html/includes/specialpage/SpecialPage.php(569): PluggableAuthLogin->execute(NULL)
#5 /var/www/html/includes/specialpage/SpecialPageFactory.php(558): SpecialPage->run(NULL)
#6 /var/www/html/includes/MediaWiki.php(288): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#7 /var/www/html/includes/MediaWiki.php(865): MediaWiki->performRequest()
#8 /var/www/html/includes/MediaWiki.php(515): MediaWiki->main()
#9 /var/www/html/index.php(42): MediaWiki->run()
#10 {main}

2019-12-06 11:49:30 5a08ee3618ad mywiki: [ec80015cd1b0fd355991d57f] /index.php/Special:PluggableAuthLogin?code=W5B5UBqUtkCYcavTHrVz9w.o6LDWkJ61wiQDbe7DL1On919RoY.xezr4l8MeXzCiuVDYnhi3Btfwi1WOg6joBL_eT-DA1esNOhvnlOWiGRz4BY0GDZqUgrxAF8r0cRR4WB_jl07nXdErD8iUtZsI7s2sQZO3hVmpwvEZrRwkx4ahV48u0hao_C9E7S-sUZ8Kvtg3ovg6lLs4c0u37Ai7RSYTzHK2ukZXptZjTvh3OI4EZDc87St_9RUYMdgYyJh4G76pDdWq6fym8LvPp8Kr8Bp37VDg9TE56N-Gbp6aD_ireN9n-rvEYVn2PUf2YWcKclGQXqYZSLSetUHFF2d5G1RX-Kp2wSyRf6WhjlhSpbSKGkyYrc8c2-t1P-oZR7UDs0-DB2vkg&state=5415de77c35827ebb1c8f716c6e10855 ErrorException from line 973 of /var/www/html/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php: PHP Warning: array_key_exists() expects parameter 2 to be array, null given

#0 [internal function]: MWExceptionHandler::handleError(integer, string, string, integer, array)
#1 /var/www/html/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(973): array_key_exists(string, NULL)
#2 /var/www/html/extensions/OpenIDConnect/src/OpenIDConnect.php(168): Jumbojett\OpenIDConnectClient->requestUserInfo(string)
#3 /var/www/html/extensions/PluggableAuth/includes/PluggableAuthLogin.php(31): OpenIDConnect->authenticate(NULL, NULL, NULL, NULL, NULL)
#4 /var/www/html/includes/specialpage/SpecialPage.php(569): PluggableAuthLogin->execute(NULL)
#5 /var/www/html/includes/specialpage/SpecialPageFactory.php(558): SpecialPage->run(NULL)
#6 /var/www/html/includes/MediaWiki.php(288): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#7 /var/www/html/includes/MediaWiki.php(865): MediaWiki->performRequest()
#8 /var/www/html/includes/MediaWiki.php(515): MediaWiki->main()
#9 /var/www/html/index.php(42): MediaWiki->run()
#10 {main}

2019-12-06 11:49:30 5a08ee3618ad mywiki: Real name: , Email: , Subject: , Issuer: https://mylink/adfs

2019-12-06 11:49:30 5a08ee3618ad mywiki: No user found with matching subject and issuer.

2019-12-06 11:49:30 5a08ee3618ad mywiki: [ec80015cd1b0fd355991d57f] /index.php/Special:PluggableAuthLogin?code=W5B5UBqUtkCYcavTHrVz9w.o6LDWkJ61wiQDbe7DL1On919RoY.xezr4l8MeXzCiuVDYnhi3Btfwi1WOg6joBL_eT-DA1esNOhvnlOWiGRz4BY0GDZqUgrxAF8r0cRR4WB_jl07nXdErD8iUtZsI7s2sQZO3hVmpwvEZrRwkx4ahV48u0hao_C9E7S-sUZ8Kvtg3ovg6lLs4c0u37Ai7RSYTzHK2ukZXptZjTvh3OI4EZDc87St_9RUYMdgYyJh4G76pDdWq6fym8LvPp8Kr8Bp37VDg9TE56N-Gbp6aD_ireN9n-rvEYVn2PUf2YWcKclGQXqYZSLSetUHFF2d5G1RX-Kp2wSyRf6WhjlhSpbSKGkyYrc8c2-t1P-oZR7UDs0-DB2vkg&state=5415de77c35827ebb1c8f716c6e10855 ErrorException from line 973 of /var/www/html/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php: PHP Warning: array_key_exists() expects parameter 2 to be array, null given

#0 [internal function]: MWExceptionHandler::handleError(integer, string, string, integer, array)
#1 /var/www/html/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(973): array_key_exists(string, NULL)
#2 /var/www/html/extensions/OpenIDConnect/src/OpenIDConnect.php(327): Jumbojett\OpenIDConnectClient->requestUserInfo(string)
#3 /var/www/html/extensions/OpenIDConnect/src/OpenIDConnect.php(199): OpenIDConnect::getPreferredUsername(array, Jumbojett\OpenIDConnectClient, NULL, NULL)
#4 /var/www/html/extensions/PluggableAuth/includes/PluggableAuthLogin.php(31): OpenIDConnect->authenticate(NULL, NULL, NULL, NULL, NULL)
#5 /var/www/html/includes/specialpage/SpecialPage.php(569): PluggableAuthLogin->execute(NULL)
#6 /var/www/html/includes/specialpage/SpecialPageFactory.php(558): SpecialPage->run(NULL)
#7 /var/www/html/includes/MediaWiki.php(288): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#8 /var/www/html/includes/MediaWiki.php(865): MediaWiki->performRequest()
#9 /var/www/html/includes/MediaWiki.php(515): MediaWiki->main()
#10 /var/www/html/index.php(42): MediaWiki->run()
#11 {main}

2019-12-06 11:49:30 5a08ee3618ad mywiki: Preferred username:

2019-12-06 11:49:30 5a08ee3618ad mywiki: Available username: User

2019-12-06 11:49:30 5a08ee3618ad mywiki: Authenticated new user: User

2019-12-06 11:49:31 5a08ee3618ad mywiki: User is authorized.

2019-12-06 11:49:32 5a08ee3618ad mywiki: Real name and email address did not change.

2019-12-06 11:49:32 5a08ee3618ad mywiki: Getting PluggableAuth singleton

2019-12-06 11:49:32 5a08ee3618ad mywiki: Class name: OpenIDConnect

2019-12-06 11:49:32 5a08ee3618ad mywiki: aaaa

2019-12-06 11:49:32 5a08ee3618ad mywiki: [8da4766397b93b78864e9c76] /index.php?title=Special:UserLogin&returnto=Main+Page Wikimedia\Rdbms\DBQueryError from line 1587 of /var/www/html/includes/libs/rdbms/database/Database.php: A database query error has occurred. Did you forget to run your application's database schema updater after upgrading? Query: INSERT INTO `openid_connect` (oidc_user,oidc_subject,oidc_issuer) VALUES ('80',NULL,'https://mylink/adfs') ON DUPLICATE KEY UPDATE oidc_subject = NULL,oidc_issuer = 'https://mylink/adfs' Function: OpenIDConnect::saveExtraAttributes Error: 1048 Column 'oidc_subject' cannot be null (mediawiki-mysql)

#0 /var/www/html/includes/libs/rdbms/database/Database.php(1556): Wikimedia\Rdbms\Database->getQueryExceptionAndLog(string, integer, string, string)
#1 /var/www/html/includes/libs/rdbms/database/Database.php(1274): Wikimedia\Rdbms\Database->reportQueryError(string, integer, string, string, boolean)
#2 /var/www/html/includes/libs/rdbms/database/DatabaseMysqlBase.php(1380): Wikimedia\Rdbms\Database->query(string, string)
#3 /var/www/html/extensions/OpenIDConnect/src/OpenIDConnect.php(287): Wikimedia\Rdbms\DatabaseMysqlBase->upsert(string, array, array, array, string)
#4 /var/www/html/extensions/PluggableAuth/includes/PluggableAuthPrimaryAuthenticationProvider.php(125): OpenIDConnect->saveExtraAttributes(integer)
#5 /var/www/html/includes/auth/AuthManager.php(2444): PluggableAuthPrimaryAuthenticationProvider->autoCreatedAccount(User, string)
#6 /var/www/html/includes/auth/AuthManager.php(1743): MediaWiki\Auth\AuthManager->callMethodOnProviders(integer, string, array)
#7 /var/www/html/includes/auth/AuthManager.php(622): MediaWiki\Auth\AuthManager->autoCreateUser(User, string, boolean)
#8 /var/www/html/includes/specialpage/AuthManagerSpecialPage.php(355): MediaWiki\Auth\AuthManager->continueAuthentication(array)
#9 /var/www/html/includes/specialpage/AuthManagerSpecialPage.php(482): AuthManagerSpecialPage->performAuthenticationStep(string, array)
#10 /var/www/html/includes/htmlform/HTMLForm.php(660): AuthManagerSpecialPage->handleFormSubmit(array, VFormHTMLForm)
#11 /var/www/html/includes/specialpage/AuthManagerSpecialPage.php(416): HTMLForm->trySubmit()
#12 /var/www/html/includes/specialpage/LoginSignupSpecialPage.php(313): AuthManagerSpecialPage->trySubmit()
#13 /var/www/html/includes/specialpage/SpecialPage.php(569): LoginSignupSpecialPage->execute(NULL)
#14 /var/www/html/includes/specialpage/SpecialPageFactory.php(558): SpecialPage->run(NULL)
#15 /var/www/html/includes/MediaWiki.php(288): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#16 /var/www/html/includes/MediaWiki.php(865): MediaWiki->performRequest()
#17 /var/www/html/includes/MediaWiki.php(515): MediaWiki->main()
#18 /var/www/html/index.php(42): MediaWiki->run()
#19 {main}

BrunoPenso (talkcontribs)

One thing I notice and I'm not sure if it is related to the problem is:

"Available username: User"

The extension is not recognizing my user from OpenID (email, realname, ...)

BrunoPenso (talkcontribs)

Some more errors:

Fri Dec 6 11:49:28 UTC 2019 5a08ee3618ad mywiki OpenIDConnect::saveExtraAttributes mediawiki-mysql 1048 Column 'oidc_subject' cannot be null (mediawiki-mysql) INSERT INTO `openid_connect` (oidc_user,oidc_subject,oidc_issuer) VALUES ('79',NULL,'https://mylink/adfs') ON DUPLICATE KEY UPDATE oidc_subject = NULL,oidc_issuer = 'https://mylink/adfs'

Fri Dec 6 11:49:28 UTC 2019 5a08ee3618ad mywiki OpenIDConnect::saveExtraAttributes mediawiki-mysql 1048 Column 'oidc_subject' cannot be null (mediawiki-mysql) INSERT INTO `openid_connect` (oidc_user,oidc_subject,oidc_issuer) VALUES ('79',NULL,'https://mylink/adfs') ON DUPLICATE KEY UPDATE oidc_subject = NULL,oidc_issuer = 'https://mylink/adfs'

Fri Dec 6 11:49:32 UTC 2019 5a08ee3618ad mywiki OpenIDConnect::saveExtraAttributes mediawiki-mysql 1048 Column 'oidc_subject' cannot be null (mediawiki-mysql) INSERT INTO `openid_connect` (oidc_user,oidc_subject,oidc_issuer) VALUES ('80',NULL,'https://mylink/adfs') ON DUPLICATE KEY UPDATE oidc_subject = NULL,oidc_issuer = 'https://mylink/adfs'

Fri Dec 6 11:49:32 UTC 2019 5a08ee3618ad mywiki OpenIDConnect::saveExtraAttributes mediawiki-mysql 1048 Column 'oidc_subject' cannot be null (mediawiki-mysql) INSERT INTO `openid_connect` (oidc_user,oidc_subject,oidc_issuer) VALUES ('80',NULL,'https://mylink/adfs') ON DUPLICATE KEY UPDATE oidc_subject = NULL,oidc_issuer = 'https://mylink/adfs'


Cindy.cicalese (talkcontribs)

The root of the problem appears to be:


ErrorException from line 973 of /var/www/html/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php: PHP Warning: array_key_exists() expects parameter 2 to be array, null given


Looking at the code in the library, it appears to be having trouble getting the user information from the user information endpoint. It sounds like a configuration problem to me, but you could try adding some additional debugging in the requestUserInfo() function in /var/www/html/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php.

BrunoPenso (talkcontribs)

Hi,


I added some logs. Here is the code:

<code>
public function requestUserInfo($attribute = null) {
    wfDebugLog( 'PluggableAuth', 'attr '.$attribute);

    $user_info_endpoint = $this->getProviderConfigValue("userinfo_endpoint");
    wfDebugLog( 'PluggableAuth', 'endpoint '.$user_info_endpoint );

    $schema = 'openid';
    $user_info_endpoint .= "?schema=" . $schema;
    wfDebugLog( 'PluggableAuth', 'endpoint1 '.$user_info_endpoint);

    //The accessToken has to be sent in the Authorization header, so we create a new array with only this header.
    $headers = array("Authorization: Bearer {$this->accessToken}");
    wfDebugLog( 'PluggableAuth', 'access token '.$this->accessToken);

    $jsonTemp = $this->fetchURL($user_info_endpoint, null, $headers);
    $user_json = json_decode($jsonTemp);
    #$user_json = json_decode($this->fetchURL($user_info_endpoint,null,$headers));
    wfDebugLog( 'PluggableAuth', 'user json '.$jsonTemp);

    $this->userInfo = $user_json;

    if($attribute === null) {
        return $this->userInfo;
    } else if (array_key_exists($attribute, $this->userInfo)) {
        return $this->userInfo->$attribute;
    } else {
        return null;
    }
}
</code>


Here are the logs:

<code>

2019-12-09 00:36:34 5a08ee3618ad mywiki: attr sub
2019-12-09 00:36:34 5a08ee3618ad mywiki: endpoint https://mylink/adfs/userinfo
2019-12-09 00:36:34 5a08ee3618ad mywiki: endpoint1 https://mylink/adfs/userinfo?schema=openid
2019-12-09 00:36:34 5a08ee3618ad mywiki: access token tokenValue
2019-12-09 00:36:34 5a08ee3618ad mywiki: user json

</code>


So what I understand is that nothing is being returned from https://mylink/adfs/userinfo?schema=openid. But I haven't managed to work out what the HTTP response code is yet.


Any idea?

BrunoPenso (talkcontribs)

I managed to find out that the HTTP response code is 401. Do you know where the tokenValue is generated?

Cindy.cicalese (talkcontribs)
189.86.220.160 (talkcontribs)

Hi Cindy,


I finally understand the entire process. Please help me with the situation:

- In the beginning of the OpenID protocol, the requests were made to this URL: mylink/userinfo?schema=openid

- But with the modern OpenID tools it looks like (I'm not totally sure) this userInfo path is not working, because the access_token and id_token have all the necessary information. It is just a matter of opening the JWT token and getting the information.


Considering that, I'm not sure what the correct place to fix it is, because the method requestUserInfo is called by the extension.


Do you have any idea?

BrunoPenso (talkcontribs)

Hi, I finally managed to get it to work, but with a heavy change. Look at the first 15 lines.


<code>

    public function requestUserInfo($attribute = null) {
        wfDebugLog( 'PluggableAuth', 'attr '.$attribute);
        if ($attribute == "preferred_username") {
            $attribute = "email";
        }
        if (($attribute == "name" || $attribute == "email") && $this->getAccessTokenPayload() <> '') {
            $v = $this->getAccessTokenPayload()->{$attribute};
            return $v;
        }
        if (($attribute == "sub") && $this->getIdTokenPayload() <> '') {
            $v = $this->getIdTokenPayload()->{$attribute};
            return $v;
        }

        $user_info_endpoint = $this->getProviderConfigValue("userinfo_endpoint");
        $schema = 'openid';
        $user_info_endpoint .= "?schema=" . $schema;

        // The accessToken has to be sent in the Authorization header, so we create a new array with only this header.
        $headers = array("Authorization: Bearer {$this->accessToken}");

        $jsonTemp = $this->fetchURL($user_info_endpoint, null, $headers);
        $code = (int)$this->getResponseCode();
        if ($code >= 300 || $code <= 100) {
            throw new OpenIDConnectClientException('The communication to retrieve user data has failed with status code '.$code);
        }

        $user_json = json_decode($jsonTemp);
        #$user_json = json_decode($this->fetchURL($user_info_endpoint,null,$headers));

        $this->userInfo = $user_json;

        if($attribute === null) {
            return $this->userInfo;
        } else if (array_key_exists($attribute, $this->userInfo)) {
            return $this->userInfo->$attribute;
        } else {
            return null;
        }
    }

</code>
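
The null-safe claim lookup this thread circles around, as an added example (not code from the extension, the jumbojett library, or any poster): it reads `sub` from an ID token the client has already validated, falls back to the UserInfo response, and refuses a missing subject instead of passing NULL on to the `oidc_subject` column. The names `jwtPayload` and `resolveClaim`, the issuer URL and the sample token are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Decode the payload (second segment) of a compact JWT. No signature check here:
// only call this on a token the OIDC client has already validated.
function jwtPayload(string $jwt): ?stdClass
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null; // opaque or malformed token
    }
    $b64 = strtr($parts[1], '-_', '+/');                 // base64url -> base64
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4); // restore padding
    $json = base64_decode($b64, true);
    if ($json === false) {
        return null;
    }
    $claims = json_decode($json);
    return $claims instanceof stdClass ? $claims : null;
}

// Look up a claim in the ID token first, then in the UserInfo response.
// Either source may be null (for example when UserInfo answered 401).
function resolveClaim(string $name, ?stdClass $idToken, ?stdClass $userInfo)
{
    foreach ([$idToken, $userInfo] as $source) {
        if ($source !== null && property_exists($source, $name)) {
            return $source->$name;
        }
    }
    return null;
}

// Constructed sample token (signature segment left empty for the demo);
// the UserInfo call is assumed to have failed, so its decoded body is null.
$enc = fn(array $a): string => rtrim(strtr(base64_encode(json_encode($a)), '+/', '-_'), '=');
$idToken = $enc(['alg' => 'RS256']) . '.'
    . $enc(['sub' => 'demo-subject', 'iss' => 'https://idp.example/adfs']) . '.';

$claims = jwtPayload($idToken);
$sub = resolveClaim('sub', $claims, null);
if (!is_string($sub) || $sub === '') {
    // Fail closed rather than hand a NULL subject to the account-mapping table.
    throw new RuntimeException('ID token carries no usable sub claim');
}
echo "sub=$sub email=" . var_export(resolveClaim('email', $claims, null), true) . "\n";
```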

Cindy.cicalese (talkcontribs)

That is a relatively substantial change, but perhaps it is necessary. I feel bad suggesting this, since you started with an issue report on that site and I suggested that you move the conversation here, but this does sound like something that should be handled in the library rather than having the client need to know about the details of where the particular attributes should be fetched from. It seems that this should be abstracted away from the client code. You could open another issue there or reopen the one that you closed and point to this discussion here.

Mdmallardi (talkcontribs)

Hi, is there any way to remember the user's session login using this plugin?

Cindy.cicalese (talkcontribs)
Reply to "'Remember Me' feature"