Extension talk:OpenID Connect/2023
This page used the Structured Discussions extension to give structured discussions. It has since been converted to wikitext, so the content and history here are only an approximation of what was actually displayed at the time these comments were made.
When reporting an error, please be sure to include version information for MediaWiki and all relevant extensions as well as configuration information. Also, please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log.
Wrong encoding of Authorization header
The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.
The header is generated by url encoding the username and password before base64 encoding. This is wrong and may result in authentication errors with special characters within username or credentials.
See requestTokens() and others in /var/www/mediawiki/w/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php 130.180.127.74 (talk) 01:39, 23 January 2023 (UTC)
- For issues with the OpenID Connect library, please report/discuss them at https://github.com/jumbojett/OpenID-Connect-PHP/. Cindy.cicalese (talk) 01:51, 23 January 2023 (UTC)
Configuration does not get applied
Hello,
I am relatively new here; I hope I provide all the information needed to get some helpful tips. We are running a MediaWiki 1.35 in a local company network. Right now it's running on http, but we will upgrade to https soon, I hope. Anyway, I am trying to connect to our organization's OpenIDConnect server, but I am having some difficulties I could not find in any other discussion, and since I am super new to web applications, I am also not so familiar with interpreting the debug log.
I believe my problem is quite basic because my configuration from the LocalSettings.php doesn't seem to get applied at all; the button label does not even change, but I am a bit lost on where to look or how to debug.
This is my LocalSettings.php configuration:
$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'buttonLabelMessage' => 'Login with XXX-Account',
        'providerURL' => '/XXXX/auth/realms/XXXX',
        'clientID' => '*****',
        'clientsecret' => '*****',
        'scope' => ['openid', 'profile', 'email'],
        'name' => 'XXX-Account'
    ]
];
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgPluggableAuth_EnableAutoLogin = false; # only for private wikis
$wgPluggableAuth_EnableLocalLogin = true;
$wgOpenIDConnect_UseRealNameAsUserName = true;
$wgOpenIDConnect_UseEmailNameAsUserName = true;
$wgOpenIDConnect_MigrateUsersByUserName = true;
# Allow the '@' symbol and colons in usernames, since the
$wgInvalidUsernameCharacters = '';
The Plugins seem to be installed correctly Special:Version Page shows:
OpenIDConnect uses Version: 5.4 (5fdef5d)
PluggableAuth uses Version: 5.7 (6d28813)
I guess this is because I am running the wiki on version 1.35 and therefore version 6 is not used when selecting the download package for 1.35? The compatibility should be fine; according to the matrix, 5.4 should work with 5.7, right?
Due to my lack of experience I am not sure which part of the Debug Log is useful, therefore: I copied some parts in here, but can provide more. This is the log when clicking on the "Login with PluggableAuth" which should look like "Login with XXX-Account"
Parts of the debug output:
************
Start request GET /index.php?title=Special:UserLogin&returnto=Special%3ASpecialPages
IP: 172.22.0.3
HTTP HEADERS:
HOST: 141.52.60.39
X-FORWARDED-SCHEME: http
X-FORWARDED-PROTO: http
X-FORWARDED-FOR: 172.30.77.218
X-REAL-IP: 172.30.77.218
CONNECTION: close
USER-AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
ACCEPT-LANGUAGE: de,en-US;q=0.7,en;q=0.3
ACCEPT-ENCODING: gzip, deflate
REFERER: *****/index.php?title=Special:UserLogin&returnto=Special%3ASpecialPages
DNT: 1
UPGRADE-INSECURE-REQUESTS: 1
SEC-GPC: 1
.....
....
....
[session] SessionBackend "kct5tduue74u3eqvca6e5deor76almu5" data dirty due to dirty(): AuthManagerSpecialPage->handleReturnBeforeExecute/MediaWiki\Auth\AuthManager->removeAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty
[session] SessionBackend "kct5tduue74u3eqvca6e5deor76almu5" save: dataDirty=1 metaDirty=0 forcePersist=0
[MessageCache] MessageCache using store APCUBagOStuff
[MessageCache] MessageCache::load: Loading en... local cache is empty, got from global cache
[DBQuery] LCStoreDB::get [0s] 172.23.0.2: SELECT lc_value FROM `l10n_cache` WHERE lc_lang = 'en' AND lc_key = 'messages:loginreqlink' LIMIT 1
[DBQuery] LCStoreDB::get [0s] 172.23.0.2: SELECT lc_value FROM `l10n_cache` WHERE lc_lang = 'en' AND lc_key = 'messages:login' LIMIT 1
ParserFactory: using default preprocessor
[DBQuery] LCStoreDB::get [0s] 172.23.0.2: SELECT lc_value FROM `l10n_cache` WHERE lc_lang = 'en' AND lc_key = 'magicWords' LIMIT 1
Unstubbing $wgLang on call of $wgLang::unstub from ParserOptions->__construct
[DBQuery] LCStoreDB::get [0s] 172.23.0.2: SELECT lc_value FROM `l10n_cache` WHERE lc_lang = 'en' AND lc_key = 'messages:createacct-helpusername' LIMIT 1
[DBQuery] LCStoreDB::get [0s] 172.23.0.2: SELECT lc_value FROM `l10n_cache` WHERE lc_lang = 'en' AND lc_key = 'messages:userlogin-yourname' LIMIT 1
[DBQuery] LCStoreDB::get [0s] 172.23.0.2: SELECT lc_value FROM `l10n_cache` WHERE lc_lang = 'en' AND lc_key = 'messages:pt-login-continue-button' LIMIT 1
[DBQuery] LCStoreDB::get [0s] 172.23.0.2: SELECT lc_value FROM `l10n_cache` WHERE lc_lang = 'en' AND lc_key = 'messages:helplogin-url' LIMIT 1
[DBQuery] LCStoreDB::get [0s] 172.23.0.2: SELECT lc_value FROM `l10n_cache` WHERE lc_lang = 'en' AND lc_key = 'messages:userlogin-helplink2' LIMIT 1
[session] SessionBackend "kct5tduue74u3eqvca6e5deor76almu5" data dirty due to dirty(): PluggableAuthPrimaryAuthenticationProvider->continuePrimaryAuthentication/MediaWiki\Auth\AuthManager->removeAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty
[authentication] Login failed in primary authentication by PluggableAuthPrimaryAuthenticationProvider
[DBQuery] LCStoreDB::get [0s] 172.23.0.2: SELECT lc_value FROM `l10n_cache` WHERE lc_lang = 'en' AND lc_key = 'messages:title-invalid-empty' LIMIT 1
[session] SessionBackend "kct5tduue74u3eqvca6e5deor76almu5" data dirty due to dirty(): AuthManagerSpecialPage->handleFormSubmit/AuthManagerSpecialPage->performAuthenticationStep/MediaWiki\Auth\AuthManager->continueAuthentication/MediaWiki\Session\Session->remove/MediaWiki\Session\SessionBackend->dirty
[session] SessionBackend "kct5tduue74u3eqvca6e5deor76almu5" save: dataDirty=1 metaDirty=0 forcePersist=0
[authevents] Login attempt
************************
It would be great if anyone has an idea on why my configuration is not getting applied, meaning neither the URL redirect when clicking the button is applied nor the button label etc. works. I followed all the steps in the installation process with the dependencies and so on, but now I am a bit clueless. I stumbled across this: Extension:PluggableAuth#Creating an authentication plugin, but I guess it's only if I want to create a new plugin and not use an existing one.
Help is greatly appreciated!
All the Best EinsForest (talk) 12:55, 23 January 2023 (UTC)
- You are using PluggableAuth version 5.7 but are using the config settings ($wgPluggableAuth_Config) for PluggableAuth version 6.x. See Extension:PluggableAuth#Configuration. However, it is likely that you will have issues trying to run without HTTPS. Cindy.cicalese (talk) 14:43, 23 January 2023 (UTC)
- Oh well, that's my bad! Thanks for the hint.
- Are there any known security issues when running version > 6.x on MediaWiki 1.35? I just installed it and it doesn't seem to break the site. HTTPS is in the making and hopefully I can make it work afterwards :)
- Thanks a lot! EinsForest (talk) 07:49, 24 January 2023 (UTC)
- Great. No, no known security issues. Cindy.cicalese (talk) 15:56, 24 January 2023 (UTC)
- Many thanks for your answers again. The login now works fine even with http only; it just needs the correct redirect URL at the provider. Https is in the making anyway.
- Cheers! EinsForest (talk) 22:18, 25 January 2023 (UTC)
IDP based username
Hi,
We have a deployment up and running with MediaWiki 1.38.4 with PluggableAuth 6.1 and OpenID Connect 6.1. Login of existing and registration of new users is working. Even setting usernames with preferred_username is working as expected.
We have now got to the point where we want to connect an external OIDC IdP, which also worked. However, we want to add a custom string to their usernames, so it would look something like "John Doe (External)". This is where the problems occur. I tried some things which would adhere to the requirements listed below but was without success so far.
A preferred solution should just include some settings in LocalSettings.php to easily add more IdPs without setting something on the IdP side. Other MediaWiki-server-side adjustments are fine, as long as they would work with multiple providers. Adjustments on the side of the IdP should be as universally usable as possible, e.g. adding an extra claim and concatenating it with the 'name' claim in MediaWiki.
Is there a (simple) way to do this?
Any help is appreciated.
Thanks,
Stetit Dolor Stetit Dolor (talk) 20:54, 26 February 2023 (UTC)
- Thank you for your question. There is currently no way to do this for the OpenID Connect extension, but that functionality could be added in a future release. For example, there is currently similar functionality in the SimpleSAMLphp extension that could be added here. You could take a look at Extension:SimpleSAMLphp#Define custom user info provider and see if that would be sufficient for your purposes. If so, please feel free to file a feature request at https://phabricator.wikimedia.org/tag/mediawiki-extensions-openid-connect/. Cindy.cicalese (talk) 04:26, 28 February 2023 (UTC)
HTTP code 502 after clicking on "login"
Hi,
I used this extension to connect my MediaWiki Docker container with a Keycloak container. I tried the steps described in the documentation, but unfortunately it doesn't seem to work. When I click on "login" inside MediaWiki, the site loads for around one minute and then gives me an error stating "fatal error during user authentication" (not exact words, my wiki is in German). The debug log returns the following error:
[OpenIDConnect] Jumbojett\OpenIDConnectClientException: Curl error: (56) Received HTTP code 502 from proxy after CONNECT in /var/www/html/w/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php:1232
Stack trace:
#0 /var/www/html/w/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(528): Jumbojett\OpenIDConnectClient->fetchURL()
#1 /var/www/html/w/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(504): Jumbojett\OpenIDConnectClient->getWellKnownConfigValue()
#2 /var/www/html/w/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(640): Jumbojett\OpenIDConnectClient->getProviderConfigValue()
#3 /var/www/html/w/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(428): Jumbojett\OpenIDConnectClient->requestAuthorization()
#4 /var/www/html/w/extensions/OpenIDConnect/includes/OpenIDConnect.php(203): Jumbojett\OpenIDConnectClient->authenticate()
#5 /var/www/html/w/extensions/PluggableAuth/includes/PluggableAuthLogin.php(93): MediaWiki\Extension\OpenIDConnect\OpenIDConnect->authenticate()
#6 /var/www/html/w/includes/specialpage/SpecialPage.php(700): MediaWiki\Extension\PluggableAuth\PluggableAuthLogin->execute()
#7 /var/www/html/w/includes/specialpage/SpecialPageFactory.php(1451): SpecialPage->run()
#8 /var/www/html/w/includes/MediaWiki.php(311): MediaWiki\SpecialPage\SpecialPageFactory->executePath()
#9 /var/www/html/w/includes/MediaWiki.php(902): MediaWiki->performRequest()
#10 /var/www/html/w/includes/MediaWiki.php(560): MediaWiki->main()
#11 /var/www/html/w/index.php(50): MediaWiki->run()
#12 /var/www/html/w/index.php(46): wfIndexMain()
#13 {main}
The environment is behind a company proxy, but I defined that in mediawiki, keycloak and even the settings of PluggableAuth, but it keeps happening.
Here are my Settings:
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'OpenIDConnect' );
$wgOpenIDConnect_UseRealNameAsUserName = true;
$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://<server-ip>:8888/auth/realms/mediawiki',
        'clientID' => 'mediawiki',
        'clientsecret' => '<secret>',
        'proxy' => 'http://<proxy-server>:8080'
    ]
];
Does someone maybe have an idea what might cause this? MasterOkabe (talk) 13:02, 6 March 2023 (UTC)
- disclaimer: I have no Idea why mediawiki transforms my code like this, I put it in a "<code>" box but it keeps breaking apart MasterOkabe (talk) 13:04, 6 March 2023 (UTC)
- That sounds like an error with your proxy configuration. I would check (e.g. with curl) that you can connect to the proxy at the URL provided and that it can correctly proxy to the providerURL. Cindy.cicalese (talk) 13:49, 6 March 2023 (UTC)
- Hi, I checked it, and it was indeed, that it was an issue with my company proxy. Thanks for the Help! :) MasterOkabe (talk) 10:39, 8 March 2023 (UTC)
- Great! I'm happy that fixed it! Cindy.cicalese (talk) 12:30, 8 March 2023 (UTC)
Azure AD configuration issue
Hello,
I tried many configurations with OpenID Connect and Azure AD authentication, but it doesn't work.
| Product | Version |
|---|---|
| MediaWiki | 1.35.9 |
| PHP | 8.1.16 (fpm-fcgi) |
| MariaDB | 10.5.19-MariaDB |
| ICU | 71.1 |
| Product | Version |
|---|---|
| OpenID Connect | 5.3 (5fdef5d) 16 January 2023 at 07:39 |
| PluggableAuth | 5.7 (6d28813) 16 January 2023 at 07:39 |
My LocalSettings.php file :
# Load plugins
wfLoadExtensions([
    'PluggableAuth',
    'OpenIDConnect'
]);
# Debug
// Show exceptions and DB backtraces
$wgShowExceptionDetails = true;
$wgShowDBErrorBacktrace = true;
$wgDebugToolbar = true;
// Write out MediaWiki debug log messages
$wgDebugLogFile = "/var/log/mediawiki/debug.log";
$wgDebugLogGroups['PluggableAuth'] = "/var/log/mediawiki/PluggableAuth.log";
$wgDebugLogGroups['OpenIDConnect'] = "/var/log/mediawiki/OpenIDConnect.log";
// Disable ALL caching with the following two lines
// $wgEnableParserCache = false;
// $wgCachePages = false;
# Permissions
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['user']['edit'] = true;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
# Authentication
$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = true;
$wgPluggableAuth_EnableLocalProperties = false;
$wgPluggableAuth_Config['Azure AD'] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'login.microsoftonline.com/xxxxxx/v2.0/',
        'clientID' => 'xxxxxx',
        'clientsecret' => 'xxxxxx'
    ]
];
# SAML authentication
$wgOpenIDConnect_UseRealNameAsUserName = true;
PluggableAuth.log file :
2023-03-14 17:14:40 server my_wiki: In execute()
2023-03-14 17:14:40 server my_wiki: Getting PluggableAuth singleton
2023-03-14 17:14:40 server my_wiki: Class name: OpenIDConnect
2023-03-14 17:14:40 server my_wiki: Authentication failure.
In debug.log :
[session] SessionBackend "rsp1h0id8fcuhutnopbuabpcoogn7291" data dirty due to dirty(): PluggableAuthPrimaryAuthenticationProvider->continuePrimaryAuthentication/MediaWiki\Auth\AuthManager->removeAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty
[authentication] Login failed in primary authentication by PluggableAuthPrimaryAuthenticationProvider
Nothing in OpenIDConnect.log
Can you help me complete this configuration? Please
Regards MrManjah (talk) 17:37, 14 March 2023 (UTC)
- It looks like you are using version 5.3 of OpenIDConnect with the version 6.x configuration parameters. Unfortunately, the extension page has been updated with only the new version, but you can consult a previous version of the page to get the old parameters: https://www.mediawiki.org/w/index.php?title=Extension:OpenID_Connect&oldid=5127287. Or you could update to versions 6.x of PluggableAuth and OpenIDConnect. Cindy.cicalese (talk) 13:25, 15 March 2023 (UTC)
- Hi @Cindy.cicalese, thanks for your answer. I implemented simplesaml instead.
- Regards MrManjah (talk) 13:36, 21 March 2023 (UTC)
Mapping Azure AD groups to Mediawiki Groups
Hello, we just recently installed a new mediawiki in my company, we're using openid to login via AzureAD.
We would like to limit who can login using our existing Azure Ad Groups, to control who can access data on the wiki.
Does anyone know what we could do to achieve this? Can we do this using this extension, or do we need something else?
ty 185.60.94.47 (talk) 09:49, 15 March 2023 (UTC)
- PluggableAuth does support the concept of authorization plugins to limit the set of users who are authorized to use the wiki. There are two existing authorization plugins: Extension:Email Authorization and Extension:LDAPAuthorization. Perhaps you could use one of them? Or, you could use them as a guide in creating an authorization plugin that works specifically with Azure AD groups. Cindy.cicalese (talk) 13:29, 15 March 2023 (UTC)
Internal error when logging in
Hi,
We're trying to install mediawiki at my company hosted on AWS using this extension to provide SSO with AzureAD. I'm not sure if I'm having an issue with OpenID Connect or PluggableAuth so I apologize if I'm in the wrong place.
The error displayed on the Log in page (Special:PluggableAuthLogin) is:
Internal error
[394138b2da5662117ca75d18] /wiki/Special:PluggableAuthLogin Error: Class name must be a valid object or a string
Backtrace:
from /var/www/mediawiki/vendor/wikimedia/object-factory/src/ObjectFactory.php(247)
#0 /var/www/mediawiki/vendor/wikimedia/object-factory/src/ObjectFactory.php(152): Wikimedia\ObjectFactory\ObjectFactory::getObjectFromSpec()
#1 /var/www/mediawiki/extensions/PluggableAuth/includes/PluggableAuthFactory.php(167): Wikimedia\ObjectFactory\ObjectFactory->createObject()
#2 /var/www/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php(90): MediaWiki\Extension\PluggableAuth\PluggableAuthFactory->getInstance()
#3 /var/www/mediawiki/includes/specialpage/SpecialPage.php(671): MediaWiki\Extension\PluggableAuth\PluggableAuthLogin->execute()
#4 /var/www/mediawiki/includes/specialpage/SpecialPageFactory.php(1378): SpecialPage->run()
#5 /var/www/mediawiki/includes/MediaWiki.php(315): MediaWiki\SpecialPage\SpecialPageFactory->executePath()
#6 /var/www/mediawiki/includes/MediaWiki.php(912): MediaWiki->performRequest()
#7 /var/www/mediawiki/includes/MediaWiki.php(563): MediaWiki->main()
#8 /var/www/mediawiki/index.php(53): MediaWiki->run()
#9 /var/www/mediawiki/index.php(46): wfIndexMain()
#10 {main}
PluggableAuth log file:
2023-04-08 10:06:57 ip-10-142-189-139 mediawiki: In execute()
2023-04-08 10:06:57 ip-10-142-189-139 mediawiki: Getting PluggableAuth instance
2023-04-08 10:06:57 ip-10-142-189-139 mediawiki: Plugin name: OpenIDConnect
OpenID Connect log file is empty.
Mediawiki log file:
[PluggableAuth] In execute()
[PluggableAuth] Getting PluggableAuth instance
[PluggableAuth] Plugin name: OpenIDConnect
[DBQuery] MWExceptionHandler::rollbackPrimaryChangesAndLog [0s] localhost: ROLLBACK
[exception] [474e80f8ed3659752136bba0] /wiki/Special:PluggableAuthLogin Error: Class name must be a valid object or a string
Changes done in LocalSettings.php:
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'OpenIDConnect' );
$wgPluggableAuth_EnableAutoLogin = false;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => '*****://login.microsoftonline.***/******************/v2.0/',
        'clientID' => '*******************************',
        'clientsecret' => '*******************************************'
    ]
];
And finally here are the versions we're running:
- MediaWiki 1.38.5
- PHP 7.4.33 (fpm-fcgi)
- MariaDB 10.3.38-MariaDB-0ubuntu0.20.04.1
- ICU 66.1
- OpenID Connect 6.1 (8f8bab6) 06:37, 11 January 2023
- PluggableAuth 6.1 (d7cb5c7) 06:37, 11 January 2023
Can anyone please help me here what I'm doing wrong in this configuration? Thanks! Nick Eberhardt (talk) 21:08, 11 April 2023 (UTC)
- Hmm, your config looks good, and an error in the config should not make it fail in the way it is failing. It is failing here, which is called from here. It seems to think that $spec['class'], which is defined here and refers to this class, is an invalid class name. You could try adding the following after this line: $this->logger->debug( 'Class name: ' . $spec['class'] ); It should print out something like "MediaWiki\Extension\OpenIDConnect\OpenIDConnect". If it does, then there is something off about the way classes are getting loaded. Cindy.cicalese (talk) 22:55, 11 April 2023 (UTC)
Keycloak OIDC Session doesn't Logout with Mediawiki
Logging in via OIDC via Keycloak works great. Logging out of mediawiki follows what this user describes:
Essentially, the keycloak session persists. So when the user tries to login to mediawiki again, they're already logged in via keycloak and are not re-asked auth credentials.
Here is my config:
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'OpenIDConnect' );
$wgPluggableAuth_ButtonLabel = "Log In";
$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'host/auth/realms/gfdl',
        'clientID' => 'wiki-openid',
        'clientsecret' => 'SECRET',
        'scope' => [ 'openid', 'profile', 'email', 'roles' ]
    ]
];
$wgOpenIDConnect_UseRealNameAsUserName = true;
$wgOpenIDConnect_MigrateUsersByUserName = true;
mediawiki-1.39.2
PluggableAuth: REL1_39, 2023-01-17T07:20:59, e7de886
OpenIDConnect: REL1_39, 2023-02-26T04:13:46, 120f269
Overfeedrumbling (talk) 06:46, 18 April 2023 (UTC)
- Any help would be much appreciated, thanks!
- ... or is this standard functionality? Overfeedrumbling (talk) 16:18, 18 April 2023 (UTC)
- That was previously the expected behavior and is still the default. In the new OpenID Connect version 7.0.0 release, there are a couple of new options that you might want to try: $wgOpenIDConnect_SingleLogout and $wgOpenIDConnect_ForceReauth. Cindy.cicalese (talk) 13:54, 15 June 2023 (UTC)
Debug output?
I have set up the OIDC plugin, and I'm using our internal IAM OIDC provider. They gave me all of the needed information (client ID, secret, provider URL, scopes). I gave them the proper redirect URL: /index.php/Special:PluggableAuthLogin
When I try to login with the button on the login screen, everything seems to be working as expected, until I'm redirected to the redirecturl. At that page, I simply get the error "Fatal error authenticating user."
Is there anywhere that I can turn on debugging/verbose logging so that I can troubleshoot the issue?
Config:
```
$wgMainCacheType = CACHE_MEMCACHED;
####### Oauth/OIDC Settings #######
$wgOpenIDConnect_MigrateUsersByUserName = true;
$wgPluggableAuth_Config["Login with SSO"] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => $OIDC_URL,
        'clientID' => (isset($OIDC_CLIENT_ID)? $OIDC_CLIENT_ID : ''),
        'clientsecret' => (isset($OIDC_CLIENT_SECRET)? $OIDC_CLIENT_SECRET : ''),
    ]
];
# Load the extension after the config settings.
wfLoadExtension( 'OpenIDConnect' );
wfLoadExtension( 'PluggableAuth' );
```
Version info:
MediaWiki 1.39.3 (17059c5)
PHP 7.4.33 (apache2handler)
OpenID Connect 6.2
PluggableAuth 6.2 (68bec9b)
LDAP, in case it may be an issue:
LDAPAuthentication2 2.0.0
LDAPAuthorization 1.1.0
LDAPGroups 1.0.3
LDAPProvider 1.0.5
LDAPUserInfo 1.0.0
Frenchbm (talk) 20:47, 10 May 2023 (UTC)
- Yes, turn on debug logging as described at Manual:How to debug#Logging. Look for lines that begin with [PluggableAuth] or [OpenIDConnect]. Cindy.cicalese (talk) 13:59, 15 June 2023 (UTC)
Selinux Blocking cURL
I setup the OpenID Connect plugin and was receiving "Fatal error authentication user" when attempting to login.
After enabling debug logging I found that the error being thrown by the OpenID Connect plugin specifically was "Curl error: (7) in /var/www/html/mediawiki/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php:1504".
After some more troubleshooting I discovered that Apache was being blocked from using cURL due to SELinux being enabled. The specific SELinux boolean that needs to be allowed is "httpd_can_network_connect". I think it may be worth adding some verbiage into the setup that calls this out.
Here are the versions of everything I was using (although, I think this specific problem is probably applicable for any version of the OpenID Connect plugin based on how it works):
MediaWiki: 1.39.3
PHP: 7.4.30
PluggableAuth: 6.2
OpenID Connect: 6.2
Tylermuir (talk) 23:37, 10 May 2023 (UTC)
Switching providers leads to duplicated users
Switching the OIDC provider to a new one providing the same preferred_username and email leads to duplicated users even if $wgOpenIDConnect_MigrateUsersByEmail = true;
Solution for me was to delete all entries in database table 'openid_connect' Simon Stier (talk) 03:18, 30 May 2023 (UTC)
- That makes sense. Migration only occurs when there is not yet an entry for the user in the openid_connect table. It was initially intended for migrating from another form of authentication to OpenID Connect, not between OpenID Connect providers. Your solution seems like the best one in this case. The alternative could be too broad a condition for usurping accounts, leading to potentially undesirable or unsafe migrations. Cindy.cicalese (talk) 03:39, 30 May 2023 (UTC)
The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.
What does "Using the Client secret will result in the expiration of the key" mean? I somehow have to add the Client secret to my "$wgPluggableAuth_Config configuration", no? [[kgh]] (talk) 16:31, 14 July 2023 (UTC)
- I have never seen that warning before. I'm assuming it is coming from Azure? I agree it does not make sense, since you do need to use the client secret. Cindy.cicalese (talk) 02:47, 15 July 2023 (UTC)
- I will remove it for now. We can still add it again in case evidence pops up that it is a useful note. [[kgh]] (talk) 09:37, 15 July 2023 (UTC)
How to best debug "Fatal error authenticating user."?
To me this appears to be a pretty stupid question.
Anyhow after trying to log in via Azure AD, I get this error right after starting the login process. Admittedly I nearly made it before without getting this error. However, I provided the wrong redirect URL for the app at Azure AD (wrong lang - the error is on me ;). After updating the redirect URL for the app at Azure AD, I instantly get the error message rather than going through all the login steps as before when using the wrong redirect URL. Something is in the water.
Anyhow, how do I get a meaningful error indication here? Error logging is enabled for the wiki however the error log remains silent. [[kgh]] (talk) 16:41, 14 July 2023 (UTC)
- My suggestion would have been to enable error logging, but clearly you've already done that.
- You mentioned elsewhere using PluggableAuth 6.3. Are you able to try 7.0? It has many improvements. Cindy.cicalese (talk) 02:51, 15 July 2023 (UTC)
- Good to know that turning on logging is the way to debug best. This info already helps a bunch. I figured it might also come from Azure without logging on the wiki side.
- PA 7.0 requires MW 1.39, but in the end, looking at the EOL of MW 1.35, it is probably best to move on to 1.39 and continue testing. [[kgh]] (talk) 09:15, 15 July 2023 (UTC)
Account merging failing due to case differences
We've got Azure AD login working great (MW 1.40), but existing accounts are not being merged; we *think* this is because the incoming email addresses have capital letters in them, but the current internal accounts do not, and the code in OpenIDConnectStore just does a direct comparison. Is it possible for the extension to make this comparison case-insensitive? Skillson (talk) 16:36, 23 November 2023 (UTC)
Steps to setup Openidc required
Can I get the steps required to set up OpenID Connect with MediaWiki?
Also, my MediaWiki user database currently has only default users; how can I automate user creation or login? 165.156.28.87 (talk) 11:04, 9 December 2023 (UTC)
rereading "preferred_username" defaults
@Cindy.cicalese Hi, from -> this diff can we please reformulate the loop in the sentence "preferred_username — ... defaults to 'preferred_username' ..." ? Thanks. --Christian 🇫🇷 FR (talk) 10:46, 10 December 2023 (UTC)
- I tried to elaborate a bit on it. It isn't really a loop. The default value for 'preferred_username' really is the string 'preferred_username', which is the name of an attribute that contains the preferred username. I'm not sure if the additional words make that any clearer. Cindy.cicalese (talk) 02:18, 11 December 2023 (UTC)
google oauth unconfirmed email
Is this extension when used with google safe from the attack mentioned at https://trufflesecurity.com/blog/google-oauth-is-broken-sort-of/ ? Bawolff (talk) 15:22, 21 December 2023 (UTC)
- It does not do anything past what the Google identity provider provides, so out of the box it would be vulnerable. However, PluggableAuth can be extended with an authorization plugin that could do a local check to ensure that the account is valid for use. Cindy.cicalese (talk) 16:19, 21 December 2023 (UTC)
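The local check Cindy describes, as an added example that is not part of the extension or of this thread: a pure function over the decoded ID token / userinfo claims that an authorization plugin could call before a Google identity is allowed to log in or auto-create an account. It uses only the standard OIDC claims email, email_verified and hd; the hook wiring into PluggableAuth and the $allowedHostedDomains list are assumptions, not the extension's API.

```php
<?php
// Added example, not code from the OpenID Connect extension. Assumes the
// caller already has the provider's claims as an associative array and a
// list of Google Workspace domains (the "hd" claim) the wiki trusts.

/**
 * Return null when the identity is acceptable, otherwise a short reason
 * string that the caller can log under [OpenIDConnect] for troubleshooting.
 */
function checkGoogleIdentityClaims( array $claims, array $allowedHostedDomains ): ?string {
	$email = $claims['email'] ?? '';
	if ( !is_string( $email ) || !filter_var( $email, FILTER_VALIDATE_EMAIL ) ) {
		return 'missing or malformed email claim';
	}
	// The provider only asserts ownership of the mailbox when email_verified
	// is boolean true; a missing claim or the string "true" is not enough.
	if ( ( $claims['email_verified'] ?? null ) !== true ) {
		return 'email_verified claim is not true';
	}
	$hd = strtolower( (string)( $claims['hd'] ?? '' ) );
	if ( $hd === '' ) {
		return 'no hd claim: not a Workspace account';
	}
	$allowed = array_map( 'strtolower', $allowedHostedDomains );
	if ( !in_array( $hd, $allowed, true ) ) {
		return "hd claim '$hd' is not an allowed domain";
	}
	// The mailbox domain must agree with the hosted-domain claim, so a
	// verified address from some other domain cannot ride on a trusted hd.
	$domain = strtolower( substr( strrchr( $email, '@' ), 1 ) );
	if ( $domain !== $hd ) {
		return "email domain '$domain' does not match hd claim '$hd'";
	}
	return null;
}

// Constructed sample claims for a local dry run (no real account data).
$samples = [
	'ok'         => [ 'email' => 'alice@example.org', 'email_verified' => true,  'hd' => 'example.org' ],
	'unverified' => [ 'email' => 'bob@example.org',   'email_verified' => false, 'hd' => 'example.org' ],
	'mismatch'   => [ 'email' => 'eve@example.org',   'email_verified' => true,  'hd' => 'other.test' ],
	'no-hd'      => [ 'email' => 'carol@example.org', 'email_verified' => true ],
];
foreach ( $samples as $label => $claims ) {
	$reason = checkGoogleIdentityClaims( $claims, [ 'example.org' ] );
	printf( "%-10s -> %s\n", $label, $reason ?? 'authorized' );
}
```

Only the first sample is authorized; the other three are rejected with the logged reason, which is the kind of decision an authorization plugin would feed back to PluggableAuth.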
Could not get authentication plugin instance
I have a problem using this with PluggableAuth.
This is in my LocalSettings.php:
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'OpenIDConnect' );
$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'URL....',
        'clientID' => 'client....',
        'clientsecret' => 'secret....',
        'scope' => [ 'openid', 'roster-core.readonly' ],
        'responseType' => 'code'
    ]
];
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgPluggableAuth_EnableAutoLogin = false;
$wgPluggableAuth_EnableFastLogout = true;
$wgDebugLogFile = "debug-{$wgDBname}.log";
$wgDebugLogGroups['PluggableAuth'] = "pluggableauth.log";
$wgDebugLogGroups['OpenIDConnect'] = "openidconnect.log";
$wgDebugLogGroups['http'] = 'http.log';
My wiki only shows a fatal error, but in the pluggableauth.log I find the following:
2023-12-31 12:02:48 v2202311158332242983 WU8900: In execute()
2023-12-31 12:02:48 v2202311158332242983 WU8900: Getting PluggableAuth instance
2023-12-31 12:02:48 v2202311158332242983 WU8900: Could not get authentication plugin instance.
2023-12-31 12:02:49 v2202311158332242983 WU8900: ERROR: return to URL is null or empty
which indicates to me that the error must come from PluggableAuthFactory.php line 190:
if ( $name !== null && isset( $this->pluggableAuthConfig[$name] ) ) {...}
$this->logger->debug( 'Could not get authentication plugin instance.' );
return null;
So it seems to me that it does not detect the config correctly, but I don't know what is wrong. I ran the php update and composer update....
Can someone provide some help for me? Schott.schule (talk) 13:19, 31 December 2023 (UTC)