Topic on Extension talk:OpenID Connect

problems to connect to wso2 (openid connect)


configuration errors

Ralle kalle (talkcontribs)

Hello,

I have some problems connecting my MediaWiki to my WSO2 Identity Server. I've installed all extensions, see below, but I don't know which URL I must configure to connect.

The identity server works with Apache websites (OpenID Connect).

Which URL must I use?

I get this error message:

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection.
[DBConnection] Connected to database 0 at 'localhost'.
[session] Session "c4d8r1571peld5sl7sufoaq6mm086ds6" requested without UserID cookie
OpenIDConnectClientException: Curl error: Failed to connect to server_fqdn port 443: Connection refused in /var/www/html/mw/vendor/jumbojett/openid-connect-php/OpenIDConnectClient.php:834
Stack trace:
#0 /var/www/html/mw/vendor/jumbojett/openid-connect-php/OpenIDConnectClient.php(350): OpenIDConnectClient->fetchURL('https://xx-xx-x...')
#1 /var/www/html/mw/vendor/jumbojett/openid-connect-php/OpenIDConnectClient.php(440): OpenIDConnectClient->getProviderConfigValue('authorization_e...')
#2 /var/www/html/mw/vendor/jumbojett/openid-connect-php/OpenIDConnectClient.php(286): OpenIDConnectClient->requestAuthorization()
#3 /var/www/html/mw/extensions/OpenIDConnect/OpenIDConnect.class.php(151): OpenIDConnectClient->authenticate()
#4 /var/www/html/mw/extensions/PluggableAuth/PluggableAuthLogin.php(46): OpenIDConnect->authenticate(NULL, NULL, NULL, NULL, NULL)
#5 /var/www/html/mw/includes/specialpage/SpecialPage.php(522): PluggableAuthLogin->execute(NULL)
#6 /var/www/html/mw/includes/specialpage/SpecialPageFactory.php(578): SpecialPage->run(NULL)
#7 /var/www/html/mw/includes/MediaWiki.php(287): SpecialPageFactory::executePath(Object(Title), Object(RequestContext))
#8 /var/www/html/mw/includes/MediaWiki.php(862): MediaWiki->performRequest()
#9 /var/www/html/mw/includes/MediaWiki.php(523): MediaWiki->main()
#10 /var/www/html/mw/index.php(43): MediaWiki->run()
#11 {main}

# End of automatically generated settings.
# Add more configuration options below.
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'OpenIDConnect' );
$wgPluggableAuth_Class = "OpenIDConnect";
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgGroupPermissions['*']['createaccount'] = true;
$wgPluggableAuth_EnableLocalLogin = true;
$wgOpenIDConnect_Config['https://server_fqdn'] = [
    'clientID' => 'xxxxxxxxxxxxxxxxxxxx',
    'clientsecret' => 'xxxxxxxxxxxxxxxxxxxx',
    'scope' => [ 'openid' ]
];

Software    Version
MediaWiki   1.29.1
PHP         7.0.19-1 (apache2handler)
MariaDB     10.1.26-MariaDB-0+deb9u1
ICU         57.1

Extensions with special pages

Other extensions
OpenID Connect   4.0 (a6d9f08)   20:07, 19 Apr 2017   Enables authentication using OpenID Connect in conjunction with PluggableAuth   Cindy Cicalese
PluggableAuth    4.0 (51af0f3)   17:48, 22 Apr 2017   Adds a framework for authentication and authorization   Cindy Cicalese

Library                        Version   License   Description                        Authors
jumbojett/openid-connect-php   0.3.0               Bare-bones OpenID Connect client
Cindy.cicalese (talkcontribs)
Ralle kalle (talkcontribs)

I haven't found a working URL; maybe I made some errors in my setup.

  1. install a clean MediaWiki
  2. download both extensions and copy both into the extensions folder
  3. install Composer and update Composer
  4. install openid-connect-php via Composer
  5. run "php maintenance/update.php"

--> all without errors

But I didn't change or configure any file.

Then I made these settings in LocalSettings.php (see above).

Is there anything I forgot?

Cindy.cicalese (talkcontribs)

That sounds correct. The error is:

Curl error: Failed to connect to server_fqdn port 443: Connection refused

It is trying to connect to the URL you specified in:

$wgOpenIDConnect_Config['https://server_fqdn'] = [ ...

Due to the "Connection refused" error, it seems that there may be a configuration error on the identity provider side or the URL you specified is not correct.

Ralle kalle (talkcontribs)

Yeah, the problem is that this is the default WSO2 server setting. Is it possible to change the port in the MediaWiki extension to which it tries to connect?

If not, I could try to change the WSO2 server settings.

Authorization Endpoint URL: https://server_fqdn:9443/oauth2/authorize
Token Endpoint URL: https://server_fqdn:9443/oauth2/token
Token Revocation Endpoint URL: https://server_fqdn:9443/oauth2/revoke
Token Introspection Endpoint URL: https://server_fqdn:9443/oauth2/introspect
User Info Endpoint URL: https://server_fqdn:9443/oauth2/userinfo
Session IFrame Endpoint URL: https://server_fqdn:9443/oidc/checksession
Logout Endpoint URL: https://server_fqdn:9443/oidc/logout
Cindy.cicalese (talkcontribs)

I would think you would just include the port as part of the URL the way it appears above:

$wgOpenIDConnect_Config['https://server_fqdn:443'] = [ ...

but I have not ever tried that.

Ralle kalle (talkcontribs)

So now I changed the default port to 443, but I get the same error.

OpenIDConnectClientException: The provider authorization_endpoint has not been set. Make sure your provider has a well known configuration available. in /var/www/html/mw/vendor/jumbojett/openid-connect-php/OpenIDConnectClient.php:364

I don't know which URL is the right one. A normal Apache site works with https://server_fqdn/oauth2/oidcdiscovery/.well-known/openid-configuration

Ralle kalle (talkcontribs)

OK, I found the right URL, but now the callback URL is wrong.

WARN {org.wso2.carbon.identity.oauth2.OAuth2Service} -  Provided Callback URL does not match with the provided one.

What is the default callback URL for this extension?

Cindy.cicalese (talkcontribs)

Try the URL of the Special:PluggableAuthLogin page.

Ralle kalle (talkcontribs)

Yeah, this works, thanks a lot. I get the logon form from WSO2, but then I get a new error.

OpenIDConnectClientException: Unable to verify JWT claims in /var/www/html/mw/vendor/jumbojett/openid-connect-php/OpenIDConnectClient.php:281

I saw https://github.com/jumbojett/OpenID-Connect-PHP/issues/44, but I don't have a trailing slash in my URL. Any suggestions?

Cindy.cicalese (talkcontribs)

I'm glad that callback URL worked!

I've seen that error reported quite a few times. Unfortunately, I don't have any insight into a fix, but you may be able to get some suggestions from the developers of the library. They are very responsive.

You're getting close!
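The two points this thread tripped over, as an added example that is not code from the OpenIDConnect extension or from jumbojett/openid-connect-php: how the discovery URL is derived from the configured provider URL, and the standard ID-token claim checks (OIDC Core 3.1.3.7) written so that a failing check is named instead of collapsing into "Unable to verify JWT claims". The checks follow the specification rather than the library's exact code; the server_fqdn and client ID placeholders come from the thread, and the sample claims, nonce and clock values are constructed.

```php
<?php
// Added example, not code from the extension or from jumbojett/openid-connect-php.

// OIDC Discovery 4.1: the discovery document is issuer + "/.well-known/openid-configuration",
// so the configured provider URL must be the issuer itself. A trailing slash is tolerated here.
function discoveryUrl(string $providerUrl): string
{
    return rtrim($providerUrl, '/') . '/.well-known/openid-configuration';
}

// OIDC Core 3.1.3.7 ID-token validation, returning the names of the checks that failed
// (an empty array means the claims verified). $claims is the decoded ID-token payload;
// $issuer is the issuer the wiki trusts (the key of $wgOpenIDConnect_Config).
function failedIdTokenChecks(array $claims, string $issuer, string $clientId,
                             $expectedNonce, int $now, int $leeway = 300): array
{
    $failed = [];
    // iss is compared byte for byte: "https://idp" and "https://idp/" do not match.
    if (($claims['iss'] ?? null) !== $issuer) {
        $failed[] = 'iss';
    }
    // aud may be a string or an array; this client_id must be among the audiences.
    if (!in_array($clientId, (array) ($claims['aud'] ?? []), true)) {
        $failed[] = 'aud';
    }
    // exp is mandatory; a clock-skew allowance is applied.
    if (!isset($claims['exp']) || $claims['exp'] < $now - $leeway) {
        $failed[] = 'exp';
    }
    // nonce must echo the value sent in the authorization request (replay protection).
    if ($expectedNonce !== null && ($claims['nonce'] ?? null) !== $expectedNonce) {
        $failed[] = 'nonce';
    }
    return $failed;
}

// Constructed sample: the wiki trusts the issuer without a trailing slash, the IdP
// puts one into iss, and all other claims are valid for the constructed clock value.
$issuer   = 'https://server_fqdn';      // placeholder from the thread
$clientId = 'xxxxxxxxxxxxxxxxxxxx';      // placeholder from the thread
$claims   = [
    'iss'   => 'https://server_fqdn/',
    'aud'   => $clientId,
    'exp'   => 1700000600,
    'iat'   => 1700000000,
    'nonce' => 'constructed-nonce',
];
echo discoveryUrl($issuer), PHP_EOL;
echo 'failed checks: ', implode(', ', failedIdTokenChecks($claims, $issuer, $clientId, 'constructed-nonce', 1700000300)), PHP_EOL;
```

Comparing the issuer advertised in the discovery document with the iss claim of a real ID token is the quickest way to tell whether a trailing slash or a port number is the cause, since both are compared as exact strings.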

196.223.159.30 (talkcontribs)

How do I know which claims I should use?