Topic on Extension talk:GoogleLogin

Some issues with new installation - identification & password login default

Nicholaskeown (talkcontribs)

Hi. Thanks for all of your great work with this plugin. I want to share my experience while it is still fresh in my memory and on the back of installing a similar plugin on WordPress, as I think it may be beneficial.

Issues encountered:

Default login still works when clicking "Login with Google":

To reproduce: Enter username and password in login form & click "Login with Google". Expected: Redirect to Google for auth. Actual: logged in using local credentials. Use case: Form saved login details auto-populated but do not wish to log in with those credentials or as that user.

Google Auth requires Google+ API:

My recent experience with a WordPress plugin did not require this and used the email address only for the purpose of identifying a unique user. Is this required due to a limitation in MediaWiki authentication?

"The supplied credentials are not associated with any user on this wiki":

Even though my email address matches my Google email, I am not recognised after authenticating with Google. This suggests that the email address is not the unique identifier or there is some other error I am unaware of? There is nothing that I can see in the documentation to indicate what constitutes identification of a MediaWiki user utilising the returned data from Google OAuth/API.

Thank you.

Florianschmidtwelzow (talkcontribs)

You're right. The GoogleLogin extension requires the user to have a Google+ account. This is mainly used for account creation, where the display name of the Google+ account is used as the username of the MediaWiki user. However, I also use the email address from the Google+ response for the login process, which means that this will also fail if the user does not have a Google+ account, even if we can get the email from the id_token only. I'm unsure how to proceed here now, as a change seems to be somewhat of a breaking change; that's why I opened task T198439 to track this issue :)

Florianschmidtwelzow (talkcontribs)

Ok, the task I mentioned above is resolved now, which removes the need for the profile scope (which should also remove the need for a user to have a Google+ account).

To the other things:

> Default login still works when clicking "Login with Google":

This is part of the auto-configuration of GoogleLogin. When you enter the username and password, these credentials take precedence over the GoogleLogin button click. Now that I think about it, that doesn't really make sense, as the click on the GoogleLogin button should take precedence in this case. I'll change the behaviour of the auto-configuration :) However, for now, you can change that yourself by manually adding the GoogleLogin auth provider to the AuthManager config, just by adding the following code to your LocalSettings.php:

$wgAuthManagerAutoConfig['primaryauth'] += [ 'GoogleLogin\\Auth\\GooglePrimaryAuthenticationProvider' => [
	'class' => 'GoogleLogin\\Auth\\GooglePrimaryAuthenticationProvider',
	'sort' => 1
] ];

See task T199999

> "The supplied credentials are not associated with any user on this wiki":

Currently, GoogleLogin matches the userId of a MediaWiki account with the Google account ID instead of using the e-mail address. I created task T200000 so we can think about matching users by e-mail, too :) Let's see what feedback there is :)

CThompson520 (talkcontribs)

This was the key for me - on the patch page there were the following notes:

* The E-Mail address returned from Google needs to be the E-Mail in the MediaWiki account to match

* The E-Mail address returned from Google must not be assigned to multiple MediaWiki accounts

* The MediaWiki account e-mail address needs to be verified

The 3rd one was what was getting me - once I authenticated emails, it worked. You can do this manually directly against the database like this:

UPDATE mw_user SET user_email_authenticated = '20210907204043' WHERE user_email_authenticated IS NULL;

The "mw_" before user is just the value set in $wgDBprefix. The varchar value that is being updated is just the date in "YmdHis" format, so you could set it to the time you were running the query. Back up your database first, and potentially just try a single user account to start with!
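
The three matching conditions quoted above, plus a way to list the affected accounts and confirm a single one rather than every row, as an added example (not GoogleLogin's code and not part of the original posts). It models the `mw_user` table in an in-memory SQLite database with constructed rows; the function names and the exact-string e-mail comparison are assumptions.

```python
import sqlite3

# Constructed sample rows: (user_id, user_name, user_email, user_email_authenticated)
SAMPLE_USERS = [
    (1, "Alice", "alice@example.org", "20210907204043"),
    (2, "Bob", "bob@example.org", None),                   # address never confirmed
    (3, "Carol", "shared@example.org", "20210901120000"),
    (4, "Dave", "shared@example.org", "20210902120000"),   # same address as Carol
]

def build_db(rows=SAMPLE_USERS):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mw_user (user_id INTEGER PRIMARY KEY, user_name TEXT,"
               " user_email TEXT, user_email_authenticated TEXT)")
    db.executemany("INSERT INTO mw_user VALUES (?, ?, ?, ?)", rows)
    return db

def match_by_email(db, google_email):
    """Apply the three conditions; return (user_name or None, reason)."""
    rows = db.execute(
        "SELECT user_name, user_email_authenticated FROM mw_user WHERE user_email = ?",
        (google_email,)).fetchall()
    if not rows:
        return None, "no account has this e-mail"
    if len(rows) > 1:
        return None, "e-mail assigned to multiple accounts"
    name, confirmed = rows[0]
    if confirmed is None:
        return None, "e-mail not verified"
    return name, "matched"

def unverified_accounts(db):
    """Accounts that have an e-mail address which is still unconfirmed."""
    return [r[0] for r in db.execute(
        "SELECT user_name FROM mw_user WHERE user_email <> '' "
        "AND user_email_authenticated IS NULL ORDER BY user_id")]

def confirm_single_account(db, user_name, timestamp):
    """Scoped update: mark one account's address as confirmed (YmdHis timestamp)."""
    cur = db.execute(
        "UPDATE mw_user SET user_email_authenticated = ? "
        "WHERE user_name = ? AND user_email_authenticated IS NULL",
        (timestamp, user_name))
    return cur.rowcount

if __name__ == "__main__":
    db = build_db()
    print(unverified_accounts(db), match_by_email(db, "shared@example.org"))
    print(confirm_single_account(db, "Bob", "20210907204043"), match_by_email(db, "bob@example.org"))
```

Marking an address as confirmed asserts that the account owner controls it, so listing the affected accounts first and updating them one at a time keeps that assertion limited to addresses you have actually checked.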
