Topic on Extension talk:OpenID Connect

The provider authorization_endpoint has not been set.

Summary by Cindy.cicalese

The correct format of the URL in $wgOpenIDConnect_Config for Keycloak is https://{keycloak_server:port}/auth/realm/{your_realm}.

Grady74

Running into an issue where it seems like my configuration is not being pushed from OpenID Connect to Jumbojett\OpenIDConnectClient->authenticate()

This causes it never to try to redirect over to my IdP.

Debug:

  • HTTP HEADERS: UPGRADE-INSECURE-REQUESTS: 1 CONNECTION: keep-alive DNT: 1 COOKIE: _ga=GA1.2.214285112.1516134706; mediawiki_mw_UserName=Admin; VEE=visualeditor; mediawiki_mw__session=k21i5dcg2m9nilgc01c1jc1rarhs3nog; cpPosTime=1522098488.3307 REFERER: http://{redacted}/wiki/Special:PluggableAuthLogin ACCEPT-ENCODING: gzip, deflate ACCEPT-LANGUAGE: en-US,en;q=0.5 ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 USER-AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 HOST: {redacted} CONTENT-LENGTH:
  • [caches] cluster: EmptyBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: SqlBagOStuff, session: SqlBagOStuff
  • [caches] LocalisationCache: using store LCStoreDB
  • [session] Session "k21i5dcg2m9nilgc01c1jc1rarhs3nog" requested without UserID cookie
  • [DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info { "IPAddress": "{redacted}", "UserAgent": "Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko\/20100101 Firefox\/52.0", "ChronologyProtection": false }
  • [DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection.
  • [DBConnection] Connected to database 0 at '172.17.0.2'.
  • [DBQuery] mediawiki SHOW /* Wikimedia\Rdbms\DatabaseMysqlBase::serverIsReadOnly */ GLOBAL VARIABLES LIKE 'read_only'
  • [SQLBagOStuff] Connection 1297 will be used for SqlBagOStuff
  • [DBQuery] mediawiki SELECT /* SqlBagOStuff::getMulti */ keyname,value,exptime FROM `mw_objectcache` WHERE keyname = 'mediawiki-mw_:MWSession:k21i5dcg2m9nilgc01c1jc1rarhs3nog'
  • [smw] [mw.db] connection provider with {"read":-1,"write":-2}
  • [DBConnection] Connected to database 0 at '172.17.0.2'.
  • [DBQuery] mediawiki BEGIN /* Wikimedia\Rdbms\Database::query (LCStoreDB::get) */
  • [DBQuery] mediawiki SELECT /* LCStoreDB::get */ lc_value FROM `mw_l10n_cache` WHERE lc_lang = 'en' AND lc_key = 'deps' LIMIT 1
  • [DBQuery] mediawiki SELECT /* LCStoreDB::get */ lc_value FROM `mw_l10n_cache` WHERE lc_lang = 'en' AND lc_key = 'list' LIMIT 1
  • [DBQuery] mediawiki SELECT /* LCStoreDB::get */ lc_value FROM `mw_l10n_cache` WHERE lc_lang = 'en' AND lc_key = 'preload' LIMIT 1
  • [DBQuery] mediawiki SELECT /* LCStoreDB::get */ lc_value FROM `mw_l10n_cache` WHERE lc_lang = 'en' AND lc_key = 'preload' LIMIT 1
  • [DBQuery] mediawiki SELECT /* LCStoreDB::get */ lc_value FROM `mw_l10n_cache` WHERE lc_lang = 'en' AND lc_key = 'specialPageAliases' LIMIT 1
  • [DBQuery] mediawiki SELECT /* LCStoreDB::get */ lc_value FROM `mw_l10n_cache` WHERE lc_lang = 'en' AND lc_key = 'namespaceGenderAliases' LIMIT 1
  • 0.1010 2.0M Jumbojett\OpenIDConnectClientException: The provider authorization_endpoint has not been set. Make sure your provider has a well known configuration available. in /var/www/w/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php:376 Stack trace: #0 /var/www/w/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(455): Jumbojett\OpenIDConnectClient->getProviderConfigValue('authorization_e...') #1 /var/www/w/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(298): Jumbojett\OpenIDConnectClient->requestAuthorization() #2 /var/www/w/extensions/OpenIDConnect/OpenIDConnect.class.php(152): Jumbojett\OpenIDConnectClient->authenticate() #3 /var/www/w/extensions/PluggableAuth/PluggableAuthLogin.php(48): OpenIDConnect->authenticate(NULL, NULL, NULL, NULL, NULL) #4 /var/www/w/includes/specialpage/SpecialPage.php(522): PluggableAuthLogin->execute(NULL) #5 /var/www/w/includes/specialpage/SpecialPageFactory.php(578): SpecialPage->run(NULL) #6 /var/www/w/includes/MediaWiki.php(287): SpecialPageFactory::executePath(Object(Title), Object(RequestContext)) #7 /var/www/w/includes/MediaWiki.php(851): MediaWiki->performRequest() #8 /var/www/w/includes/MediaWiki.php(523): MediaWiki->main() #9 /var/www/w/index.php(43): MediaWiki->run() #10 {main}

My config in LocalSettings.php looks like this:

#PluggableAuth
wfLoadExtension( 'PluggableAuth' );

#OpenID Connect
wfLoadExtension( 'OpenIDConnect' );

$wgOpenIDConnect_Config['http://{redacted}/auth/realms/fst/protocol/openid-connect/auth'] = [
   'clientID' => 'aware',
   'clientsecret' => '{redacted}'
];

########################
#
# DEBUG
#
########################
error_reporting(E_ALL | E_STRICT);
ini_set("display_errors", 1);
$wgDebugLogFile = "/tmp/wiki.log";
$wgShowExceptionDetails = true;
$wgShowSQLErrors        = true;
$wgDebugComments        = true;
$wgLogQueries           = true;
$wgDebugDumpSql         = true;
$wgDevelopmentWarnings  = true;
$wgDebugProfiling       = true;
$wgDebugTimestamps      = true;
$wgResourceLoaderDebug  = true;
$wgDebugToolbar         = true;

Version Info:

MediaWiki 1.30.0

OpenID Connect 4.1 (c8e4d19) 23:41, 9 March 2018

PluggableAuth 5.2 (2528a75) 11:31, 20 August 2017

@Cindy.cicalese - Any thoughts would be greatly appreciated.

Cindy.cicalese

The problem is that it is trying to find the configuration for your provider from a well-known configuration endpoint. It tries to find this by adding "/.well-known/openid-configuration" to the end of the provider URL (see https://github.com/jumbojett/OpenID-Connect-PHP/blob/master/src/OpenIDConnectClient.php#L361). The provider URL is the index in the $wgOpenIDConnect_Config array. For example, if you were using Google as your provider, the provider URL would be https://accounts.google.com and the well-known configuration endpoint would be https://accounts.google.com/.well-known/openid-configuration.
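The following PHP is an added example written for this thread; it is not code from the OpenID Connect extension or from the jumbojett library. It performs the same derivation Cindy describes (issuer URL, trailing slash trimmed, plus /.well-known/openid-configuration), then validates the returned metadata the way a relying party should: the document's issuer claim must equal the configured issuer exactly, and the endpoints the authorization code flow needs must be present and served over https. The hostname, realm and the in-memory "server" standing in for the network are constructed for the example.

```php
<?php
// Added example (not part of the OpenID Connect extension or jumbojett library):
// derive the OIDC discovery URL from the issuer configured as the key of
// $wgOpenIDConnect_Config and validate the provider metadata it returns.

declare(strict_types=1);

// Same derivation the client performs: issuer + "/.well-known/openid-configuration".
function discoveryUrl(string $issuer): string
{
    return rtrim($issuer, '/') . '/.well-known/openid-configuration';
}

// Validate a provider metadata document. The 'issuer' claim must be identical to
// the URL the document was configured under (OIDC Discovery 1.0, section 4.3),
// the endpoints used by the authorization code flow must be present, and they
// must be https. Returns the decoded metadata or throws.
function validateProviderMetadata(string $issuer, string $json): array
{
    $meta = json_decode($json, true);
    if (!is_array($meta)) {
        throw new RuntimeException('Provider metadata is not valid JSON');
    }
    if (($meta['issuer'] ?? null) !== $issuer) {
        throw new RuntimeException(sprintf(
            "Issuer mismatch: configured '%s', document says '%s'",
            $issuer,
            $meta['issuer'] ?? '(missing)'
        ));
    }
    foreach (['authorization_endpoint', 'token_endpoint', 'jwks_uri'] as $key) {
        if (empty($meta[$key])) {
            throw new RuntimeException("The provider $key has not been set.");
        }
        if (parse_url($meta[$key], PHP_URL_SCHEME) !== 'https') {
            throw new RuntimeException("$key must be https: " . $meta[$key]);
        }
    }
    return $meta;
}

// Constructed stand-in for the network: the only URL this "server" answers is
// the realm's discovery document. Host and realm name are hypothetical.
$issuer = 'https://keycloak.example.com/auth/realms/fst';
$server = [
    discoveryUrl($issuer) => json_encode([
        'issuer'                 => $issuer,
        'authorization_endpoint' => $issuer . '/protocol/openid-connect/auth',
        'token_endpoint'         => $issuer . '/protocol/openid-connect/token',
        'jwks_uri'               => $issuer . '/protocol/openid-connect/certs',
    ]),
];

function fakeHttpGet(array $server, string $url): ?string
{
    return $server[$url] ?? null;   // null plays the role of a 404
}

// 1. Correct key: the realm (issuer) URL.
$meta = validateProviderMetadata($issuer, fakeHttpGet($server, discoveryUrl($issuer)));
echo "OK: authorization_endpoint = {$meta['authorization_endpoint']}\n";

// 2. The key from the original post: the authorization endpoint itself. The
//    derived well-known URL does not exist, which is what produces
//    "The provider authorization_endpoint has not been set."
$wrongKey = $issuer . '/protocol/openid-connect/auth';
if (fakeHttpGet($server, discoveryUrl($wrongKey)) === null) {
    echo 'No discovery document at ' . discoveryUrl($wrongKey) . "\n";
}

// 3. A document whose issuer claim does not match the configured issuer
//    (wrong realm path, rewriting proxy, mis-pointed DNS) must be rejected.
try {
    validateProviderMetadata('https://keycloak.example.com/auth/realms/other', $server[discoveryUrl($issuer)]);
} catch (RuntimeException $e) {
    echo 'Rejected: ' . $e->getMessage() . "\n";
}
```

The issuer comparison is the check worth keeping in mind beyond this thread: a client that only looks for the endpoint keys will happily take metadata from whatever answers at the derived URL, whereas requiring the issuer claim to match the configured URL ties the endpoints (and the JWKS used to verify ID tokens) to the provider you actually intended.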

Grady74

Thanks Cindy! That was exactly it.

Can confirm that this lib works with Keycloak.

For folks coming after me, the pattern for Keycloak looks like:

# Key is the realm URL (note the plural "realms", as in the auth endpoint URL in
# the first post); the discovery document is served at
# {that URL}/.well-known/openid-configuration
$wgOpenIDConnect_Config['https://{keycloak_server:port}/auth/realms/{your_realm}'] = [
    'clientID' => '.....',
    'clientsecret' => '.....'
];

Watch out if you are running your install insecure on port 80 in your dev env. Most modern browsers will automatically insert Upgrade-Insecure-Requests: 1 into the request headers, which in turn confuses the code in jumbojett/OpenIDConnectClient.php (https://github.com/jumbojett/OpenID-Connect-PHP/blob/master/src/OpenIDConnectClient.php#L419) into thinking that you are running https (thus providing an https redirect_uri instead of an http redirect_uri in the authorization part of the auth code flow, leading to a message about invalid_uri from your IdP).
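The following PHP is an added example for this thread, not code from the jumbojett library or the extension. It models the header-driven scheme inference Grady74 describes beside the alternative of building the redirect_uri from operator-controlled configuration (MediaWiki's $wgServer), and shows why the inferred value fails Keycloak's redirect URI check. The request array, hostname and registered redirect URI are constructed for the example, modelled on the headers in the debug dump above.

```php
<?php
// Added example (not code from the OpenID Connect extension or the jumbojett
// library): how a redirect_uri inferred from request headers goes wrong on a
// plain-http dev install, and the safer alternative of deriving it from
// server-side configuration.

declare(strict_types=1);

// Header-driven inference of the kind described in the post: treats
// "Upgrade-Insecure-Requests: 1" as evidence that the site is served over https.
function redirectUriInferredFromRequest(array $server): string
{
    $https = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off')
        || (($server['HTTP_UPGRADE_INSECURE_REQUESTS'] ?? '') === '1');
    $scheme = $https ? 'https' : 'http';
    // Path without query string; the host comes from the client-controlled Host header.
    $path = explode('?', $server['REQUEST_URI'], 2)[0];
    return $scheme . '://' . $server['HTTP_HOST'] . $path;
}

// Safer: scheme and host come from configuration the operator controls
// (MediaWiki's $wgServer); only the path is taken from the request.
function redirectUriFromServerConfig(string $wgServer, array $server): string
{
    $path = explode('?', $server['REQUEST_URI'], 2)[0];
    return rtrim($wgServer, '/') . $path;
}

// Constructed request: a browser hitting a plain-http wiki on port 80 and
// sending Upgrade-Insecure-Requests, as in the original debug output.
$request = [
    'HTTPS'                          => '',
    'HTTP_HOST'                      => 'wiki.example.test',   // hypothetical host
    'REQUEST_URI'                    => '/wiki/Special:PluggableAuthLogin?returnto=Main_Page',
    'HTTP_UPGRADE_INSECURE_REQUESTS' => '1',
];
$wgServer = 'http://wiki.example.test';

$inferred   = redirectUriInferredFromRequest($request);
$configured = redirectUriFromServerConfig($wgServer, $request);

echo "inferred from headers: $inferred\n";    // https://... although the site is http-only
echo "from \$wgServer:       $configured\n";  // http://...  what the IdP was actually told

// Keycloak matches redirect_uri against the client's registered Valid Redirect
// URIs exactly (scheme included) unless a wildcard is configured, so the
// inferred https value is rejected while the configured one is accepted.
$registered = ['http://wiki.example.test/wiki/Special:PluggableAuthLogin'];
foreach ([$inferred, $configured] as $uri) {
    echo in_array($uri, $registered, true)
        ? "accepted: $uri\n"
        : "rejected (invalid redirect_uri): $uri\n";
}
```

Beyond the dev-on-port-80 case, deriving the redirect_uri from request data means the Host header, which the client chooses, ends up in a security-relevant parameter sent to the IdP. Registering an exact redirect URI at the IdP (no wildcard) and building it from configuration on the relying party side keeps both ends agreeing on a value an attacker cannot influence.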

Cindy.cicalese

Great! I'm glad you were able to get it working!

It would be great if you could put the information in your reply above on the extension page at Extension:OpenID Connect. Maybe another "Example:..." section after the two that are there? That way folks don't need to search here to find your valuable advice.

Thanks!

Cindy