Topic on Extension talk:OpenID Connect

Summary by Cindy.cicalese

Fixed in version 5.1

83.161.131.201 (talkcontribs)

Hi Cindy!

When configuring Keycloak and Mediawiki to work together I'm running into the following issue:

- My wiki lives at wiki.internal.domain.com, but is exposed to the world at wiki.domain.com

- My Keycloak lives at auth.domain.com

The configuration for Mediawiki looks like this:

// This is required for the authentication plugins below
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;

// Pluggable authentication
wfLoadExtension( 'PluggableAuth' );
$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = true;
$wgPluggableAuth_EnableLocalProperties = false;
#$wgPluggableAuth_ButtonLabelMessage =
#$wgPluggableAuth_ButtonLabel = null;
#$wgPluggableAuth_ExtraLoginFields = [];
#$wgPluggableAuth_Class = 'OpenIDConnect';

// OpenID connect
wfLoadExtension( 'OpenIDConnect' );
$wgOpenIDConnect_Config['https://auth.domain.com/auth/realms/myfirstrealm'] = [
   'clientID' => 'wiki',
   'clientsecret' => 'somesecret',
   'name' => 'Domain.com SSO',
];
$wgOpenIDConnect_UseRealNameAsUserName = false;
$wgOpenIDConnect_UseEmailNameAsUserName = false;
$wgOpenIDConnect_MigrateUsersByUserName = true;
$wgOpenIDConnect_MigrateUsersByEmail = true;
$wgOpenIDConnect_ForceLogout = false;

The configuration for Keycloak is basically default, with the exception of the Redirect URL (which points to https://wiki.domain.com/index.php/Special:PluggableAuthLogin)

When trying to login I am properly redirected to the Keycloak login page, but I receive an error that the redirect URL is invalid. When inspecting the URL I see that the redirect URL given to Keycloak (from Mediawiki) is https://wiki.internal.domain.com on which it is not reachable.

However, the baseURL I have configured for Mediawiki is https://wiki.domain.com and not the internal name:

## The protocol and server name to use in fully-qualified URLs
$wgServer           = "https://wiki.domain.com";

Am I missing something?

Thanks in advance!

Cindy.cicalese (talkcontribs)

I have a similar setup where there is a different internal and external name for a wiki, and it works correctly. But, there must be something different in the configuration. I think that the code in question might be in the getRedirectURL() function in PHP OpenID Connect library: https://github.com/jumbojett/OpenID-Connect-PHP/blob/master/src/OpenIDConnectClient.php#L511. If the redirect URL has not been explicitly set using setRedirectURL(), the code creates the redirect URL from elements of the $_SERVER variable. You could try adding some debugging in there to see if that's the case and if it is getting the internal URL from that code. If so, we could add an additional optional configuration variable to OpenID Connect which would be used to call setRedirectURL() in cases like this.

83.161.131.201 (talkcontribs)

Hi Cindy,

Right on the spot! I've added the following line to the function you mention:

error_log (sprintf('%s://%s%s/%s', $protocol, $host, $port, @trim(reset(explode("?", $_SERVER['REQUEST_URI'])), '/')));

And the output in the apache errorlog is:

[Fri Sep 21 19:53:22.703986 2018] [:error] [pid 27074] [client 10.1.2.37:50938] https://wiki.internal.domain.com/index.php/Special:PluggableAuthLogin, referer: https://wiki.domain.com/index.php/Special:UserLogin

So, the next step I did was basically hardcoding the URL I wanted to see in the function:

return sprintf('%s', 'https://wiki.domain.com/index.php/Special:PluggableAuthLogin');

And bingo! Works like a charm now.

With regards to the solution, I'd go for always returning the wgServer URL, as that is supposed to designate 'where the wiki lives'. I don't really see a use case for making it a configurable item in the extension.
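The behaviour Cindy describes above (a redirect URL reconstructed from $_SERVER when none was set explicitly) and the fix proposed in this reply (derive it from $wgServer instead) can be shown side by side. The following is an added illustration, not code from the OpenID Connect extension or the jumbojett library; the two function names and the sample $_SERVER array are constructed for the example.

```php
<?php
// Added example (not the extension's or the library's own code). It shows why a
// redirect_uri derived from $_SERVER behind a reverse proxy carries the internal
// hostname, and how pinning it to the configured base URL ($wgServer) yields the
// value that was actually registered at the identity provider.

// Mimics what a client library does when no redirect URL was set explicitly:
// rebuild the current request URL from $_SERVER. Behind a proxy these variables
// describe the backend (wiki.internal.domain.com), not the public name.
function redirectUrlFromServerVars( array $server ): string {
    $protocol = ( !empty( $server['HTTPS'] ) && $server['HTTPS'] !== 'off' ) ? 'https' : 'http';
    $host = $server['HTTP_HOST'] ?? $server['SERVER_NAME'];
    $port = '';
    $serverPort = (int)( $server['SERVER_PORT'] ?? 0 );
    if ( $serverPort && $serverPort !== 80 && $serverPort !== 443 ) {
        $port = ':' . $serverPort;
    }
    // Drop the query string: the IdP compares the callback URL verbatim against its list.
    $path = explode( '?', $server['REQUEST_URI'] ?? '/' )[0];
    return sprintf( '%s://%s%s/%s', $protocol, $host, $port, trim( $path, '/' ) );
}

// Builds the redirect URL from the canonical public base URL instead. This is the
// value an explicit setRedirectURL() call would be given, so what is sent to the
// IdP no longer depends on which hostname the request arrived on.
function redirectUrlFromBase( string $wgServer, string $callbackPath ): string {
    $base = rtrim( $wgServer, '/' );
    // Refuse protocol-relative or path-carrying values; the caller must pass scheme://host[:port].
    if ( !preg_match( '#^https?://[^/]+$#', $base ) ) {
        throw new InvalidArgumentException( "base URL must be scheme://host[:port] with no path: $wgServer" );
    }
    return $base . '/' . ltrim( $callbackPath, '/' );
}

// Constructed sample request as the backend sees it behind the proxy.
$sampleServer = [
    'HTTPS'       => 'on',
    'HTTP_HOST'   => 'wiki.internal.domain.com',
    'SERVER_PORT' => '443',
    'REQUEST_URI' => '/index.php/Special:PluggableAuthLogin?returnto=Main_Page',
];
$wgServer   = 'https://wiki.domain.com';
$registered = 'https://wiki.domain.com/index.php/Special:PluggableAuthLogin';

$fromServer = redirectUrlFromServerVars( $sampleServer );
$fromBase   = redirectUrlFromBase( $wgServer, '/index.php/Special:PluggableAuthLogin' );

// Exact string equality is what the IdP applies when validating redirect_uri.
printf( "from \$_SERVER: %s  matches registered: %s\n", $fromServer, $fromServer === $registered ? 'yes' : 'no' );
printf( "from wgServer:  %s  matches registered: %s\n", $fromBase, $fromBase === $registered ? 'yes' : 'no' );
```

Run with `php example.php`: the first line prints the internal URL and "no", reproducing the log line in the reply above; the second prints the public URL and "yes". Note that MediaWiki allows a protocol-relative $wgServer (for example `//wiki.domain.com`), which the check here deliberately rejects; in that setup $wgCanonicalServer is the absolute form to feed in.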

Cindy.cicalese (talkcontribs)
83.161.131.201 (talkcontribs)

Hi Cindy,

Thanks for this patch! I have reverted the 'hack' I made in the library above; after installing this new version (don't forget to run update.php ^_^) it works!

Cindy.cicalese (talkcontribs)

Excellent! That's good to hear. Thanks for testing!