Hi Cindy!
When configuring Keycloak and Mediawiki to work together I'm running into the following issue:
- My wiki lives at wiki.internal.domain.com, but is exposed to the world at wiki.domain.com
- My Keycloak lives at auth.domain.com
The configuration for MediaWiki looks like this:

// This is required for the authentication plugins below
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;

// Pluggable authentication
wfLoadExtension( 'PluggableAuth' );
$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = true;
$wgPluggableAuth_EnableLocalProperties = false;
#$wgPluggableAuth_ButtonLabelMessage =
#$wgPluggableAuth_ButtonLabel = null;
#$wgPluggableAuth_ExtraLoginFields = [];
#$wgPluggableAuth_Class = 'OpenIDConnect';

// OpenID connect
wfLoadExtension( 'OpenIDConnect' );
$wgOpenIDConnect_Config['https://auth.domain.com/auth/realms/myfirstrealm'] = [
    'clientID' => 'wiki',
    'clientsecret' => 'somesecret',
    'name' => 'Domain.com SSO',
];
$wgOpenIDConnect_UseRealNameAsUserName = false;
$wgOpenIDConnect_UseEmailNameAsUserName = false;
$wgOpenIDConnect_MigrateUsersByUserName = true;
$wgOpenIDConnect_MigrateUsersByEmail = true;
$wgOpenIDConnect_ForceLogout = false;

The configuration for Keycloak is basically default, with the exception of the Redirect URL (which points to https://wiki.domain.com/index.php/Special:PluggableAuthLogin).
When trying to log in, I am properly redirected to the Keycloak login page, but I receive an error that the redirect URL is invalid. When inspecting the URL, I see that the redirect URL given to Keycloak (from MediaWiki) is https://wiki.internal.domain.com, on which it is not reachable.
However, the baseURL I have configured for MediaWiki is https://wiki.domain.com and not the internal name:

## The protocol and server name to use in fully-qualified URLs
$wgServer = "https://wiki.domain.com";

Am I missing something?
Thanks in advance!
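
A quick way to confirm the mismatch described above, as an added example that is not part of the original post: it pulls `redirect_uri` out of the authorization request MediaWiki sends to Keycloak and checks it against the client's registered redirect URIs and against `$wgServer`. The sample request URL, the function names and the simplified matching rule (exact match, or prefix match for an entry ending in `*`) are assumptions made for this sketch.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the authorization request as seen in the browser's
# address bar when Keycloak shows the "invalid redirect" error.
SAMPLE_AUTH_URL = (
    "https://auth.domain.com/auth/realms/myfirstrealm/protocol/openid-connect/auth"
    "?response_type=code&client_id=wiki&scope=openid&state=constructed"
    "&redirect_uri=https%3A%2F%2Fwiki.internal.domain.com%2Findex.php"
    "%2FSpecial%3APluggableAuthLogin"
)
# Values taken from the post: the redirect URL registered in Keycloak and $wgServer.
REGISTERED = ["https://wiki.domain.com/index.php/Special:PluggableAuthLogin"]
WG_SERVER = "https://wiki.domain.com"


def redirect_uri_of(auth_url):
    """Return the single redirect_uri parameter of an authorization request URL."""
    values = parse_qs(urlsplit(auth_url).query).get("redirect_uri", [])
    if len(values) != 1:
        raise ValueError("expected exactly one redirect_uri, got %d" % len(values))
    return values[0]  # parse_qs has already percent-decoded it


def is_registered(redirect_uri, registered):
    """Assumed matching rule: exact match, or prefix match if the entry ends in '*'."""
    for entry in registered:
        if entry.endswith("*"):
            if redirect_uri.startswith(entry[:-1]):
                return True
        elif redirect_uri == entry:
            return True
    return False


def diagnose(auth_url, registered, wg_server):
    """Report what was sent, whether the IdP would accept it, and whether the
    scheme and host agree with the wiki's configured $wgServer."""
    sent = redirect_uri_of(auth_url)
    parts = urlsplit(sent)
    origin = "%s://%s" % (parts.scheme, parts.netloc)
    return {
        "sent": sent,
        "registered": is_registered(sent, registered),
        "matches_wgServer": origin == wg_server.rstrip("/"),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_AUTH_URL, REGISTERED, WG_SERVER))
```

A result with `matches_wgServer` false shows that the redirect URL in the request was built from something other than `$wgServer`.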