Topic on Extension talk:OpenID Connect

Summary by CCicalese (WMF)

Needed https

195.82.130.6 (talk | contribs)

Hi,

I configured OpenID Connect to work with Keycloak.

The redirect to the Keycloak login screen works, I fill in the username and password, and I am redirected to the wiki, but no user is created.

The session for that user exists in Keycloak.

These are my configuration properties:

#$wgGroupPermissions['*']['createaccount'] = false;
#$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgWhitelistRead = array ("Help:Contents", "Special:Userlogin", "Special:CreateAccount", "Special:PluggableAuthLogin");

wfLoadExtension( 'PluggableAuth' );
$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_EnableLocalProperties = false;
$wgPluggableAuth_Class = 'OpenIDConnect';

wfLoadExtension( 'OpenIDConnect' );
$wgOpenIDConnect_Config['http://192.168.99.100:9080/auth/realms/my_realm/'] = [
    'clientID' => 'mediawiki',
    'clientsecret' => 'some secret',
    'scope' => [ 'openid', 'profile']
];
$wgOpenIDConnect_UseRealNameAsUserName = false;
$wgOpenIDConnect_UseEmailNameAsUserName = false;
$wgOpenIDConnect_MigrateUsersByUserName = true;
$wgOpenIDConnect_MigrateUsersByEmail = true;
$wgOpenIDConnect_ForceLogout = false;

Please tell me what I should do in order to create the user and appear as authenticated in the wiki.

Thank you!

Cindy.cicalese (talk | contribs)

Which MediaWiki and extension versions are you using? Please turn on debugging (Manual:How_to_debug#Setting_up_a_debug_log_file) and report here any mentions of PluggableAuth and OpenID Connect in the debug log file. There should hopefully be an indication of an error in the log. It could be that a preferred username is not being correctly returned and you have it set not to use the email address or real name as the username.

195.82.130.6 (talk | contribs)

MediaWiki 1.31.0,

PluggableAuth 5.4

OpenID Connect 4.1

Log:

IP: ::1

Start request GET /mediawiki/index.php/Special:PluggableAuthLogin

HTTP HEADERS:

HOST: localhost

CONNECTION: keep-alive

UPGRADE-INSECURE-REQUESTS: 1

USER-AGENT: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

ACCEPT-ENCODING: gzip, deflate, br

ACCEPT-LANGUAGE: ro-RO,ro;q=0.9,en-US;q=0.8,en;q=0.7

COOKIE: SESSION=2fd0ee3b-b156-4fc3-80e1-1c55466c0f64; wikidb_session=e254t7vvbbo6eihrvm2fo0f9f5ppbob9;

[caches] cluster: EmptyBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: SqlBagOStuff, session: SqlBagOStuff

[caches] LocalisationCache: using store LCStoreDB

[session] Session "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" requested without UserID cookie

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection.

[DBReplication] Cannot use ChronologyProtector with EmptyBagOStuff.

[DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info {

    "IPAddress": "::1",

    "UserAgent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36",

    "ChronologyProtection": false,

    "ChronologyPositionIndex": 0

}

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'localhost'.

[SQLBagOStuff] Connection 2304 will be used for SqlBagOStuff

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'localhost'.

[PluggableAuth] In execute()

[PluggableAuth] Getting PluggableAuth singleton

[PluggableAuth] Class name: OpenIDConnect

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" data dirty due to dirty(): Jumbojett\OpenIDConnectClient->requestAuthorization/session_commit/MediaWiki\Session\PHPSessionHandler->write/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" data dirty due to dirty(): Jumbojett\OpenIDConnectClient->requestAuthorization/session_commit/MediaWiki\Session\PHPSessionHandler->write/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" save: dataDirty=1 metaDirty=0 forcePersist=0

#9 E:\htdocs\mediawiki\includes\session\Session.php(616): MediaWiki\Session\SessionBackend->save()

#10 E:\htdocs\mediawiki\includes\session\PHPSessionHandler.php(353): MediaWiki\Session\Session->save()

#11 [internal function]: MediaWiki\Session\PHPSessionHandler->write('e254t7vvbbo6eih...', 'a:5:{s:15:"wsSe...')

#12 E:\htdocs\mediawiki\vendor\jumbojett\openid-connect-php\src\OpenIDConnectClient.php(610): session_commit()

#13 E:\htdocs\mediawiki\vendor\jumbojett\openid-connect-php\src\OpenIDConnectClient.php(393): Jumbojett\OpenIDConnectClient->requestAuthorization()

#14 E:\htdocs\mediawiki\extensions\OpenIDConnect\src\OpenIDConnect.php(152): Jumbojett\OpenIDConnectClient->authenticate()

#15 E:\htdocs\mediawiki\extensions\PluggableAuth\includes\PluggableAuthLogin.php(31): OpenIDConnect->authenticate(NULL, NULL, NULL, NULL, NULL)

#16 E:\htdocs\mediawiki\includes\specialpage\SpecialPage.php(522): PluggableAuthLogin->execute(NULL)

[session] Saving all sessions on shutdown

[DBConnection] Wikimedia\Rdbms\{closure}: closing connection to database 'localhost'.

[DBConnection] Wikimedia\Rdbms\{closure}: closing connection to database 'localhost'.

IP: ::1

Start request GET /mediawiki/index.php/Special:PluggableAuthLogin?state=e2e2d20e1b6d9192f66db9446951338c&code=uss.HJBEChHIKTHMZZ8fiI-cBPfIJvWO0GbCI7tR-ZOFKZU.5dd27c5d-414e-4cef-8ffe-ed0aab9d3088.609eb959-ca7f-4130-999c-6a19409fcdb3

HTTP HEADERS:

HOST: localhost

CONNECTION: keep-alive

CACHE-CONTROL: max-age=0

UPGRADE-INSECURE-REQUESTS: 1

USER-AGENT: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

REFERER: http://192.168.99.100:9080/auth/realms/my-realm/protocol/openid-connect/auth?response_type=code&redirect_uri=https%3A%2F%2Flocalhost%2Fmediawiki%2Findex.php%2FSpecial%3APluggableAuthLogin&client_id=mediawiki&nonce=2dbbb67d5621332ea891517120a1218d&state=e2e2d20e1b6d9192f66db9446951338c&scope=openid+profile

ACCEPT-ENCODING: gzip, deflate, br

ACCEPT-LANGUAGE: ro-RO,ro;q=0.9,en-US;q=0.8,en;q=0.7

COOKIE: SESSION=2fd0ee3b-b156-4fc3-80e1-1c55466c0f64; wikidb_session=e254t7vvbbo6eihrvm2fo0f9f5ppbob9;

[caches] cluster: EmptyBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: SqlBagOStuff, session: SqlBagOStuff

[caches] LocalisationCache: using store LCStoreDB

[session] Session "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" requested without UserID cookie

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection.

[DBReplication] Cannot use ChronologyProtector with EmptyBagOStuff.

[DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info {

    "IPAddress": "::1",

    "UserAgent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36",

    "ChronologyProtection": false,

    "ChronologyPositionIndex": 0

}

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'localhost'.

[SQLBagOStuff] Connection 2306 will be used for SqlBagOStuff

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'localhost'.

[PluggableAuth] In execute()

[PluggableAuth] Getting PluggableAuth singleton

[PluggableAuth] Class name: OpenIDConnect

Matching user to email temp@mailinator.com

[CryptRand] 0 bytes of randomness leftover in the buffer.

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" data dirty due to dirty(): OpenIDConnect->authenticate/MediaWiki\Auth\AuthManager->setAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" save: dataDirty=1 metaDirty=0 forcePersist=0

[DBPerformance] Expectation (writes <= 0) by MediaWiki::main not met (actual: 1):

query-m: REPLACE INTO `objectcache` (keyname,value,exptime) VALUES ('X')

#9 E:\htdocs\mediawiki\includes\session\SessionBackend.php(596): MediaWiki\Session\SessionBackend->save()

#10 [internal function]: MediaWiki\Session\SessionBackend->MediaWiki\Session\{closure}()

#11 E:\htdocs\mediawiki\vendor\wikimedia\scoped-callback\src\ScopedCallback.php(76): call_user_func_array(Object(Closure), Array)

#12 E:\htdocs\mediawiki\vendor\wikimedia\scoped-callback\src\ScopedCallback.php(56): Wikimedia\ScopedCallback->__destruct()

#13 E:\htdocs\mediawiki\includes\session\SessionManager.php(886): Wikimedia\ScopedCallback::consume(NULL)

#14 E:\htdocs\mediawiki\includes\session\SessionManager.php(214): MediaWiki\Session\SessionManager->getSessionFromInfo(Object(MediaWiki\Session\SessionInfo), Object(WebRequest))

#15 E:\htdocs\mediawiki\includes\WebRequest.php(730): MediaWiki\Session\SessionManager->getSessionById('e254t7vvbbo6eih...', true, Object(WebRequest))

#16 E:\htdocs\mediawiki\includes\auth\AuthManager.php(2234): WebRequest->getSession()

#17 E:\htdocs\mediawiki\extensions\OpenIDConnect\src\OpenIDConnect.php(194): MediaWiki\Auth\AuthManager->setAuthenticationSessionData('OpenIDConnectIs...', 'http://192.168....')

#18 E:\htdocs\mediawiki\extensions\PluggableAuth\includes\PluggableAuthLogin.php(31): OpenIDConnect->authenticate(NULL, 'Temp', 'tempf templ', 'temp@mailinator...', NULL)

#19 E:\htdocs\mediawiki\includes\specialpage\SpecialPage.php(522): PluggableAuthLogin->execute(NULL)

#20 E:\htdocs\mediawiki\includes\specialpage\SpecialPageFactory.php(568): SpecialPage->run(NULL)

[CryptRand] 0 bytes of randomness leftover in the buffer.

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" data dirty due to dirty(): OpenIDConnect->authenticate/MediaWiki\Auth\AuthManager->setAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" save: dataDirty=1 metaDirty=0 forcePersist=0

#9 E:\htdocs\mediawiki\includes\session\SessionBackend.php(596): MediaWiki\Session\SessionBackend->save()

#10 [internal function]: MediaWiki\Session\SessionBackend->MediaWiki\Session\{closure}()

#11 E:\htdocs\mediawiki\vendor\wikimedia\scoped-callback\src\ScopedCallback.php(76): call_user_func_array(Object(Closure), Array)

#12 E:\htdocs\mediawiki\vendor\wikimedia\scoped-callback\src\ScopedCallback.php(56): Wikimedia\ScopedCallback->__destruct()

#13 E:\htdocs\mediawiki\includes\session\SessionManager.php(886): Wikimedia\ScopedCallback::consume(NULL)

#14 E:\htdocs\mediawiki\includes\session\SessionManager.php(214): MediaWiki\Session\SessionManager->getSessionFromInfo(Object(MediaWiki\Session\SessionInfo), Object(WebRequest))

#15 E:\htdocs\mediawiki\includes\WebRequest.php(730): MediaWiki\Session\SessionManager->getSessionById('e254t7vvbbo6eih...', true, Object(WebRequest))

#16 E:\htdocs\mediawiki\includes\user\User.php(1290): WebRequest->getSession()

#17 E:\htdocs\mediawiki\extensions\PluggableAuth\includes\PluggableAuthLogin.php(33): User->loadDefaults('Temp')

#18 E:\htdocs\mediawiki\includes\specialpage\SpecialPage.php(522): PluggableAuthLogin->execute(NULL)

#19 E:\htdocs\mediawiki\includes\specialpage\SpecialPageFactory.php(568): SpecialPage->run(NULL)

[PluggableAuth] Authenticated new user: Temp

[CryptRand] 0 bytes of randomness leftover in the buffer.

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" data dirty due to dirty(): PluggableAuthLogin->execute/MediaWiki\Auth\AuthManager->setAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" save: dataDirty=1 metaDirty=0 forcePersist=0

#9 E:\htdocs\mediawiki\includes\session\SessionBackend.php(596): MediaWiki\Session\SessionBackend->save()

#10 [internal function]: MediaWiki\Session\SessionBackend->MediaWiki\Session\{closure}()

#11 E:\htdocs\mediawiki\vendor\wikimedia\scoped-callback\src\ScopedCallback.php(76): call_user_func_array(Object(Closure), Array)

#12 E:\htdocs\mediawiki\vendor\wikimedia\scoped-callback\src\ScopedCallback.php(56): Wikimedia\ScopedCallback->__destruct()

#13 E:\htdocs\mediawiki\includes\session\SessionManager.php(886): Wikimedia\ScopedCallback::consume(NULL)

#14 E:\htdocs\mediawiki\includes\session\SessionManager.php(214): MediaWiki\Session\SessionManager->getSessionFromInfo(Object(MediaWiki\Session\SessionInfo), Object(WebRequest))

#15 E:\htdocs\mediawiki\includes\WebRequest.php(730): MediaWiki\Session\SessionManager->getSessionById('e254t7vvbbo6eih...', true, Object(WebRequest))

#16 E:\htdocs\mediawiki\includes\auth\AuthManager.php(2234): WebRequest->getSession()

#17 E:\htdocs\mediawiki\extensions\PluggableAuth\includes\PluggableAuthLogin.php(51): MediaWiki\Auth\AuthManager->setAuthenticationSessionData('PluggableAuthLo...', 'tempf templ')

#18 E:\htdocs\mediawiki\includes\specialpage\SpecialPage.php(522): PluggableAuthLogin->execute(NULL)

#19 E:\htdocs\mediawiki\includes\specialpage\SpecialPageFactory.php(568): SpecialPage->run(NULL)

[CryptRand] 0 bytes of randomness leftover in the buffer.

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" data dirty due to dirty(): PluggableAuthLogin->execute/MediaWiki\Auth\AuthManager->setAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" save: dataDirty=1 metaDirty=0 forcePersist=0

#9 E:\htdocs\mediawiki\includes\session\SessionBackend.php(596): MediaWiki\Session\SessionBackend->save()

#10 [internal function]: MediaWiki\Session\SessionBackend->MediaWiki\Session\{closure}()

#11 E:\htdocs\mediawiki\vendor\wikimedia\scoped-callback\src\ScopedCallback.php(76): call_user_func_array(Object(Closure), Array)

#12 E:\htdocs\mediawiki\vendor\wikimedia\scoped-callback\src\ScopedCallback.php(56): Wikimedia\ScopedCallback->__destruct()

#13 E:\htdocs\mediawiki\includes\session\SessionManager.php(886): Wikimedia\ScopedCallback::consume(NULL)

#14 E:\htdocs\mediawiki\includes\session\SessionManager.php(214): MediaWiki\Session\SessionManager->getSessionFromInfo(Object(MediaWiki\Session\SessionInfo), Object(WebRequest))

#15 E:\htdocs\mediawiki\includes\WebRequest.php(730): MediaWiki\Session\SessionManager->getSessionById('e254t7vvbbo6eih...', true, Object(WebRequest))

#16 E:\htdocs\mediawiki\includes\auth\AuthManager.php(2234): WebRequest->getSession()

#17 E:\htdocs\mediawiki\extensions\PluggableAuth\includes\PluggableAuthLogin.php(53): MediaWiki\Auth\AuthManager->setAuthenticationSessionData('PluggableAuthLo...', 'temp@mailinator...')

#18 E:\htdocs\mediawiki\includes\specialpage\SpecialPage.php(522): PluggableAuthLogin->execute(NULL)

#19 E:\htdocs\mediawiki\includes\specialpage\SpecialPageFactory.php(568): SpecialPage->run(NULL)

[CryptRand] 0 bytes of randomness leftover in the buffer.

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" data dirty due to dirty(): PluggableAuthLogin->execute/MediaWiki\Auth\AuthManager->setAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty

[PluggableAuth] User is authorized.

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" save: dataDirty=1 metaDirty=0 forcePersist=0

#9 E:\htdocs\mediawiki\includes\session\SessionBackend.php(596): MediaWiki\Session\SessionBackend->save()

#10 [internal function]: MediaWiki\Session\SessionBackend->MediaWiki\Session\{closure}()

#11 E:\htdocs\mediawiki\vendor\wikimedia\scoped-callback\src\ScopedCallback.php(76): call_user_func_array(Object(Closure), Array)

#12 E:\htdocs\mediawiki\vendor\wikimedia\scoped-callback\src\ScopedCallback.php(56): Wikimedia\ScopedCallback->__destruct()

#13 E:\htdocs\mediawiki\includes\session\SessionManager.php(886): Wikimedia\ScopedCallback::consume(NULL)

#14 E:\htdocs\mediawiki\includes\session\SessionManager.php(214): MediaWiki\Session\SessionManager->getSessionFromInfo(Object(MediaWiki\Session\SessionInfo), Object(WebRequest))

#15 E:\htdocs\mediawiki\includes\WebRequest.php(730): MediaWiki\Session\SessionManager->getSessionById('e254t7vvbbo6eih...', true, Object(WebRequest))

#16 E:\htdocs\mediawiki\includes\auth\AuthManager.php(2251): WebRequest->getSession()

#17 E:\htdocs\mediawiki\extensions\PluggableAuth\includes\PluggableAuthLogin.php(76): MediaWiki\Auth\AuthManager->getAuthenticationSessionData('PluggableAuthLo...')

#18 E:\htdocs\mediawiki\includes\specialpage\SpecialPage.php(522): PluggableAuthLogin->execute(NULL)

#19 E:\htdocs\mediawiki\includes\specialpage\SpecialPageFactory.php(568): SpecialPage->run(NULL)

[PluggableAuth] ERROR: return to URL is null or empty

MediaWiki::preOutputCommit: primary transaction round committed

MediaWiki::preOutputCommit: pre-send deferred updates completed

MediaWiki::preOutputCommit: LBFactory shutdown completed

[MessageCache] MessageCache::load: Loading en... local cache is empty, global cache is expired/volatile, loading from database

Unstubbing $wgParser on call of $wgParser::firstCallInit from MessageCache->transform

Parser: using preprocessor: Preprocessor_DOM

Unstubbing $wgLang on call of $wgLang::_unstub from ParserOptions->__construct

[gitinfo] Computed cacheFile=E:\htdocs\mediawiki/gitinfo.json for E:\htdocs\mediawiki

[gitinfo] Cache incomplete for E:\htdocs\mediawiki

OutputPage::sendCacheControl: private caching;  **

Request ended normally

[session] Saving all sessions on shutdown

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" data dirty due to dirty(): MediaWiki\Session\SessionManager->shutdown/session_write_close/MediaWiki\Session\PHPSessionHandler->write/MediaWiki\Session\Session->remove/MediaWiki\Session\SessionBackend->dirty

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" data dirty due to dirty(): MediaWiki\Session\SessionManager->shutdown/session_write_close/MediaWiki\Session\PHPSessionHandler->write/MediaWiki\Session\Session->remove/MediaWiki\Session\SessionBackend->dirty

[session] SessionBackend "e254t7vvbbo6eihrvm2fo0f9f5ppbob9" save: dataDirty=1 metaDirty=0 forcePersist=0

195.82.130.6 (talk | contribs)

I solved this by switching http to https in $wgServer = "https://localhost";

Now, I have another question.

How can I add the newly created user to a group based on the role that he has in Keycloak?

Cindy.cicalese (talk | contribs)

I'm glad that worked!

Right now, the only way to integrate external group information is to write an extension that implements PluggableAuth's PluggableAuthPopulateGroups hook. You can see an example in the SimpleSAMLphp extension.
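The fix reported earlier in this thread was changing $wgServer from http to https, and the posted debug log shows the redirect_uri sent to Keycloak already using https://localhost. As an added example (not code from the extension or from either poster), this Python script checks a debug log for that origin mismatch and for [PluggableAuth] / [OpenID Connect] error lines. The function names, the constructed sample log and the pre-fix value http://localhost are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the shape of the debug log posted above
# (state, code and nonce are shortened placeholders).
SAMPLE_LOG = """\
Start request GET /mediawiki/index.php/Special:PluggableAuthLogin?state=STATE&code=CODE
REFERER: http://192.168.99.100:9080/auth/realms/my-realm/protocol/openid-connect/auth?response_type=code&redirect_uri=https%3A%2F%2Flocalhost%2Fmediawiki%2Findex.php%2FSpecial%3APluggableAuthLogin&client_id=mediawiki&nonce=NONCE&state=STATE&scope=openid+profile
[PluggableAuth] Authenticated new user: Temp
[PluggableAuth] ERROR: return to URL is null or empty
"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


def redirect_uris(log_text):
    """Collect every redirect_uri that was sent to the IdP, read from REFERER lines."""
    found = []
    for line in log_text.splitlines():
        m = re.match(r"\s*REFERER:\s*(\S+)", line, re.IGNORECASE)
        if m:
            # parse_qs percent-decodes the value for us
            query = parse_qs(urlsplit(m.group(1)).query)
            found.extend(query.get("redirect_uri", []))
    return found


def check_log(log_text, wg_server):
    """Return findings: origin mismatches first, then extension error lines."""
    findings = []
    want = origin(wg_server)
    for uri in redirect_uris(log_text):
        if origin(uri) != want:
            findings.append(
                f"origin mismatch: $wgServer is {wg_server!r} but redirect_uri is {uri!r}"
            )
    for line in log_text.splitlines():
        if re.match(r"\s*\[(PluggableAuth|OpenID Connect)\].*\bERROR\b", line):
            findings.append("extension error: " + line.strip())
    return findings


if __name__ == "__main__":
    # Assumed pre-fix setting, inferred from "switching http to https".
    for finding in check_log(SAMPLE_LOG, "http://localhost"):
        print(finding)
```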

207.61.101.254 (talk | contribs)

Hey there. I'm having what seems to be the exact same issue and the fix is NOT working. My wiki redirects the user to Keycloak where they can log in just fine, even create accounts. Once the user gets sent back to the wiki, however, Special:PluggableAuthLogin is completely blank, MediaWiki doesn't think the user is logged in (the area in the top-right still has a "Log in" link), and no users are created/updated in the MediaWiki database.

Keycloak is keeping track of the user's session just fine - I can see my account logged in through "mediawiki," username "alkaline." That all works nicely. But MediaWiki isn't actually logged in. Until I manually expire that session I can't re-login - clicking "Log in" just takes me straight back to that blank PluggableAuthLogin page.

However, every time I visit a page on my wiki when I log in, I see this in my Keycloak log, complaining about converting OpenID auth codes to tokens and the code being invalid.


03:18:23,380 WARN  [org.keycloak.protocol.oidc.utils.OAuth2CodeParser] (default task-31) Code '<redacted>' already used for userSession '<redacted>' and client '<redacted>'.

03:18:23,381 WARN  [org.keycloak.events] (default task-31) type=CODE_TO_TOKEN_ERROR, realmId=Bit Phoenix Software, clientId=mediawiki, userId=null, ipAddress=<redacted>, error=invalid_code, grant_type=authorization_code, code_id=<redacted>, client_auth_method=client-secret


I'm not sure what's causing this. I mean it sees the code as having "already being used for this session," could that indicate that the code is one-time use? I'm not super sure how OAuth/OpenID Connect works so I don't know exactly what the auth code is used for (other than the fact it's obviously used for....authorization.)

My options are very slim right now because I can't even get into my admin account for my wiki so if you go to the wiki <https://wiki.bitphoenixsoftware.com/> it's literally just as if you installed MediaWiki for the first time (minus the dark theme.)


I don't want to allow users to create an account DIRECTLY in the wiki, I want them going through Keycloak. We have other services on the website such as a forum and I want people logging in to only one account to get into everything. Logging in isn't mandatory, I just want users to be federated across the website. That is why you don't get automatically redirected to Keycloak right when you visit the wiki. People are able to read the wiki, just not edit it, when logged out.


Maybe this is an issue on Keycloak's side, maybe it's not. I don't know. I just know that searches for "mediawiki keycloak" only really bring me here so... might as well post here. Any help is greatly appreciated :)

207.61.101.254 (talk | contribs)

Update: Enabled all the MediaWiki debug stuff and I'm getting similar errors to the OP. Namely

  • [PluggableAuth] ERROR: return to URL is null or empty


HOWEVER, this is different.

Wikimedia\Rdbms\DBQueryError: A database query error has occurred. Did you forget to run your application's database schema updater after upgrading?

Query: SELECT user_name FROM `wiki_user` WHERE subject = '<redacted>' AND issuer = 'https://auth.bitphoenixsoftware.com/auth/realms/bitphoenix/' LIMIT 1

I think I'm having a different issue here - and that would be that I didn't install the extension correctly. Looking in MySQL... The 'issuer' and 'subject' columns in wiki_user DO NOT exist.


Cindy.cicalese (talk | contribs)

> Once the user gets sent back to the wiki, however, Special:PluggableAuthLogin is completely blank . . .


That usually indicates that there is an error in the authentication workflow. When reporting an error, please be sure to include version information for MediaWiki and all relevant extensions as well as configuration information. Also, please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log (especially lines that begin [PluggableAuth] or [OpenID Connect]).

Cindy.cicalese (talk | contribs)

I just saw your most recent message above. It sounds like you did not run the maintenance/update.php script on your database after installing the extension (see Extension:OpenID_Connect#Installation). Also, you are using an older version of the extension. The subject and issuer columns were moved from the user table to a new openid_connect table in version 5.0 (see Extension:OpenID_Connect#Release_Notes).