Topic on Extension talk:OpenID Connect: preferred_username

Natlan21 (talkcontribs)

Hi, I am quite new to MediaWiki/OpenID.

I am trying to authenticate the user on my wiki using OpenIDConnect. I was able to get the issuer's login page and authenticate using that, however the logged-in user still shows up as "User" instead of the username from the issuer. I see that there is "username" in the claims section of /.well-known/openid-provider. Looking at the extension's documentation, I tried adding:

'preferred_username' => 'username' in $wgOpenIDConnect_Config, but that did not seem to work either. Please suggest how I can debug this or what I could be doing wrong. From the debug info below it also seems I am getting an exception.

Thanks


I am using MediaWiki 1.34.0 with a Postgres DB.


Debug info:


[PluggableAuth] In execute()

[PluggableAuth] Getting PluggableAuth singleton

[PluggableAuth] Class name: OpenIDConnect

[OpenID Connect] Redirect URL: http://mydomain.com/mediawiki/index.php?title=Special:PluggableAuthLogin

[error] [db0552df57216921823a746d] /mediawiki/index.php?title=Special:PluggableAuthLogin&code=ORMensQ_p46ogp46Cn5W-m5yaEAtADhFjZ8AAAAf&state=dd4c766cece486c82df55655a5dfd85e   ErrorException from line 719 of /home/natlan/public_html/mediawiki/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php: PHP Notice: Undefined property: stdClass::$alg
#0 /home/natlan/public_html/mediawiki/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(719): MWExceptionHandler::handleError(integer, string, string, integer, array)
#1 /home/natlan/public_html/mediawiki/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(824): Jumbojett\OpenIDConnectClient->get_key_for_header(array, stdClass)
#2 /home/natlan/public_html/mediawiki/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(279): Jumbojett\OpenIDConnectClient->verifyJWTsignature(string)
#3 /home/natlan/public_html/mediawiki/extensions/OpenIDConnect/src/OpenIDConnect.php(161): Jumbojett\OpenIDConnectClient->authenticate()
#4 /home/natlan/public_html/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php(30): OpenIDConnect->authenticate(NULL, NULL, NULL, NULL, NULL)
#5 /home/natlan/public_html/mediawiki/includes/specialpage/SpecialPage.php(575): PluggableAuthLogin->execute(NULL)
#6 /home/natlan/public_html/mediawiki/includes/specialpage/SpecialPageFactory.php(611): SpecialPage->run(NULL)
#7 /home/natlan/public_html/mediawiki/includes/MediaWiki.php(296): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#8 /home/natlan/public_html/mediawiki/includes/MediaWiki.php(900): MediaWiki->performRequest()
#9 /home/natlan/public_html/mediawiki/includes/MediaWiki.php(527): MediaWiki->main()
#10 /home/natlan/public_html/mediawiki/index.php(44): MediaWiki->run()
#11 {main}

[OpenID Connect] Real name: , Email: , Subject: natlan, Issuer: https://myissuer.com

[OpenID Connect] Found user with matching subject and issuer.

User: cache miss for user 3


Cindy.cicalese (talkcontribs)

I think I may know what is going on. You authenticated before setting the preferred username attribute, so it assigned you a generic User username and saved your subject/issuer information in the openid_connect table in the database. When you subsequently authenticated, it first looks to see if there is an existing user with that subject and issuer. It will only create a new username if that information is not found. So, you would need to manually clear those entries from the openid_connect database table. The exception is also concerning, but it is in the OpenID Connect library. You could try bumping the version of the library in composer.json from 0.5.0 to 0.9.0. That may fix the problem or may cause other issues. But, if it works, please let me know, and I can bump the version of the library in the repo.

Natlan21 (talkcontribs)

Thanks for your reply and help Cindy!

Upgrading to the latest version of the library from GitHub fixed the exception issue, I guess due to added error checks.

Also, the reason why preferred_username was not getting set properly is that my identity provider does not provide the username etc. fields in the userinfo endpoint. They instead provide them as part of the access token payload. I see there is a helper method in the library to read the access token payload, but it is not used. Should the extension use that instead of getting the information from the userinfo endpoint?


I have one question related to authorization: my identity provider will return user permissions as part of the access token. What would be the suggested way to map those to MediaWiki roles? Would the code change submitted in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OpenIDConnect/+/572199 help?

Thanks

Cindy.cicalese (talkcontribs)

I'm glad that the updated library worked. I'll try to get the composer.json file updated soon.

It would be great if you could test that patch and let me know if it fixes your situation. I do not currently have a way to test the new behavior, but it appears to work for several people. If it works for you, too, that will give me more confidence in merging it.

Natlan21 (talkcontribs)

Hi Cindy, to make it work for my identity provider, I had to change the patch a bit (this is because payloads have varying information depending on the individual identity provider). I will think about how we can make it more generic.

Also, most of the issues were solved, as I mentioned, by using the latest version of the library code from GitHub. Could you update the version in composer? Thanks.

Ri thomas (talkcontribs)

Apparently Google also does not provide a username field. When I upgraded the OpenID Connect library to 0.9.0 to get around generic usernames, I get an error.

Auto-creation of a local account failed: You have not specified a valid username.
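The two questions raised in this thread, reading the username and permissions from the access token payload instead of userinfo (Natlan21), and what to do when the provider sends no username claim at all (Ri thomas, Google), come down to the same piece of logic, so here is one added example that covers both. It is illustrative Python, not code from the OpenID Connect extension or from jumbojett/openid-connect-php. Its assumptions: the access token is a signed JWT, here HS256 with a constructed shared secret standing in for a provider's RS256 JWKS key; the claim name `permissions`, the permission strings `wiki:admin`/`wiki:edit` and the mapping to the MediaWiki groups `sysop`/`editor` are made up for the demonstration; the username canonicalisation only approximates MediaWiki's rules. The one point that matters regardless of which helper reads the payload: the extension verifies the ID token, but claims pulled out of the access token are only as trustworthy as the signature check you do on it, so this code refuses to return claims until `alg`, signature, issuer and expiry have been checked, and it raises rather than handing back an empty username, which is the condition behind the "not specified a valid username" failure above.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims, key):
    """Build a constructed HS256 JWT so the example runs offline (a real provider signs with its JWKS key)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256_token(token, key, issuer, now=None):
    """Return the payload claims only after alg, signature, issuer and expiry check out.

    A bare base64 decode of the middle segment (what 'reading the access token
    payload' amounts to) trusts whatever came back through the browser.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch: %r" % claims.get("iss"))
    current = time.time() if now is None else now
    if claims.get("exp") is None or current >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims


def is_rejected(token, key, issuer, now=None):
    """True when verify_hs256_token refuses the token (handy for checks)."""
    try:
        verify_hs256_token(token, key, issuer, now)
    except ValueError:
        return True
    return False


def _to_wiki_username(name):
    """Approximate MediaWiki canonical form: underscores to spaces, first letter upper-cased."""
    name = name.strip().replace("_", " ")
    return name[:1].upper() + name[1:]


def pick_username(userinfo, access_claims):
    """Userinfo first, then the verified access token, then the e-mail local part.

    Raises instead of returning "" so the caller sees why account auto-creation
    would fail when the provider sends no preferred_username at all.
    """
    for source in (userinfo, access_claims):
        name = source.get("preferred_username")
        if name:
            return _to_wiki_username(name)
    email = userinfo.get("email") or access_claims.get("email")
    if email and "@" in email:
        return _to_wiki_username(email.split("@", 1)[0])
    raise ValueError("no usable username claim; account auto-creation would fail")


# Assumed provider permission strings on the left, real MediaWiki group names on the right.
PERMISSION_TO_GROUP = {"wiki:admin": "sysop", "wiki:edit": "editor"}


def groups_for(access_claims):
    """Allowlist mapping of the (assumed) permissions claim to wiki groups; unknown values are dropped."""
    perms = access_claims.get("permissions", [])
    if not isinstance(perms, list):
        raise ValueError("permissions claim must be a list")
    return sorted({PERMISSION_TO_GROUP[p] for p in perms if p in PERMISSION_TO_GROUP})


def resolve_login(userinfo, token, key, issuer, now=None):
    """Verified token in, (wiki username, wiki groups) out."""
    claims = verify_hs256_token(token, key, issuer, now)
    return pick_username(userinfo, claims), groups_for(claims)


if __name__ == "__main__":
    key = b"constructed-shared-secret"   # constructed for the demo
    token = make_hs256_token({"iss": "https://myissuer.com", "sub": "natlan", "preferred_username": "natlan",
                              "permissions": ["wiki:edit", "wiki:admin", "billing:read"],
                              "exp": int(time.time()) + 300}, key)
    print(resolve_login({}, token, key, "https://myissuer.com"))   # userinfo carries no username here
```

Unknown permission strings such as `billing:read` are dropped on purpose: group membership should come from an explicit allowlist you control, not from whatever the provider happens to put in the claim.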
