Topic on Extension talk:OpenID Connect

Curl error in jumbojett/openid-connect-php

Summary by Libresauce

SELinux was preventing httpd from communicating with the Azure endpoint on port 443, producing a curl error in the openid-connect-php client.

Libresauce (talkcontribs)

I'm trying to set up Azure Entra ID login. Right now instead of sending me to Azure I get "Fatal error authenticating user." I double-checked my providerURL and it seems to be correct. Any idea where I'm going wrong? I keep getting <abusefilter-warning-linkspam> when posting this, so I had to strip out some information.

Logs

Stack trace:

#0 /var/www/mediawiki-1.41.0/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(658): Jumbojett\OpenIDConnectClient->fetchURL()
#1 /var/www/mediawiki-1.41.0/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(634): Jumbojett\OpenIDConnectClient->getWellKnownConfigValue()
#2 /var/www/mediawiki-1.41.0/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(787): Jumbojett\OpenIDConnectClient->getProviderConfigValue()
#3 /var/www/mediawiki-1.41.0/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(447): Jumbojett\OpenIDConnectClient->requestAuthorization()
#4 /var/www/mediawiki-1.41.0/extensions/OpenIDConnect/includes/OpenIDConnect.php(229): Jumbojett\OpenIDConnectClient->authenticate()
#5 /var/www/mediawiki-1.41.0/extensions/PluggableAuth/includes/PluggableAuthLogin.php(101): MediaWiki\Extension\OpenIDConnect\OpenIDConnect->authenticate()
#6 /var/www/mediawiki-1.41.0/includes/specialpage/SpecialPage.php(727): MediaWiki\Extension\PluggableAuth\PluggableAuthLogin->execute()
#7 /var/www/mediawiki-1.41.0/includes/specialpage/SpecialPageFactory.php(1621): MediaWiki\SpecialPage\SpecialPage->run()
#8 /var/www/mediawiki-1.41.0/includes/MediaWiki.php(357): MediaWiki\SpecialPage\SpecialPageFactory->executePath()
#9 /var/www/mediawiki-1.41.0/includes/MediaWiki.php(960): MediaWiki->performRequest()
#10 /var/www/mediawiki-1.41.0/includes/MediaWiki.php(613): MediaWiki->main()
#11 /var/www/mediawiki-1.41.0/index.php(50): MediaWiki->run()
#12 /var/www/mediawiki-1.41.0/index.php(46): wfIndexMain()
#13 {main}

[PluggableAuth] Authentication failure.

[PluggableAuth] ERROR: Jumbojett\OpenIDConnectClientException: Curl error: (7) in /var/www/mediawiki-1.41.0/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php:1495

Configuration

MediaWiki 1.41.0

PHP 8.1.27

PHP curl and json modules installed

MariaDB 10.5.22

jumbojett/openid-connect-php 0.9.10

Latest PluggableAuth and OpenID Connect extensions (just did git pull)

Relevant portion of LocalSettings.php

wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'OpenIDConnect' );

$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'buttonLabelMessage' => 'Login with Entra ID',
    'data' => [
        'providerURL' => 'https://login.microsoftonline.com/930d382e-dc17-46c9-a847-e0eb41cc16f7/v2.0/',
        // Redacted values; both must be quoted strings in the real file.
        'clientID' => '***************************',
        'clientsecret' => '***************'
    ]
];

$wgOpenIDConnect_UseEmailNameAsUserName = true;
$wgOpenIDConnect_MigrateUsersByEmail = true;
$wgPluggableAuth_EnableLocalLogin = true;

Cindy.cicalese (talkcontribs)

Curl error 7 is "could not connect to host". Why are there <nowiki> tags in your provider URL?

Libresauce (talkcontribs)

Sorry, didn't realize those tags were in there. They're not in the actual LocalSettings.php. I confirmed that provider URL matches the OpenID Connect metadata document URL from the Azure portal, minus /.well-known/openid-configuration.

Cindy.cicalese (talkcontribs)
Libresauce (talkcontribs)
Cindy.cicalese (talkcontribs)
Libresauce (talkcontribs)

Discovered it was being blocked by SELinux. setsebool -P httpd_can_network_connect 1 fixed it.
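
The SELinux diagnosis above can be confirmed from the audit log before any boolean is changed. The following is an added example, not part of the original thread: the function names are hypothetical and the log lines are constructed samples in the usual AVC record layout. It summarises outbound connections that SELinux denied to the httpd_t domain.

```shell
#!/bin/sh
# Constructed sample audit records (not taken from the thread).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1705000000.101:411): avc:  denied  { name_connect } for  pid=2101 comm="php-fpm" dest=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1705000000.101:411): arch=c000003e syscall=42 success=no exit=-13 comm="php-fpm"
type=AVC msg=audit(1705000007.552:419): avc:  denied  { name_connect } for  pid=2101 comm="php-fpm" dest=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1705000009.010:422): avc:  denied  { read } for  pid=2101 comm="php-fpm" name="notes.txt" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1705000011.300:430): avc:  denied  { name_connect } for  pid=3300 comm="chronyd" dest=443 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# Read audit records on stdin and print "<count> <comm> <dest port> <port type>"
# for every name_connect denial whose source domain is httpd_t.
httpd_connect_denials() {
    awk '
    /avc:  *denied/ && /name_connect/ && /scontext=[^ ]*:httpd_t:/ {
        comm = "?"; dest = "?"; ttype = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/) {
                comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm)
            } else if ($i ~ /^dest=/) {
                dest = substr($i, 6)
            } else if ($i ~ /^tcontext=/) {
                split($i, ctx, ":"); ttype = ctx[3]   # user:role:TYPE:level
            }
        }
        seen[comm " " dest " " ttype]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort -rn
}

# Run over the constructed sample. On a live host, feed it real records:
#   ausearch -m avc -ts recent | httpd_connect_denials
# and check the current setting with:
#   getsebool httpd_can_network_connect
sample_audit_log | httpd_connect_denials
```

A line such as `2 php-fpm 443 http_port_t` matches the curl error 7 in the stack trace. Note that httpd_can_network_connect lets httpd_t open outbound TCP connections to any port, not only 443.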