Extension talk:JWTAuth

This extension is promising, but in a very rough state currently.

With the provided documentation, it is not currently possible to use this extension. According to other comments on the github issue, documentation has been critically out of date for at least nearly a year. Given it is not currently usable, I would like to move this to 'unmaintained' until the creator returns.

I spent numerous hours on it today and found at least these issues before finally giving up and throwing in the towel:

1) Documentation references a non-existent endpoint 'JWTLogin' which does not exist in the code anymore -- possibly correct endpoint is Special:PluggableAuth (?)

2) Extension requires composer libs, but these do not appear to properly autoload even after running the `composer update --no-dev` command. Was able to temporarily work around this by `require_once("/home/wiki/core/extensions/JWTAuth/vendor/autoload.php");` inside JWTAuth.php but this is definitely not the correct solution.

3) The documented $wgJWTAuthDebugMode appears to do nothing (?)

4) Documentation does not notify user that running the update/upgrade script is required, but it definitely is.

5) Even after that, auth is dying with 'Fatal error authenticating user.' possibly due to '[PluggableAuth] ERROR: return to URL is null or empty' (???)

Because of this, I must strongly recommend this extension not be tagged 'stable' as the typical wiki operator would not be able to use it out of box in its current state and long out of date docs appear this has been abandoned. I hope this comment is not discouraging to the author, because I can see there is some great effort here, but it is not currently functional. ContribNote (talk) 08:19, 6 June 2024 (UTC)Reply

I am still here and apologize for the rough state of the documentation. I have not had time to update the documentation since our move to PluggableAuth and I have been very busy over the past year. The extension is not "unusable", it is just poorly documented. There is a difference. That being said, it may be functionally useless to most people, but it works for a few. So, I support putting a disclaimer about the documentation being inconsistent and out of date, but it isn't unstable. Jeffrey Wang 16:08, 6 June 2024 (UTC)Reply

I do empathize of your busy schedule. That said, if the plugin is not in a usable state by the typical wiki operator, it should not be classified as 'stable.'

Here are additional issues I found:

6) Does not document that $wgPluggableAuth_Config needs to be set up (??)

7) Even after resolving all errors, and getting a '[PluggableAuth] User is authorized' it doesn't seem to actually save the session so the login does not work.

As you have replied, 'unmaintained' is indeed the wrong status, and instead I will advocate for 'unstable'. I would encourage you to address the multitude of issues before changing the status back to 'stable' (ideally to experimental first). Having lost a day+ of work time to this plugin, I am now unfortunately committed to making sure that others are properly informed of the status before they embark on a similar experience. ContribNote (talk) 22:38, 6 June 2024 (UTC)Reply

Update - I continued trying to wrangle this, ended up getting tons of problems with "[PluggableAuth] Could not get authentication plugin instance."  For some reason, PluggableAuth wouldn't load JWTAuth anymore, no idea why (for some reason 'name' field in init kept being "" (????)).  

I gave up on PluggableAuth entirely and tried JWTAuth 1.x (last change from your github before the PluggableAuth upgrade), and that... seems to be working great!

So, I think there may be some problems with the v2/PluggableAuth upgrade specifically (including but not only documentation.) The 1.x branch of this plugin is a great resource (and I thank you for developing it). I think it would be fair to consider 1.x 'stable' -- but I don't think 2.x seems anywhere near production-ready currently. I wish you good luck on 2.x development when/if you have time for it later :) ContribNote (talk) 02:29, 7 June 2024 (UTC)Reply

I've added info about v1 versus v2 on the page, including the documentation and source code that represents the best version of v1 before it was replaced in favor of v2. I do apologize for all of the confusion, but I am glad to know at least you can use v1 very happily!

I'm very sorry that you spent over a day's worth of time to figuring this out. I personally feel very sad about that and I completely understand why you wouldn't want others to be in the same position. I hope, with the current notices posted, it will become more obvious to people that they have a choice to use the old v1 if they so wish. Jeffrey Wang 21:13, 10 August 2024 (UTC)Reply

Just confirming which repo is the valid one for the extension, the one on the wmf gerrit (https://gerrit.wikimedia.org/g/mediawiki/extensions/JWTAuth) or the github one (https://github.com/jeffw16/JWTAuth)? P858snake (talk) 20:52, 6 June 2024 (UTC)Reply

For version 2 and above the WMF source control repo is the official one. Prior to v2, development was done on my GitHub. Jeffrey Wang 22:58, 12 June 2024 (UTC)Reply