Extension talk:OpenID Connect

About this board

When reporting an error, please be sure to include version information for MediaWiki and all relevant extensions as well as configuration information. Also, please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log.

Redirect Loop - MediaWiki 1.39.10 - OpenID Connect 8.0.3

HadleySo (talkcontribs)

I'm experiencing a redirect loop after my SSO provider redirects to Special:PluggableAuthLogin. The OIDC SSO provider seems to be redirecting properly; it's just OpenIDConnect redirecting Special:PluggableAuthLogin?state back to Special:PluggableAuthLogin.

Here are the debug logs:

Start request GET /wiki/Special:PluggableAuthLogin?state=07dbd59553fb0f9c8ebed8771d6aa47f&session_state=b56c1ea2-5975-4e66-876f-d1aadae65a89&iss=https%3A%2F%2Fsso.example.com&code=be5093f1-5273-4d74-913f-77b2eac806fe.b56c1ea2-5975-4e66-876f-d1aadae65a89.97d98546-6fa9-497c-af83-595c3af66152
IP: xxx
HTTP HEADERS:
PRIORITY: u=0, i
SEC-FETCH-USER: ?1
SEC-FETCH-SITE: none
SEC-FETCH-MODE: navigate
SEC-FETCH-DEST: document
UPGRADE-INSECURE-REQUESTS: 1
SEC-GPC: 1
DNT: 1
ACCEPT-ENCODING: br,gzip
TE: trailers
ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
ACCEPT-LANGUAGE: en-US,en;q=0.5
COOKIE: wiki_session=ua72ias8mb99gf6nht20c6q5e7vvv84j
CONNECTION: Keep-Alive
USER-AGENT: xxx
HOST: wiki.example.com
CONTENT-LENGTH: 
CONTENT-TYPE: 
(end headers)
[session] SessionManager using store APCUBagOStuff
[localisation] LocalisationCache using store LCStoreDB
[session] Session "ua72ias8mb99gf6nht20c6q5e7vvv84j" requested without UserID cookie
[SQLBagOStuff] MainObjectStash using store ReplicatedBagOStuff
[DBQuery] Wikimedia\Rdbms\DatabaseMysqlBase::open [0s] localhost: SET group_concat_max_len = 262144, `sql_mode` = 
[DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: request info {
    "IPAddress": "xxx",
    "UserAgent": "xxx",
    "ChronologyProtection": false,
    "ChronologyPositionIndex": 0,
    "ChronologyClientId": false
}
[DBReplication] ChronologyProtector using store APCUBagOStuff
[DBReplication] ChronologyProtector fetching positions for 2cadb52aa76dab2a339c763c86bd0b11
[DBReplication] Wikimedia\Rdbms\ChronologyProtector::applySessionReplicationPosition: DEFAULT (localhost) has no position
[DBConnection] Wikimedia\Rdbms\LoadBalancer::lazyLoadReplicationPositions: executed chronology callback.
[DBConnection] Wikimedia\Rdbms\LoadBalancer::getLocalConnection: opened new connection for local/0
[DBQuery] Wikimedia\Rdbms\DatabaseMysqlBase::serverIsReadOnly [0s] localhost: SELECT @@GLOBAL.read_only AS Value
[DBQuery] Wikimedia\Rdbms\Database::beginIfImplied (LCStoreDB::get) [0s] localhost: BEGIN
[DBQuery] LCStoreDB::get [0s] localhost: SELECT  lc_value  FROM `my_wiki_l10n_cache`    WHERE lc_lang = 'en' AND lc_key = 'deps'  LIMIT 1  
[DBConnection] Wikimedia\Rdbms\LoadBalancer::getLocalConnection: reused a connection for local/0
[DBQuery] LCStoreDB::get [0s] localhost: SELECT  lc_value  FROM `my_wiki_l10n_cache`    WHERE lc_lang = 'en' AND lc_key = 'list'  LIMIT 1  
[DBConnection] Wikimedia\Rdbms\LoadBalancer::getLocalConnection: reused a connection for local/0
[DBQuery] LCStoreDB::get [0s] localhost: SELECT  lc_value  FROM `my_wiki_l10n_cache`    WHERE lc_lang = 'en' AND lc_key = 'preload'  LIMIT 1  
[DBConnection] Wikimedia\Rdbms\LoadBalancer::getLocalConnection: reused a connection for local/0
[DBQuery] LCStoreDB::get [0s] localhost: SELECT  lc_value  FROM `my_wiki_l10n_cache`    WHERE lc_lang = 'en' AND lc_key = 'preload'  LIMIT 1  
[DBConnection] Wikimedia\Rdbms\LoadBalancer::getLocalConnection: reused a connection for local/0
[DBQuery] LCStoreDB::get [0s] localhost: SELECT  lc_value  FROM `my_wiki_l10n_cache`    WHERE lc_lang = 'en' AND lc_key = 'specialPageAliases'  LIMIT 1  
[DBConnection] Wikimedia\Rdbms\LoadBalancer::getLocalConnection: reused a connection for local/0
[DBQuery] LCStoreDB::get [0s] localhost: SELECT  lc_value  FROM `my_wiki_l10n_cache`    WHERE lc_lang = 'en' AND lc_key = 'namespaceGenderAliases'  LIMIT 1  
ContextSource::getContext (MediaWiki\Skins\Vector\SkinVector22): called and $context is null. Using RequestContext::getMain()
[MessageCache] MessageCache using store APCUBagOStuff
[MessageCache] MessageCache::loadUnguarded: Loading en... local cache is empty, got from global cache
[PluggableAuth] In execute()
[PluggableAuth] Getting PluggableAuth instance
[PluggableAuth] Plugin name: OpenIDConnect
[OpenIDConnect] Redirect URL: https://wiki.example.com/wiki/Special:PluggableAuthLogin
[session] SessionBackend "ua72ias8mb99gf6nht20c6q5e7vvv84j" data dirty due to dirty(): Jumbojett\OpenIDConnectClient->commitSession/session_write_close/MediaWiki\Session\PHPSessionHandler->write/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty
[session] SessionBackend "ua72ias8mb99gf6nht20c6q5e7vvv84j" data dirty due to dirty(): Jumbojett\OpenIDConnectClient->commitSession/session_write_close/MediaWiki\Session\PHPSessionHandler->write/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty
[session] SessionBackend "ua72ias8mb99gf6nht20c6q5e7vvv84j" save: dataDirty=1 metaDirty=0 forcePersist=0
[session] Saving all sessions on shutdown
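The callback from the debug log above, run through the checks a relying party has to apply before it accepts the authorization code. This is an added illustration in Python, not code from the OpenID Connect extension or from the jumbojett client it wraps; the callback URL is the one in the log, the session contents are constructed, and the issuer is assumed to be the configured providerURL. It shows one way a loop like the reported one can arise: the client stores `state` in the server-side session when it starts the flow, and if the session presented with the callback has no matching state (the log shows the session being requested without a UserID cookie and session data being rewritten on each request), the check fails and the only safe action is to discard the response and start the flow again.

```python
"""
Relying-party checks on an OIDC authorization-code callback.

Added illustration; not the extension's or the jumbojett library's code.
"""
import hmac
from urllib.parse import parse_qs, urlsplit

# Assumed: the providerURL configured in LocalSettings.php for this wiki.
CONFIGURED_ISSUER = "https://sso.example.com"

# Callback exactly as it appears in the thread's debug log.
CALLBACK = (
    "https://wiki.example.com/wiki/Special:PluggableAuthLogin"
    "?state=07dbd59553fb0f9c8ebed8771d6aa47f"
    "&session_state=b56c1ea2-5975-4e66-876f-d1aadae65a89"
    "&iss=https%3A%2F%2Fsso.example.com"
    "&code=be5093f1-5273-4d74-913f-77b2eac806fe.b56c1ea2-5975-4e66-876f-d1aadae65a89.97d98546-6fa9-497c-af83-595c3af66152"
)


def parse_callback(url):
    """Return the single-valued query parameters of the callback, percent-decoded."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items() if len(v) == 1}


def check_callback(url, session, configured_issuer=CONFIGURED_ISSUER):
    """
    Decide what to do with a callback.

    session: the server-side session bound to the browser's cookie. The relying
    party stored 'oidc_state' there when it built the authorization request;
    that is what ties the response to the browser that started the flow.

    Returns ("authenticated", code) when every check passes, otherwise
    ("restart", reason): drop the response and begin a new authorization
    request. If the stored state never survives between the two requests,
    this branch is taken on every callback, which is a redirect loop.
    """
    params = parse_callback(url)

    if "error" in params:
        return "restart", "provider returned error=" + params["error"]
    if "code" not in params or "state" not in params:
        return "restart", "missing code or state"

    expected_state = session.get("oidc_state")
    if expected_state is None:
        # No pending request in this session: new/empty session, cookie not
        # sent, or the session store did not persist the earlier write.
        return "restart", "no pending state in session"
    if not hmac.compare_digest(expected_state, params["state"]):
        return "restart", "state mismatch (CSRF or stale session)"

    # RFC 9207: when the provider echoes iss, it must be the configured issuer.
    if "iss" in params and params["iss"].rstrip("/") != configured_issuer.rstrip("/"):
        return "restart", "iss does not match configured issuer"

    # Consume the state so a replayed callback cannot pass a second time.
    del session["oidc_state"]
    return "authenticated", params["code"]
```

The state comparison uses a constant-time compare and the stored value is deleted on success, so each authorization response is usable exactly once. When debugging a loop, log the session ID on the request that starts the flow and on the callback: if they differ, the state can never match and the cookie or session store is the problem, not the provider.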

update.php crashes with Error 1060: Duplicate column name 'oidc_id' when run again

Planetenxin (talkcontribs)
  • MW 1.39
  • OIDC 8.0.3
$wgOpenIDConnect_UseRealNameAsUserName = true;
$wgOpenIDConnect_MigrateUsersByEmail = true;

When running update.php more than once, it crashes as follows:

Modifying table openid_connect...Wikimedia\Rdbms\DBQueryError from line 1618 of /var/www/html/includes/libs/rdbms/database/Database.php: Error 1060: Duplicate column name 'oidc_id'
Function: Wikimedia\Rdbms\Database::sourceFile( /var/www/html/extensions/OpenIDConnect/includes/../sql/mysql/ChangePrimaryKey.sql )
Query: ALTER TABLE  `openid_connect`
 ADD  oidc_id INT UNSIGNED AUTO_INCREMENT NOT NULL,
 DROP  PRIMARY KEY,
 ADD  PRIMARY KEY (oidc_id)

Usage of emailProcessor

82.174.158.69 (talkcontribs)

How do I properly use the emailProcessor parameter? The JWT contains a collection of emails as 'emails', which will only contain a single email in our case.

However, the extension looks for the 'email' string. Is it possible to use the emailProcessor parameter to use the emails collection attribute?

82.174.158.69 (talkcontribs)

Managed to change the content of the token with the IdP.


mediawiki 1.36.1 and keycloak

Tina533253 (talkcontribs)

Hello,

I am having problems with the integration of the wiki with Keycloak and have been testing and troubleshooting for three days so far. The wiki is not redirecting the user login at all, and after clicking the button to log in with OpenIDConnect the error message "Fatal error authenticating user." is printed as the content of the special page "Special:PluggableAuthLogin" (URL is <our_wiki_app>/wiki/Special:PluggableAuthLogin).


Mediawiki version: 1.36.1

OpenID Connect: 5.4 (4fc6d36) 05:55, 7 December 2021

PluggableAuth: 5.7

PHP: 7.3.29 (apache2handler)

MariaDB: 10.5.12-MariaDB

Relevant configuration in LocalSettings.php is:

$wgGroupPermissions['*']['autocreateaccount'] = true;

## openid config
$wgWhitelistRead = array ("Help:Contents", "Special:Userlogin", "Special:CreateAccount", "Special:PluggableAuthL#
wfLoadExtension( 'PluggableAuth' );
$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = true;
$wgPluggableAuth_EnableLocalProperties = true;
$wgPluggableAuth_Class = 'OpenIDConnect';
wfLoadExtension( 'OpenIDConnect' );
$wgOpenIDConnect_Config['<our_keycloak_app>/auth/realms/master/'] = [
        'clientID' => 'mediawiki-test',
        'clientsecret' => '.........................',
        'scope' => [ 'openid', 'profile', 'email' ]
];
$wgOpenIDConnect_UseRealNameAsUserName = false;
$wgOpenIDConnect_UseEmailNameAsUserName = false;
$wgOpenIDConnect_MigrateUsersByUserName = true;
$wgOpenIDConnect_MigrateUsersByEmail = true;
$wgPluggableAuth_ButtonLabelMessage = 'Login with SSO token';
$wgOpenIDConnect_ForceLogout = true;

After installing extension OpenIDConnect composer.json is modified such that this block is added:

  "extra": {
    "installer-name": "OpenIDConnect",
    "merge-plugin": {
      "include": [
        "extensions/OpenIDConnect/composer.json"
      ]
    }
  }

Two issues not addressed so far are (may be unimportant, but just to mention..):

- executing update.php (I cannot find this script and I think that its execution is not required for this version of MediaWiki). However, jumbojett lib version 0.9.1 is installed (this can be seen in the wiki GUI)

- the debug log is not functional and I cannot see details on the application (to help myself in troubleshooting I am just recording the traffic using tcpdump)

Debug conf is:

$wgDebugLogFile = "/var/log/debug-{$wgDBname}.log";

error_reporting( -1 );
ini_set( 'display_errors', 1 );
$wgShowExceptionDetails = true;

I hope there is a solution for this .. your suggestions are welcome :)

Thank you in advance!

Tina

Tina533253 (talkcontribs)

To configure SSO with keycloak two extensions are installed:

PluggableAuth

OpenIDConnect

LocalSettings.php is modified

composer.json for the OpenIDConnect extension is modified

and client "mediawiki-test" on Keycloak is created for the wiki with redirect URI: http://<our_wiki_app>/wiki/Special:PluggableAuthLogin and access type: confidential

** SSL is configured on Keycloak, but it is not configured on the test wiki app

Cindy.cicalese (talkcontribs)

You do need to run update.php (in the mediawiki core maintenance directory) to create the database table needed by OpenID Connect.

Tina533253 (talkcontribs)

Table already exists in db.

Tina533253 (talkcontribs)

Does anyone have any suggestion about this issue?

StingNapas (talkcontribs)

Hello,

Did you find a solution? I have the same problem

Anollamh (talkcontribs)

Account merging failing due to case differences

Summary by Skillson

Looks like this is fixed in the latest release!

Skillson (talkcontribs)

We've got Azure AD login working great (MW 1.40), but existing accounts are not being merged; we *think* this is because the incoming email addresses have capital letters in them, but the current internal accounts do not, and the code in OpenIDConnectStore just does a direct comparison. Is it possible for the extension to make this comparison case-insensitive?
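The two e-mail handling questions on this page, the 'emails' collection in the emailProcessor thread and the case mismatch in this one, come down to the same step: normalise the address taken from the token before matching it against existing accounts. The Python below is an added illustration of that step, not the extension's own code and not a model of what emailProcessor does (its semantics are not described on this page). The claim sets and the stand-in account table are constructed.

```python
"""
Normalising the e-mail claim before matching it to an existing wiki account.

Added illustration; not code from the OpenID Connect extension.
"""
from typing import Optional

# Constructed stand-in for the wiki's user table: account name -> stored e-mail.
EXISTING_ACCOUNTS = {
    "Alice": "alice@example.org",
    "Bob": "bob.smith@example.org",
    "Carol": None,  # account with no e-mail on file
}


def email_from_claims(claims: dict) -> Optional[str]:
    """Pick a single address out of an ID token / userinfo claim set."""
    value = claims.get("email")
    if value is None and isinstance(claims.get("emails"), list):
        emails = [e for e in claims["emails"] if isinstance(e, str) and e.strip()]
        # More than one address is not a usable identity key; refuse to guess.
        if len(emails) == 1:
            value = emails[0]
    if not isinstance(value, str):
        return None
    value = value.strip()
    return value or None


def normalise_email(addr: str) -> str:
    """
    Canonical form used for comparison only; the stored value is left alone.
    Whole-address casefold: the domain is case-insensitive by definition, and
    treating the local part the same way is the trade-off the poster asks for.
    """
    return addr.strip().casefold()


def find_account_by_email(claims: dict, accounts=EXISTING_ACCOUNTS) -> Optional[str]:
    """Return the existing account to migrate to, or None to create a new one."""
    # Matching on e-mail is only as safe as the provider's ownership check:
    # honour email_verified when the provider sends it.
    if claims.get("email_verified") is False:
        return None
    email = email_from_claims(claims)
    if email is None:
        return None
    wanted = normalise_email(email)
    matches = [name for name, stored in accounts.items()
               if stored is not None and normalise_email(stored) == wanted]
    # Two local accounts sharing an address would make the merge ambiguous.
    return matches[0] if len(matches) == 1 else None
```

The comparison is case-insensitive, but the stored address is never rewritten, and a claim set that is ambiguous (several addresses, or several local accounts with the same address) yields no match rather than a guess; silently merging into the wrong account is an account takeover, so the conservative outcome is the right default.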

AADSTS50011: redirect URI specified in request does not match redirect URIs configured for the application

Wikiphpnoob (talkcontribs)

I have Windows Server 2016, MediaWiki 1.41.1, PHP 8.3.4, MySQL 8.3.0, PluggableAuth 7.1.0, OpenID Connect 8.0.1.

When I attempt to log in, I get the redirect to the Microsoft page, enter my creds, confirm via the authenticator app on my phone and am presented with the following error:

Message: AADSTS50011: The redirect URI 'https://raawiki.acme.org/RAAWIKI/index.php?title=Special:PluggableAuthLogin' specified in the request does not match the redirect URIs configured for the application '6856ee73-9078-420f-a7af-b2da67a686dc'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.


The URI in Azure AD has been set to https://raawiki.acme.org/RAAWIKI/index.php/Special:PluggableAuthLogin

All I'm trying to do at this point is test the login.

My PluggableAuth log shows...

2024-04-12 20:07:08 server raawiki: In execute()

2024-04-12 20:07:08 server raawiki: Getting PluggableAuth instance

2024-04-12 20:07:08 server raawiki: Plugin name: OpenIDConnect

My OpenID Connect log shows...

2024-04-12 20:07:08 server raawiki: Redirect URL: https://raawiki.acme.org/RAAWIKI/index.php?title=Special:PluggableAuthLogin

Where is it pulling https://raawiki.acme.org/RAAWIKI/index.php?title=Special:PluggableAuthLogin from?

LocalSettings.php

<?php
# This file was automatically generated by the MediaWiki 1.41.1
# installer. If you make manual changes, please keep track in case you
# need to recreate them later.
#
# See includes/MainConfigSchema.php for all configurable settings
# and their default values, but don't forget to make changes in _this_
# file, not there.
#
# Further documentation for configuration settings may be found at:
# https://www.mediawiki.org/wiki/Manual:Configuration_settings

# Protect against web entry
if ( !defined( 'MEDIAWIKI' ) ) {
	exit;
}

## Uncomment this to disable output compression
# $wgDisableOutputCompression = true;

$wgSitename = "RAAWIKI";

## The URL base path to the directory containing the wiki;
## defaults for all runtime URL paths are based off of this.
## For more information on customizing the URLs
## (like /w/index.php/Page_title to /wiki/Page_title) please see:
## https://www.mediawiki.org/wiki/Manual:Short_URL
$wgScriptPath = "/RAAWIKI";

## The protocol and server name to use in fully-qualified URLs
$wgServer = "https://raawiki.acme.org";

## The URL path to static resources (images, scripts, etc.)
$wgResourceBasePath = $wgScriptPath;

## The URL paths to the logo.  Make sure you change this from the default,
## or else you'll overwrite your logo when you upgrade!
$wgLogos = [
	'1x' => "$wgResourceBasePath/resources/assets/XXX.jpg",
	'wordmark' => [
		"src" => "$wgResourceBasePath/resources/assets/XXX.jpg",
		"width" => 200,
		"height" => 25,
	],
	'tagline' => [
		"src" => "$wgResourceBasePath/resources/assets/XXX.jpg",
		"width" => 119,
		"height" => 18,
	],
	'icon' => "$wgResourceBasePath/resources/assets/XXX.jpg",
];

## UPO means: this is also a user preference option
$wgEnableEmail = false;
$wgEnableUserEmail = true; # UPO
$wgEmergencyContact = "";
$wgPasswordSender = "";
$wgEnotifUserTalk = false; # UPO
$wgEnotifWatchlist = false; # UPO
$wgEmailAuthentication = true;

## Database settings
$wgDBtype = "mysql";
$wgDBserver = "localhost";
$wgDBname = "acmewiki";
$wgDBuser = "XXX";
$wgDBpassword = "XXX";

# MySQL specific settings
$wgDBprefix = "";
$wgDBssl = false;

# MySQL table options to use during installation or update
$wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=binary";

# Shared database table
# This has no effect unless $wgSharedDB is also set.
$wgSharedTables[] = "actor";

## Shared memory settings
$wgMainCacheType = CACHE_NONE;
$wgMemCachedServers = [];

## To enable image uploads, make sure the 'images' directory
## is writable, then set this to true:
$wgEnableUploads = false;
#$wgUseImageMagick = true;
#$wgImageMagickConvertCommand = "/usr/bin/convert";

# InstantCommons allows wiki to use images from https://commons.wikimedia.org
$wgUseInstantCommons = false;

# Periodically send a pingback to https://www.mediawiki.org/ with basic data
# about this MediaWiki instance. The Wikimedia Foundation shares this data
# with MediaWiki developers to help guide future development efforts.
$wgPingback = false;

# Site language code, should be one of the list in ./includes/languages/data/Names.php
$wgLanguageCode = "en";

# Time zone
$wgLocaltimezone = "EST";

## Set $wgCacheDirectory to a writable directory on the web server
## to make your wiki go slightly faster. The directory should not
## be publicly accessible from the web.
#$wgCacheDirectory = "$IP/cache";

$wgSecretKey = "XXX";

# Changing this will log out all existing sessions.
$wgAuthenticationTokenVersion = "1";

# Site upgrade key. Must be set to a string (default provided) to turn on the
# web installer while LocalSettings.php is in place
$wgUpgradeKey = "XXX";

## For attaching licensing metadata to pages, and displaying an
## appropriate copyright notice / icon. GNU Free Documentation
## License and Creative Commons licenses are supported so far.
$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
$wgRightsUrl = "";
$wgRightsText = "";
$wgRightsIcon = "";

# Path to the GNU diff3 utility. Used for conflict resolution.
$wgDiff3 = "";

## Default skin: you can change the default skin. Use the internal symbolic
## names, e.g. 'vector' or 'monobook':
$wgDefaultSkin = "citizen";

# Enabled skins.
# The following skins were automatically enabled:
wfLoadSkin( 'MinervaNeue' );
wfLoadSkin( 'MonoBook' );
wfLoadSkin( 'Timeless' );
wfLoadSkin( 'Vector' );

# Enabled extensions. Most of the extensions are enabled by adding
# wfLoadExtension( 'ExtensionName' );
# to LocalSettings.php. Check specific extension documentation for more details.
# The following extensions were automatically enabled:
wfLoadExtension( 'CategoryTree' );
wfLoadExtension( 'Cite' );
wfLoadExtension( 'CodeEditor' );
wfLoadExtension( 'DiscussionTools' );
wfLoadExtension( 'ImageMap' );
wfLoadExtension( 'InputBox' );
wfLoadExtension( 'Interwiki' );
wfLoadExtension( 'Linter' );
wfLoadExtension( 'Math' );
wfLoadExtension( 'Nuke' );
wfLoadExtension( 'OATHAuth' );
wfLoadExtension( 'ParserFunctions' );
wfLoadExtension( 'PdfHandler' );
wfLoadExtension( 'ReplaceText' );
wfLoadExtension( 'TemplateData' );
wfLoadExtension( 'VisualEditor' );
wfLoadExtension( 'WikiEditor' );
wfLoadSkin( 'Citizen' );

# End of automatically generated settings.
# Add more configuration options below.

$wgShowExceptionDetails = true;
require_once "$IP/vendor/autoload.php";

$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['user']['edit'] = false;
$wgGroupPermissions['trusted']['edit'] = true; // 'trusted' is a custom group you would create
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;

# Authentication
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'OpenIDConnect' );

# Configure PluggableAuth
$wgPluggableAuth_EnableAutoLogin = false;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_EnableLocalProperties = false;
$wgPluggableAuth_EnableFastLogout = false;
$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'buttonLabelMessage' => 'RAAWIKI Login',
    'data' => [
        'providerURL' => 'https://login.microsoftonline.com/XXX/v2.0/',
        'clientID' => 'XXX',
        'clientsecret' => 'XXX',
        'scope' => ['openid', 'profile', 'email'],
        'preferred_username' => ''
    ]
];
$wgOpenIDConnect_UseRealNameAsUserName = true;

$wgShowExceptionDetails = true;
$wgDebugToolbar = true;
$wgShowDebug = true;
$wgDevelopmentWarnings = true;
$wgDebugLogFile = 'C:/Windows/Temp/Debug.log';
$wgDebugLogGroups['PluggableAuth'] = 'C:/Windows/Temp/PLUG.log';
$wgDebugLogGroups['OpenIDConnect'] = 'C:/Windows/Temp/OpenID.log';

Cindy.cicalese (talkcontribs)
Wikiphpnoob (talkcontribs)

THANK YOU THANK YOU THANK YOU!!! that helped tremendously!!!

For others that will come here searching for answers, if you also have a similar set up as me:

For IIS, if you don't already have it, install PHP Manager and URL Rewrite for IIS Manager. They are incredibly helpful.

Your web.config file in your wiki project root folder will work with URL Rewrite, so it'll be easier to configure that file.

Mine, for example, was:

<rule name="Short Wiki URLs" stopProcessing="true">
  <match url="^acme/index\.php/(.+)$" />
  <action type="Rewrite" url="acme/index.php?title={R:1}" />
</rule>

The following were added to my LocalSettings:

$wgArticlePath = "/acme/index.php/$1";
$wgUsePathInfo = true;

HOPE THAT HELPS OTHERS AS IT DID ME!
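Both the Keycloak thread above (redirect URI registered as http://<our_wiki_app>/wiki/Special:PluggableAuthLogin) and this one (index.php?title=... sent, index.php/... registered) are the same class of failure: the provider compares the redirect_uri it receives with the registered one byte for byte, and MediaWiki builds that value from $wgServer, $wgScriptPath, $wgArticlePath and $wgUsePathInfo. The Python below is an added illustration, not MediaWiki or extension code; it models those URL rules in simplified form (the default $wgArticlePath modelled here is an assumption about MediaWiki's behaviour, stated in the comments) so the value in the extension's "Redirect URL:" log line can be predicted from LocalSettings.php before touching the client registration. One caveat on the posted LocalSettings.php: $wgShowExceptionDetails, $wgShowDebug and $wgDebugToolbar expose stack traces and query details to every visitor and should be switched off once the login works.

```python
"""
Predict the redirect_uri MediaWiki will send for Special:PluggableAuthLogin
and compare it with what is registered at the identity provider.

Added illustration; simplified model of MediaWiki's URL construction.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class WikiUrlConfig:
    server: str                         # $wgServer
    script_path: str                    # $wgScriptPath
    use_path_info: bool = False         # $wgUsePathInfo
    article_path: Optional[str] = None  # $wgArticlePath; None = MediaWiki's default


def article_path(cfg: WikiUrlConfig) -> str:
    """
    Assumption, modelled on MediaWiki's defaults: $wgScript is
    "$wgScriptPath/index.php", and $wgArticlePath defaults to "$wgScript/$1"
    when path info is usable and to "$wgScript?title=$1" otherwise. The
    poster's IIS setup fell into the second case, which is the ?title= form
    seen in the log line.
    """
    if cfg.article_path is not None:
        return cfg.article_path
    script = cfg.script_path.rstrip("/") + "/index.php"
    return f"{script}/$1" if cfg.use_path_info else f"{script}?title=$1"


def full_url(cfg: WikiUrlConfig, title: str) -> str:
    """Full URL for a page title, the way the extension's redirect URL is formed."""
    return cfg.server.rstrip("/") + article_path(cfg).replace("$1", title)


def redirect_uri_matches(sent: str, registered: List[str]) -> bool:
    """Providers match redirect URIs exactly: scheme, host, path and query."""
    return any(sent == r for r in registered)


def diagnose(cfg: WikiUrlConfig, registered: List[str]) -> str:
    """One-line verdict for the Special:PluggableAuthLogin redirect."""
    sent = full_url(cfg, "Special:PluggableAuthLogin")
    if redirect_uri_matches(sent, registered):
        return "ok: " + sent
    return "mismatch: wiki sends %s, provider has %s" % (sent, ", ".join(registered))
```

The fix the poster landed on corresponds to setting `use_path_info=True` and `article_path="/RAAWIKI/index.php/$1"` in this model: then the computed URL equals the registered one. Changing the registration to the ?title= form would work as well; what does not work is hoping the provider normalises the two.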

Wikiphpnoob (talkcontribs)

Hello again @Cindy.cicalese

I am running into trouble syncing group memberships/group members from Azure to the wiki.

Can you take a look here and help me out?

On Special:SpecialPages, looking in User group rights, User list, User rights, I see the list of users that have logged in, I see the information_technology and finance groups, but I can't find the users in those groups that should be there.

# Authentication
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'OpenIDConnect' );

# Configure PluggableAuth
$wgPluggableAuth_EnableAutoLogin = false;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_EnableLocalProperties = false;
$wgPluggableAuth_EnableFastLogout = false;
$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'buttonLabelMessage' => 'RAAWIKI Login',
    'data' => [
        'providerURL' => 'https://login.microsoftonline.com/XXX/v2.0/',
        'clientID' => 'XXX',
        'clientsecret' => 'XXX',
        'scope' => ['openid', 'profile', 'email'],
        'preferred_username' => ''
    ],
    'groupsyncs' => [
        [
            'type' => 'mapped',
            'map' => [
                'information_technology' => [ 'Information Technology' ],
                'finance' => [ 'Finance' ]
            ]
        ]
    ]
];
$wgOpenIDConnect_UseRealNameAsUserName = true;

# used JavascriptSlideshow to create Main Page login instruction
wfLoadExtension( 'JavascriptSlideshow' );
$wgHtml5 = true;
require_once "$IP/extensions/JavascriptSlideshow/JavascriptSlideshow.php";

wfLoadExtension( 'Lockdown' ); //this extension restricts access to specific namespaces and special pages

# defined constants for custom namespaces
define("NS_INFORMATION_TECHNOLOGY", 100);
define("NS_FINANCE", 102);

# custom namespaces
$wgExtraNamespaces[NS_INFORMATION_TECHNOLOGY] = "information_technology";
$wgExtraNamespaces[NS_FINANCE] = "Finance";

# restrict read access to custom namespaces to specified groups
$wgNamespacePermissionLockdown[NS_INFORMATION_TECHNOLOGY]['read'] = ['information_technology'];
$wgNamespacePermissionLockdown[NS_FINANCE]['read'] = ['finance', 'information_technology'];
$wgNamespacePermissionLockdown[NS_FINANCE]['edit'] = ['finance', 'information_technology'];
$wgNamespacePermissionLockdown[NS_FINANCE]['create'] = ['information_technology'];

# basic permissions
$wgGroupPermissions['*']['edit'] = false; //by default, all/anon users prevented from editing
$wgGroupPermissions['*']['read'] = true;
$wgGroupPermissions['user']['edit'] = true; //registered and logged in users can edit
$wgGroupPermissions['user']['read'] = true; //allow user group to read pages
$wgGroupPermissions['*']['createaccount'] = false; //disables ability for all users to create new accounts
$wgGroupPermissions['*']['autocreateaccount'] = true; //used w/ auth extensions for authentication against external systems. allows auto account creation when user logs in through external auth system if account not already created

# Allow information_technology group to have all permissions
$wgGroupPermissions['information_technology']['read'] = true;
$wgGroupPermissions['information_technology']['edit'] = true;
$wgGroupPermissions['information_technology']['delete'] = true;
$wgGroupPermissions['information_technology']['protect'] = true;
$wgGroupPermissions['information_technology']['createpage'] = true;

# Finance permissions
$wgGroupPermissions['finance']['read'] = true;
$wgGroupPermissions['finance']['edit'] = true;
$wgGroupPermissions['finance']['createpage'] = false;
$wgGroupPermissions['finance']['delete'] = false;

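What a 'mapped' group sync has to compute, as an added illustration in Python; this is not the OpenID Connect extension's implementation, and the claim names, claim values and current wiki memberships are constructed. Two checks worth running against the configuration in the post above are built in: the map's target names ("Information Technology", "Finance") are not the groups that $wgGroupPermissions and $wgNamespacePermissionLockdown grant rights to (information_technology, finance), and MediaWiki group names are exact strings; and with Entra ID the groups claim has to be enabled on the app registration and by default carries group object IDs (GUIDs) rather than display names, so the map keys usually have to be those IDs. When a user is in more groups than fit in the token, Entra omits the claim and signals an overage instead, which the extractor below reports rather than treating as "no groups".

```python
"""
Mapped group sync: decide which wiki groups to add and remove for a user.

Added illustration; not the extension's own sync code.
"""

# Provider group -> wiki groups, copied from the poster's 'groupsyncs' config.
GROUP_MAP = {
    "information_technology": ["Information Technology"],
    "finance": ["Finance"],
}

# Wiki groups the poster's $wgGroupPermissions actually grants rights to.
PERMISSION_GROUPS = {"*", "user", "information_technology", "finance"}


def groups_claim(claims, claim_name="groups"):
    """
    Pull the provider's group list out of a claim set.
    Returns a list of strings, or None when the provider signals that the
    list was too large to embed (Entra ID groups overage: the claim is absent
    and '_claim_names' points at a Microsoft Graph source instead).
    """
    names = claims.get("_claim_names")
    if isinstance(names, dict) and claim_name in names:
        return None
    value = claims.get(claim_name, [])
    if isinstance(value, str):
        value = [value]
    return [g for g in value if isinstance(g, str)]


def managed_wiki_groups(group_map=GROUP_MAP):
    """Wiki groups this sync is allowed to add or remove."""
    return {g for groups in group_map.values() for g in groups}


def plan_group_sync(provider_groups, current_wiki_groups, group_map=GROUP_MAP):
    """Return (to_add, to_remove) as sorted lists of wiki group names."""
    wanted = set()
    for pg in provider_groups:
        wanted.update(group_map.get(pg, ()))
    current = set(current_wiki_groups)
    to_add = wanted - current
    # Remove only groups this map manages; never strip sysop, bureaucrat, ...
    to_remove = (current & managed_wiki_groups(group_map)) - wanted
    return sorted(to_add), sorted(to_remove)


def unmapped_targets(group_map=GROUP_MAP, permission_groups=PERMISSION_GROUPS):
    """
    Wiki groups the map would assign that no $wgGroupPermissions entry
    mentions. A user placed in 'Information Technology' gains none of the
    rights granted to 'information_technology'.
    """
    return sorted(managed_wiki_groups(group_map) - set(permission_groups))
```

Restricting removals to managed groups is the property to insist on in any group sync: a provider that momentarily returns an empty list (or an overage marker) must not strip administrator rights that were granted locally. `unmapped_targets()` on the poster's values returns both map targets, which is the first thing to reconcile before debugging the claim itself.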

difference between using this and LDAP for authentication

Summary by Wikiphpnoob

switched from using ldap to azure/entra and oidc

Wikiphpnoob (talkcontribs)

I've hit a wall trying to set up authentication using LDAP and am curious which is easier to set up and maintain between the two.

I have MediaWiki 1.41.0, PHP 8.3.3 on Windows Server 2016 (I know, it's old), with IIS 10.

Just curious what people's thoughts are; thanks for any feedback.

curl error 6 while downloading https://composer.wikimedia.org/packages.json

Wikiphpnoob (talkcontribs)

Curl error in jumbojett/openid-connect-php

Summary by Libresauce

SELinux was preventing httpd from communicating with the Azure endpoint on port 443, producing a curl error in the openid-connect-php client.

Libresauce (talkcontribs)

I'm trying to set up Azure Entra ID login. Right now instead of sending me to Azure I get "Fatal error authenticating user." I double-checked my providerURL and it seems to be correct. Any idea where I'm going wrong? I keep getting <abusefilter-warning-linkspam> when posting this, so I had to strip out some information.

Logs

Stack trace:
#0 /var/www/mediawiki-1.41.0/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(658): Jumbojett\OpenIDConnectClient->fetchURL()
#1 /var/www/mediawiki-1.41.0/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(634): Jumbojett\OpenIDConnectClient->getWellKnownConfigValue()
#2 /var/www/mediawiki-1.41.0/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(787): Jumbojett\OpenIDConnectClient->getProviderConfigValue()
#3 /var/www/mediawiki-1.41.0/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(447): Jumbojett\OpenIDConnectClient->requestAuthorization()
#4 /var/www/mediawiki-1.41.0/extensions/OpenIDConnect/includes/OpenIDConnect.php(229): Jumbojett\OpenIDConnectClient->authenticate()
#5 /var/www/mediawiki-1.41.0/extensions/PluggableAuth/includes/PluggableAuthLogin.php(101): MediaWiki\Extension\OpenIDConnect\OpenIDConnect->authenticate()
#6 /var/www/mediawiki-1.41.0/includes/specialpage/SpecialPage.php(727): MediaWiki\Extension\PluggableAuth\PluggableAuthLogin->execute()
#7 /var/www/mediawiki-1.41.0/includes/specialpage/SpecialPageFactory.php(1621): MediaWiki\SpecialPage\SpecialPage->run()
#8 /var/www/mediawiki-1.41.0/includes/MediaWiki.php(357): MediaWiki\SpecialPage\SpecialPageFactory->executePath()
#9 /var/www/mediawiki-1.41.0/includes/MediaWiki.php(960): MediaWiki->performRequest()
#10 /var/www/mediawiki-1.41.0/includes/MediaWiki.php(613): MediaWiki->main()
#11 /var/www/mediawiki-1.41.0/index.php(50): MediaWiki->run()
#12 /var/www/mediawiki-1.41.0/index.php(46): wfIndexMain()
#13 {main}

[PluggableAuth] Authentication failure.
[PluggableAuth] ERROR: Jumbojett\OpenIDConnectClientException: Curl error: (7) in /var/www/mediawiki-1.41.0/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php:1495

Configuration

MediaWiki 1.41.0

PHP 8.1.27

PHP curl and json modules installed

MariaDB 10.5.22

jumbojett/openid-connect-php 0.9.10

Latest PluggableAuth and OpenID Connect extensions (just did git pull)

Relevant portion of LocalSettings.php

wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'OpenIDConnect' );
$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'buttonLabelMessage' => 'Login with Entra ID',
    'data' => [
        'providerURL' => 'https://login.microsoftonline.com/930d382e-dc17-46c9-a847-e0eb41cc16f7/v2.0/',
        'clientID' => ***************************,
        'clientsecret' => '***************'
    ]
];
$wgOpenIDConnect_UseEmailNameAsUserName = true;
$wgOpenIDConnect_MigrateUsersByEmail = true;
$wgPluggableAuth_EnableLocalLogin = true;

Cindy.cicalese (talkcontribs)

Curl error 7 is "could not connect to host". Why are there <nowiki> tags in your provider URL?

Libresauce (talkcontribs)

Sorry, didn't realize those tags were in there. They're not in the actual LocalSettings.php. I confirmed that provider URL matches the OpenID Connect metadata document URL from the Azure portal, minus /.well-known/openid-configuration

Cindy.cicalese (talkcontribs)
Libresauce (talkcontribs)
Cindy.cicalese (talkcontribs)
Libresauce (talkcontribs)

Discovered it was being blocked by SELinux. setsebool -P httpd_can_network_connect 1 fixed it.
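The stack trace in this thread fails inside getWellKnownConfigValue(), that is, while fetching providerURL + /.well-known/openid-configuration; the poster confirmed providerURL is the Azure metadata URL minus that suffix, and the root cause was SELinux blocking the outbound connection. Once the document can be fetched, what the relying party does with it matters just as much. The Python below is an added illustration, not the jumbojett client's code: it builds the discovery URL from the thread's providerURL and applies the checks a relying party needs on the returned metadata. The metadata document is constructed here (shaped like a Microsoft Entra ID v2.0 document, reduced to the fields used) so the example runs without network access.

```python
"""
Discovery URL and metadata checks for a configured providerURL.

Added illustration; not code from the jumbojett/openid-connect-php client.
"""
import json

# providerURL from this thread.
PROVIDER_URL = "https://login.microsoftonline.com/930d382e-dc17-46c9-a847-e0eb41cc16f7/v2.0/"

# Constructed sample document (no network access in this example).
_TENANT = "https://login.microsoftonline.com/930d382e-dc17-46c9-a847-e0eb41cc16f7"
SAMPLE_METADATA = json.dumps({
    "issuer": _TENANT + "/v2.0",
    "authorization_endpoint": _TENANT + "/oauth2/v2.0/authorize",
    "token_endpoint": _TENANT + "/oauth2/v2.0/token",
    "jwks_uri": _TENANT + "/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
})


def discovery_url(provider_url):
    """providerURL + /.well-known/openid-configuration, with exactly one slash between."""
    return provider_url.rstrip("/") + "/.well-known/openid-configuration"


def check_metadata(provider_url, document):
    """
    Parse a discovery document and apply the checks needed before trusting it:
    the advertised issuer must be the configured provider (OpenID Connect
    Discovery 1.0, section 4.3), the endpoints must exist and be https, and
    the provider must offer at least one real signing algorithm for ID tokens.
    Returns the endpoints, or raises ValueError with the reason.
    """
    meta = json.loads(document)
    issuer = meta.get("issuer", "")
    # The spec demands an identical string; a single trailing slash is the one
    # difference tolerated here, because the providerURL in this thread has one.
    if issuer.rstrip("/") != provider_url.rstrip("/"):
        raise ValueError("issuer mismatch: metadata %r vs configured %r" % (issuer, provider_url))

    endpoints = {}
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = meta.get(key)
        if not isinstance(url, str) or not url.startswith("https://"):
            raise ValueError("%s missing or not https: %r" % (key, url))
        endpoints[key] = url

    algs = meta.get("id_token_signing_alg_values_supported", [])
    if not [a for a in algs if a != "none"]:
        raise ValueError("provider offers no signed ID tokens")
    return endpoints
```

The issuer comparison is the one that protects against a misconfigured or substituted providerURL: a document whose issuer differs from the configured value would otherwise redirect users to, and accept tokens from, whatever endpoints it lists. Curl error 7 (cannot connect) at this step, with the same URL reachable from the shell, is the classic sign of a per-process restriction such as the SELinux boolean the poster found.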

switching usernames from 'RealName' to 'EmailName'

Dan-Dalpiaz (talkcontribs)

I had a couple questions regarding usernames:

First, I've been using $wgOpenIDConnect_UseRealNameAsUserName set to 'true' for a wiki and am wondering if the 'real name' that is provided by the issuer changes in the future, will the username in MediaWiki be updated to reflect that change?

And I'm considering changing to use the 'email name' for the username instead, but simply setting $wgOpenIDConnect_UseEmailNameAsUserName to 'true' instead of the 'real name' option doesn't seem to update the username on subsequent logins. Is there a way to do that? Thanks!

Cindy.cicalese (talkcontribs)

The username config variables are only used when the account is initially created. The username will not change automatically when the real name changes or if you switch to a different username source. You would have to use another extension (e.g. Extension:UserMerge) to manually rename the accounts.
