Extension talk:PluggableAuth

Group mapping with OpenIDConnect extension


I'm trying to map groups as sent from my SSO, with the OpenIDConnect extension. I'm having a lot of trouble following the single example I've found so far, as it doesn't seem to map onto our token format at all. I've got straight logins working fine, but I need to be able to limit by group. I have gotten straight Apache without MediaWiki limited by group on this box.

Unable to continue login / You are already logged in as...


If my users arrive at the wiki, PluggableAuth redirects them to my SSO, which returns them to the wiki with a token; PluggableAuth is happy, and everything is great.

However, if the user arrives from the org's dashboard, they arrive *with* an SSO token, which PluggableAuth is not expecting. If the user is not logged in, it's fine, but if the user was previously logged in, they are sent to the error/login page referenced in my title.

   Unable to continue login. Your session most likely timed out.
   You are already logged in as [username]. Use the form below to log in as another user.

How can I prevent this error? (While I don't have direct control over the SSO, I can request (minor) changes, if that helps.)

Edit: I ended up adding an "isAnon()" check to the PluggableAuthLogin `execute` function; I cloned the repo and got a pull request ready, but it seems Phabricator is very different from what I'm used to, and I'm not sure whether I even have permission to put a PR in? I didn't want to fight Phabricator all day when I'm not even sure if PRs are welcome on PluggableAuth. I'd be happy to submit the code, just let me know.

Germy Parker (talk) 17:16, 22 February 2025 (UTC)

Thank you for your offer of a PR. Yes, PRs are absolutely welcome, but they are submitted in Gerrit, not Phabricator. Ideally, your commit message would contain a reference to a task in Phabricator describing the problem (e.g. the "Bug:" line at Gerrit/Tutorial#Commit_your_staged_changes). Cindy.cicalese (talk) 20:15, 9 March 2025 (UTC)

PluggableAuth unexpectedly throws if no $username returned from authenticate() but $id only


Continuation of discussion started at User talk:Cindy.cicalese#h-PluggableAuth_unexpectedly_throws_if_no_$username_returned_from_authenticate()_b-20240413200800.

@MidnightLG It would help to have a bit more information to debug the remaining issue. The existing code should work in the situation you describe. Here is the expected flow:

  1. PrimaryAuthenticationProvider begins primary authentication, redirecting to Special:PluggableAuthLogin (PrimaryAuthenticationProvider.php#139).
  2. PluggableAuthLogin calls your plugin's authenticate() function (PluggableAuthLogin.php#103).
  3. An existing user is logged in, and authenticate() returns a non-zero value for $id. The user is loaded from the database, and the $username is set (PluggableAuthLogin.php#133).
  4. The username is stored in a session variable (PluggableAuthLogin.php#147).
  5. PrimaryAuthenticationProvider continues primary authentication (PrimaryAuthenticationProvider.php#150).
  6. The ContinueAuthenticationRequest gets the username from the session variable (ContinueAuthenticationRequest.php#46).
  7. PrimaryAuthenticationProvider gets the username from the ContinueAuthenticationRequest (PrimaryAuthenticationProvider.php#160).
  8. PrimaryAuthenticationProvider uses the username to construct a User object (PrimaryAuthenticationProvider.php#161).

From what you describe, the username is null at the last step. It would be helpful to know why it is not set. Cindy.cicalese (talk) 20:37, 9 March 2025 (UTC)
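
A simplified, stand-alone model of the eight-step hand-off listed above, added here as an illustration and not taken from PluggableAuth's code. ExamplePlugin, runLoginPage, continueAuthentication, USERNAME_KEY and the user table are hypothetical names; the model shows the two places where, in this model, the username read at step 6 can be missing.

```php
<?php
// Hypothetical model of the session hand-off; none of these names are
// PluggableAuth's own classes, functions or session keys.
const USERNAME_KEY = 'example-username'; // assumed session key name
$userTable = [ 7 => 'Alice' ]; // constructed sample user table

final class ExamplePlugin {
    public function __construct( private ?int $id, private ?string $username ) {}
    // An existing user may be reported by $id alone, with no $username.
    public function authenticate( ?int &$id, ?string &$username ): bool {
        $id = $this->id;
        $username = $this->username;
        return true;
    }
}

// Steps 2-4: call the plugin, resolve the name from $id, store it in the session.
function runLoginPage( ExamplePlugin $plugin, array $userTable, array &$session ): void {
    $id = null;
    $username = null;
    if ( !$plugin->authenticate( $id, $username ) ) {
        return;
    }
    if ( $id ) {
        // Existing user: take the stored name; an unknown id yields null here.
        $username = $userTable[$id] ?? null;
    }
    $session[USERNAME_KEY] = $username;
}

// Steps 6-8: read the name back and refuse to build a user from a missing one.
function continueAuthentication( array $session ): string {
    $username = $session[USERNAME_KEY] ?? null;
    if ( $username === null || $username === '' ) {
        return 'FAIL: no username in session';
    }
    return "PASS: $username";
}

$cases = [
    'id only, known user' => new ExamplePlugin( 7, null ),
    'id only, unknown id' => new ExamplePlugin( 99, null ),
    'new user, name only' => new ExamplePlugin( 0, 'Bob' ),
];
foreach ( $cases as $label => $plugin ) {
    $session = []; // fresh session per login attempt
    runLoginPage( $plugin, $userTable, $session );
    echo $label, ': ', continueAuthentication( $session ), PHP_EOL;
}
echo 'session lost before step 6: ', continueAuthentication( [] ), PHP_EOL;
```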

Thank you for the detailed explanation. It helped me a lot to get how it works.
Unexpectedly, I cannot reproduce that again; it works perfectly! Sorry for the false report. MidnightLG (talk) 19:43, 12 March 2025 (UTC)

Extension:PluggableAuth/182


After this translation unit, the text appears on the following line in the Czech translation: <span id="syncall_group_sync"... ENeRZet (talk) 06:16, 28 May 2025 (UTC)

Fataler Fehler bei der Authentifizierung des Benutzers


This message translates into "Fatal error in user authentication" or "Fatal user authentication error" and appears when trying to log in a user with the Pluggable Auth / OpenID Connect extension combo.

One gets this message if the authentication provider rejects the login for whatever reason. I think it will be nice to rephrase this message to already hint at the authentication provider as the source of rejection.

When looking at the i18n files of both extensions I am unable to find this error message. I have no clue where it comes from. [[kgh]] (talk) 07:42, 2 June 2025 (UTC)

Ah, looks like it was changed in the commit breaking for MediaWiki 1.39. It is the "pluggableauth-fatal-error" message key which now reads "Error authenticating user. Please try again or contact your system administrator." Would it be better to rephrase to "Error from the authentication provider while authenticating user. Please try again or contact your system administrator." or something similar? [[kgh]] (talk) 07:48, 2 June 2025 (UTC)