Topic on Extension talk:PluggableAuth

MediaWiki 1.41.0 (62e7aef)

OpenID Connect 7.0.2 (c515880)

PluggableAuth 7.0.0 (2d86d50)

PHP 8.2.17 (apache2handler)

ICU 72.1

PostgreSQL 16.0

I'm unclear on the correct way to reference field in the access_token from the OIDC payload and assign them to the default roles in mediaWiki using groupsyncs. I have the following defined in LocalSettings.php. below that I have the access_token example pulled from the jwt. Logging in works great. But auto-assigning users that have thefieldwithrole to a group doesn't seem to be working.

Any insight into what I might be doing wrong?

$wgPluggableAuth_Config[] = [

    'plugin' => 'OpenIDConnect',

    'data'   => [

.......

    ],

    'groupsyncs' => [

        [

          'type' => 'mapped',

          'map' => [

            'users' => [ 'thefieldwithrole' => 'roleA' ],

            'sysop' => [ 'thefieldwithrole' => 'roleB' ]

          ]

        ]

    ]

];

Example Access_Token pulled from jwt payload:

{

  "thefieldwithrole"     : "roleA",

  "aud"                  : "omitted",

  "authorization_details": [],

  "client_id"            : "theclientid",

  "client_key"           : "theclientkey",

  "Email"                : "someemailaddress",

  "exp"                  : 1234567890

  "first_name"           : "first",

  "iss"                  : "omitted",

  "jti"                  : "xf8i7vW",

  "last_name"            : "last",

  "login"                : "12345678",

  "Organization"         : "theorg",

  "samaccountname"       : "12345678",

  "scope"                : "openid profile",

  "sub"                  : "12345678",

  "subject"              : "12345678",

  "uid"                  : "12345678",

  "userid"               : "12345678",

  "userId"               : "12345678",

}

@RakingTheLeaves

hello, i'm in the process of trying to figure this out. i'm using azure ad and openid connect.

have you had any success figuring things out?

Apologies for the delay... I haven't been focused on this much this week. But, no... I haven't quite figured it out (yet). It "seems" like the code isn't seeing the "thefieldwithrole" from the access_token of the OIDC token payload.

Without any other guidance to go by, my current thinking is to try putting my authZ info into the authorization_details[] section of the payload in accordance with the intent of the RFC... maybe the extension author is expecting to find the information there... unsure. If that doesn't work, may slog through the extension code to see if I can figure it out.... just getting to the point where I can't delay the project much longer and may try something else.

https://datatracker.ietf.org/doc/html/rfc9396

"This specification introduces a new parameter authorization_details that allows clients to specify their fine-grained authorization requirements using the expressiveness of JSON [RFC8259] data structures.¶"

I will post here if I get it going.

@RakingTheLeaves

your response is greatly appreciated.

i have managed to get passed authentication. but i'm finding it difficult for my log in to pull group memberships from the local azure ad/entra. and likewise, if i find anything, i'll share it.

thanks

OK, i was able to get groupsync working between azure ad and wiki

i think something to consider is how azure ad is configured as well. on top of the claim for user info when the wiki app is registered in the azure portal, a groups claim needs to be added.

a rough instruction is :

Azure Active Directory > App registrations > the wiki app > Token configuration(might be under Manage) > is there a group claim?

if not, click Add optional claim > ID for id tokens > Group > ...hopefully you can follow from there. i think its better to use group id than samaccountname

then when configuring PluggableAuth_Confiig...

'groupsyncs' => [

[

'type' => 'mapped',

'map' => [

'information_technology' => ['groups' => 'azure ad group id'] ]

]

]

]

'groups' is needed, though i cannot remember why. I found this explanation using ChatGPT ", the groups claim in a token can contain the IDs of the Azure AD groups to which the user belongs"

hopefully that helps some? good luck

I tried following your solution, but it seems to still not be working for me.

"The only difference is I am using the SimpleSAMLphp plugin: The following does not work. Any suggestions on what I am doing wrong?

$wgPluggableAuth_Config["Log in without Password (SSO)"] = [

    "plugin" => "SimpleSAMLphp",

    "data" => [

        "authSourceId" => "default-sp",

        "usernameAttribute" => "email",

        "realNameAttribute" => "displayname",

        "emailAttribute" => "email",

        "groupAttributeName" => "....schemas.microsoft.com/ws/2008/06/identity/claims/role"  ],

    'groupsyncs' => [

      [

        'type' => 'mapped',

        'map' => [

          'sysops' => [ 'groups' => 'Admin' ],

          'bureaucrat' => [ 'groups' => 'User_draft_edit' ],

          'suppress' => [ 'groups' => 'User_draft_read' ]

        ]

      ]

    ]  

];"