MediaWiki

Cindy.cicalese

Joined 14 December 2012

About this board

Cindy.cicalese

Previous discussion was archived at User talk:Cindy.cicalese/Archive 1 on 2017-03-17.

Start a new topic
You are not logged in. To receive attribution with your name instead of your IP address, you can log in or create an account.

Permission error after login on MW with SSO

7 comments • 21:06, 19 April 2024 10 hours ago
7
Raoufgui (talkcontribs)

Hello

@Cindy.cicalese first i woulk like to thank you very much for your support, finally i can implement SSO with AD Azure using OpenIDConnect and PluggableAuth_Config.


Now after login i have permission error

You do not have permission to read this page, for the following reason:

The action you have requested is limited to users in one of the groups: Administrators, app_wiki_usr

Acutally i have the groupe "app_wiki_usr" on my MW and it has a "READ" permission

$wgGroupPermissions['app_wiki_usr']['read'] = true;

1- should I create the same groupe on Azure AD and add users to IT ?

2- for mapping group do you confirm that I should add on $wgPluggableAuth_Config ONYLY this lines bellow  ?

'groupsyncs' => [

     [

       'type' => 'mapped',

       'map' => [

         'app_wiki_usr' => [ 'groups' => 'app_wiki_usr' ],

       ]

     ]

   ];


Have a nice day

Reply Edited 10:19, 20 June 2023 9 months ago
Cindy.cicalese (talkcontribs)

I'm so glad you've gotten it working. If there was anything that you had to do that was accurately represented in the instructions on the extension wiki page, please update it.

The answer to your question depends on where you want you system administrator to manage the user permissions: in the wiki or in Azure AD. Either would work. If you want to administer the permissions in the wiki, a user with bureaucrat permissions would do so on page Special:UserRights. If you want to administer the permissions in Azure AD, you would add the code you indicate above or similar. What I do not know is what attribute name the group information will be provided in by Azure AD. 'groups' is a popular choice. You will need to make sure whatever attribute name is provided in Azure AD matches what is in the config snippet above.

Reply 12:38, 20 June 2023 9 months ago
Raoufgui (talkcontribs)

Hello @Cindy.cicalese

Yes i will update pages that need to be updated.

excuse me i have some confusion from what you said

for me permission will be administrated from Azure AD Side

the group created on Azure Ad by Ad administrator is named "DSI - Wiki - USER", it contains all user allowed to connect to MW

in MW we have a group named "app_wiki_usr"

$wgGroupPermissions['app_wiki_usr']['read'] = true;


1- what do you mean please by attribute name does it the Objecttype and how to get it  ?

2- should i have the same name of group in MW and Azure AD ?


3-second configure the mapping , here what should i put at this line  ?


' (which group AD or MW)' => [ 'attribute name of AD group "DSI - Wiki - USER"' => '(which group AD or MW)' ],


Thanks

Reply 13:44, 20 June 2023 9 months ago
Cindy.cicalese (talkcontribs)

1) When the groups are synchronized between Azure AD and MediaWiki, the MediaWiki code will request the attributes provided by Azure AD. What is in the response depends upon how Azure AD is configured. The group information will be in the structure that is returned as the response to that request. The attribute name that is used to index into the resulting data structure is what you will need. If you don't know what is in that structure, you could add some debugging to https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/PluggableAuth/+/refs/heads/master/includes/Group/GroupProcessorRunner.php#51 to show what is returned in pluginAttributes.

2) It does not matter whether those names are the same.

3) <name of MW group> => [ <name of AD attribute> => <name of AD group> ]

<name of MW group> is the name you want the group to have on the MW side

<name of AD attribute> is the attribute name referred to in 1) above

<name of AD group> is the name of the group in AD that you want to have mapped to the MW group

Reply 18:15, 20 June 2023 9 months ago
Raoufgui (talkcontribs)

Thanks a lot it work now

Reply 15:12, 22 June 2023 9 months ago
Cindy.cicalese (talkcontribs)

Great!

Reply 15:14, 22 June 2023 9 months ago
Wikiphpnoob (talkcontribs)

@RakingTheLeaves

perhaps i'm being premature in tagging you here without putting the above to the test.... but perhaps also, this is worth a read through?

Reply 21:06, 19 April 2024 10 hours ago
Reply to "Permission error after login on MW with SSO"

PluggableAuth unexpectedly throws if no $username returned from authenticate() but $id only

3 comments • 10:37, 14 April 2024 5 days ago
3
MidnightLG (talkcontribs)

Hi! I'm developing a new auth plugin (custom protocol) using PluggableAuth 7.1.0 on MediaWiki 1.41.1.

In method authenticate() if Wiki have no user in DB, the method returns $username, etc. It works. But for existing user I return the $id only which cause the plugin PluggableAuth to throw an Exception.

TypeError: MediaWiki\User\UserFactory::newFromName(): Argument #1 ($name) must be of type string, null given, called in /var/www/html/extensions/PluggableAuth/includes/PrimaryAuthenticationProvider.php on line 161

Why returning $username is mandatory for the existing user? I think there's no reason for it.

The root cause is in PluggableAuthLogin.php lines 124-126

$this->authManager->setAuthenticationSessionData( self::USERNAME_SESSION_KEY, $username );

$this->authManager->setAuthenticationSessionData( self::REALNAME_SESSION_KEY, $realname );

$this->authManager->setAuthenticationSessionData( self::EMAIL_SESSION_KEY, $email );

You're picking the wrong data here returned from authenticate() instead of already fetched by id $user.

The fix might be like this:

$this->authManager->setAuthenticationSessionData( self::USERNAME_SESSION_KEY, $user->getName() );

$this->authManager->setAuthenticationSessionData( self::REALNAME_SESSION_KEY, $user->getRealName() );

$this->authManager->setAuthenticationSessionData( self::EMAIL_SESSION_KEY, $user->getEmail() );

I tested, it fixes the above Exception. Thank you!

Reply 20:08, 13 April 2024 6 days ago
Cindy.cicalese (talkcontribs)

If you look at the code of User::getName(), User::getRealName(), and User::getEmail(), they all do quite a bit more than just return the relevant values. It looks like $user->mName, $user->mRealName, and $user->email could be used instead.

Reply 00:45, 14 April 2024 6 days ago
MidnightLG (talkcontribs)

Sure, that's up to you. Thanks!

Reply 10:37, 14 April 2024 5 days ago
Reply to "PluggableAuth unexpectedly throws if no $username returned from authenticate() but $id only"

LinkedIn link

2 comments • 13:32, 23 December 2023 3 months ago
2
Tommy Kronkvist (talkcontribs)
Reply 10:45, 23 December 2023 3 months ago
Cindy.cicalese (talkcontribs)

Thank you! Fixed!

Reply 13:32, 23 December 2023 3 months ago
Reply to "LinkedIn link"

OpenIDConnect Authentication Issue

2 comments 17:13, 15 December 2023 4 months ago
2
Summary by Cindy.cicalese

Not enough information was provided to debug. Feel free to reopen with more information.

49.43.224.61 (talkcontribs)

We are using Microsoft Azure Entra ID but getting Fatal Authentication  Error at mediawiki end.  We have followed the steps given at Extension:OpenID Connect documentation.

We have done following configuration at mediawiki LocalSettings.php  :-

wfLoadExtension( 'PluggableAuth' );

wfLoadExtension( 'OpenIDConnect' );

$wgPluggableAuth_Config[] = [

    'plugin' => 'OpenIDConnect',

    'data' => [

        'providerURL' => 'https://login.microsoftonline.com/XXXXXXXXXX

        'clientID' => 'XXXXXXXXXXXXXXXXX',

        'clientsecret' => 'XXXXXXXXXXXXXXXXXXX'

    ]

];

$wgOpenIDConnect_UseRealNameAsUserName = true;


Please help us to solve this issue as it is very urgent.


Thanks

Extension:OpenID Connect - MediaWiki

15:23, 12 December 2023 4 months ago
Cindy.cicalese (talkcontribs)

When reporting an error, please be sure to include version information for MediaWiki and all relevant extensions as well as configuration information. Also, please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log.

15:26, 12 December 2023 4 months ago

Changing to another OIDC provider

One comment 18:52, 8 November 2023 5 months ago
1
Summary by Cindy.cicalese

Fixed in OpenID Connect version 7.0.2.

Vajdaz (talkcontribs)

Hi Cindy,

I just posted a queston on the MediaWiki Support Desk, but then realized, that this maybe is a better place for the question. Could you please have a look?

Regards, Zoltan

Edited 19:24, 11 October 2023 6 months ago

Mediawiki ShortUrl

2 comments 18:51, 8 November 2023 5 months ago
2
Summary by Cindy.cicalese

Fixed configuration settings.

FrankKufer (talkcontribs)

Hi Cindy, I have an issue setting up ShortUrl using $wgArticlePath. Following the documentation I was able to create the short url but I get 404 error. Please let me know if there is a fix for this.

Below are my configurations:


My Folder name and Url is set to "mediawikinew"

In my LocalSettings.php File I have set

$wgScriptPath = "/mediawikinew";

$wgArticlePath = "/mediawikinew/$1";

$wgUsePathInfo = true;

My Nginx for mediawiki conf is set to this

server{

listen 80;

listen [::]:80;

server_name mediwikinew;

root /var/www/mediawikinew;

index index.php;

error_log /var/log/nginx/mediawikinew.error;

access_log /var/log/nginx/mediawikinew.access;

location / {

        try_files $uri $uri/ /index.php;

        #try_files $uri $uri/ @mediawikinew;

}

location ~ /.well-known {

       allow all;

}

location ~ /\.ht {

      deny all;

}


location /mediawikinew/ {

                #rewrite ^/mediawikinew/(?<pagename>.*)$ /mediawikinew/index.php;

                rewrite ^/mediawikinew/([^\?]*) /mediawikinew/index.php?title=$1&$args last;

       }

location = / {

                return 301 /mediawikinew/Main_Page;

        }

location ~ ^/mediawikinew/(index|load|api|thumb|opensearch_desc|rest|img_auth)\.php$ {

                include /etc/nginx/fastcgi_params;

                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

                #fastcgi_param SCRIPT_FILENAME $document_root/index.php;

                fastcgi_pass unix:/run/php/php8.1-fpm.sock;

                include snippets/fastcgi-php.conf;

        }

location /mediawikinew/images/deleted {

                # Deny access to deleted images folder

                deny all;

        }

location /mediawikinew/images {

                # Separate location for images/ so .php execution won't apply

        }

location ~ ^/mediawikinew/resources/(assets|lib|src) {

                try_files $uri =404;

                add_header Cache-Control "public";

                expires 7d;

        }

location ~ ^/mediawikinew/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg|png|svg|wasm|ttf|woff|woff2)$ {

                try_files $uri =404;

                add_header Cache-Control "public";

                expires 7d;

        }

location = /favicon.ico {

                alias /mediawikinew/images/6/64/Favicon.ico;

                add_header Cache-Control "public";

                expires 7d;

        }

location ~ ^/mediawikinew/(COPYING|CREDITS)$ {

                default_type text/plain;

        }

location /mediawikinew/rest.php/ {

                try_files $uri $uri/ /mediawikinew/rest.php?$query_string;

        }

}

15:30, 3 November 2023 5 months ago
FrankKufer (talkcontribs)

This topic is resolved.

14:45, 7 November 2023 5 months ago

Mediawiki not Directing to AzureAD

9 comments 18:51, 8 November 2023 5 months ago
9
Summary by Cindy.cicalese

Fixed configuration settings.

FrankKufer (talkcontribs)

Hi Cindy,

I hope you are doing well. I am trying to set up OpenIDConnect with PluggableAuth to use Azure AD. However, I'm facing an issue where, upon attempting to log in to Mediawiki, I am not directed to Azure for authentication. Instead, I receive the message "The supplied credentials could not be authenticated." I'm not sure what I am missing in this setup. I have already ensured that the tenant ID, Client Secret, and Client ID are all correctly set and Files that I configured:

  • composer.local.json-sample In root directory of MediawikiNEW added this line "extensions/OpenIDConnect/composer.json"
  • composer.json In root directory of MediawikiNEW added/got added this line

"jumbojett/openid-connect-php": "^0.9.10"

  • Below is my LocalSettings.php:
18:57, 25 August 2023 7 months ago
FrankKufer (talkcontribs)

<?php

error_reporting( E_ALL );

ini_set( 'display_errors', 1 );

# Protect against web entry

if ( !defined( 'MEDIAWIKI' ) ) {

exit;

}

$wgSitename = "My Website Name";

$wgMetaNamespace = "My_Website_Name";

$wgScriptPath = "/mediawikiNEW";

$wgServer = "";

$wgResourceBasePath = $wgScriptPath;

$wgLogos = [

'1x' => "$wgResourceBasePath/resources/assets/change-your-logo.svg",

'icon' => "$wgResourceBasePath/resources/assets/change-your-logo-icon.svg",

];

$wgEnableEmail = true;

$wgEnableUserEmail = true; # UPO

$wgEmergencyContact = "";

$wgPasswordSender = "";

$wgEnotifUserTalk = false; # UPO

$wgEnotifWatchlist = false; # UPO

$wgEmailAuthentication = true;

## Database settings

$wgDBtype = "mysql";

$wgDBserver = "localhost";

$wgDBname = "myDatabse";

$wgDBuser = "mediaUser";

$wgDBpassword = "Password";

# MySQL specific settings

$wgDBprefix = "";

# MySQL table options to use during installation or update

$wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=binary";

# Shared database table

# This has no effect unless $wgSharedDB is also set.

$wgSharedTables[] = "actor";

## Shared memory settings

$wgMainCacheType = CACHE_NONE;

/* $wgMainCacheType = CACHE_ACCEL;

$wgSessionCacheType = CACHE_DB; */

$wgMemCachedServers = [];

$wgEnableUploads = true;

$wgUseImageMagick = true;

$wgImageMagickConvertCommand = "/usr/bin/convert";

$wgUseInstantCommons = false;

$wgPingback = true;

$wgLanguageCode = "en";

# Time zone

$wgLocaltimezone = "America/New_York";

$wgSecretKey = "SercretKey";

# Changing this will log out all existing sessions.

$wgAuthenticationTokenVersion = "1";

# Site upgrade key. Must be set to a string (default provided) to turn on the

# web installer while LocalSettings.php is in place

$wgUpgradeKey = "UpgradeKey";

$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright

$wgRightsUrl = "";

$wgRightsText = "";

$wgRightsIcon = "";

# Path to the GNU diff3 utility. Used for conflict resolution.

$wgDiff3 = "/usr/bin/diff3";

# The following permissions were set based on your choice in the installer

$wgGroupPermissions['*']['edit'] = false;

$wgGroupPermissions['*']['read'] = false;

## Default skin: you can change the default skin. Use the internal symbolic

## names, e.g. 'vector' or 'monobook':

$wgDefaultSkin = "vector";

# Enabled skins.

# The following skins were automatically enabled:

wfLoadSkin( 'MinervaNeue' );

wfLoadSkin( 'MonoBook' );

wfLoadSkin( 'Timeless' );

wfLoadSkin( 'Vector' );

# visual editor

wfLoadExtension( 'VisualEditor' );

$wgDefaultUserOptions['visualeditor-editor'] = "visualeditor";

$wgHiddenPrefs[] = 'visualeditor-enable';

# create page

wfLoadExtension( 'CreatePageUw' );

$wgCreatePageUwUseVE = true;

### Azure directory extensions or config

$wgGroupPermissions['*']['createaccount'] = true;

$wgGroupPermissions['*']['autocreateaccount'] = true;

#PluggableAuth

wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_EnableAutoLogin = false;

$wgPluggableAuth_EnableLocalLogin = false;           # if this set to true allows local login without azure auth

$wgPluggableAuth_EnableLocalProperties = false;

$wgPluggableAuth_EnableFastLogout =true;       

$wgPluggableAuth_ButtonLabelMessage = 'Login';

$wgPluggableAuth_Class = 'OpenIDConnect';

# OpenIDConnect config

wfLoadExtension( 'OpenIDConnect' );

$wgPluggableAuth_Config[] = [

"My Login" => [

'plugin' => 'OpenIDConnect',

'data' => [

'providerURL' => '',

'clientID' => 'ID',

'clientsecret' => 'secret'

],

'scope' => [ 'openid', 'profile', 'email' ]

]

];

$wgOpenIDConnect_UseRealNameAsUserName = true;

# ShortURL Config

wfLoadExtension( 'ShortUrl' );

/* $wgShortUrlTemplate = '/mediawikiNEW/wiki/$1'; */

$wgArticlePath = "/mediawikiNEW/$1";

18:59, 25 August 2023 7 months ago
Cindy.cicalese (talkcontribs)
  • composer.local.json-sample In root directory of MediawikiNEW added this line "extensions/OpenIDConnect/composer.json"

You should rename this file to composer.local.json

  • composer.json In root directory of MediawikiNEW added/got added this line

You should not edit this file. Adding the line above to composer.local.json shoudl be sufficient. Then, you would need to run "composer update" or "composer install" from the root MediaWiki directory.

Please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log.

19:49, 25 August 2023 7 months ago
FrankKufer (talkcontribs)

Hello Cindy,

I followed your instructions and ran composer. However, I am still not able to use Azure AD.

When I add below block I get this error Fatal exception of type "TypeErro" when clicking on log in button

$wgPluggableAuth_Config[] = [

   'plugin' => 'OpenIDConnect',

   'data' => [

        'providerURL' => 'https://login.microsoftonline.com/id/v2.0/',

        'clientID' => 'id',

        'clientsecret' => 'secret'

    ]

];

The debug on browser shows these exceptions:

  • [rdbms] MWExceptionHandler::rollbackPrimaryChanges [0s] localhost: ROLLBACK
  • [rdbms] MWExceptionHandler::rollbackPrimaryChanges: acknowledged server-side transaction loss on localhost
  • [exception] [1d11fafe16b669e17bba17df] /mediawikinew/index.php?title=Special:UserLogin&returnto=Main+Page TypeError: method_exists(): Argument #1 ($object_or_class) must be of type object|string, array given
  • [MessageCache] MessageCache using store SqlBagOStuff


NOTES:

1- In maintenance folder I ran php update.php

2- Ran composer update after changing the composer.local.json-sample to composer.local.json 

then added "extensions/OpenIDConnect/composer.json"


3- Added to MediaWiki\Extension\PluggableAuth\PluggableAuth path the below line

"PluggableAuth": {

    "OpenIDConnect": {

        "class": "MediaWiki\\Extension\\OpenIDConnect\\OpenIDConnect",

        "services": [

           "MainConfig",

           "AuthManager",

           "OpenIDConnectStore"

        ]

    }

 }

4- Rest of LocalSettings.php config :

#PluggableAuth

wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_EnableAutoLogin = false;

$wgPluggableAuth_EnableLocalLogin = false;

$wgPluggableAuth_EnableLocalProperties = false;

$wgPluggableAuth_EnableFastLogout =false;

$wgPluggableAuth_ButtonLabelMessage = 'Login';

$wgPluggableAuth_Class = 'OpenIDConnect';

#AAD

wfLoadExtension( 'OpenIDConnect' );

$wgPluggableAuth_Config[].......................................

$wgOpenIDConnect_UseRealNameAsUserName = true;


5- Short URL is configured as well.


Please help/let me know if I am missing anything.

Thanks!

18:55, 7 November 2023 5 months ago
Cindy.cicalese (talkcontribs)

Which versions of the PluggableAuth and OpenIDConnect extensions are you using?

In 2), hopefully you added the line before you ran composer update.

I'm not sure what 3) refers to above, but it should not be necessary.

I need more information about where the exception is happening, including at least the start of the stack trace. Please refer to How to debug to see how to enable more debugging information.

You should be able to remove the following config lines:

$wgPluggableAuth_ButtonLabelMessage = 'Login';

$wgPluggableAuth_Class = 'OpenIDConnect';

19:13, 7 November 2023 5 months ago
FrankKufer (talkcontribs)

1) OpenIDConnect 7.0.1 and PluggableAuth is 7.0.0 and mediawiki is 1.40.0.

2) yes I added the line then ran composer.


Sure here is the stack trace when I added $wgShowExceptionDetails = true;

[4a9b3e88ee46f7baf2a4dbfb] /mediawikinew/index.php?title=Special:UserLogin&returnto=Main+Page TypeError: method_exists(): Argument #1 ($object_or_class) must be of type object|string, array given

Backtrace:

from /var/www/mediawikinew/extensions/PluggableAuth/includes/PrimaryAuthenticationProvider.php(88)

#0 /var/www/mediawikinew/extensions/PluggableAuth/includes/PrimaryAuthenticationProvider.php(88): method_exists()

#1 /var/www/mediawikinew/includes/auth/AuthManager.php(2272): MediaWiki\Extension\PluggableAuth\PrimaryAuthenticationProvider->getAuthenticationRequests()

#2 /var/www/mediawikinew/includes/auth/AuthManager.php(2250): MediaWiki\Auth\AuthManager->getAuthenticationRequestsInternal()

#3 /var/www/mediawikinew/includes/specialpage/AuthManagerSpecialPage.php(277): MediaWiki\Auth\AuthManager->getAuthenticationRequests()

#4 /var/www/mediawikinew/includes/specialpage/LoginSignupSpecialPage.php(147): AuthManagerSpecialPage->loadAuth()

#5 /var/www/mediawikinew/includes/specialpage/LoginSignupSpecialPage.php(238): LoginSignupSpecialPage->load()

#6 /var/www/mediawikinew/includes/specialpage/SpecialPage.php(701): LoginSignupSpecialPage->execute()

#7 /var/www/mediawikinew/includes/specialpage/SpecialPageFactory.php(1475): SpecialPage->run()

#8 /var/www/mediawikinew/includes/MediaWiki.php(327): MediaWiki\SpecialPage\SpecialPageFactory->executePath()

#9 /var/www/mediawikinew/includes/MediaWiki.php(923): MediaWiki->performRequest()

#10 /var/www/mediawikinew/includes/MediaWiki.php(576): MediaWiki->main()

#11 /var/www/mediawikinew/index.php(50): MediaWiki->run()

#12 /var/www/mediawikinew/index.php(46): wfIndexMain()

#13 {main}

19:51, 7 November 2023 5 months ago
Cindy.cicalese (talkcontribs)

What is item 3) above? That sounds like it could be interfering. It isn't clear to me where you have made that change or why. It should not be necessary.

20:59, 7 November 2023 5 months ago
FrankKufer (talkcontribs)

Great news! The issue has been resolved.

Item 3 was the problem. I reverted the changes to their default settings, and that resolved the issue.

Thank you so much for your help. I appreciate it.

18:46, 8 November 2023 5 months ago
Cindy.cicalese (talkcontribs)

Great!

18:51, 8 November 2023 5 months ago

Add a local user to mapped groupsync with identiy provider

2 comments • 05:59, 5 September 2023 7 months ago
2
Raoufgui (talkcontribs)

Hello

I implement SSO on my MW using PluggableAuth en OpenID connect and i configure the group mapping with Azure AD


Now i would like to create a Local user accout on my MW and add it to this mapped group (the accout dont exist on Azure side it will be created only on MW side)


Does it feasible plesae ? Does this user will be able to connect localy using login/pwd and have the same rights of mapped group  ?


Thanks

Reply 11:29, 31 August 2023 7 months ago
Osnard (talkcontribs)

Yes, this should be working. If you "enable local login" in PluggableAuth, such a user can authenticate directly against the wiki, rather than against Azure AD. In case of a local authentication no group sync will be applied at all, so the manually assigned groups will not be lost.

Reply 05:59, 5 September 2023 7 months ago
Reply to "Add a local user to mapped groupsync with identiy provider"

Time out in curl command using OpenIDConnect against Azur AD

3 comments • 16:48, 19 June 2023 10 months ago
3
Raoufgui (talkcontribs)

Hello

Both OpenID Connect and PluggableAuth are well configured on MW

I also correctly configure the Redirect URI and i don't have the problem of No reply address provided"


after i click on microsoft interface to login with my email i get message indicate "Erreur fatale durant l’authentification de l’utilisateur"


when i chek a log message i found a time out in curl commande


[OpenIDConnect] Jumbojett\OpenIDConnectClientException: Curl error: (28) Connection timed out after 60000 milliseconds in /MW-path-install/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php:1495


what is the probleme exactly ? does it a problem of network flow between My server and azure AD ?


Thanks

Reply 16:26, 19 June 2023 10 months ago
Cindy.cicalese (talkcontribs)

Yes, it appears to be a network configuration error.

Reply 16:37, 19 June 2023 10 months ago
Raoufgui (talkcontribs)

Thank you very much

Reply 16:48, 19 June 2023 10 months ago
Reply to "Time out in curl command using OpenIDConnect against Azur AD"

issue whene using SSO against Azure AD with PluggableAuth and OpenIDconnect

3 comments • 14:17, 16 June 2023 10 months ago
3
Raoufgui (talkcontribs)

Hello Cindy.cicalese

I need your help please !

i implement a SSO in my MW 1.39 against Azure AD

all thing work fine whene i click the login button i am redirect to microsoft interface to use email to authentificate, But whene i click on mail i get this message :


"Désolé, nous rencontrons des problèmes pour vous connecter.

AADSTS900971: No reply address provided."


i configure my redirect URI in Azure AD like this :

https://myserever/index.php/Special:PluggableAuthLogin

NB : NO SSL certificate installed on my MW server


the log show no error and it indicate that OpenIDConnect use Redirect URL


http://myserever/index.php?title=Sp%C3%A9cial:PluggableAuthLogin


[OpenIDConnect] Redirect URL: http://myserver/index.php?title=Sp%C3%A9cial:PluggableAuthLogin

[DBQuery] JobQueueDB::doGetSiblingQueuesWithJobs [0.001s] localhost: SELECT  DISTINCT job_cmd  FROM .....


which the right Redirect URI should i put  ? does i miss configuration of a plugin in my MW OR in AZURE AD side ?


I need your help please thanks

Reply Edited 21:45, 15 June 2023 10 months ago
Cindy.cicalese (talkcontribs)

I'm wondering whether the form of the redirect URL might be the problem. If you check the Known Issues, you can see:

  • Wikis that use URLs of the form https://example.org/w/index.php?title=Page_title (i.e. having the page title provided as a query parameter) will not be redirected correctly to complete the authentication flow. Instead, URLs must be of the form https://example.org/w/index.php/Page_title, which can be accomplished by using short URLs or by setting $wgArticlePath appropriately.
Reply 22:02, 15 June 2023 10 months ago
Raoufgui (talkcontribs)

HI @Cindy.cicalese

Thank you very much for reply

i tried to configure shot URL on MW but not succeed

i put this configuration in my virtualhost  :


DocumentRoot /app/httpd/www/wiki-test/current

DirectoryIndex index.php

AllowOverride ALL

RewriteEngine On

RewriteRule ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/index.php [L]

RewriteRule ^/*$ %{DOCUMENT_ROOT}/index.php [L]

i put this configuration in LocalSettings.php

$wgScriptPath = "";

$wgScriptExtension = ".php";

$wgArticlePath = "/wiki/$1";

$wgUsePathInfo = true;


I see any change, my MW still show page in this format "http://myserer/ndex.php?title=Page_tile" on the navigator

but the log show that OpenIDConnect use ,now, Redirect URL

http://signxpapp006.srv.sigma.host/wiki/Sp%C3%A9cial:PluggableAuthLogin"

[OpenIDConnect] Redirect URL: http://signxpapp006.srv.sigma.host/wiki/Sp%C3%A9cial:PluggableAuthLogin

[session] SessionBackend.......


before (in my previous comment )it was

http://myserever/index.php?title=Sp%C3%A9cial:PluggableAuthLogin


but i still have the problème AADSTS900971: No reply address provided."

i update the the reply URl on Azure AD side by the new one but i have the same problem


whereis the problem please ?


Thanks very much

Reply 14:17, 16 June 2023 10 months ago
Reply to "issue whene using SSO against Azure AD with PluggableAuth and OpenIDconnect"
Load more
Retrieved from "https://www.mediawiki.org/wiki/User_talk:Cindy.cicalese"