About this board


Previous discussion was archived at User talk:Cindy.cicalese/Archive 1 on 2017-03-17.

Tommy Kronkvist (talkcontribs)
Cindy.cicalese (talkcontribs)

Thank you! Fixed!

Reply to "LinkedIn link"

OpenIDConnect Authentication Issue

Summary by Cindy.cicalese

Not enough information was provided to debug. Feel free to reopen with more information.

(talkcontribs)

We are using Microsoft Azure Entra ID but are getting a Fatal Authentication Error on the MediaWiki end. We have followed the steps given in the Extension:OpenID Connect documentation.

We have done the following configuration in MediaWiki's LocalSettings.php:

wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'OpenIDConnect' );

$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://login.microsoftonline.com/XXXXXXXXXX',
        'clientID' => 'XXXXXXXXXXXXXXXXX',
        'clientsecret' => 'XXXXXXXXXXXXXXXXXXX'
    ]
];

$wgOpenIDConnect_UseRealNameAsUserName = true;

Please help us to solve this issue as it is very urgent.



Cindy.cicalese (talkcontribs)

When reporting an error, please be sure to include version information for MediaWiki and all relevant extensions as well as configuration information. Also, please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log.

Changing to another OIDC provider

Summary by Cindy.cicalese

Fixed in OpenID Connect version 7.0.2.

Vajdaz (talkcontribs)

Hi Cindy,

I just posted a question on the MediaWiki Support Desk, but then realized that this may be a better place for the question. Could you please have a look?

Regards, Zoltan

Summary by Cindy.cicalese

Fixed configuration settings.

FrankKufer (talkcontribs)

Hi Cindy, I have an issue setting up ShortUrl using $wgArticlePath. Following the documentation I was able to create the short URL, but I get a 404 error. Please let me know if there is a fix for this.

Below are my configurations:

My Folder name and Url is set to "mediawikinew"

In my LocalSettings.php File I have set

$wgScriptPath = "/mediawikinew";

$wgArticlePath = "/mediawikinew/$1";

$wgUsePathInfo = true;

My Nginx for mediawiki conf is set to this


server {
    listen 80;
    listen [::]:80;
    server_name mediwikinew;
    root /var/www/mediawikinew;
    index index.php;
    error_log /var/log/nginx/mediawikinew.error;
    access_log /var/log/nginx/mediawikinew.access;

    location / {
        try_files $uri $uri/ /index.php;
        #try_files $uri $uri/ @mediawikinew;
    }

    location ~ /.well-known {
        allow all;
    }

    location ~ /\.ht {
        deny all;
    }

    location /mediawikinew/ {
        #rewrite ^/mediawikinew/(?<pagename>.*)$ /mediawikinew/index.php;
        rewrite ^/mediawikinew/([^\?]*) /mediawikinew/index.php?title=$1&$args last;
    }

    location = / {
        return 301 /mediawikinew/Main_Page;
    }

    location ~ ^/mediawikinew/(index|load|api|thumb|opensearch_desc|rest|img_auth)\.php$ {
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        #fastcgi_param SCRIPT_FILENAME $document_root/index.php;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
        include snippets/fastcgi-php.conf;
    }

    location /mediawikinew/images/deleted {
        # Deny access to deleted images folder
        deny all;
    }

    location /mediawikinew/images {
        # Separate location for images/ so .php execution won't apply
    }

    location ~ ^/mediawikinew/resources/(assets|lib|src) {
        try_files $uri =404;
        add_header Cache-Control "public";
        expires 7d;
    }

    location ~ ^/mediawikinew/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg|png|svg|wasm|ttf|woff|woff2)$ {
        try_files $uri =404;
        add_header Cache-Control "public";
        expires 7d;
    }

    location = /favicon.ico {
        alias /mediawikinew/images/6/64/Favicon.ico;
        add_header Cache-Control "public";
        expires 7d;
    }

    location ~ ^/mediawikinew/(COPYING|CREDITS)$ {
        default_type text/plain;
    }

    location /mediawikinew/rest.php/ {
        try_files $uri $uri/ /mediawikinew/rest.php?$query_string;
    }
}



FrankKufer (talkcontribs)

This topic is resolved.

Mediawiki not Directing to AzureAD

Summary by Cindy.cicalese

Fixed configuration settings.

FrankKufer (talkcontribs)

Hi Cindy,

I hope you are doing well. I am trying to set up OpenIDConnect with PluggableAuth to use Azure AD. However, I'm facing an issue where, upon attempting to log in to MediaWiki, I am not directed to Azure for authentication. Instead, I receive the message "The supplied credentials could not be authenticated." I'm not sure what I am missing in this setup. I have already ensured that the tenant ID, Client Secret, and Client ID are all correctly set. Files that I configured:

  • composer.local.json-sample In root directory of MediawikiNEW added this line "extensions/OpenIDConnect/composer.json"
  • composer.json In root directory of MediawikiNEW added/got added this line

"jumbojett/openid-connect-php": "^0.9.10"

  • Below is my LocalSettings.php:
FrankKufer (talkcontribs)


error_reporting( E_ALL );
ini_set( 'display_errors', 1 );

# Protect against web entry
if ( !defined( 'MEDIAWIKI' ) ) {
    exit;
}

$wgSitename = "My Website Name";
$wgMetaNamespace = "My_Website_Name";
$wgScriptPath = "/mediawikiNEW";
$wgServer = "";
$wgResourceBasePath = $wgScriptPath;

$wgLogos = [
    '1x' => "$wgResourceBasePath/resources/assets/change-your-logo.svg",
    'icon' => "$wgResourceBasePath/resources/assets/change-your-logo-icon.svg",
];

$wgEnableEmail = true;
$wgEnableUserEmail = true; # UPO
$wgEmergencyContact = "";
$wgPasswordSender = "";
$wgEnotifUserTalk = false; # UPO
$wgEnotifWatchlist = false; # UPO
$wgEmailAuthentication = true;

## Database settings
$wgDBtype = "mysql";
$wgDBserver = "localhost";
$wgDBname = "myDatabse";
$wgDBuser = "mediaUser";
$wgDBpassword = "Password";

# MySQL specific settings
$wgDBprefix = "";

# MySQL table options to use during installation or update
$wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=binary";

# Shared database table
# This has no effect unless $wgSharedDB is also set.
$wgSharedTables[] = "actor";

## Shared memory settings
$wgMainCacheType = CACHE_NONE;
/* $wgMainCacheType = CACHE_ACCEL;
$wgSessionCacheType = CACHE_DB; */
$wgMemCachedServers = [];

$wgEnableUploads = true;
$wgUseImageMagick = true;
$wgImageMagickConvertCommand = "/usr/bin/convert";
$wgUseInstantCommons = false;
$wgPingback = true;
$wgLanguageCode = "en";

# Time zone
$wgLocaltimezone = "America/New_York";

$wgSecretKey = "SercretKey";

# Changing this will log out all existing sessions.
$wgAuthenticationTokenVersion = "1";

# Site upgrade key. Must be set to a string (default provided) to turn on the
# web installer while LocalSettings.php is in place
$wgUpgradeKey = "UpgradeKey";

$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
$wgRightsUrl = "";
$wgRightsText = "";
$wgRightsIcon = "";

# Path to the GNU diff3 utility. Used for conflict resolution.
$wgDiff3 = "/usr/bin/diff3";

# The following permissions were set based on your choice in the installer
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = false;

## Default skin: you can change the default skin. Use the internal symbolic
## names, e.g. 'vector' or 'monobook':
$wgDefaultSkin = "vector";

# Enabled skins.
# The following skins were automatically enabled:
wfLoadSkin( 'MinervaNeue' );
wfLoadSkin( 'MonoBook' );
wfLoadSkin( 'Timeless' );
wfLoadSkin( 'Vector' );

# visual editor
wfLoadExtension( 'VisualEditor' );
$wgDefaultUserOptions['visualeditor-editor'] = "visualeditor";
$wgHiddenPrefs[] = 'visualeditor-enable';

# create page
wfLoadExtension( 'CreatePageUw' );
$wgCreatePageUwUseVE = true;

### Azure directory extensions or config
$wgGroupPermissions['*']['createaccount'] = true;
$wgGroupPermissions['*']['autocreateaccount'] = true;

wfLoadExtension( 'PluggableAuth' );
$wgPluggableAuth_EnableAutoLogin = false;
$wgPluggableAuth_EnableLocalLogin = false;           # if this set to true allows local login without azure auth
$wgPluggableAuth_EnableLocalProperties = false;
$wgPluggableAuth_EnableFastLogout = true;
$wgPluggableAuth_ButtonLabelMessage = 'Login';
$wgPluggableAuth_Class = 'OpenIDConnect';

# OpenIDConnect config
wfLoadExtension( 'OpenIDConnect' );

$wgPluggableAuth_Config[] = [
    "My Login" => [
        'plugin' => 'OpenIDConnect',
        'data' => [
            'providerURL' => '',
            'clientID' => 'ID',
            'clientsecret' => 'secret'
        ],
        'scope' => [ 'openid', 'profile', 'email' ]
    ]
];

$wgOpenIDConnect_UseRealNameAsUserName = true;

# ShortURL Config
wfLoadExtension( 'ShortUrl' );
/* $wgShortUrlTemplate = '/mediawikiNEW/wiki/$1'; */
$wgArticlePath = "/mediawikiNEW/$1";

Cindy.cicalese (talkcontribs)
  • composer.local.json-sample In root directory of MediawikiNEW added this line "extensions/OpenIDConnect/composer.json"

You should rename this file to composer.local.json

  • composer.json In root directory of MediawikiNEW added/got added this line

You should not edit this file. Adding the line above to composer.local.json should be sufficient. Then, you would need to run "composer update" or "composer install" from the root MediaWiki directory.

Please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log.

FrankKufer (talkcontribs)

Hello Cindy,

I followed your instructions and ran composer. However, I am still not able to use Azure AD.

When I add the block below, I get this error when clicking on the log in button: Fatal exception of type "TypeError"

$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://login.microsoftonline.com/id/v2.0/',
        'clientID' => 'id',
        'clientsecret' => 'secret'
    ]
];



The debug on browser shows these exceptions:

  • [rdbms] MWExceptionHandler::rollbackPrimaryChanges [0s] localhost: ROLLBACK
  • [rdbms] MWExceptionHandler::rollbackPrimaryChanges: acknowledged server-side transaction loss on localhost
  • [exception] [1d11fafe16b669e17bba17df] /mediawikinew/index.php?title=Special:UserLogin&returnto=Main+Page TypeError: method_exists(): Argument #1 ($object_or_class) must be of type object|string, array given
  • [MessageCache] MessageCache using store SqlBagOStuff


1- In maintenance folder I ran php update.php

2- Ran composer update after changing the composer.local.json-sample to composer.local.json

then added "extensions/OpenIDConnect/composer.json"

3- Added to MediaWiki\Extension\PluggableAuth\PluggableAuth path the below line

"PluggableAuth": {

    "OpenIDConnect": {

        "class": "MediaWiki\\Extension\\OpenIDConnect\\OpenIDConnect",

        "services": [







4- Rest of LocalSettings.php config :


wfLoadExtension( 'PluggableAuth' );
$wgPluggableAuth_EnableAutoLogin = false;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_EnableLocalProperties = false;
$wgPluggableAuth_EnableFastLogout = false;
$wgPluggableAuth_ButtonLabelMessage = 'Login';
$wgPluggableAuth_Class = 'OpenIDConnect';

wfLoadExtension( 'OpenIDConnect' );

$wgOpenIDConnect_UseRealNameAsUserName = true;

5- Short URL is configured as well.

Please help/let me know if I am missing anything.


Cindy.cicalese (talkcontribs)

Which versions of the PluggableAuth and OpenIDConnect extensions are you using?

In 2), hopefully you added the line before you ran composer update.

I'm not sure what 3) refers to above, but it should not be necessary.

I need more information about where the exception is happening, including at least the start of the stack trace. Please refer to How to debug to see how to enable more debugging information.

You should be able to remove the following config lines:

$wgPluggableAuth_ButtonLabelMessage = 'Login';

$wgPluggableAuth_Class = 'OpenIDConnect';

FrankKufer (talkcontribs)

1) OpenIDConnect 7.0.1 and PluggableAuth is 7.0.0 and mediawiki is 1.40.0.

2) yes I added the line then ran composer.

Sure here is the stack trace when I added $wgShowExceptionDetails = true;

[4a9b3e88ee46f7baf2a4dbfb] /mediawikinew/index.php?title=Special:UserLogin&returnto=Main+Page TypeError: method_exists(): Argument #1 ($object_or_class) must be of type object|string, array given

from /var/www/mediawikinew/extensions/PluggableAuth/includes/PrimaryAuthenticationProvider.php(88)
#0 /var/www/mediawikinew/extensions/PluggableAuth/includes/PrimaryAuthenticationProvider.php(88): method_exists()
#1 /var/www/mediawikinew/includes/auth/AuthManager.php(2272): MediaWiki\Extension\PluggableAuth\PrimaryAuthenticationProvider->getAuthenticationRequests()
#2 /var/www/mediawikinew/includes/auth/AuthManager.php(2250): MediaWiki\Auth\AuthManager->getAuthenticationRequestsInternal()
#3 /var/www/mediawikinew/includes/specialpage/AuthManagerSpecialPage.php(277): MediaWiki\Auth\AuthManager->getAuthenticationRequests()
#4 /var/www/mediawikinew/includes/specialpage/LoginSignupSpecialPage.php(147): AuthManagerSpecialPage->loadAuth()
#5 /var/www/mediawikinew/includes/specialpage/LoginSignupSpecialPage.php(238): LoginSignupSpecialPage->load()
#6 /var/www/mediawikinew/includes/specialpage/SpecialPage.php(701): LoginSignupSpecialPage->execute()
#7 /var/www/mediawikinew/includes/specialpage/SpecialPageFactory.php(1475): SpecialPage->run()
#8 /var/www/mediawikinew/includes/MediaWiki.php(327): MediaWiki\SpecialPage\SpecialPageFactory->executePath()
#9 /var/www/mediawikinew/includes/MediaWiki.php(923): MediaWiki->performRequest()
#10 /var/www/mediawikinew/includes/MediaWiki.php(576): MediaWiki->main()
#11 /var/www/mediawikinew/index.php(50): MediaWiki->run()
#12 /var/www/mediawikinew/index.php(46): wfIndexMain()
#13 {main}

Cindy.cicalese (talkcontribs)

What is item 3) above? That sounds like it could be interfering. It isn't clear to me where you have made that change or why. It should not be necessary.

FrankKufer (talkcontribs)

Great news! The issue has been resolved.

Item 3 was the problem. I reverted the changes to their default settings, and that resolved the issue.

Thank you so much for your help. I appreciate it.

Cindy.cicalese (talkcontribs)


Add a local user to mapped groupsync with identity provider

Raoufgui (talkcontribs)


I implemented SSO on my MW using PluggableAuth and OpenID Connect, and I configured the group mapping with Azure AD.

Now I would like to create a local user account on my MW and add it to this mapped group (the account doesn't exist on the Azure side; it will be created only on the MW side).

Is it feasible, please? Will this user be able to connect locally using login/pwd and have the same rights as the mapped group?


Osnard (talkcontribs)

Yes, this should be working. If you "enable local login" in PluggableAuth, such a user can authenticate directly against the wiki, rather than against Azure AD. In case of a local authentication no group sync will be applied at all, so the manually assigned groups will not be lost.

Reply to "Add a local user to mapped groupsync with identity provider"

Permission error after login on MW with SSO

Raoufgui (talkcontribs)


@Cindy.cicalese First, I would like to thank you very much for your support. Finally I can implement SSO with Azure AD using OpenIDConnect and PluggableAuth_Config.

Now, after login, I have a permission error:

You do not have permission to read this page, for the following reason:

The action you have requested is limited to users in one of the groups: Administrators, app_wiki_usr

Actually, I have the group "app_wiki_usr" on my MW and it has the "READ" permission:

$wgGroupPermissions['app_wiki_usr']['read'] = true;

1- Should I create the same group on Azure AD and add users to it?

2- For group mapping, do you confirm that I should add to $wgPluggableAuth_Config ONLY the lines below?

'groupsyncs' => [
    [
        'type' => 'mapped',
        'map' => [
            'app_wiki_usr' => [ 'groups' => 'app_wiki_usr' ],
        ]
    ]
]




Have a nice day

Cindy.cicalese (talkcontribs)

I'm so glad you've gotten it working. If there was anything that you had to do that was accurately represented in the instructions on the extension wiki page, please update it.

The answer to your question depends on where you want your system administrator to manage the user permissions: in the wiki or in Azure AD. Either would work. If you want to administer the permissions in the wiki, a user with bureaucrat permissions would do so on page Special:UserRights. If you want to administer the permissions in Azure AD, you would add the code you indicate above or similar. What I do not know is what attribute name the group information will be provided in by Azure AD. 'groups' is a popular choice. You will need to make sure whatever attribute name is provided in Azure AD matches what is in the config snippet above.

Raoufgui (talkcontribs)

Hello @Cindy.cicalese

Yes, I will update the pages that need to be updated.

Excuse me, I have some confusion about what you said.

For me, permissions will be administered from the Azure AD side.

The group created on Azure AD by the AD administrator is named "DSI - Wiki - USER"; it contains all users allowed to connect to MW.

In MW we have a group named "app_wiki_usr":

$wgGroupPermissions['app_wiki_usr']['read'] = true;

1- What do you mean, please, by attribute name? Is it the Objecttype, and how do I get it?

2- Should I have the same group name in MW and Azure AD?

3- Second, to configure the mapping, what should I put on this line?

' (which group AD or MW)' => [ 'attribute name of AD group "DSI - Wiki - USER"' => '(which group AD or MW)' ],


Cindy.cicalese (talkcontribs)

1) When the groups are synchronized between Azure AD and MediaWiki, the MediaWiki code will request the attributes provided by Azure AD. What is in the response depends upon how Azure AD is configured. The group information will be in the structure that is returned as the response to that request. The attribute name that is used to index into the resulting data structure is what you will need. If you don't know what is in that structure, you could add some debugging to https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/PluggableAuth/+/refs/heads/master/includes/Group/GroupProcessorRunner.php#51 to show what is returned in pluginAttributes.

2) It does not matter whether those names are the same.

3) <name of MW group> => [ <name of AD attribute> => <name of AD group> ]

<name of MW group> is the name you want the group to have on the MW side

<name of AD attribute> is the attribute name referred to in 1) above

<name of AD group> is the name of the group in AD that you want to have mapped to the MW group
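
The mapping rule from the reply above, applied to the group names used in this thread, as an added example that is not PluggableAuth's own code. The attribute name 'groups', the helper resolveMappedGroups(), the sample attribute sets, and the rule that an unmatched mapped group is removed are assumptions made for illustration.

```php
<?php
// Added illustration; NOT PluggableAuth's implementation.

// LocalSettings.php shape, inside the $wgPluggableAuth_Config entry:
//   <name of MW group> => [ <name of AD attribute> => <name of AD group> ]
// Assumption: Azure AD delivers group names in an attribute called 'groups'.
$groupsyncs = [
	[
		'type' => 'mapped',
		'map' => [
			'app_wiki_usr' => [ 'groups' => 'DSI - Wiki - USER' ],
		],
	],
];

/**
 * Hypothetical helper: decide which mapped MW groups one login gains or loses.
 * Assumption: a mapped group whose criteria no longer match is removed;
 * groups that do not appear in the map are never touched.
 */
function resolveMappedGroups( array $map, array $attributes ): array {
	$add = [];
	$remove = [];
	foreach ( $map as $mwGroup => $criteria ) {
		$matched = false;
		foreach ( $criteria as $attrName => $wanted ) {
			if ( !array_key_exists( $attrName, $attributes ) ) {
				continue; // the provider did not send this attribute name
			}
			// Providers send a single string or a list; compare as lists.
			$have = (array)$attributes[$attrName];
			if ( array_intersect( (array)$wanted, $have ) ) {
				$matched = true;
				break;
			}
		}
		if ( $matched ) {
			$add[] = $mwGroup;
		} else {
			$remove[] = $mwGroup;
		}
	}
	return [ 'add' => $add, 'remove' => $remove ];
}

// Constructed attribute sets, standing in for what the provider returns.
$cases = [
	'name sent under "groups"' => [ 'groups' => [ 'DSI - Wiki - USER', 'Other' ] ],
	'sent under another attribute' => [ 'roles' => [ 'DSI - Wiki - USER' ] ],
	'object ID sent, not the name' => [ 'groups' => [ '00000000-0000-0000-0000-000000000000' ] ],
];

foreach ( $cases as $label => $attributes ) {
	$result = resolveMappedGroups( $groupsyncs[0]['map'], $attributes );
	printf( "%-30s add=[%s] remove=[%s]\n", $label,
		implode( ',', $result['add'] ), implode( ',', $result['remove'] ) );
}
```

Only the first case yields app_wiki_usr; the other two show how a mismatched attribute name or value leaves the user without the group.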

Raoufgui (talkcontribs)

Thanks a lot, it works now.

Cindy.cicalese (talkcontribs)


Reply to "Permission error after login on MW with SSO"

Time out in curl command using OpenIDConnect against Azure AD

Raoufgui (talkcontribs)


Both OpenID Connect and PluggableAuth are well configured on MW.

I also correctly configured the Redirect URI and I don't have the problem of "No reply address provided".

After I click on the Microsoft interface to log in with my email, I get a message indicating "Erreur fatale durant l’authentification de l’utilisateur".

When I checked the log messages, I found a timeout in the curl command:

[OpenIDConnect] Jumbojett\OpenIDConnectClientException: Curl error: (28) Connection timed out after 60000 milliseconds in /MW-path-install/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php:1495

What is the problem exactly? Is it a problem of network flow between my server and Azure AD?


Cindy.cicalese (talkcontribs)

Yes, it appears to be a network configuration error.

Raoufgui (talkcontribs)

Thank you very much

Reply to "Time out in curl command using OpenIDConnect against Azure AD"

Issue when using SSO against Azure AD with PluggableAuth and OpenIDConnect

Raoufgui (talkcontribs)

Hello Cindy.cicalese

I need your help please !

I implemented SSO in my MW 1.39 against Azure AD.

Everything works fine: when I click the login button I am redirected to the Microsoft interface to use my email to authenticate. But when I click on the email I get this message:

"Désolé, nous rencontrons des problèmes pour vous connecter.

AADSTS900971: No reply address provided."

I configured my redirect URI in Azure AD like this:


NB: No SSL certificate is installed on my MW server.

The log shows no error and it indicates that OpenIDConnect uses this Redirect URL:


[OpenIDConnect] Redirect URL: http://myserver/index.php?title=Sp%C3%A9cial:PluggableAuthLogin

[DBQuery] JobQueueDB::doGetSiblingQueuesWithJobs [0.001s] localhost: SELECT  DISTINCT job_cmd  FROM .....

Which is the right Redirect URI that I should put? Am I missing the configuration of a plugin in my MW or on the Azure AD side?

I need your help, please. Thanks.

Cindy.cicalese (talkcontribs)

I'm wondering whether the form of the redirect URL might be the problem. If you check the Known Issues, you can see:

  • Wikis that use URLs of the form https://example.org/w/index.php?title=Page_title (i.e. having the page title provided as a query parameter) will not be redirected correctly to complete the authentication flow. Instead, URLs must be of the form https://example.org/w/index.php/Page_title, which can be accomplished by using short URLs or by setting $wgArticlePath appropriately.
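
A check for the URL form named in the Known Issues item above, run over a "Redirect URL" debug line like the one quoted earlier in this thread. This is an added example, not code from the extension; the helper names and the https and percent-encoding checks are additions made here.

```php
<?php
// Added illustration; not part of the OpenID Connect or PluggableAuth extensions.

/** Pull the URL out of an "[OpenIDConnect] Redirect URL: ..." debug log line. */
function extractRedirectUrl( string $logLine ): ?string {
	if ( preg_match( '/^\[OpenIDConnect\] Redirect URL:\s*(\S+)/', $logLine, $m ) ) {
		return $m[1];
	}
	return null;
}

/** Hypothetical helper: list properties of a redirect URL worth checking. */
function checkRedirectUrl( string $url ): array {
	$parts = parse_url( $url );
	if ( $parts === false || !isset( $parts['scheme'], $parts['host'] ) ) {
		return [ 'not an absolute URL' ];
	}
	$findings = [];

	// Known Issues item: the page title must not travel as ?title=...
	parse_str( $parts['query'] ?? '', $query );
	if ( isset( $query['title'] ) ) {
		$findings[] = 'page title is a query parameter; use short URLs or $wgArticlePath';
	}

	// Microsoft's identity platform accepts http:// redirect URIs only for localhost.
	$isLocal = in_array( strtolower( $parts['host'] ), [ 'localhost', '127.0.0.1' ], true );
	if ( strtolower( $parts['scheme'] ) !== 'https' && !$isLocal ) {
		$findings[] = 'scheme is not https';
	}

	// OIDC compares redirect_uri with the registered value as plain strings,
	// so a localized, percent-encoded page name must be registered in that exact form.
	if ( preg_match( '/%[0-9A-Fa-f]{2}/', $url ) ) {
		$findings[] = 'percent-encoded characters; register this exact string';
	}
	return $findings;
}

// The first line is quoted from this thread; the others are constructed.
$logLines = [
	'[OpenIDConnect] Redirect URL: http://myserver/index.php?title=Sp%C3%A9cial:PluggableAuthLogin',
	'[OpenIDConnect] Redirect URL: https://example.org/w/index.php/Special:PluggableAuthLogin',
	'[DBQuery] JobQueueDB::doGetSiblingQueuesWithJobs [0.001s] localhost: SELECT ...',
];

foreach ( $logLines as $line ) {
	$url = extractRedirectUrl( $line );
	if ( $url === null ) {
		continue; // not a redirect URL line
	}
	$findings = checkRedirectUrl( $url );
	echo $url, "\n  ", $findings ? implode( "\n  ", $findings ) : 'no findings', "\n";
}
```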
Raoufgui (talkcontribs)

Hi @Cindy.cicalese

Thank you very much for the reply.

I tried to configure short URLs on MW but did not succeed.

I put this configuration in my virtualhost:

DocumentRoot /app/httpd/www/wiki-test/current

DirectoryIndex index.php

AllowOverride ALL

RewriteEngine On

RewriteRule ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/index.php [L]

RewriteRule ^/*$ %{DOCUMENT_ROOT}/index.php [L]

I put this configuration in LocalSettings.php:

$wgScriptPath = "";

$wgScriptExtension = ".php";

$wgArticlePath = "/wiki/$1";

$wgUsePathInfo = true;

I see no change; my MW still shows pages in this format "http://myserer/ndex.php?title=Page_tile" in the browser,

but the log shows that OpenIDConnect now uses this Redirect URL:


[OpenIDConnect] Redirect URL: http://signxpapp006.srv.sigma.host/wiki/Sp%C3%A9cial:PluggableAuthLogin

[session] SessionBackend.......

Before (in my previous comment) it was


but I still have the problem "AADSTS900971: No reply address provided."

I updated the reply URL on the Azure AD side with the new one, but I have the same problem.

Where is the problem, please?

Thanks very much

Reply to "Issue when using SSO against Azure AD with PluggableAuth and OpenIDConnect"

your last commit to mediawiki-extensions-PluggableAuth

2003:CF:3F45:F800:B7B5:5EDD:ABA6:1EEF (talkcontribs)

Hi Cindy,

I have a question about your code in PluggableAuth. I do not understand why you make the concatenation 'PluggableAuth' . $plugin in initConfig() in PluggableAuthFactory.php. Because if I add the name of the plugin with $wgPluggableAuth_Config, e.g. LDAPAuthentication2, then I would expect to search for LDAPAuthentication2 and not for PluggableAuthLDAPAuthentication2 in the config. What is the reason behind that? I stumbled upon that because my settings were not working.



Cindy.cicalese (talkcontribs) (talkcontribs)

Thank you for the fast reply. Your answer helped me a lot but I have now the problem to figure out which version of LDAPAuthentication2 fits to which version of PluggableAuth. In LDAPAuthentication2, extension.json says that the extension PluggableAuth is required in version * which seems to be wrong and not helpful. Do you have a suggestion which versions work together?

Cindy.cicalese (talkcontribs)
Reply to "your last commit to mediawiki-extensions-PluggableAuth"