Topic on Extension talk:PluggableAuth

Im having issues with an OpenIDConnect setup. After signing it (doesn't matter if its first time) I am getting redirected to a page with 'Fatal error authenticating user.', at that time the site shows me as 'Anonymous'. If I then open the homepage of the wiki on Edge it shows me as signed in with the correct name, etc. and everything works as expected.

This doesnt happen if the existing cookie/token is reused and im not prompted to login.

On Chrome or Firefox it still does not show me as logged in after going to the homepage but I do a session cookie.

PluggableAuth debug log: Getting PluggableAuth instance Plugin name: OpenIDConnect In execute() Getting PluggableAuth instance Plugin name: OpenIDConnect In execute() Getting PluggableAuth instance Could not get authentication plugin instance. ERROR: return to URL is null or empty

I don't know if this will help you in this instance, but I too was having the same issue. I'm going to explain what I went through in case it helps in the right direction or helps others in future.

At first I was trying to use OpenID Connect to authorise with my self hosted Authentik. I couldn't even get redirected to the authentik log in screen, just got a 'Fatal error authenticating user.'

Today I tried using MS Entra ID, same issue.

I found in /var/log/messages that SELinux was preventing the http request. So I ran setsebool -P httpd_can_network_connect 1

Now when I try to login I actually get to the MS login screen, and then get redirected back after successful auth. I can see the successful auths in the Entra portal too.

However, I still got 'Fatal error authenticating user.'

I disabled SELinux as a test to see if maybe it was blocking more things, but same issue remains, re-enabled SELinux.

At this point I was out of ideas but found SELinux was also preventing me from writing a debug.log using $wgDebugLogFile = "$IP/debug.log";

Sorted that out and could then grep the log for PluggableAuth|OpenIDConnect and I see the same logline as OP.

[PluggableAuth] ERROR: return to URL is null or empty

but slightly earlier in the log I also saw my Layer8 issue.

[OpenIDConnect] Jumbojett\OpenIDConnectClientException: bla: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'my-app-id-redacted'.

I was indeed using the wrong value here. Once I entered the right value, everything is working as expected.