Jump to content

User talk:Cindy.cicalese/Flow

About this board

Cindy.cicalese

Previous discussion was archived at User talk:Cindy.cicalese/Archive 1 on 2017-03-17.

OpenID Connect Extension - Infinite Redirects

2
HadleySo (talkcontribs)

Hi Cindy - before I dive in I wanted to thank you for writing the OpenID Connect (and PluggableAuth) extension.

I'm looking for some help debugging an issue with OIDC. Like the title, I'm experiencing a redirect loop after my SSO provider redirects to Special:PluggableAuthLogin. My SSO provider and Special:PluggableAuthLogin redirect back and forth to each other infinitely.

It looks like my SSO provider (Keycloak) is sending the correct query parameters back to PluggableAuthLogin.

I'm running: MW 1.39.10; PluggableAuth 7.1.0 (db07c04); OpenID Connect 8.0.3 (0cd85ca)


Here is a debug log too: Topic:Yg0wtew7lklqijwy

HadleySo (talkcontribs)

Solved it - there was a issue in the web server config for Manual:Short_URL. A few other Special pages were not working either.

Reply to "OpenID Connect Extension - Infinite Redirects"

problem with AzureAD and OpenID Connect plugin for MediaWiki.

1
202.27.76.251 (talkcontribs)
Reply to "problem with AzureAD and OpenID Connect plugin for MediaWiki."

PluggableAuth unexpectedly throws if no $username returned from authenticate() but $id only

6
MidnightLG (talkcontribs)

Hi! I'm developing a new auth plugin (custom protocol) using PluggableAuth 7.1.0 on MediaWiki 1.41.1.

In method authenticate() if Wiki have no user in DB, the method returns $username, etc. It works. But for existing user I return the $id only which cause the plugin PluggableAuth to throw an Exception.

TypeError: MediaWiki\User\UserFactory::newFromName(): Argument #1 ($name) must be of type string, null given, called in /var/www/html/extensions/PluggableAuth/includes/PrimaryAuthenticationProvider.php on line 161

Why returning $username is mandatory for the existing user? I think there's no reason for it.

The root cause is in PluggableAuthLogin.php lines 124-126

$this->authManager->setAuthenticationSessionData( self::USERNAME_SESSION_KEY, $username );

$this->authManager->setAuthenticationSessionData( self::REALNAME_SESSION_KEY, $realname );

$this->authManager->setAuthenticationSessionData( self::EMAIL_SESSION_KEY, $email );

You're picking the wrong data here returned from authenticate() instead of already fetched by id $user.

The fix might be like this:

$this->authManager->setAuthenticationSessionData( self::USERNAME_SESSION_KEY, $user->getName() );

$this->authManager->setAuthenticationSessionData( self::REALNAME_SESSION_KEY, $user->getRealName() );

$this->authManager->setAuthenticationSessionData( self::EMAIL_SESSION_KEY, $user->getEmail() );

I tested, it fixes the above Exception. Thank you!

Cindy.cicalese (talkcontribs)

If you look at the code of User::getName(), User::getRealName(), and User::getEmail(), they all do quite a bit more than just return the relevant values. It looks like $user->mName, $user->mRealName, and $user->email could be used instead.

MidnightLG (talkcontribs)

Sure, that's up to you. Thanks!

MidnightLG (talkcontribs)

Any chance to get it fixed with some future version?

Cindy.cicalese (talkcontribs)
MidnightLG (talkcontribs)

Sorry, I neither have a plan to join the Development Community nor study how Phabricator works. I hope that you agree with the above report and fix that sooner or later. For now I applied a workaround to avoid the issue.

Reply to "PluggableAuth unexpectedly throws if no $username returned from authenticate() but $id only"

Permission error after login on MW with SSO

7
Raoufgui (talkcontribs)

Hello

@Cindy.cicalese first i woulk like to thank you very much for your support, finally i can implement SSO with AD Azure using OpenIDConnect and PluggableAuth_Config.


Now after login i have permission error

You do not have permission to read this page, for the following reason:

The action you have requested is limited to users in one of the groups: Administrators, app_wiki_usr

Acutally i have the groupe "app_wiki_usr" on my MW and it has a "READ" permission

$wgGroupPermissions['app_wiki_usr']['read'] = true;

1- should I create the same groupe on Azure AD and add users to IT ?

2- for mapping group do you confirm that I should add on $wgPluggableAuth_Config ONYLY this lines bellow  ?

'groupsyncs' => [

     [

       'type' => 'mapped',

       'map' => [

         'app_wiki_usr' => [ 'groups' => 'app_wiki_usr' ],

       ]

     ]

   ];


Have a nice day

Cindy.cicalese (talkcontribs)

I'm so glad you've gotten it working. If there was anything that you had to do that was accurately represented in the instructions on the extension wiki page, please update it.

The answer to your question depends on where you want you system administrator to manage the user permissions: in the wiki or in Azure AD. Either would work. If you want to administer the permissions in the wiki, a user with bureaucrat permissions would do so on page Special:UserRights. If you want to administer the permissions in Azure AD, you would add the code you indicate above or similar. What I do not know is what attribute name the group information will be provided in by Azure AD. 'groups' is a popular choice. You will need to make sure whatever attribute name is provided in Azure AD matches what is in the config snippet above.

Raoufgui (talkcontribs)

Hello @Cindy.cicalese

Yes i will update pages that need to be updated.

excuse me i have some confusion from what you said

for me permission will be administrated from Azure AD Side

the group created on Azure Ad by Ad administrator is named "DSI - Wiki - USER", it contains all user allowed to connect to MW

in MW we have a group named "app_wiki_usr"

$wgGroupPermissions['app_wiki_usr']['read'] = true;


1- what do you mean please by attribute name does it the Objecttype and how to get it  ?

2- should i have the same name of group in MW and Azure AD ?


3-second configure the mapping , here what should i put at this line  ?


' (which group AD or MW)' => [ 'attribute name of AD group "DSI - Wiki - USER"' => '(which group AD or MW)' ],


Thanks

Cindy.cicalese (talkcontribs)

1) When the groups are synchronized between Azure AD and MediaWiki, the MediaWiki code will request the attributes provided by Azure AD. What is in the response depends upon how Azure AD is configured. The group information will be in the structure that is returned as the response to that request. The attribute name that is used to index into the resulting data structure is what you will need. If you don't know what is in that structure, you could add some debugging to https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/PluggableAuth/+/refs/heads/master/includes/Group/GroupProcessorRunner.php#51 to show what is returned in pluginAttributes.

2) It does not matter whether those names are the same.

3) <name of MW group> => [ <name of AD attribute> => <name of AD group> ]

<name of MW group> is the name you want the group to have on the MW side

<name of AD attribute> is the attribute name referred to in 1) above

<name of AD group> is the name of the group in AD that you want to have mapped to the MW group

Raoufgui (talkcontribs)

Thanks a lot it work now

Cindy.cicalese (talkcontribs)

Great!

Wikiphpnoob (talkcontribs)

@RakingTheLeaves

perhaps i'm being premature in tagging you here without putting the above to the test.... but perhaps also, this is worth a read through?

Reply to "Permission error after login on MW with SSO"
Tommy Kronkvist (talkcontribs)
Cindy.cicalese (talkcontribs)

Thank you! Fixed!

Reply to "LinkedIn link"

OpenIDConnect Authentication Issue

2
Summary by Cindy.cicalese

Not enough information was provided to debug. Feel free to reopen with more information.

49.43.224.61 (talkcontribs)

We are using Microsoft Azure Entra ID but getting Fatal Authentication  Error at mediawiki end.  We have followed the steps given at Extension:OpenID Connect documentation.

We have done following configuration at mediawiki LocalSettings.php  :-

wfLoadExtension( 'PluggableAuth' );

wfLoadExtension( 'OpenIDConnect' );

$wgPluggableAuth_Config[] = [

    'plugin' => 'OpenIDConnect',

    'data' => [

        'providerURL' => 'https://login.microsoftonline.com/XXXXXXXXXX

        'clientID' => 'XXXXXXXXXXXXXXXXX',

        'clientsecret' => 'XXXXXXXXXXXXXXXXXXX'

    ]

];

$wgOpenIDConnect_UseRealNameAsUserName = true;


Please help us to solve this issue as it is very urgent.


Thanks

Extension:OpenID Connect - MediaWiki

Cindy.cicalese (talkcontribs)

When reporting an error, please be sure to include version information for MediaWiki and all relevant extensions as well as configuration information. Also, please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log.

Changing to another OIDC provider

1
Summary by Cindy.cicalese

Fixed in OpenID Connect version 7.0.2.

Vajdaz (talkcontribs)

Hi Cindy,

I just posted a queston on the MediaWiki Support Desk, but then realized, that this maybe is a better place for the question. Could you please have a look?

Regards, Zoltan

Summary by Cindy.cicalese

Fixed configuration settings.

FrankKufer (talkcontribs)

Hi Cindy, I have an issue setting up ShortUrl using $wgArticlePath. Following the documentation I was able to create the short url but I get 404 error. Please let me know if there is a fix for this.

Below are my configurations:


My Folder name and Url is set to "mediawikinew"

In my LocalSettings.php File I have set

$wgScriptPath = "/mediawikinew";

$wgArticlePath = "/mediawikinew/$1";

$wgUsePathInfo = true;

My Nginx for mediawiki conf is set to this

server{

listen 80;

listen [::]:80;

server_name mediwikinew;

root /var/www/mediawikinew;

index index.php;

error_log /var/log/nginx/mediawikinew.error;

access_log /var/log/nginx/mediawikinew.access;

location / {

        try_files $uri $uri/ /index.php;

        #try_files $uri $uri/ @mediawikinew;

}

location ~ /.well-known {

       allow all;

}

location ~ /\.ht {

      deny all;

}


location /mediawikinew/ {

                #rewrite ^/mediawikinew/(?<pagename>.*)$ /mediawikinew/index.php;

                rewrite ^/mediawikinew/([^\?]*) /mediawikinew/index.php?title=$1&$args last;

       }

location = / {

                return 301 /mediawikinew/Main_Page;

        }

location ~ ^/mediawikinew/(index|load|api|thumb|opensearch_desc|rest|img_auth)\.php$ {

                include /etc/nginx/fastcgi_params;

                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

                #fastcgi_param SCRIPT_FILENAME $document_root/index.php;

                fastcgi_pass unix:/run/php/php8.1-fpm.sock;

                include snippets/fastcgi-php.conf;

        }

location /mediawikinew/images/deleted {

                # Deny access to deleted images folder

                deny all;

        }

location /mediawikinew/images {

                # Separate location for images/ so .php execution won't apply

        }

location ~ ^/mediawikinew/resources/(assets|lib|src) {

                try_files $uri =404;

                add_header Cache-Control "public";

                expires 7d;

        }

location ~ ^/mediawikinew/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg|png|svg|wasm|ttf|woff|woff2)$ {

                try_files $uri =404;

                add_header Cache-Control "public";

                expires 7d;

        }

location = /favicon.ico {

                alias /mediawikinew/images/6/64/Favicon.ico;

                add_header Cache-Control "public";

                expires 7d;

        }

location ~ ^/mediawikinew/(COPYING|CREDITS)$ {

                default_type text/plain;

        }

location /mediawikinew/rest.php/ {

                try_files $uri $uri/ /mediawikinew/rest.php?$query_string;

        }

}

FrankKufer (talkcontribs)

This topic is resolved.

Mediawiki not Directing to AzureAD

9
Summary by Cindy.cicalese

Fixed configuration settings.

FrankKufer (talkcontribs)

Hi Cindy,

I hope you are doing well. I am trying to set up OpenIDConnect with PluggableAuth to use Azure AD. However, I'm facing an issue where, upon attempting to log in to Mediawiki, I am not directed to Azure for authentication. Instead, I receive the message "The supplied credentials could not be authenticated." I'm not sure what I am missing in this setup. I have already ensured that the tenant ID, Client Secret, and Client ID are all correctly set and Files that I configured:

  • composer.local.json-sample In root directory of MediawikiNEW added this line "extensions/OpenIDConnect/composer.json"
  • composer.json In root directory of MediawikiNEW added/got added this line

"jumbojett/openid-connect-php": "^0.9.10"

  • Below is my LocalSettings.php:
FrankKufer (talkcontribs)

<?php

error_reporting( E_ALL );

ini_set( 'display_errors', 1 );

# Protect against web entry

if ( !defined( 'MEDIAWIKI' ) ) {

exit;

}

$wgSitename = "My Website Name";

$wgMetaNamespace = "My_Website_Name";

$wgScriptPath = "/mediawikiNEW";

$wgServer = "";

$wgResourceBasePath = $wgScriptPath;

$wgLogos = [

'1x' => "$wgResourceBasePath/resources/assets/change-your-logo.svg",

'icon' => "$wgResourceBasePath/resources/assets/change-your-logo-icon.svg",

];

$wgEnableEmail = true;

$wgEnableUserEmail = true; # UPO

$wgEmergencyContact = "";

$wgPasswordSender = "";

$wgEnotifUserTalk = false; # UPO

$wgEnotifWatchlist = false; # UPO

$wgEmailAuthentication = true;

## Database settings

$wgDBtype = "mysql";

$wgDBserver = "localhost";

$wgDBname = "myDatabse";

$wgDBuser = "mediaUser";

$wgDBpassword = "Password";

# MySQL specific settings

$wgDBprefix = "";

# MySQL table options to use during installation or update

$wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=binary";

# Shared database table

# This has no effect unless $wgSharedDB is also set.

$wgSharedTables[] = "actor";

## Shared memory settings

$wgMainCacheType = CACHE_NONE;

/* $wgMainCacheType = CACHE_ACCEL;

$wgSessionCacheType = CACHE_DB; */

$wgMemCachedServers = [];

$wgEnableUploads = true;

$wgUseImageMagick = true;

$wgImageMagickConvertCommand = "/usr/bin/convert";

$wgUseInstantCommons = false;

$wgPingback = true;

$wgLanguageCode = "en";

# Time zone

$wgLocaltimezone = "America/New_York";

$wgSecretKey = "SercretKey";

# Changing this will log out all existing sessions.

$wgAuthenticationTokenVersion = "1";

# Site upgrade key. Must be set to a string (default provided) to turn on the

# web installer while LocalSettings.php is in place

$wgUpgradeKey = "UpgradeKey";

$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright

$wgRightsUrl = "";

$wgRightsText = "";

$wgRightsIcon = "";

# Path to the GNU diff3 utility. Used for conflict resolution.

$wgDiff3 = "/usr/bin/diff3";

# The following permissions were set based on your choice in the installer

$wgGroupPermissions['*']['edit'] = false;

$wgGroupPermissions['*']['read'] = false;

## Default skin: you can change the default skin. Use the internal symbolic

## names, e.g. 'vector' or 'monobook':

$wgDefaultSkin = "vector";

# Enabled skins.

# The following skins were automatically enabled:

wfLoadSkin( 'MinervaNeue' );

wfLoadSkin( 'MonoBook' );

wfLoadSkin( 'Timeless' );

wfLoadSkin( 'Vector' );

# visual editor

wfLoadExtension( 'VisualEditor' );

$wgDefaultUserOptions['visualeditor-editor'] = "visualeditor";

$wgHiddenPrefs[] = 'visualeditor-enable';

# create page

wfLoadExtension( 'CreatePageUw' );

$wgCreatePageUwUseVE = true;

### Azure directory extensions or config

$wgGroupPermissions['*']['createaccount'] = true;

$wgGroupPermissions['*']['autocreateaccount'] = true;

#PluggableAuth

wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_EnableAutoLogin = false;

$wgPluggableAuth_EnableLocalLogin = false;           # if this set to true allows local login without azure auth

$wgPluggableAuth_EnableLocalProperties = false;

$wgPluggableAuth_EnableFastLogout =true;       

$wgPluggableAuth_ButtonLabelMessage = 'Login';

$wgPluggableAuth_Class = 'OpenIDConnect';

# OpenIDConnect config

wfLoadExtension( 'OpenIDConnect' );

$wgPluggableAuth_Config[] = [

"My Login" => [

'plugin' => 'OpenIDConnect',

'data' => [

'providerURL' => '',

'clientID' => 'ID',

'clientsecret' => 'secret'

],

'scope' => [ 'openid', 'profile', 'email' ]

]

];

$wgOpenIDConnect_UseRealNameAsUserName = true;

# ShortURL Config

wfLoadExtension( 'ShortUrl' );

/* $wgShortUrlTemplate = '/mediawikiNEW/wiki/$1'; */

$wgArticlePath = "/mediawikiNEW/$1";

Cindy.cicalese (talkcontribs)
  • composer.local.json-sample In root directory of MediawikiNEW added this line "extensions/OpenIDConnect/composer.json"

You should rename this file to composer.local.json

  • composer.json In root directory of MediawikiNEW added/got added this line

You should not edit this file. Adding the line above to composer.local.json shoudl be sufficient. Then, you would need to run "composer update" or "composer install" from the root MediaWiki directory.

Please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log.

FrankKufer (talkcontribs)

Hello Cindy,

I followed your instructions and ran composer. However, I am still not able to use Azure AD.

When I add below block I get this error Fatal exception of type "TypeErro" when clicking on log in button

$wgPluggableAuth_Config[] = [

   'plugin' => 'OpenIDConnect',

   'data' => [

        'providerURL' => 'https://login.microsoftonline.com/id/v2.0/',

        'clientID' => 'id',

        'clientsecret' => 'secret'

    ]

];

The debug on browser shows these exceptions:

  • [rdbms] MWExceptionHandler::rollbackPrimaryChanges [0s] localhost: ROLLBACK
  • [rdbms] MWExceptionHandler::rollbackPrimaryChanges: acknowledged server-side transaction loss on localhost
  • [exception] [1d11fafe16b669e17bba17df] /mediawikinew/index.php?title=Special:UserLogin&returnto=Main+Page TypeError: method_exists(): Argument #1 ($object_or_class) must be of type object|string, array given
  • [MessageCache] MessageCache using store SqlBagOStuff


NOTES:

1- In maintenance folder I ran php update.php

2- Ran composer update after changing the composer.local.json-sample to composer.local.json

then added "extensions/OpenIDConnect/composer.json"


3- Added to MediaWiki\Extension\PluggableAuth\PluggableAuth path the below line

"PluggableAuth": {

    "OpenIDConnect": {

        "class": "MediaWiki\\Extension\\OpenIDConnect\\OpenIDConnect",

        "services": [

           "MainConfig",

           "AuthManager",

           "OpenIDConnectStore"

        ]

    }

 }

4- Rest of LocalSettings.php config :

#PluggableAuth

wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_EnableAutoLogin = false;

$wgPluggableAuth_EnableLocalLogin = false;

$wgPluggableAuth_EnableLocalProperties = false;

$wgPluggableAuth_EnableFastLogout =false;

$wgPluggableAuth_ButtonLabelMessage = 'Login';

$wgPluggableAuth_Class = 'OpenIDConnect';

#AAD

wfLoadExtension( 'OpenIDConnect' );

$wgPluggableAuth_Config[].......................................

$wgOpenIDConnect_UseRealNameAsUserName = true;


5- Short URL is configured as well.


Please help/let me know if I am missing anything.

Thanks!

Cindy.cicalese (talkcontribs)

Which versions of the PluggableAuth and OpenIDConnect extensions are you using?

In 2), hopefully you added the line before you ran composer update.

I'm not sure what 3) refers to above, but it should not be necessary.

I need more information about where the exception is happening, including at least the start of the stack trace. Please refer to How to debug to see how to enable more debugging information.

You should be able to remove the following config lines:

$wgPluggableAuth_ButtonLabelMessage = 'Login';

$wgPluggableAuth_Class = 'OpenIDConnect';

FrankKufer (talkcontribs)

1) OpenIDConnect 7.0.1 and PluggableAuth is 7.0.0 and mediawiki is 1.40.0.

2) yes I added the line then ran composer.


Sure here is the stack trace when I added $wgShowExceptionDetails = true;

[4a9b3e88ee46f7baf2a4dbfb] /mediawikinew/index.php?title=Special:UserLogin&returnto=Main+Page TypeError: method_exists(): Argument #1 ($object_or_class) must be of type object|string, array given

Backtrace:

from /var/www/mediawikinew/extensions/PluggableAuth/includes/PrimaryAuthenticationProvider.php(88)

#0 /var/www/mediawikinew/extensions/PluggableAuth/includes/PrimaryAuthenticationProvider.php(88): method_exists()

#1 /var/www/mediawikinew/includes/auth/AuthManager.php(2272): MediaWiki\Extension\PluggableAuth\PrimaryAuthenticationProvider->getAuthenticationRequests()

#2 /var/www/mediawikinew/includes/auth/AuthManager.php(2250): MediaWiki\Auth\AuthManager->getAuthenticationRequestsInternal()

#3 /var/www/mediawikinew/includes/specialpage/AuthManagerSpecialPage.php(277): MediaWiki\Auth\AuthManager->getAuthenticationRequests()

#4 /var/www/mediawikinew/includes/specialpage/LoginSignupSpecialPage.php(147): AuthManagerSpecialPage->loadAuth()

#5 /var/www/mediawikinew/includes/specialpage/LoginSignupSpecialPage.php(238): LoginSignupSpecialPage->load()

#6 /var/www/mediawikinew/includes/specialpage/SpecialPage.php(701): LoginSignupSpecialPage->execute()

#7 /var/www/mediawikinew/includes/specialpage/SpecialPageFactory.php(1475): SpecialPage->run()

#8 /var/www/mediawikinew/includes/MediaWiki.php(327): MediaWiki\SpecialPage\SpecialPageFactory->executePath()

#9 /var/www/mediawikinew/includes/MediaWiki.php(923): MediaWiki->performRequest()

#10 /var/www/mediawikinew/includes/MediaWiki.php(576): MediaWiki->main()

#11 /var/www/mediawikinew/index.php(50): MediaWiki->run()

#12 /var/www/mediawikinew/index.php(46): wfIndexMain()

#13 {main}

Cindy.cicalese (talkcontribs)

What is item 3) above? That sounds like it could be interfering. It isn't clear to me where you have made that change or why. It should not be necessary.

FrankKufer (talkcontribs)

Great news! The issue has been resolved.

Item 3 was the problem. I reverted the changes to their default settings, and that resolved the issue.

Thank you so much for your help. I appreciate it.

Cindy.cicalese (talkcontribs)

Great!

Add a local user to mapped groupsync with identiy provider

2
Raoufgui (talkcontribs)

Hello

I implement SSO on my MW using PluggableAuth en OpenID connect and i configure the group mapping with Azure AD


Now i would like to create a Local user accout on my MW and add it to this mapped group (the accout dont exist on Azure side it will be created only on MW side)


Does it feasible plesae ? Does this user will be able to connect localy using login/pwd and have the same rights of mapped group  ?


Thanks

Osnard (talkcontribs)

Yes, this should be working. If you "enable local login" in PluggableAuth, such a user can authenticate directly against the wiki, rather than against Azure AD. In case of a local authentication no group sync will be applied at all, so the manually assigned groups will not be lost.

Reply to "Add a local user to mapped groupsync with identiy provider"