The settings in 10-WSOAuth.php end as follows:
$wgOAuthAuthProvider = "mediawiki";
$wgOAuthClientId = "[token]";
$wgOAuthClientSecret = "[secret]";
$wgOAuthRedirectUri = " http://annotation.wmcloud.org/w/index.php?title=Special:PluggableAuthLogin";
$wgOAuthUri = "https://meta.wikimedia.org/w/index.php?title=Special:OAuth";
and the OAuth settings on meta are as follows:
OAuth "callback URL": https://annotation.wmcloud.org/w/index.php?title=Special:PluggableAuthLoginA... consumer to specify a callback in requests and use "callback" URL above as a required prefix: No
Applicable grants: User identity verification only, no ability to read pages or act on a user's behalf.
I can see that meta states the callback URL with https and the settings without. Changing it in the settings doesn't seem to make a difference. I don't know if I can change it on Meta, or if I need to make a new application, but it doesn't look like the right solution anyway.
A bit unsure. Thanks! Denny
On Fri, Apr 23, 2021 at 2:50 PM Denny Vrandečić dvrandecic@wikimedia.org wrote:
Hi Bryan,
thank you for your patient explanations! They are very appreciated. Thank you also for approving my request for an OAuth application!
I still get an error message "Unable to initiate communication with OAuth provider", and I am trying different things, but so far a bit out of ideas.
The relevant log lines seem to be this, but I don't see anything useful here:
[session] SessionBackend "6s7gpol141hugu9g6q7m7ddi2r0vi51o" data dirty due to dirty(): PluggableAuthPrimaryAuthenticationProvider->continuePrimaryAuthentication/MediaWiki\Auth\AuthManager->removeAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty
[authentication] Login failed in primary authentication by PluggableAuthPrimaryAuthenticationProvider
[session] SessionBackend "6s7gpol141hugu9g6q7m7ddi2r0vi51o" data dirty due to dirty(): AuthManagerSpecialPage->handleFormSubmit/AuthManagerSpecialPage->performAuthenticationStep/MediaWiki\Auth\AuthManager->continueAuthentication/MediaWiki\Session\Session->remove/MediaWiki\Session\SessionBackend->dirty
[session] SessionBackend "6s7gpol141hugu9g6q7m7ddi2r0vi51o" save: dataDirty=1 metaDirty=0 forcePersist=0
[authevents] Login attempt
My guess is that somewhere one of the URLs for callbacks is wrong. I'll try that next, but in case I am barking up the wrong tree, I would appreciate hints! Thanks,
Denny
On Fri, Apr 23, 2021 at 9:03 AM Bryan Davis bd808@wikimedia.org wrote:
On Thu, Apr 22, 2021 at 3:46 PM Alex Monk krenair@gmail.com wrote:
The Wikimania wiki is part of the production cluster so gets privileged
access to the production CentralAuth database. I'm not sure if the prod wikis can act as an identity provider for other sites to consume
On Thu, 22 Apr 2021 at 19:27, Denny Vrandečić dvrandecic@wikimedia.org
wrote:
I would love to do the same! Can you point me to your configuration?
On Wed, Apr 21, 2021 at 9:03 PM billinghurst <
billinghurstwiki@gmail.com> wrote:
Hi Denny,
As a spam defence for Wikimania, we disallowed local account
generation, and just leverage WMF's SULs, similarly did the same for wikidata-test to great effect. The one thing that we did was to change the login link to point to somewhere they could create an account. [1] Great success, though not 100% effective against manual spammers, or those that trawl.
I believe that the `wsoauth` role in MediaWiki-Vagrant can do what Denny is looking for. That role provisions https://www.mediawiki.org/wiki/Extension:WSOAuth and configures it to use a shared OAuth grant which works for local testing at a "http://dev.wiki.local.wmftest.net" host (<https://meta.wikimedia.org/wiki/Special:OAuthManageConsumers/20c96d141c4ac5b...>).
Beyond using `vagrant roles enable wsoauth`, a Cloud VPS hosted MediaWiki-Vagrant wiki would need to apply for a new OAuth grant that contains the callback URL of the hosted wiki (<https://<something>.wmcloud.org/...>) and then add the OAuth key and secret values for the new grant to the local MediaWiki-Vagrant's hiera configuration. This might look something like:
$ vagrant roles enable wsoauth
$ vagrant hiera role::wsoauth::oauth_key "the key for the new grant"
$ vagrant hiera role::wsoauth::oauth_secret "the secret for the new grant"
$ vagrant provision
Bryan
Bryan Davis Technical Engagement Wikimedia Foundation Principal Software Engineer Boise, ID USA [[m:User:BDavis_(WMF)]] irc: bd808
Wikimedia Cloud Services mailing list Cloud@lists.wikimedia.org (formerly labs-l@lists.wikimedia.org) https://lists.wikimedia.org/mailman/listinfo/cloud
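A check for the mismatch described in the top message (the redirect URI in 10-WSOAuth.php versus the callback URL registered on Meta), as an added example that is not part of the thread or of WSOAuth. The function name, the exact-or-prefix matching rule, and the registered URL (taken as the visible part before the truncation) are assumptions.

```python
from urllib.parse import urlsplit

# Value of $wgOAuthRedirectUri exactly as quoted in the thread (note the leading space).
CONFIGURED = " http://annotation.wmcloud.org/w/index.php?title=Special:PluggableAuthLogin"
# Assumed registered callback: the visible part of the truncated URL shown for Meta.
REGISTERED = "https://annotation.wmcloud.org/w/index.php?title=Special:PluggableAuthLogin"


def _tail(parts):
    """Path plus query string, the part of the URL after the host."""
    return parts.path + ("?" + parts.query if parts.query else "")


def callback_problems(configured, registered, registered_is_prefix=False):
    """List the reasons `configured` would not match `registered`.

    Assumed rule: an exact match is required unless the consumer was
    registered with the "use callback URL as a required prefix" option.
    An empty list means the two values agree.
    """
    problems = []
    if configured != configured.strip():
        problems.append("configured URI has leading or trailing whitespace")
    conf = urlsplit(configured.strip())
    reg = urlsplit(registered.strip())
    if conf.scheme.lower() != reg.scheme.lower():
        problems.append(f"scheme differs: {conf.scheme} vs {reg.scheme}")
    if (conf.hostname, conf.port) != (reg.hostname, reg.port):
        problems.append(f"host differs: {conf.netloc} vs {reg.netloc}")
    if registered_is_prefix:
        matches = _tail(conf).startswith(_tail(reg))
    else:
        matches = _tail(conf) == _tail(reg)
    if not matches:
        problems.append("path/query differs from the registered callback")
    return problems


if __name__ == "__main__":
    for problem in callback_problems(CONFIGURED, REGISTERED):
        print("MISMATCH:", problem)
```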