The settings in 10-WSOAuth.php end as follows:

$wgOAuthAuthProvider = "mediawiki";
$wgOAuthClientId = "[token]";
$wgOAuthClientSecret = "[secret]";
$wgOAuthRedirectUri = "http://annotation.wmcloud.org/w/index.php?title=Special:PluggableAuthLogin";
$wgOAuthUri = "https://meta.wikimedia.org/w/index.php?title=Special:OAuth";

and the OAuth settings on meta are as follows:

OAuth "callback URL": https://annotation.wmcloud.org/w/index.php?title=Special:PluggableAuthLogin
Allow consumer to specify a callback in requests and use "callback" URL above as a required prefix: No
Applicable grants: User identity verification only, no ability to read pages or act on a user's behalf.

I can see that meta states the callback URL with https and the settings without. Changing it in the settings doesn't seem to make a difference. I don't know if I can change it on Meta, or if I need to make a new application, but it doesn't look like the right solution anyway.

A bit unsure. Thanks!
Denny
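
A consistency check for the two values compared above, added here as an example (it is not part of the original message, of WSOAuth or of MediaWiki): it reads `$wgOAuthRedirectUri` from settings text and reports which URL components differ from the callback registered on Meta. The function names are hypothetical, the sample settings text is constructed from the values quoted above, and the rule that the two URLs must match exactly (because the prefix option is "No") is an assumption of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: the redirect setting as quoted in the message above.
SETTINGS = '''
$wgOAuthAuthProvider = "mediawiki";
$wgOAuthRedirectUri = "http://annotation.wmcloud.org/w/index.php?title=Special:PluggableAuthLogin";
'''
# Callback URL registered for the consumer on Meta, as quoted above.
REGISTERED = "https://annotation.wmcloud.org/w/index.php?title=Special:PluggableAuthLogin"


def read_php_string(settings_text, name):
    """Return the string literal assigned to $name in PHP settings text, or None."""
    pattern = r'^\s*\$' + re.escape(name) + r'''\s*=\s*(["'])(.*?)\1\s*;'''
    match = re.search(pattern, settings_text, re.MULTILINE)
    return match.group(2) if match else None


def callback_differences(configured, registered):
    """List (component, configured, registered) for each part that disagrees.

    Assumption of this example: the two URLs are expected to be identical,
    since the consumer does not allow the callback to be used as a prefix.
    """
    conf, reg = urlsplit(configured), urlsplit(registered)
    diffs = []
    if conf.scheme.lower() != reg.scheme.lower():
        diffs.append(("scheme", conf.scheme, reg.scheme))
    if (conf.hostname, conf.port) != (reg.hostname, reg.port):
        diffs.append(("host", conf.netloc, reg.netloc))
    if conf.path != reg.path:
        diffs.append(("path", conf.path, reg.path))
    if parse_qsl(conf.query) != parse_qsl(reg.query):
        diffs.append(("query", conf.query, reg.query))
    if not diffs and configured != registered:
        # Differs only in something not split out above (fragment, encoding).
        diffs.append(("other", configured, registered))
    return diffs


if __name__ == "__main__":
    uri = read_php_string(SETTINGS, "wgOAuthRedirectUri")
    for part, have, want in callback_differences(uri, REGISTERED):
        print(f"{part}: settings has {have!r}, Meta has {want!r}")
```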


On Fri, Apr 23, 2021 at 2:50 PM Denny Vrandečić <dvrandecic@wikimedia.org> wrote:
Hi Bryan,

thank you for your patient explanations! They are very much appreciated. Thank you also for approving my request for an OAuth application!

I still get an error message "Unable to initiate communication with OAuth provider", and I am trying different things, but so far a bit out of ideas. 

The relevant log lines seem to be this, but I don't see anything useful here:

[session] SessionBackend "6s7gpol141hugu9g6q7m7ddi2r0vi51o" data dirty due to dirty(): PluggableAuthPrimaryAuthenticationProvider->continuePrimaryAuthentication/MediaWiki\Auth\AuthManager->removeAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty

[authentication] Login failed in primary authentication by PluggableAuthPrimaryAuthenticationProvider

[session] SessionBackend "6s7gpol141hugu9g6q7m7ddi2r0vi51o" data dirty due to dirty(): AuthManagerSpecialPage->handleFormSubmit/AuthManagerSpecialPage->performAuthenticationStep/MediaWiki\Auth\AuthManager->continueAuthentication/MediaWiki\Session\Session->remove/MediaWiki\Session\SessionBackend->dirty

[session] SessionBackend "6s7gpol141hugu9g6q7m7ddi2r0vi51o" save: dataDirty=1 metaDirty=0 forcePersist=0

[authevents] Login attempt


My guess is that somewhere one of the URLs for callbacks is wrong. I'll try that next, but in case I am barking up the wrong tree, I would appreciate hints! Thanks,

Denny

On Fri, Apr 23, 2021 at 9:03 AM Bryan Davis <bd808@wikimedia.org> wrote:
On Thu, Apr 22, 2021 at 3:46 PM Alex Monk <krenair@gmail.com> wrote:
>
> The Wikimania wiki is part of the production cluster so gets privileged access to the production CentralAuth database. I'm not sure if the prod wikis can act as an identity provider for other sites to consume
>
> On Thu, 22 Apr 2021 at 19:27, Denny Vrandečić <dvrandecic@wikimedia.org> wrote:
>>
>> I would love to do the same! Can you point me to your configuration?
>>
>> On Wed, Apr 21, 2021 at 9:03 PM billinghurst <billinghurstwiki@gmail.com> wrote:
>>>
>>> Hi Denny,
>>>
>>> As a spam defence for Wikimania, we disallowed local account generation, and just leverage WMF's SULs, similarly did the same for wikidata-test to great effect. The one thing that we did was to change the login link to point to somewhere they could create an account. [1] Great success, though not 100% effective against manual spammers, or those that trawl.

I believe that the `wsoauth` role in MediaWiki-Vagrant can do what
Denny is looking for. That role provisions
<https://www.mediawiki.org/wiki/Extension:WSOAuth> and configures it
to use a shared OAuth grant which works for local testing at a
"http://dev.wiki.local.wmftest.net" host
(<https://meta.wikimedia.org/wiki/Special:OAuthManageConsumers/20c96d141c4ac5bea4fadd6824f6ebda>).
Beyond using `vagrant roles enable wsoauth`, a Cloud VPS hosted
MediaWiki-Vagrant wiki would need to apply for a new OAuth grant that
contains the callback URL of the hosted wiki
(<https://<something>.wmcloud.org/...>) and then add the OAuth key and
secret values for the new grant to the local MediaWiki-Vagrant's hiera
configuration. This might look something like:

  $ vagrant roles enable wsoauth
  $ vagrant hiera role::wsoauth::oauth_key "the key for the new grant"
  $ vagrant hiera role::wsoauth::oauth_secret "the secret for the new grant"
  $ vagrant provision

Bryan
--
Bryan Davis              Technical Engagement      Wikimedia Foundation
Principal Software Engineer                               Boise, ID USA
[[m:User:BDavis_(WMF)]]                                      irc: bd808

_______________________________________________
Wikimedia Cloud Services mailing list
Cloud@lists.wikimedia.org (formerly labs-l@lists.wikimedia.org)
https://lists.wikimedia.org/mailman/listinfo/cloud