Hi Bryan,

thank you for your patient explanations! They are very appreciated. Thank you also for approving my request for an OAuth application!

I still get an error message "Unable to initiate communication with OAuth provider", and I am trying different things, but so far a bit out of ideas.

The relevant log lines seem to be this, but I don't see anything useful here:

[session] SessionBackend "6s7gpol141hugu9g6q7m7ddi2r0vi51o" data dirty due to dirty(): PluggableAuthPrimaryAuthenticationProvider->continuePrimaryAuthentication/MediaWiki\Auth\AuthManager->removeAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty

[authentication] Login failed in primary authentication by PluggableAuthPrimaryAuthenticationProvider

[session] SessionBackend "6s7gpol141hugu9g6q7m7ddi2r0vi51o" data dirty due to dirty(): AuthManagerSpecialPage->handleFormSubmit/AuthManagerSpecialPage->performAuthenticationStep/MediaWiki\Auth\AuthManager->continueAuthentication/MediaWiki\Session\Session->remove/MediaWiki\Session\SessionBackend->dirty

[session] SessionBackend "6s7gpol141hugu9g6q7m7ddi2r0vi51o" save: dataDirty=1 metaDirty=0 forcePersist=0

[authevents] Login attempt

My guess is that somewhere one of the URLs for callbacks are wrong, I'll try that next, but in case I am barking up the wrong tree, I would appreciate hints! Thanks,

Denny

On Fri, Apr 23, 2021 at 9:03 AM Bryan Davis <bd808@wikimedia.org> wrote:

On Thu, Apr 22, 2021 at 3:46 PM Alex Monk <krenair@gmail.com> wrote:
>
> The Wikimania wiki is part of the production cluster so gets privileged access to the production CentralAuth database. I'm not sure if the prod wikis can act as an identity provider for other sites to consume
>
> On Thu, 22 Apr 2021 at 19:27, Denny Vrandečić <dvrandecic@wikimedia.org> wrote:
>>
>> I would love to do the same! Can you point me to your configuration?
>>
>> On Wed, Apr 21, 2021 at 9:03 PM billinghurst <billinghurstwiki@gmail.com> wrote:
>>>
>>> Hi Denny,
>>>
>>> As a spam defence for Wikimania, we disallowed local account generation, and just leverage WMF's SULs, similarly did the same for wikidata-test to great effect. The one thing that we did was to change the login link to point to somewhere they could create an account. [1] Great success, though not 100% effective against manual spammers, or those that trawl.

I believe that the `wsoauth` role in MediaWiki-Vagrant can do what
Denny is looking for. That role provisions
<https://www.mediawiki.org/wiki/Extension:WSOAuth> and configures it
to use a shared OAuth grant which works for local testing at a
"http://dev.wiki.local.wmftest.net" host
(<https://meta.wikimedia.org/wiki/Special:OAuthManageConsumers/20c96d141c4ac5bea4fadd6824f6ebda>).
Beyond using `vagrant roles enable wsoauth`, a Cloud VPS hosted
MediaWiki-Vagrant wiki would need to apply for a new OAuth grant that
contains the callback URL of the hosted wiki
(<https://<something>.wmcloud.org/...>) and then add the OAuth key and
secret values for the new grant to the local MediaWiki-Vagrant's hiera
configuration. This might look something like:

$ vagrant role enable wsoauth
$ vagrant hiera role::wsoauth::oauth_key "the key for the new grant"
$ vagrant hiera role::wsoauth::oauth_secret "the secret for the new grant"
$ vagrant provision

Bryan
--
Bryan Davis Technical Engagement Wikimedia Foundation
Principal Software Engineer Boise, ID USA
[[m:User:BDavis_(WMF)]] irc: bd808

_______________________________________________
Wikimedia Cloud Services mailing list
Cloud@lists.wikimedia.org (formerly labs-l@lists.wikimedia.org)
https://lists.wikimedia.org/mailman/listinfo/cloud