You are correct: the redirect_uri parameter should be pointing back to Special:PluggableAuthLogin. From your example below, it should look something like:
redirect_uri=https%3A%2F%2Fmyserver.org%2Fw%2Findex.php %2FSpecial%3APluggableAuthLogin
The redirect_url is computed by the code at [0], which discards all query parameters. As long as you are being redirected to OIDC from https://myserver.org/w/index.php/Special:PluggableAuthLogin, you should be fine. If you are being redirected from https://myserver.org/w/index.php?title=Special:PluggableAuthLogin, however, the title would be stripped off.
PluggableAuth is redirected from Special:UserLogin to Special:PluggableAuthLogin by creating the URL at [1] using
Title::newFromText( 'Special:PluggableAuthLogin' )->getFullURL()
and then being redirected to it. Could getFullURL() be generating the URL in "?title=..." form on your server? Perhaps because of [2]? If so, please let me know. There would have to be a fix to prevent the title query parameter from being stripped.
Cindy
[0] https://github.com/jumbojett/OpenID-Connect-PHP/blob/master/OpenIDConnectCli... [1] https://phabricator.wikimedia.org/diffusion/EPLG/browse/master/PluggableAuth... [2] https://www.mediawiki.org/wiki/Manual:$wgUsePathInfo
Hello,
I am using MediaWiki version 1.27.1 with the OpenID Connect extension detailed at
https://www.mediawiki.org/wiki/Extension:OpenID_Connect
I have configured the extension and when I click on "Log in" I am taken to
https://myserver.org/w/index.php?title=Special:UserLogin& returnto=My+Test%3AMain+Page
There I click on "Log in with PluggableAuth" and I am redirected to the OIDC OP as I expect.
I noticed, however, that when the extension computes the redirect_uri parameter that it includes when it redirects the browser to the OP it is
redirect_url=https%3A%2F%2Fmyserver.org%2Fw%2Findex.php
That surprises me. I would have thought that the redirect_uri would be to a page where MediaWiki can consume the authorization code that is returned by the OP.
After I authenticate with the OP it redirects the browser back to the redirect_uri with an authorization code and the correct state but then MediaWiki just returns a '200 OK' and the main page of the wiki.
It naively appears to me that the redirect_uri being sent to the OP is not correct, but I do not see a way to configure the extension to override it, and I would not know what value to use.
I appreciate any input people have on what I might be doing wrong, or how I can further troubleshoot.
Thanks,
Scott K