You are correct: the redirect_uri parameter should be pointing back to Special:PluggableAuthLogin. From your example below, it should look something like:
redirect_uri=https%3A%2F%2Fmyserver.org%2Fw%2Findex.php%2FSpecial%3APluggableAuthLogin
The redirect_url is computed by the code at [0], which discards all query parameters. As long as you are being redirected to OIDC from https://myserver.org/w/index.php/Special:PluggableAuthLogin, you should be fine. If you are being redirected from https://myserver.org/w/index.php?title=Special:PluggableAuthLogin, however, the title would be stripped off.
PluggableAuth is redirected from Special:UserLogin to Special:PluggableAuthLogin by creating the URL at [1] using
Title::newFromText( 'Special:PluggableAuthLogin' )->getFullURL()
and then being redirected to it. Could getFullURL() be generating the URL in "?title=..." form on your server? Perhaps because of [2]? If so, please let me know. There would have to be a fix to prevent the title query parameter from being stripped.
Cindy
[0] https://github.com/jumbojett/OpenID-Connect-PHP/blob/master/OpenIDConnectCli...
[1] https://phabricator.wikimedia.org/diffusion/EPLG/browse/master/PluggableAuth...
[2] https://www.mediawiki.org/wiki/Manual:$wgUsePathInfo
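To make the query-stripping behaviour described above concrete, here is an added example. It is not code from PluggableAuth, the OpenID Connect extension or the OpenID-Connect-PHP library; it only assumes what the thread states, namely that the redirect_uri is the current request URL with its query string discarded. The host name, paths and the callback page name are constructed sample values, and the check function is a hypothetical helper written for this illustration.

```php
<?php
// Added example, not code from PluggableAuth, the OpenID Connect extension or
// OpenID-Connect-PHP. It derives a redirect_uri by dropping the query string
// from the current URL and shows why the "?title=Special:PluggableAuthLogin"
// form loses the callback page while the path-info form keeps it.
// Host, paths and page name below are constructed sample values.

/**
 * Rebuild the URL with the query string and fragment removed, so that only
 * scheme, host, optional port and path survive (the behaviour the thread
 * attributes to the library code at [0]).
 */
function redirectUriWithoutQuery(string $currentUrl): string
{
    $parts = parse_url($currentUrl);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException("not an absolute URL: $currentUrl");
    }
    $uri = $parts['scheme'] . '://' . $parts['host'];
    if (isset($parts['port'])) {
        $uri .= ':' . $parts['port'];
    }
    return $uri . ($parts['path'] ?? '/');
}

/**
 * Hypothetical sanity check: does the derived redirect_uri still name the
 * login callback page? With MediaWiki the page can be addressed either as
 * path info ("/index.php/Special:X") or as a query parameter ("?title=Special:X");
 * only the path-info form survives query stripping. Requires PHP 8 (str_ends_with).
 */
function redirectUriReachesCallback(string $redirectUri, string $callbackPage): bool
{
    $path = (string)(parse_url($redirectUri, PHP_URL_PATH) ?: '');
    return str_ends_with($path, '/' . $callbackPage);
}

$callback = 'Special:PluggableAuthLogin';
$cases = [
    // short URLs / path info: query stripping is harmless
    'https://myserver.org/w/index.php/Special:PluggableAuthLogin',
    // "?title=" form: the page name lives in the query and is stripped
    'https://myserver.org/w/index.php?title=Special:PluggableAuthLogin',
];

foreach ($cases as $current) {
    $redirectUri = redirectUriWithoutQuery($current);
    $status = redirectUriReachesCallback($redirectUri, $callback) ? 'OK' : 'BROKEN';
    printf("%-68s -> %s (%s)\n", $current, $redirectUri, $status);
    // This percent-encoded form is what appears in the authorization request and
    // what the OP compares, exactly, against the registered redirect URI.
    printf("    redirect_uri=%s\n", rawurlencode($redirectUri));
}
```

Running it prints the path-info case as OK and the "?title=" case as BROKEN with a bare index.php redirect_uri, which is the value Scott observed. Because OPs are expected to match redirect_uri exactly against what was registered, the bare index.php value either fails registration or, as here, lands the authorization code on a page that never consumes it, hence the 200 OK and the main page.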
Hello,
I am using MediaWiki version 1.27.1 with the OpenID Connect extension detailed at
https://www.mediawiki.org/wiki/Extension:OpenID_Connect
I have configured the extension and when I click on "Log in" I am taken to
https://myserver.org/w/index.php?title=Special:UserLogin&returnto=My+Test%3AMain+Page
There I click on "Log in with PluggableAuth" and I am redirected to the OIDC OP as I expect.
I noticed, however, that when the extension computes the redirect_uri parameter that it includes when it redirects the browser to the OP it is
redirect_url=https%3A%2F%2Fmyserver.org%2Fw%2Findex.php
That surprises me. I would have thought that the redirect_uri would be to a page where MediaWiki can consume the authorization code that is returned by the OP.
After I authenticate with the OP it redirects the browser back to the redirect_uri with an authorization code and the correct state but then MediaWiki just returns a '200 OK' and the main page of the wiki.
It naively appears to me that the redirect_uri being sent to the OP is not correct, but I do not see a way to configure the extension to override it, and I would not know what value to use.
I appreciate any input people have on what I might be doing wrong, or how I can further troubleshoot.
Thanks,
Scott K
Thank you Cindy. That was the hint I needed.
Although I have experience with OIDC I am new to MediaWiki and I had not yet configured "short URLs". After making the necessary changes in my Apache HTTP Server and MediaWiki configurations to support short URLs the extension then began to generate a correct redirect_uri value.
Should the use of short URLs be mentioned as a requirement for the OpenID Connect extension, or is it the case that not using short URLs is so rare as to not warrant mentioning it explicitly?
I now have the extension interoperating with my desired OP (not Google FWIW). I did, however, find a small bug.
The OP returns an authorization code value that is a URI. As such it is URL-encoded in the POST body being sent back to the extension. The extension, however, does not URL-decode the value so when it later attempts to exchange the code for the ID token it correctly URL-encodes the code but now it is "double encoded" and rejected by the OP.
It appears that this is really an issue in the OpenID Connect PHP library that the OpenID Connect extension includes. Should I open an issue directly with that project or as the extension author would you prefer to do that? Or should I just open an issue for the OpenID Connect extension?
Thanks,
Scott K
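The double-encoding bug Scott describes, as an added example that is not code from the OpenID Connect extension or the OpenID-Connect-PHP library: an authorization code that is itself a URI arrives percent-encoded in the form_post body, and forwarding that value to the token endpoint without decoding it first means it is encoded a second time. The hand-rolled body parser standing in for the buggy receiver, the detection helper, and the code, state and URLs are all constructed for this illustration and say nothing about the library's actual code path.

```php
<?php
// Added example, not the extension's or the OpenID-Connect-PHP library's code.
// Simulates the OP's form_post callback carrying a URI-shaped authorization
// code, then contrasts a receiver that forwards the still-encoded value
// (double-encoded at the token endpoint) with one that decodes it once.
// Code, state and endpoint values are constructed samples.

/** What the OP posts back (application/x-www-form-urlencoded). */
function buildCallbackBody(string $code, string $state): string
{
    return http_build_query(['code' => $code, 'state' => $state], '', '&', PHP_QUERY_RFC3986);
}

/** Buggy receiver (hypothetical): pulls the raw, still-encoded value out of the body. */
function extractCodeRaw(string $body): string
{
    foreach (explode('&', $body) as $pair) {
        [$k, $v] = explode('=', $pair, 2) + [1 => ''];
        if ($k === 'code') {
            return $v;            // never decoded
        }
    }
    throw new RuntimeException('no code in callback body');
}

/** Correct receiver: parse_str() decodes each form field exactly once. */
function extractCodeDecoded(string $body): string
{
    parse_str($body, $params);
    if (!isset($params['code'])) {
        throw new RuntimeException('no code in callback body');
    }
    return $params['code'];
}

/** Token-exchange request body; encodes whatever value it is handed. */
function buildTokenRequest(string $code, string $redirectUri): string
{
    return http_build_query([
        'grant_type'   => 'authorization_code',
        'code'         => $code,
        'redirect_uri' => $redirectUri,
    ], '', '&', PHP_QUERY_RFC3986);
}

/**
 * Heuristic check on a value as transmitted: if one decode still leaves
 * percent sequences that a second decode changes, it was encoded twice.
 * (A single-encoded value containing a literal '%' would also trigger it.)
 */
function looksDoubleEncoded(string $transmitted): bool
{
    $once = rawurldecode($transmitted);
    return $once !== $transmitted && rawurldecode($once) !== $once;
}

$code        = 'urn:example:code/ab+cd?x=1';   // constructed URI-shaped code
$redirectUri = 'https://myserver.org/w/index.php/Special:PluggableAuthLogin';
$body        = buildCallbackBody($code, 'constructed-state');

foreach (['raw' => extractCodeRaw($body), 'decoded' => extractCodeDecoded($body)] as $how => $got) {
    $request = buildTokenRequest($got, $redirectUri);
    parse_str($request, $seen);              // what the token endpoint sees after one decode
    printf("%-7s wire value: %s\n", $how, rawurlencode($got));
    printf("        at OP: %s  double-encoded: %s  matches issued code: %s\n",
        $seen['code'],
        looksDoubleEncoded(rawurlencode($got)) ? 'yes' : 'no',
        $seen['code'] === $code ? 'yes' : 'no');
}
```

The "raw" branch reaches the OP as urn%3Aexample%3Acode%2Fab%2Bcd%3Fx%3D1, which no longer equals the issued code and is rejected; the "decoded" branch reaches it as the original URI. The rule it illustrates is the general one for this failure mode: decode at the boundary where the value is received, keep it decoded internally, and encode exactly once at the boundary where it is sent.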
mediawiki-l@lists.wikimedia.org