Its not CGI support so much as if MW detects it can properly use
$_SERVER['PATH_INFO']. Generally speaking, this is true provided your
PHP sapi is not cgi, apache2filter, or isapi. Of course, if you have
set $wgArticlePath yourself, then this auto-detection stuff is
On Mon, Dec 19, 2016 at 7:04 PM, Cindy Cicalese <cindom(a)gmail.com> wrote:
I double checked the Short URL manual page , because you mentioned that
you planned to switch to short URLs due to this issue. We do not use short
URLs, so there must be something else going on. What struck me on the
manual page, was the following:
MediaWiki's default page addresses looks like these examples:
*(recent versions of MediaWiki,
*(recent versions of
MediaWiki, with CGI support)*
Our URLs are consistent with the first case and yours are consistent with
the second. However, we do have CGI enabled. Maybe somebody on the list can
elaborate on why the format of the URLs might be different?
Regardless, the best fix for this situation would be for the OpenID Connect
library used by the extension not to strip off the URL parameters. Yes, please
report the second bug you found in the OpenID Connect library directly on
the GitHub page for that library. While you are at it, you could also
report the bug/feature that strips the URL parameters off the redirect URL. In
the meantime, I will add some text to the OpenID Connect extension page
indicating the known bug.
Date: Fri, 9 Dec 2016 14:48:01 -0600
From: Scott Koranda <skoranda(a)gmail.com>
Subject: Re: [MediaWiki-l] OpenID Connect extension and redirect_uri
Content-Type: text/plain; charset=us-ascii
You are correct: the redirect_uri parameter
should be pointing back to
Special:PluggableAuthLogin. From your example below, it should look
The redirect_url is computed by the code at , which discards all query
parameters. As long as you are being redirected to OIDC from
, you should
the title would be stripped off.
PluggableAuth is redirected from Special:UserLogin to
Special:PluggableAuthLogin by creating the URL at  using
Title::newFromText( 'Special:PluggableAuthLogin' )->getFullURL()
and then being redirected to it. Could getFullURL() be generating the URL
in "?title=..." form on your server? Perhaps because of ? If so,
let me know. There would have to be a fix to
prevent the title query
parameter from being stripped.
Thank you Cindy. That was the hint I needed.
Although I have experience with OIDC I am new to MediaWiki and
I had not yet configured "short URLs". After making the
necessary changes in my Apache HTTP Server and MediaWiki
configurations to support short URLs the extension then began
to generate a correct redirect_uri value.
Should the use of short URLs be mentioned as a requirement for
the OpenID Connect extension, or is it the case that not using
short URLs is so rare as to not warrant mentioning it
I now have the extension interoperating with my desired OP
(not Google FWIW). I did, however, find a small bug.
The OP returns an authorization code value that is a URI. As
such it is URL-encoded in the POST body being sent back to the
extension. The extension, however, does not URL-decode the
value so when it later attempts to exchange the code for the
ID token it correctly URL-encodes the code but now it is
"double encoded" and rejected by the OP.
It appears that this is really an issue in the OpenID Connect
PHP library that the OpenID Connect extension includes. Should
I open an issue directly with that project or as the extension
author would you prefer to do that? Or should I just open an
issue for the OpenID Connect extension?
Subject: Digest Footer
MediaWiki-l mailing list
End of MediaWiki-l Digest, Vol 159, Issue 7
MediaWiki-l mailing list
To unsubscribe, go to: