Single Sign On from WordPress to media wiki
A

2

3

I am trying to create single sign-on from WordPress to MediaWiki. I have WPOauthServer (a WordPress plugin) running on my WordPress site, and on my wiki I have Extension:OAuth2 Client installed. I want my users to log in only to WordPress and from there be able to go to the wiki without logging in to the wiki again. The WPOauthServer is working fine; I am using the Authorization Code grant type. I have tested using curl: I am able to get the authorization code, and using the authorization code I can acquire an authentication token.

I have a button on my WordPress page with the client ID:

<a href="https://xxxxxx.de/oauth/authorize?response_type=code&client_id=XXXXXXXXX&state=123">Connect Your Account</a>

When I open the authorization link, I am redirected to the following redirect-URI that was set in client settings at server side:

https://wiki.XXXXXXXXXXXXX.de/wiki/Special:OAuth2Client/callback?code=farkmm4ttuwxnne8a9firwtdikmite788hwpyhzg&state=123 

and here I get an internal error:

Fatal exception of type "GuzzleHttp\Exception\RequestException"

Upon digging, I found out that this exception is caused in the extension file AbstractProvider.php, in the sendRequest function:

/**
 * Sends a request instance and returns a response instance.
 *
 * @param  RequestInterface $request
 * @return ResponseInterface
 */
protected function sendRequest(RequestInterface $request)
{
    try {
        var_dump($request);
        $response = $this->getHttpClient()->send($request);
        var_dump($response);
    } catch (BadResponseException $e) {
        $response = $e->getResponse();
    }
    return $response;
}

The exception is caused in $response = $this->getHttpClient()->send($request);

I think maybe there is something wrong with my request; doing a var_dump on the request reveals the following:

/var/www/mediawiki/w/extensions/MW-OAuth2Client/vendors/oauth2-client/src/Provider/AbstractProvider.php:629:
object(GuzzleHttp\Psr7\Request)[278]
  private 'method' => string 'POST' (length=4)
  private 'requestTarget' => null
  private 'uri' => 
    object(GuzzleHttp\Psr7\Uri)[279]
      private 'scheme' => string 'https' (length=5)
      private 'userInfo' => string '' (length=0)
      private 'host' => string 'xxxxxxx.de' (length=13)
      private 'port' => null
      private 'path' => string '/oauth/token/' (length=13)
      private 'query' => string '' (length=0)
      private 'fragment' => string '' (length=0)
  private 'headers' => 
    array (size=2)
      'Host' => 
        array (size=1)
          0 => string 'xxxxxx.de' (length=13)
      'content-type' => 
        array (size=1)
          0 => string 'application/x-www-form-urlencoded' (length=33)
  private 'headerNames' => 
    array (size=2)
      'content-type' => string 'content-type' (length=12)
      'host' => string 'Host' (length=4)
  private 'protocol' => string '1.1' (length=3)
  private 'stream' => 
    object(GuzzleHttp\Psr7\Stream)[287]
      private 'stream' => resource(18, stream)
      private 'size' => null
      private 'seekable' => boolean true
      private 'readable' => boolean true
      private 'writable' => boolean true
      private 'uri' => string 'php://temp' (length=10)
      private 'customMetadata' => 
        array (size=0)
          empty

The stack trace from the Apache logs:

 Notice:  Undefined index: scopes in /var/www/mediawiki/w/extensions/MW-OAuth2Client/SpecialOAuth2Client.php on line 54, referer: https://XXXXXXerv.de/sso-test/
 Stack trace:, referer: https://XXXXXXerv.de/sso-test/
   1. {main}() /var/www/mediawiki/w/index.php:0, referer: https://XXXXXXerv.de/sso-test/
   2. MediaWiki->run() /var/www/mediawiki/w/index.php:42, referer: https://XXXXXXerv.de/sso-test/
   3. MediaWiki->main() /var/www/mediawiki/w/includes/MediaWiki.php:524, referer: https://XXXXXXerv.de/sso-test/
   4. MediaWiki->performRequest() /var/www/mediawiki/w/includes/MediaWiki.php:861, referer: https://XXXXXXerv.de/sso-test/
   5. SpecialPageFactory::getPage() /var/www/mediawiki/w/includes/MediaWiki.php:255, referer: https://XXXXXXerv.de/sso-test/
   6. SpecialOAuth2Client->__construct() /var/www/mediawiki/w/includes/specialpage/SpecialPageFactory.php:382, referer: https://XXXXXXerv.de/sso-test/
 Notice:  Undefined index: scopes in /var/www/mediawiki/w/extensions/MW-OAuth2Client/SpecialOAuth2Client.php on line 54, referer: https://XXXXXXerv.de/sso-test/
 Stack trace:, referer: https://XXXXXXerv.de/sso-test/
   1. {main}() /var/www/mediawiki/w/index.php:0, referer: https://XXXXXXerv.de/sso-test/
   2. MediaWiki->run() /var/www/mediawiki/w/index.php:42, referer: https://XXXXXXerv.de/sso-test/
   3. MediaWiki->main() /var/www/mediawiki/w/includes/MediaWiki.php:524, referer: https://XXXXXXerv.de/sso-test/
   4. MediaWiki->performRequest() /var/www/mediawiki/w/includes/MediaWiki.php:861, referer: https://XXXXXXerv.de/sso-test/
   5. SpecialPageFactory::executePath() /var/www/mediawiki/w/includes/MediaWiki.php:288, referer: https://XXXXXXerv.de/sso-test/
   6. SpecialPageFactory::getPage() /var/www/mediawiki/w/includes/specialpage/SpecialPageFactory.php:513, referer: https://XXXXXXerv.de/sso-test/
   7. SpecialOAuth2Client->__construct() /var/www/mediawiki/w/includes/specialpage/SpecialPageFactory.php:382, referer: https://XXXXXXerv.de/sso-test/

EDIT: From the stack trace, I realized that the scope was not defined in the MediaWiki client settings in LocalSettings.php. After setting the scope I don't get any errors in the Apache logs, but MediaWiki still shows the internal error Fatal exception of type "GuzzleHttp\Exception\RequestException".

Upon more digging, I found out that I was getting a curl: (60) SSL certificate: unable to get local issuer certificate error, which I solved by adding the CA root to my trusted CAs. For more information, see this post.

After solving this issue I just needed to correct the following:

$wgOAuth2Client['configuration']['username'] = 'user_login'; // JSON path to username
$wgOAuth2Client['configuration']['email'] = 'user_email'; // JSON path to email

See the answer for implementing SSO from WordPress.

Asternal answered 1/4, 2019 at 13:10 Comment(3)
MediaWiki has recently switched from php-curl to Guzzle as a request client library, maybe that broke the OAuth2 Client extension. You'll have to get more useful error information before anything can be done about that, though. I'd recommend filing a bug on phabricator.wikimedia.org with version information for the wiki and with a stack trace at least. - Birdcage
Added the stack trace from the Apache logs as well, but the extension is using guzzlehttp: namespace League\OAuth2\Client\Provider; use GuzzleHttp\Client as HttpClient; - Asternal
Apache logs are not super reliable, you should configure MediaWiki's own logging. - Birdcage
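
The certificate failure described in the question's EDIT, reproduced offline as an added example (not part of the original post or of either plugin): a throwaway root CA signs a server certificate, and openssl verify reports the same "unable to get local issuer certificate" condition until the issuing root is supplied as a trust anchor. The subject names, file names and function names are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo: every key and certificate here is a throwaway file in a temp dir.

# make_chain DIR: create root.pem (private root CA) and leaf.pem (server cert it signed).
make_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Private Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=sso.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -days 1 \
        -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -out "$d/leaf.pem" 2>/dev/null
}

# verify_leaf CERT [CA_BUNDLE]: print OK, MISSING_ISSUER, or the raw openssl error.
# Without CA_BUNDLE only the system trust store is consulted, as a default client would.
verify_leaf() {
    # "|| true": the exit status is ignored; the verdict is read from the output text.
    if [ -n "${2:-}" ]; then
        out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    else
        out=$(openssl verify "$1" 2>&1) || true
    fi
    case $out in
        *"unable to get local issuer certificate"*) echo MISSING_ISSUER ;;
        *": OK"*) echo OK ;;
        *) echo "OTHER: $out" ;;
    esac
}

demo() {
    work=$(mktemp -d) || return 1
    make_chain "$work" || { rm -rf "$work"; return 1; }
    echo "system trust store only: $(verify_leaf "$work/leaf.pem")"
    echo "issuing root supplied:   $(verify_leaf "$work/leaf.pem" "$work/root.pem")"
    rm -rf "$work"
}
demo
```

The same root file can be passed to curl with --cacert when testing the token endpoint, which keeps certificate verification switched on.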
A
3

I was able to set up SSO (single sign-on) from WordPress to MediaWiki by following these steps:

  1. First you need an OAuth 2.0 server. You could implement it yourself (see details here: Run your own OAuth 2.0 Server), or the easiest way is to use the WordPress plugin WP Oauth 2.0 server. You don't have to buy the pro version; you can also implement SSO by using the Authorization Code grant type, which comes free.

  2. You need the OAuth 2.0 client extension installed on your MediaWiki; the extension can be found here. Follow the installation instructions there.

  3. Go to the WordPress plugin page and activate the OAuth server, then navigate to OAuth Server and add a new client. Give your client a name, and in Redirect URI add the link mentioned on the MediaWiki extension page, i.e. http://your.wiki.domain/path/to/wiki/Special:OAuth2Client/callback. Then go to the OAuth > Clients page, where you can see your newly created client. Click edit, and here you can see the client ID and client secret; add this ID and secret to the LocalSettings.php of your MediaWiki.

  4. Create a page on WordPress and put the following button with your client ID in it:

    <a href="https://your-Domain-Where-OAuth-server-is-running.de/oauth/authorize?response_type=code&client_id=YOURCLIENTID&state=RANDOM-STRING&scope=basic"> go to wiki</a>

    Don't forget to put the scope, otherwise you will get a MediaWiki internal error.

  5. If everything worked fine, you should automatically go to the MediaWiki main page after clicking this button from your WordPress site, and MediaWiki will show you as logged in. It took me some time to figure it out; I hope this helps anyone who comes here.

Asternal answered 3/4, 2019 at 11:40 Comment(2)
Where is the OAuth>clients page? I clicked on "OAuth2 login" at the top right of the wiki's homepage, and got a 500 error. - Wales
The Oauth > client page on your WordPress. - Asternal
P
1

I followed Ahmad's answer above and got part way there. However, I had to make a one-line source code change and additionally configure the LocalSettings for MediaWiki, as originally posted here: https://www.mediawiki.org/wiki/Topic:Ux1crr4vosyw0tjl

Repeated for convenience: I finally got it working with these additional steps - editing my LocalSettings.php; xxxx is my website starting with https://

In addition to setting the secret and ID, I had to fill in the configuration parameters with these settings; these are from my site.

$wgOAuth2Client['configuration']['authorize_endpoint'] = 'xxxx/oauth/authorize'; // Authorization URL
$wgOAuth2Client['configuration']['access_token_endpoint'] = 'xxxx/oauth/token'; // Token URL
$wgOAuth2Client['configuration']['api_endpoint'] = 'xxxx/oauth/me?access_token='; // URL to fetch user JSON
$wgOAuth2Client['configuration']['redirect_uri'] = 'xxxx/mediawiki/index.php?title=Special:OAuth2Client/redirect&returnto=Special%3AUserLogin';
$wgOAuth2Client['configuration']['username'] = 'user_login'; // JSON path to username
$wgOAuth2Client['configuration']['email'] = 'user_email'; // JSON path to email
$wgOAuth2Client['configuration']['scopes'] = 'openid email profile'; //Permissions
$wgWhitelistRead = array("Special:OAuth2Client");

Then I also had to make one code change in .../mediawiki/extensions/MW-OAuth2Client/vendors/oauth2-client/src/Provider/AbstractProvider.php

protected function fetchResourceOwnerDetails(AccessToken $token)
{
    $url = $this->getResourceOwnerDetailsUrl($token);
    // Added this line so we can build the url request properly otherwise it didn't append the token to the api_endpoint
    $url = $url . $token;
    $request = $this->getAuthenticatedRequest(self::METHOD_GET, $url, $token);
    return $this->getResponse($request);
}

After that the plugin worked as expected.

Note: on installation of the MediaWiki extension I got these Composer warnings; I believe they can be safely ignored:

Package guzzle/guzzle is abandoned, you should avoid using it. Use guzzlehttp/guzzle instead.

Package phpunit/phpunit-mock-objects is abandoned, you should avoid using it. No replacement was suggested.

Package satooshi/php-coveralls is abandoned, you should avoid using it. Use php-coveralls/php-coveralls instead.

Also, I found this link useful in understanding how to use the WordPress plugin: https://wp-oauth.com/docs/how-to/setup-wp-oauth-server-for-single-sign-on-with-wordpress/

And I found you can just add the OAuth plugin to WordPress from your site's WP admin page: just click the Add Plugins button, or search for "oauth" by WP OAuth Server. There is no need to get it from their WP OAuth website, where you can only find the paid version.

Pecten answered 11/7, 2019 at 19:59 Comment(0)
