You are correct: the redirect_uri parameter should be pointing back to Special:PluggableAuthLogin. From your example below, it should look something like:
redirect_uri=https%3A%2F%2Fmyserver.org%2Fw%2Findex.php %2FSpecial%3APluggableAuthLogin The redirect_url is computed by the code at [0], which discards all query parameters. As long as you are being redirected to OIDC from https://myserver.org/w/index.php/Special:PluggableAuthLogin, you should be fine. If you are being redirected from https://myserver.org/w/index.php?title=Special:PluggableAuthLogin, however, the title would be stripped off. PluggableAuth is redirected from Special:UserLogin to Special:PluggableAuthLogin by creating the URL at [1] using Title::newFromText( 'Special:PluggableAuthLogin' )->getFullURL() and then being redirected to it. Could getFullURL() be generating the URL in "?title=..." form on your server? Perhaps because of [2]? If so, please let me know. There would have to be a fix to prevent the title query parameter from being stripped. Cindy [0] https://github.com/jumbojett/OpenID-Connect-PHP/blob/master/OpenIDConnectClient.php#L345 [1] https://phabricator.wikimedia.org/diffusion/EPLG/browse/master/PluggableAuthPrimaryAuthenticationProvider.php;a09b3169ec0d9dbe29001bbdedee67e4229ef4bb$40 [2] https://www.mediawiki.org/wiki/Manual:$wgUsePathInfo Hello, > > I am using MediaWiki version 1.27.1 with the OpenID Connect > extension detailed at > > https://www.mediawiki.org/wiki/Extension:OpenID_Connect > > I have configured the extension and when I click on "Log in" I > am taken to > > https://myserver.org/w/index.php?title=Special:UserLogin&; > returnto=My+Test%3AMain+Page > > There I click on "Log in with PluggableAuth" and I am > redirected to the OIDC OP as I expect. > > I noticed, however, that when the extension computes the > redirect_uri parameter that it includes when it redirects the > browser to the OP it is > > redirect_url=https%3A%2F%2Fmyserver.org%2Fw%2Findex.php > > That surprises me. I would have thought that the redirect_uri > would be to a page where MediaWiki can consume the > authorization code that is returned by the OP. > > After I authenticate with the OP it redirects the browser back > to the redirect_uri with an authorization code and the correct > state but then MediaWiki just returns a '200 OK' and the main > page of the wiki. > > It naively appears to me that the redirect_uri being sent to > the OP is not correct, but I do not see a way to configure the > extension to override it, and I would not know what value to > use. > > I appreciate any input people have on what I might be doing > wrong, or how I can further troubleshoot. > > Thanks, > > Scott K > _______________________________________________ MediaWiki-l mailing list To unsubscribe, go to: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
