Scott, I double checked the Short URL manual page [0], because you mentioned that you planned to switch to short URLs due to this issue. We do not use short URLs, so there must be something else going on. What struck me on the manual page, was the following:
MediaWiki's default page addresses looks like these examples: http://example.org/w/index.php/Page_title *(recent versions of MediaWiki, without CGI <https://en.wikipedia.org/wiki/Common_Gateway_Interface> support)* http://example.org/w/index.php?title=Page_title *(recent versions of MediaWiki, with CGI support)* Our URLs are consistent with the first case and yours are consistent with the second. However, we do have CGI enabled. Maybe somebody on the list can elaborate on why the format of the URLs might be different? Regardless, the best fix for this situation would be for the OpenID Connect library used by the extension not to strip off the URL parameters. Yes, please report the second bug you found in the OpenID Connect library directly on the GitHub page for that library. While you are at it, you could also report the bug/feature that strips the URL parameters off the redirect URL. In the meantime, I will add some text to the OpenID Connect extension page indicating the known bug. [0] https://www.mediawiki.org/wiki/Manual:Short_URL Cindy Date: Fri, 9 Dec 2016 14:48:01 -0600 > From: Scott Koranda <[email protected]> > To: [email protected] > Subject: Re: [MediaWiki-l] OpenID Connect extension and redirect_uri > Message-ID: <[email protected]> > Content-Type: text/plain; charset=us-ascii > > > You are correct: the redirect_uri parameter should be pointing back to > > Special:PluggableAuthLogin. From your example below, it should look > > something like: > > > > redirect_uri=https%3A%2F%2Fmyserver.org%2Fw%2Findex.php > > %2FSpecial%3APluggableAuthLogin > > > > The redirect_url is computed by the code at [0], which discards all query > > parameters. As long as you are being redirected to OIDC from > > https://myserver.org/w/index.php/Special:PluggableAuthLogin, you should > be > > fine. If you are being redirected from > > https://myserver.org/w/index.php?title=Special:PluggableAuthLogin, > however, > > the title would be stripped off. > > > > PluggableAuth is redirected from Special:UserLogin to > > Special:PluggableAuthLogin by creating the URL at [1] using > > > > Title::newFromText( 'Special:PluggableAuthLogin' )->getFullURL() > > > > and then being redirected to it. Could getFullURL() be generating the URL > > in "?title=..." form on your server? Perhaps because of [2]? If so, > please > > let me know. There would have to be a fix to prevent the title query > > parameter from being stripped. > > Thank you Cindy. That was the hint I needed. > > Although I have experience with OIDC I am new to MediaWiki and > I had not yet configured "short URLs". After making the > necessary changes in my Apache HTTP Server and MediaWiki > configurations to support short URLs the extension then began > to generate a correct redirect_uri value. > > Should the use of short URLs be mentioned as a requirement for > the OpenID Connect extension, or is it the case that not using > short URLs is so rare as to not warrant mentioning it > explicitly? > > I now have the extension interoperating with my desired OP > (not Google FWIW). I did, however, find a small bug. > > The OP returns an authorization code value that is a URI. As > such it is URL-encoded in the POST body being sent back to the > extension. The extension, however, does not URL-decode the > value so when it later attempts to exchange the code for the > ID token it correctly URL-encodes the code but now it is > "double encoded" and rejected by the OP. > > It appears that this is really an issue in the OpenID Connect > PHP library that the OpenID Connect extension includes. Should > I open an issue directly with that project or as the extension > author would you prefer to do that? Or should I just open an > issue for the OpenID Connect extension? > > Thanks, > > Scott K > > > > ------------------------------ > > Subject: Digest Footer > > _______________________________________________ > MediaWiki-l mailing list > [email protected] > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l > > > ------------------------------ > > End of MediaWiki-l Digest, Vol 159, Issue 7 > ******************************************* > _______________________________________________ MediaWiki-l mailing list To unsubscribe, go to: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
