Authenticating Mediawiki with OAuth2

 



It's the year 2023 and there must be a way to authenticate Mediawiki (MW) with OAuth2. Currently the LTS version of Mediawiki is 1.39.1. My OAuth2 and OpenID provider is Keycloak. 

It can be accomplished with the extension OpenID Connect. It's simple, once you have the dependencies in place. I spent more time providing "composer" as a dependence than configuring the SSO part.

Hera are the relevant parts of  theDockerfile:

FROM registry.procempa.com.br/mediawiki:1.39.1

COPY composer.local.json composer.local.json

RUN  wget https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_39-e7de886.tar.gz &&\
wget https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_39-0fefe8b.tar.gz &&\
tar -zxvf PluggableAuth-REL1_39-e7de886.tar.gz -C extensions &&\
tar -zxvf OpenIDConnect-REL1_39-0fefe8b.tar.gz -C extensions &&\
chown -R www-data:www-data extensions

#Composer as dependency for OpendIDConnect    
#https://tecadmin.net/how-to-install-and-use-php-composer-on-debian-11/
RUN php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" &&\
    php composer-setup.php --install-dir=/usr/local/bin --filename=composer &&\
    chmod +x /usr/local/bin/composer &&\
    composer update

This isn't the complete Dockerfile, but you get the picture: download and unzip the extensions PluggableAuth and OpenIDConnect and install composer. I did this because the simple "apt install -y composer" wasn't working in Debian 11 (the SO of the image) and I didn't have time to debug.

Notice that the Dockerfile copies a file named composer.local.json. It adds the extension as a dependency. The content of composer.local.json:

{
"extra": {
"merge-plugin": {
"include": [
"extensions/OpenIDConnect/composer.json"
]
}
}
}


Finally, just create the client in your Keycloak instance and add the relevant part of LocalSettings.php (replace providerURL, clientID and clientsecret, accordingly):

wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'OpenIDConnect' );

$wgPluggableAuth_Config["Login using SSO"] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://your-keycloak-url/auth/realms/your-healm',
        'clientID' => 'client_name',
        'clientsecret' => 'SECRET'
    ]
]

It worked for me.

Comments

Post a Comment

Popular posts from this blog

Ubuntu 17.10 - CIFS Mount Error Code -5

Image
All of a sudden a CIFS mount point stopped working. Probably after a kernel update, according to sources. Syslog got this: $ grep cifs /var/log/syslog Dec 28 09:56:12 hostname kernel: [141586.846065] CIFS VFS: cifs_mount failed w/return code = -5 Not really helpful, could be few different things. Turns out Samba now defaults to version 3 of protocol but the old server I connect to doesn't support it. Just add  vers=2.1 to the options and it is back working. On the command line: sudo mount -v -t cifs //server/mount$ /dir/dir -o credentials=/etc/samba/credentials ,vers=2.1 In fstab: //server/mount$  /dir/dir  cifs uid=user,gid=user,credentials=/etc/samba/credentials ,vers=2.1    0  0 Reference .
Read more

Integrating Drupal 8 Webforms Submissions and Rocket Chat

Image
Use Case Wanted form submissions to be posted to a Rocket Chat channel. Drupal 8 Webform has Remote Post Handlers  ( Email & Remote Post Handlers section). First learned Rocket Chat API , specially the authentication part, and practiced with PostMan . Once got it working, started the integration. Got stuck on a point where Rocket Chat needed custom headers   ( Example Call section) to be sent but Webforms module would require the development of a custom module to address it. Gladly the main developer of Drupal 8 Webforms,  Jacob Rockowitz , was kind enough to add custom header capabilities to the module ( this is the issue ). The patch has just been committed and the feature is expected to be available in the next release of Webforms. I had to get the git version to get the patch. It easily worked! Then it was just a matter of:  figuring out how to submit a YAML array (Webforms) to a JSON array (RocketChat) for the attachments field of  chat.postMessage  API call
Read more

Instalação eToken Pro no Ubuntu 18.04 para acesso ao eCAC da RFB

Image
É muito fácil fazer o eToken Pro (no meu caso, fornecido pela Certisign) no Ubuntu 18.04 (Bionic Beaver) para acesso ao eCAC da RFB (Receita Federal do Brasil). No Debian deve ser semelhante. Utilizei alguns tutorias antigos, mas ainda funcionam e permitram a configuração do eToken em 15 min. Meu eToken é identificado desta maneira: dmesg [176128.683323] usb 3-8: new full-speed USB device number 4 using xhci_hcd [176128.832836] usb 3-8: New USB device found, idVendor= 0529 , idProduct= 0620 [176128.832839] usb 3-8: New USB device strings: Mfr=1, Product=2, SerialNumber=0 [176128.832841] usb 3-8: Product: Token JC [176128.832842] usb 3-8: Manufacturer: SafeNet lsusb Bus 003 Device 004: ID 0529:0620 Aladdin Knowledge Systems Token JC Etapas Instalar pcscd Instalar SafeNet eToken Pro v9.1 Configurar eToken no Firefox Instalar cadeia de certificados ICP-Basil v2 no Firefox Acessar o eCAC da RFB Detalhamento 1. Instalar pcscd sudo apt install pcscd
Read more