| en:2.0:single_sign_on:oidc_mediawiki, revision 2025/05/06 23:38 (kainhofer, section "Setup completed, test Single-Sign-On") | en:2.0:single_sign_on:oidc_mediawiki, revision 2025/05/06 23:44 (current, kainhofer) |
|---|---|
==== Caveats and Things to Consider ==== | ==== Caveats and Things to Consider ==== |
| |
* MediaWiki allows **admin login** through OpenID by assigning the **group 'admin'** in the group mapping. | * MediaWiki allows **admin login** through OpenID by assigning the **group 'sysop'** in the group mapping. The 'groups' scope must be included in both Admidio's as well as MediaWiki's config, and Admidio's role must be included as an OIDC claim. |
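Review bot: the rename from 'admin' to 'sysop' in the right-hand cell is the right fix, since 'sysop' is MediaWiki's built-in administrator group and 'admin' is not a default group, but the new sentence leaves the reader guessing which claim the mapping keys on. It should name the claim that carries the Admidio role (and the Admidio role name that is mapped to 'sysop'), because three things have to line up and the text only says that they must: the client requests the 'groups' scope, Admidio grants it and puts the role into the ID token or userinfo response, and MediaWiki's group mapping reads that claim. Without the claim name a reader cannot check a failing mapping against the token contents.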
* MediaWiki will convert all group names to lowercase. This is a general restriction in MediaWiki and not specific to OpenID. | * By default, MediaWiki will use basic http authentication for its calls to the authorization and token endpoints, which means that no special characters (in particular colons) are allowed. Unfortunately, the client ID will be used as username, which typically contains a colon in 'https://...'. The OpenID specification states that the colon is the separator between username and passphrase (client secret), so Admidio will incorrectly assume 'https' to be the username and everything else is the client secret... The two possible solutions are to (1) either not use the full URL, but any other unique identifier without a colon as clientID, or (2) switch MediaWiki to the 'client_secret_post' authMethod in the MediaWiki's ''LocalSettings.php'' configuration file (see the example above, which already contains this fix). |
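Review bot: the new explanation misplaces both the endpoint and the standard. A client authenticates with HTTP Basic only at the token endpoint; the authorization endpoint is reached by a browser redirect that carries client_id as a query parameter and never sends an Authorization header, so "calls to the authorization and token endpoints" should read "calls to the token endpoint". The colon rule is not from the OpenID specification either: HTTP Basic authentication (RFC 7617) forbids a colon in the user-id, and OAuth 2.0 (RFC 6749, section 2.3.1) says client_id and client secret are form-urlencoded before being joined with ':' and base64-encoded. Admidio splitting at the first colon and reading 'https' as the username is therefore correct server behaviour for a client that does not percent-encode the ':' in the client ID; suggest stating that, and keeping the two fixes as they are (a client ID without a colon, or ''client_secret_post'' in ''LocalSettings.php''). Also note that the left-hand sentence about MediaWiki lowercasing group names has been replaced rather than kept; if it still holds it matters for the 'sysop' mapping in the bullet above, since an Admidio role name with capitals would not match, so either restore it or state that it no longer applies.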
* MediaWiki will match its accounts using the email provided in the OpenID token, even when a different user id field is selected. E.g. if a local user 'dale' with email 'dale@example.com' already exists, and a new OpenID login from user 'dale' with email 'dale.baade@example.com' occurs, MediaWiki will treat these as two separate users (and modify the username of the newly created user to 'dale1')! | |
* MediaWiki controls **login permissions for OpenID** with a **group 'generic' assigned to a user**. If local accounts already exist, one needs to add them to the 'generic' group, otherwise login with OpenID is not possible and the following error message will be shown:{{ :en:2.0:sso:sso_oidc_04-10_dw_error_group.png?direct |}} To fix this, add the user to the 'generic' group: {{ :en:2.0:sso:sso_oidc_04-11_dw_generic_group.png?direct&600 |}} | |
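Review bot: the last two caveats have no right-hand cell, so they appear to be deleted in the current revision without a summary saying why. For the 'generic' group bullet that looks intentional and correct: the two screenshots are named sso_oidc_04-10_dw_error_group.png and sso_oidc_04-11_dw_generic_group.png, and the 'generic' login group is part of the DokuWiki setup those 'dw' images come from, not of MediaWiki. The e-mail matching caveat (an existing local 'dale' with 'dale@example.com' and an OpenID 'dale' with 'dale.baade@example.com' ending up as 'dale' and 'dale1') is written as MediaWiki behaviour and affects every wiki that already has local accounts; unless it was also found to be DokuWiki-specific, keep it, and put the reason for the removal in the edit summary either way.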