A partial archive of https://discourse-mediawiki.wmflabs.org as of Saturday May 21, 2022.

GoogleLogin Account Creation via Special:UserLogin

abeason

Per Tgr’s instructions, creating an issue here.

We’re attempting to use the MediaWiki extension GoogleLogin, version 0.4.0 (latest).

We’d like to use existing Gsuite identity for our organization to login to our company wiki. We’d ideally like to make this self-serve, with accounts automatically being created for users with emails in our domain on login. All other means of authentication would be disabled except for pre-created local accounts such as sysops.

Anomie describes here a method to achieve this, but when it’s used we always get “The supplied credentials are not associated with any user on this wiki.” There’s something we must be missing.

Additionally, the project maintainer Florian says that 0.4.0 no longer allows account creation via Special:UserLogin, so it’s unclear if the above approach is possible with the current version.

Would greatly appreciate help with a method to use Google Identity to login to our wiki and automatically create user accounts if they don’t already exist.

Thanks!

Tgr

GoogleLogin was updated to work with recent versions of MediaWiki which don’t support that workflow (yet). You can go to the registration page and create an account using an existing Google login, so you are not missing out on the functionality, but the workflow is slightly less intuitive.

Anomie described how to disable password-based login/registration. That is orthogonal to how GoogleLogin works.

abeason

What would be required to get this working as described above?

If I understand correctly, Anomie described how to disable password based auth for GoogleLogin but left the standard login method functional for local accounts only.

If I then pre-created Google account logins for users from within MediaWiki, once they clicked Sign in with Google and selected the appropriate account (assuming it’s in the whitelisted domain) they’d be logged in without having to provide a password?

What function does preauth serve in $wgAuthManagerConfig?

I would normally puzzle through this kind of stuff myself but I haven’t been able to find any documentation that spells things out for someone like me with zero familiarity.

Tgr

Preauth providers can deny authentication early on (e.g. captcha, throttling). Secondary auth providers can deny authentication (or do other things) after the main authentication provider has identified the user (e.g. 2FA). Using $wgAuthManagerAutoConfig is probably easier (although less robust - it’s “auto” because extensions add to it, while $wgAuthManagerConfig is a fully manual override):

unset ( $wgAuthManagerAutoConfig['primary'][MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider::class] );

to disable password-based authentication completely or

$wgAuthManagerAutoConfig['primary'][MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider::class]['args'][0]['localOnly'] = true;

to prevent new users from registering with a local username and password. (Didn’t test the snippets.) Manual:SessionManager_and_AuthManager has some docs but they are meant for developers.

Yeah. I think that works without precreation too, except they would have to go to the registration page, not the login page. I haven’t really followed GoogleLogin development though.

abeason

Okay, I think I’m beginning to understand. Thanks for your help.

In that case is it possible to create a separate register/signup link on the login page using this workflow?

Special:CreateAccount -> authenticate (with external source) -> account created

It’s not the seamless account creation workflow I’d like, but it’s something.

abeason

I see that “Create with Google” is already present on Special:CreateAccount. So that’s a start!

Is it possible to remove the standard blue Wikimedia “Create Account” button and fields from the page?

If I whitelist Special:CreateAccount for all users, can I modify Special:UserLogin to include a link to Special:CreateAccount?

Tgr

If you want to work on making it more seamless, I’m happy to advise how :slight_smile:

Yeah, that’s what the code snippets above are for.

It should already include a link (the big "Join " button at the bottom).

abeason

Thanks, I’d definitely be interested if you have suggestions.

We have $wgGroupPermissions['*']['createaccount'] = false; set, is that possibly why the Join button isn’t present?

FlorianSW

Yes, the link is only visible if the user is allowed to sign up. If you remove all other authentication providers, except GoogleLogin, GoogleLogin will be the only option to create an account, so you can set this permission to true.

You should then, probably, enable a list of allowed domains in GoogleLogin, so only allowed persons are allowed to create an account (with the correct domain).

FlorianSW

Just quoting some questions from the phabricator task:

The latest from Florian seems to indicate that the current release of Google Login (0.4.0, which I’m using) no longer supports account creation via Google.

It absolutely does. Just go to “Special:CreateAccount” and click the “create with Google” button at the bottom. It “just” isn’t an automatic process anymore when logging in and not having a user account on that wiki already. (that’s the reason why the above mentioned phabricator task exists, to create that functionality again)

Florian - is it possible to use the extension to authenticate with other forms of Google Identity not tied to Google+?

Using GoogleLogin does not require an account on Google+ anymore. You just need a Google account, and it should not matter, if it’s a “normal” Google account (which you would use for GMail, e.g.) or if it is, e.g., a G-Suite account (however, I haven’t tested that one).

abeason

Awesome, thanks for the clarification guys. Think I have an idea of how I need to configure this now.

Tgr

https://phabricator.wikimedia.org/T138678#3910857 describes the issue as far as I remember. (So basically you can enable it, but it’s experimental and probably not that user-friendly.)

abeason

This is done in /includes/DefaultSettings.php?

Is it enough of a problem that you’d recommend sticking with manual account creation via GoogleLogin instead?

FlorianSW

This is done in /includes/DefaultSettings.php?

Yes, and no :slight_smile: While it’s ok to do that on a test instance or during development, I don’t think that it’s ever a good idea changing code which is delivered with MediaWiki. This makes upgrading hard and may or may not work in future versions. So, if you want to do that on a production server (see my comment below), I would recommend doing the configuration in LocalSettings.php.

Is it enough of a problem that you’d recommend sticking with manual account creation via GoogleLogin instead?

So, generally spoken, I would not enable a feature which was disabled by default on purpose. In this case, it may not result in any technical problem, though, but think about that this may be an untested UX and that it could be confusing to the user. From what I understand so far, there’s not a big “thing” which would result in me, personally, not enabling it, if I really want/need to :slight_smile:

abeason

Hey guys,

It looks like the code snippet from anomie doesn’t actually limit account creation to Google only. Could you give me an example of how that would be achieved? I want Special:CreateAccount to only provide the option to register with Google.

Thanks!

Tgr

The correct parameter name is loginOnly, not localOnly.

abeason

@FlorianSW I just tested this out a little more and it seems that even with GLAllowedDomains set to our Gsuite domain non-company Google accounts are being allowed to link to existing accounts from Special:LinkAccounts. Any idea how to disable this behavior?

@Tgr I saw your post on the Phabricator thread regarding automated account creation, specifically this section:

“the external identity provider can just decide to treat everyone with a valid remote identity as an existing user and autocreate an account for them. This requires the provider to be able to map remote identities to local usernames; you then just return that username in a PASS response and it will be autocreated if it does not exist. This would work nicely with email addresses as usernames (might involve changing [[https://www.mediawiki.org/wiki/Manual:$wgInvalidUsernameCharacters|$wgInvalidUsernameCharacters]]) or realnames as usernames (if that’s a thing returned by the external identity provider). This is not really account linking as far as AuthManager is concerned, and should be well-supported. This is how most other web applications work I think, however those tend to rely on the displayed username being easy to change (so they can use the email as the fundamental user identifier, generate a username from the email prefix or the realname or whatever, use a very streamlined registration process where registration is not any different from login, and leave it to the user to change their nick later if they want). MediaWiki uses the username as a primary identifier which makes this awkward. Also this will use account autocreation and not account creation and so bypass anything that is set up in the registration workflow (such as account creation throttling, or a form to get extra data) - that might or might not be a problem, depending on what the site owner wants.”

This sounds ideal to me as a user - especially as far as using the Google identity information to create the username is concerned. @FlorianSW how difficult would this be to implement? Possible from my end by modifying some php configs?

FlorianSW

Can you post the actual settings from your LocalSettings.php (please do not post any keys or secret credentials, though :)). That should work pretty fine.

So, this is not possible by just configuring. This would need to be implemented into GoogleLogin (perhaps behind a feature flag). You also would need to disable any other account creation mechanism to avoid that someone could take over another account in specific cases. If you want, you can open a phabricator task for it, so it’s on the list of features, that needs to be implemented :slight_smile:

abeason

This morning I decided to switch over to the internal DB management method. I’m now running into the following issue: I can get to the account selection screen when clicking “Login with Google,” but once I select an account I’m returned to Special:GoogleLoginReturn, which just says “Login required” because I seemingly don’t have access despite it being whitelisted.

I’m not getting an out-and-out error, so I’m not sure how to figure out what I’ve misconfigured. Is there a place where I can view logs for the extension?

This is the URL that’s being returned:

https://www.example.com/index.php/Special:GoogleLoginReturn?state=46c158d73d141e016fc28e2c65017a075a6a0d25%2B%5C&code=4/QA4u483OchupKL2MDuV8KEiW3czNqwdV1-qkuiOf9Sc#

This is my LocalSettings.php config:

require_once "$IP/extensions/GoogleLogin/GoogleLogin.php";
$wgGLSecret = "redacted";
$wgGLAppId = "redacted";
$wgGLAllowedDomainsDB = true;
$wgGroupPermissions['sysop']['managegooglelogindomains'] = true;
$wgWhitelistRead = array( 'Special:GoogleLoginReturn' );
$wgWhitelistRead = array( 'Special:CreateAccount' );

Is this happening because we’ve failed to authenticate and thus don’t have the permission to see Special:GoogleLoginReturn (the wiki is configured to be private)?

Thanks again for the help.

Edit: another interesting detail is that Special:CreateAccount is accessible when not logged in as expected, as is Special:UserLogin, so even if I failed to authenticate because my API key was wrong or something like that, I should have access to Special:GoogleLoginReturn when I’m redirected because it is whitelisted and all the other whitelisted pages are accessible.

Tgr

That will just overwrite the first value with the second value. Try $wgWhitelistRead = array( 'Special:GoogleLoginReturn', 'Special:CreateAccount' );.
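The pieces of advice in this thread (Tgr's loginOnly snippet and the single $wgWhitelistRead array, Florian's createaccount permission and allowed-domain list) pulled together into one LocalSettings.php fragment. This is an added example, not config from any poster or from the GoogleLogin project; $wgGLAllowedDomains is assumed from the thread's mention of "GLAllowedDomains", and the client id, secret and domain are placeholders.

```php
<?php
// LocalSettings.php fragment (added example, not from the thread or the
// GoogleLogin project). Goal from the thread: Google sign-in for the
// company G Suite domain, self-serve registration via Special:CreateAccount,
// and local password login kept only for pre-created accounts such as sysops.

// Load the extension the same way the thread's own config does.
require_once "$IP/extensions/GoogleLogin/GoogleLogin.php";
$wgGLSecret = 'REPLACE_WITH_CLIENT_SECRET'; // placeholder, keep real values out of VCS
$wgGLAppId  = 'REPLACE_WITH_CLIENT_ID';     // placeholder

// Restrict which Google accounts may sign in. $wgGLAllowedDomains is assumed
// from the thread's mention of "GLAllowedDomains"; the thread's other option
// is the DB-managed list ($wgGLAllowedDomainsDB = true plus the
// managegooglelogindomains right for sysops).
$wgGLAllowedDomains = [ 'example.com' ]; // constructed sample domain

// Keep username/password login for existing local accounts, but stop new
// users from registering one. The parameter is loginOnly (the first snippet
// in the thread used localOnly, which Tgr later corrected).
$localPw = MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider::class;
$wgAuthManagerAutoConfig['primary'][$localPw]['args'][0]['loginOnly'] = true;

// The "Join" link on Special:UserLogin only appears when the visitor may
// create accounts; with password registration disabled above, the only
// remaining registration path is "Create with Google".
$wgGroupPermissions['*']['createaccount'] = true;

// Private wiki: anonymous visitors must still reach the OAuth return page
// and the registration page. Assign the whitelist once; two separate
// assignments overwrite each other (the bug Tgr pointed out).
$wgWhitelistRead = [ 'Special:GoogleLoginReturn', 'Special:CreateAccount' ];
```

Tgr noted the AuthManager snippets were untested, so check Special:CreateAccount after applying this: it should offer only the Google button, while Special:UserLogin still accepts passwords for existing accounts.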