Upgrade to SIWE (Single Sign on with Ethereum)

[FantasticoFox]

Requirement: Upgrade the Mediawiki container built process to include a working SIWE (https://github.com/spruceid/siwe) Outcome: alpha-1.0.4 release with the SIWE and OIDC plugin implemented in the container.

• This is the current commit https://github.com/inblockio/aqua-PKC/tree/siwe to debug / continue on
• when trying to log in, @rht found this error: Fatal error authenticating user. wgDebugLogFile output has nothing suspicious, nor does docker compose logs.
• proof that siwe works is to go to localhost:9353 (clicking on the login button doesn't work out of the box because no client secret is specified, but this is separate issue)

Context:

• important information: https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Dependencies
• This extension requires PluggableAuth to be installed first. It also requires the CURL PHP extension and the OpenID Connect PHP library, which may be installed using composer. If you are updating from version 4.x or below to version 6.x or above, you will need to update to version 5.x first.
• @rht says: i already installed using composer update and php maintenance/update.php as instructed, but still same error

[it-spiderman]

With these commits, MW side is good

Load OIDC dependencies https://github.com/inblockio/aqua-docker-mediawiki/pull/5

Fix connection https://github.com/inblockio/aqua-PKC/commit/3276f063fb15f95c7755582ecadce7cb43976ab7

This will make sure that OIDC extension has all dependencies and is configured correctly.

This requires siwe-oidc domain to be added to /etc/hosts on the local machine. Its not nice, i know, ill try to work around this requirement, but for now, as we need to make call to SIWE from both the browser and inside the container, its needed

Im having trouble with getting the IdP to work. I only get white screen, with no errors in docker logs.

I can confirm that it receives the request from wiki, which looks good to me

/authorize?response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A9352%2Findex.php%2FSpecial%3APluggableAuthLogin&client_id=siwe&nonce=360ada8e44cb7d5adde7d2ac99035e28&state=d615a4e62e3fbf7097473c60d7bd08fb&scope=openid+profile+openid

I found very little of the non-library docu on SIWE, so not sure how to proceed there. Maybe with these changes, you guys can get further in getting SIWE itself working

[FantasticoFox]

We are running into two issues:

• Resolve container name resolution problem: hack use localhost --> then it works -- it should work by exposing the container to the host with the DNS configured by the docker DNS service

• User not recognised by mediawiki (OIDC) does not recognise the user to be the same between the mediawiki DB and the OIDC while the string is idendical. We assume its creating a new user again with a '1' in the end because username was already taken and there is conflicting. With the upgrade from EAUTH to SIWE we are now case-sensitive. As this is an error correction code with in the wallet address, this is desired.

[FantasticoFox]

@rht raised an issue https://github.com/spruceid/siwe-oidc/issues/86

[it-spiderman]

I was able to look into the domain resolution issue. Problem is that OIDC will make calls to SIWE container both inside the container and outside (browser redirects). Issue with this working with localhost is that localhost is not available inside the pkc container.

Thing that fails is this: https://github.com/jumbojett/OpenID-Connect-PHP/blob/master/src/OpenIDConnectClient.php#L621 It tries to contact it on localhost insdie the container, which wont work. I dont see a good solution to this, but some ideas are:

• patch the openid-connect-php lib so that it uses different domains for in and out calls (i can probably do that), but its a hack, and subject to breaking if library code changes
• configure SIWE to return localhost in certain endpoint on http://localhost:9353/.well-known/openid-configuration, even if domain is set to siwe-oidc (dont know how to do that)
• configure docker network in a way that allows routing localhost:9353 to siwe service (definitelly now know how to do)

As for the other issue, how do you even get to users being created? Even if i hack siwe-oidc in the hosts file, i still get a white page when arriving to siwe. What do i need to do?

[rht]

patch the openid-connect-php lib so that it uses different domains for in and out calls (i can probably do that), but its a hack, and subject to breaking if library code changes

I prefer this option, because forking the SIWE requires us to maintain a Docker image, and seems to require more maintenance than maintaining a fork which requires occasional rebase of 2-3 lines of change to OpenID-Connect-PHP and the https://github.com/wikimedia/mediawiki-extensions-OpenIDConnect.

[FantasticoFox]

I agree with @rht and in addition to this, this is in your realm of expertise which makes it actionable.

[FantasticoFox]

@rht opened https://github.com/spruceid/siwe-oidc/issues/88 to resolve the whitepage issue caused by the SIWE docker container upgrade

[it-spiderman]

@rht are the issues with usernames also happening to you?

• 1 is added at the end of the username
• username gets lowercased

[rht]

I haven't tested, but I have observed that the first one happened to @FantasticoFox 's laptop, but not the second one.

[it-spiderman]

First one is more important. Please test when you get a chance

[it-spiderman]

No entry in etc/hosts will be requried with these patches https://github.com/inblockio/aqua-PKC/pull/130 https://github.com/inblockio/aqua-docker-mediawiki/pull/6

[FantasticoFox]

Done and working