[10:25:09] anyone here who knows AuthManager?
[10:25:57] I've spent past few days with my own PrimaryAuthenticationProvider.
[12:55:38] Tuju: what is the problem?
[15:12:02] tgr_: i today managed to get $request working, now wiring things up. I've two issues that haven't yet figured out. How to build UI that I want and how to hook it into Apache httpd.conf
[15:14:20] Looks like the url is always index.php and QUERY_STRING doesn't change much either, I wonder how I could distinguish operations with Apache tag, apparently I can't.
[15:35:46] I guess only way to solve this is to use js at specialpage, but not sure where i should put it.
[16:02:19] Tuju: the UI can be done via the AuthChangeFormFields hook and MediaWiki's HtmlForm framework.
[16:02:47] not sure what you are looking for wrt Apache.
[16:21:14] tgr_: i need to bind login button to make one request other than index.php which I can treat specially at httpd end and if that works, I let user in.
[16:21:42] why do you need that?
[16:25:27] I need apache ssl-requirements that are normally not active
[16:31:58] you can use $wgSecureLogin to make the entire login happen over SSL
[16:32:28] although these days it's an antipattern, it's easy to serve the entire site via SSL
[16:33:10] yes, i've ssl on all the time.
[16:33:44] actually, it didn't use to be and one person declined to edit pages because of that. Didn't understand why.
[16:35:00] but i can't put my apache settings to index.php that is used all the time as then every page load will become very slow.
[16:35:28] As I see it, only option is to move login page to other url or use javascript.
[16:35:43] and do that authentication with javascript+other url
[16:49:38] Looks like AuthenticationRequest fieldInfo is very picky of its element types.
[16:50:24] I'd like to have login page with different countries (eventually flag images) and clicking one would load right url.
[16:50:54] I tried to create elements type='button' but it fails.
[16:51:08] making the same field as 'string' works.
[17:46:57] I managed to get it working so much that in ->beginPrimaryAuthentication() I get the country selection and could finish it, but I don't have those Apache environment variables set because I cannot hook it
[17:46:58] Tuju: I still don't quite understand what you are after, but you can use the AuthChangeFormFields hook to display buttons or whatever.
[17:47:38] AuthenticationRequest is a representation of the login data, it doesn't really deal with display
[17:48:08] yes
[17:48:18] but I got the buttons working there.
[17:49:07] And for that moment I press that button, I would need httpd.conf "SSLVerifyClient require" be active.
[17:49:45] then I get $_SERVER['SSL_CLIENT_S_DN_CN'] and I'm happy camper.
[17:49:53] oh, you are doing client-side certificates?
[17:49:59] sure
[17:50:35] I can't have gazillion Pen1sEnglargement pages. Been there, seen that.
[17:50:55] O
[17:51:05] I'm very close to get it working already.
[17:52:06] I tried in Apache config, but it gets messy because urls are translated as well.
[17:52:11] but could be doable.
[17:52:31] I would need to translate every language to apache config though.
[17:52:35] make beginAuthentication return a redirect response, send the user to the verify URL, have apache rewrite the URL so that it replaces the path with the value of the returnto (I think) query parameter
[17:53:13] hmmm.... REDIRECT parts crossed my mind at some point when I was reading docs
[17:53:58] " have apache rewrite the URL so that it replaces the path with the value of the returnto (I think) query parameter" - you think that might work?
[17:54:18] I suppose the verify URL would have to be a special page implemented by you, since you need to process environment variables in that request.
[17:54:25] maybe it could, it would be very simple solution.
[17:54:53] you can use AuthManager::setAuthenticationSessionData to pass them back to the auth handler
[17:55:09] and then you can do the redirect from the PHP side
[17:56:04] you mean that "send the user to the verify URL" - that would not be mediawiki page?
[17:56:44] not the /wiki/index.php, but something like /auth/fineid/
[17:56:51] I suppose it has to be, since you can't access the result of the client cert check from MediaWiki otherwise
[17:57:19] so, make a PrimaryAuthenticationProvider and a special page
[17:57:54] But if I would load that /auth/ page, that $_SERVER['SSL_CLIENT_S_DN_CN'] will not be visible once I return to mediawiki.
[17:59:02] the provider returns a REDIRECT to the special page, the special page is enabled in Apache for verification, it puts the data into the authmanager session and redirects back (the return URL is provided somehow, I forgot the details but probably a query parameter)
[17:59:20] login procedure pages would be: special:Login -> /auth/ --redirect--> special:Login
[17:59:45] the auth provider's continueAuthentication method would then get the data from the authmanager session and log the user in
[18:00:18] hmmm
[18:00:46] if you need to make it country-specific then it is mildly more complicated, you'd have to generate a bunch of buttons first
[18:01:05] or a dropdown or whatever
[18:01:31] before i was thinking making a special page with js and making another httpd GET at /auth url at background
[18:02:00] tgr_: did you see my page proto, I made three buttons already and they woek
[18:02:01] work
[18:02:10] I didn't
[18:02:18] irc private message
[18:02:27] you can make the redirect with JS in the background
[18:02:37] if you prefer
[18:02:55] I need to create some 15-20 buttons but that's okay.
[18:02:59] there is a clientlogin API which is basically equivalent to the login UI steps
[18:03:10] ack
[18:03:30] do they share session if I give the same cookie?
[18:03:39] you can also define the field as a string type, and then use the changeform hook to turn it into something pretty
[18:03:54] as long as the name of the input is the same, the form can be anything
[18:04:08] tgr_: haa, I tried to use SVG flags already and failed, that hook might work.
[18:04:49] Can I make modal windows?
[18:05:00] yeah, an authentication session is created when you visit the login page. It lives for a few minutes, during that you can access it with AuthManager::get/setAuthenticationData.
[18:05:17] ...SessionData
[18:05:49] so I could authenticate with js for that given session and set it authenticated. That would be pretty sleek.
[18:06:34] you mean a modal dialog?
[18:06:43] yes
[18:06:48] or an actual browser window?
[18:07:05] modal dialog, child of browser window
[18:07:33] maybe i can inject that js with those hooks too
[18:08:11] But if that redirect thing would work, I would like that too because it's so simple.
[18:08:16] MediaWiki uses OOUI which does have modals. Or you could include any other JS framework of course. It will be way more effort than a redirect-based login though.
[18:08:31] yes
[18:08:38] you'd have to create a ResourceLoader module, and add it via the hook
[18:09:17] okay, I copy these to my notes. A lot to chew later when I try to implement.
[18:10:18] dog's food is overdue, I need to go. But will hack that later. Thanks tgr_ - a lot.
[18:10:35] I'll come back later to tell how it went.