
Enable Wikimedia Phabricator login in discourse-mediawiki.wmflabs.org
Closed, ResolvedPublic

Description

As per https://discourse-mediawiki.wmflabs.org/t/enabling-social-login/71

What about using Phabricator OAuth server as a temporary workaround? It may be a bit of a fiddle to authenticate via Phabricator via MediaWiki, but most people on the target mailing lists will have a Phab account by now.

I created a Discourse Phabricator connector (https://github.com/bekicot/discourse-phabricator-connect) that is probably useful for this migration. It utilises Phabricator's OAuth service to connect Phabricator users into Discourse.


The connected user will have a link to their Phabricator profile URL.

Event Timeline

Qgil triaged this task as Normal priority.Jan 16 2018, 11:30 AM
Qgil created this task.

The Discourse plugin is now installed. Now we need this from Wikimedia Phabricator:

Phabricator Client Id
phabricator client secret

@Aklapper, can you help please?

Qgil claimed this task.Jan 17 2018, 10:03 AM
Qgil moved this task from Backlog to January on the Developer-Advocacy (Jan-Mar-2018) board.
Qgil reassigned this task from Qgil to Aklapper.EditedJan 17 2018, 10:13 AM

Actually, @Aklapper being the only admin of these Phabricator AND Discourse instances, he is in the best position to make the most secure transfer of information for this task. Reassigning. :D

Andre, in Discourse these fields can be found at /admin/site_settings/category/discourse_phabricator_connect

We have/had an OAuth server already ( @mmodell set it up in https://phabricator.wikimedia.org/T98954#1287238 ).
But nowadays https://phabricator.wikimedia.org/oauthserver/ says "No clients found".
I do not know what to enter as "Redirect URI" etc at https://phabricator.wikimedia.org/oauthserver/edit/form/default/ . Help welcome.

Tgr added a comment.Jan 17 2018, 4:53 PM

https://discourse-mediawiki.wmflabs.org/auth/discourse_phabricator/callback would be my guess.

I'll try setting it up.

(It should be editable by either @Aklapper or @Qgil and the page linked above ^ should provide the secrets which need to be entered into discourse)

Qgil added a comment.EditedJan 18 2018, 10:25 AM

Thank you @mmodell !

I have added Phabricator's ID, secret and URL to Discourse and now users signing up can see a "With Phabricator" button.

I have tested it but very lazily (trying to connect my Phabricator username when I have already a Discourse username using the same email address) and got an error message.

It would be great if someone with either fewer accounts or more time ;) could test the basic use case of someone with a Phabricator account creating their first new Discourse account.

The error message I got:

https://discourse-mediawiki.wmflabs.org/auth/discourse_phabricator/callback?code=...

The software powering this discussion forum encountered an unexpected problem. We apologize for the inconvenience.
Detailed information about the error was logged, and an automatic notification generated. We'll take a look at it.
No further action is necessary. However, if the error condition persists, you can provide additional detail, including steps to reproduce the error, by posting a discussion topic in the site's feedback category.

I'm not sure where the notification went. I haven't seen it. However, there are errors logged indeed.

(!) OAuth2 Debugging: user_json: {"result"=>{"phid"=>"PHID-USER-(edited)", "userName"=>"Qgil", "realName"=>"Quim Gil — Wikimedia Foundation", "image"=>"https://phab.wmfusercontent.org/(edited)
(x) NoMethodError (undefined method `phabricator_email_verified?' for #<Class:(edited)> Did you mean? phabricator_client_id?) /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/activerecord-5.1.4

I got an error when I tried to sign up "With Phabricator" :

Oops

The software powering this discussion forum encountered an unexpected problem. We apologize for the inconvenience.

Detailed information about the error was logged, and an automatic notification generated. We'll take a look at it.

No further action is necessary. However, if the error condition persists, you can provide additional detail, including steps to reproduce the error, by posting a discussion topic in the site's feedback category.
Qgil added a comment.Jan 18 2018, 10:39 AM

OK, I have disabled the plugin in order to avoid having other users hitting this wall. @yana_agun, do these error messages tell you anything?

I think maybe the redirect URL isn't supposed to be set to the callback in Phabricator.

Qgil added a comment.Jan 18 2018, 10:43 AM

For what it's worth, in Discourse I have followed the example at F12236553, with the PHID and secret found in https://phabricator.wikimedia.org/oauthserver/client/view/3/. The URL I have defined is https://phabricator.wikimedia.org

@Qgil: Maybe that's the problem: I think you need to define the phabricator url to be https://phabricator.wikimedia.org/oauthserver/auth/

Qgil added a comment.Jan 18 2018, 10:54 AM

Nope, if I do this then the signup button sends the user to a 404 Not Found page in Phabricator.

Tgr added a comment.Jan 18 2018, 8:37 PM

@Qgil: Maybe that's the problem: I think you need to define the phabricator url to be https://phabricator.wikimedia.org/oauthserver/auth/

No, that should be https://phabricator.wikimedia.org.

(!) OAuth2 Debugging: user_json: {"result"=>{"phid"=>"PHID-USER-(edited)", "userName"=>"Qgil", "realName"=>"Quim Gil — Wikimedia Foundation", "image"=>"https://phab.wmfusercontent.org/(edited)
(x) NoMethodError (undefined method `phabricator_email_verified?' for #<Class:(edited)> Did you mean? phabricator_client_id?) /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/activerecord-5.1.4

So that seems like a bug in the plugin: it tries to use the phabricator_email_verified site setting but as far as I can see doesn't actually declare such a site setting.
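A check for the class of bug diagnosed above (a `SiteSetting` name read in plugin code but never declared), as an added example that is not code from the plugin or from Discourse. The two sample inputs are constructed, and only `phabricator_client_id` and `phabricator_email_verified` are names taken from the log on this page; the other setting names and the YAML layout are assumptions.

```ruby
require "yaml"

# Constructed sample of a plugin settings file (assumed layout, not the real file).
SAMPLE_SETTINGS_YML = <<~YAML
  plugins:
    phabricator_client_id:
      default: ""
    phabricator_client_secret:
      default: ""
    phabricator_url:
      default: ""
YAML

# Constructed sample of plugin source that reads site settings.
SAMPLE_PLUGIN_RB = <<~RUBY
  opts[:client_id] = SiteSetting.phabricator_client_id
  opts[:client_secret] = SiteSetting.phabricator_client_secret
  site = SiteSetting.phabricator_url
  result.email_valid = SiteSetting.phabricator_email_verified?
RUBY

# Setting names declared in the YAML, across all top-level categories.
def declared_settings(yaml_text)
  doc = YAML.safe_load(yaml_text) || {}
  doc.values.grep(Hash).flat_map(&:keys).map(&:to_s).uniq
end

# Names read as SiteSetting.<name> or SiteSetting.<name>? in the source.
# Anything else called on SiteSetting would also match, so treat hits as
# candidates to review, not as confirmed bugs.
def referenced_settings(ruby_text)
  ruby_text.scan(/\bSiteSetting\.([a-z_][a-z0-9_]*)\??/).flatten.uniq
end

# Referenced but never declared: these raise NoMethodError at runtime,
# here in the middle of the OAuth callback.
def undeclared_settings(yaml_text, ruby_text)
  referenced_settings(ruby_text) - declared_settings(yaml_text)
end

undeclared_settings(SAMPLE_SETTINGS_YML, SAMPLE_PLUGIN_RB).each do |name|
  puts "undeclared site setting: #{name}"
end
```

Run against a plugin's real settings file and source before enabling it, this surfaces the failure at review time instead of on a user's first login attempt.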

Qgil reassigned this task from Aklapper to yana_agun.Jan 19 2018, 9:50 AM

@yana_agun wanted to help, and now he has a chance to. ;)

To be clear, this is not urgent.

mmodell moved this task from To Triage to Misc on the Phabricator board.Jan 31 2018, 10:42 PM
Tgr added a comment.EditedMar 25 2018, 6:18 AM

Might be fixed on master branch of the Discourse plugin.

yana_agun added a comment.EditedMar 25 2018, 6:48 AM

@Tgr Thanks, sorry, I've been busy with my Uni. Now I have more time. If you don't mind, I would like to add you to the project as a collaborator, or even better if I may pass this repo to the official Wikimedia org so that more people can contribute, just in case I'm not available to update.

Tgr added a comment.Mar 29 2018, 5:34 PM

@yana_agun no worries, as Quim said this is not urgent.

If you don't mind, I would like to add you to the project as a collaborator, or even better if I may pass this repo to the official Wikimedia org so that more people can contribute, just in case I'm not available to update.

Thanks! Whichever works better for you is fine. If you want to transfer the repo, the docs are here.

Tgr added a comment.Mar 29 2018, 5:35 PM

I've added the repo to phabricator: rDISCPHAB discourse-phabricator-connect

That is a mirror, not a fork, right?

Yes it's mirrored from github for now. We can easily turn off mirroring if we want to move development to our infrastructure.

@Tgr I don't think I do have any access to Wikimedia org related to this project.

Anyway, I added you as a collaborator.

Qgil added a comment.Apr 30 2018, 7:16 PM

I enabled the updated version, I logged out, I logged in using the "with Phabricator" button and... It works!

More testing is needed of course, but it looks like this task is RESOLVED, and if there is anything we can file separate bug reports.

@yana_agun you have done the hard work and you have the honor to resolve this task. :)

Doesn't work for me :( I just get this every time:

Sorry, there was an error authorizing your account. Perhaps you did not approve authorization?

Even though it's listed in my authorized Phabricator oauth applications.

The 'scope' there is blank, is that a problem? Shouldn't it say what it's granting access to?

@Samwilson: It works for me even though I also have a blank 'scope' field. Odd.

Do you have two-factor authentication enabled on Phabricator?

Tgr added a comment.May 1 2018, 8:52 AM

I have 2FA and it seems to work. Couldn't fully test as I use a different email address in Phabricator but Discourse says my email has been verified and offers new account creation with information it could only have gotten from Phabricator.

Ah, it works fine for me in Chrome, but still fails in Firefox. Can't see why.

Qgil added a comment.May 3 2018, 9:02 AM

I created https://discourse-mediawiki.wmflabs.org/u/quimgil1/summary with Firefox right now.

Neat, it shows a link from your Discourse profile to your Phabricator profile.

bd808 added a comment.May 3 2018, 10:19 PM

I had my Discourse account set up with a different email address than my Phabricator account. Changing my Discourse email address allowed me to start using the OAuth link to authenticate. I do not get the Phabricator profile link in my summary information. This is probably something that Discourse only sets up with the initial account creation.

Qgil added a comment.May 4 2018, 7:41 AM

Can we assume that this task is resolved (main use case is provided), and if someone has bugs or ideas for improvement, they can be filed separately?

Yes, I think so.

Tgr moved this task from Backlog to Needed for production on the Discourse board.May 4 2018, 2:13 PM
Tgr moved this task from Needed for production to Backlog on the Discourse board.
Tgr closed this task as Resolved.May 24 2018, 11:38 AM
Sau226 added a subscriber: Sau226.Jun 17 2018, 1:40 PM

@yana_agun If you want to transfer it I think you should give it to @Tgr. He will probably find a way to move it into Wikimedia's GitHub