(I originally posted this on the discussion page of the PluggableAuth extension: https://www.mediawiki.org/wiki/Topic:U63590t4cy1djubd)
I'm using the OpenID Connect extension with a setup like this:
- anonymous users are allowed to read, but they're not allowed to edit or to register
- $wgPluggableAuth_EnableAutoLogin is disabled so that anonymous users that cannot authenticate can read the wiki
- the users that can log in usually access the wiki while it is iframed in the site that serves as the OP
- I'm using /index.php?title=Special:Login&returnto=Main_Page as the iframe src to ensure that these users are automatically logged in
Unfortunately, visiting /index.php?title=Special:Login&returnto=Main_Page causes the OpenID Connect extension to re-authenticate against the IdP, even if the user was already logged in. This causes an annoying delay of several seconds each time the user clicks on the navigation link that opens the wiki in the iframe.
Is there any way to prevent re-authentication when the user is already logged in, e.g. with another Special site, or a parameter for Special:Login? As far as I can tell from includes/specialpage/LoginSignupSpecialPage.php, the core code does have the behaviour I want:
```php
/*
 * In the case where the user is already logged in, and was redirected to
 * the login form from a page that requires login, do not show the login
 * page. The use case scenario for this is when a user opens a large number
 * of tabs, is redirected to the login page on all of them, and then logs
 * in on one, expecting all the others to work properly.
 *
 * However, do show the form if it was visited intentionally (no 'returnto'
 * is present). People who often switch between several accounts have grown
 * accustomed to this behavior.
 *
 * Also make an exception when force=<level> is set in the URL, which means the user must
 * reauthenticate for security reasons.
 */
if ( !$this->isSignup() && !$this->mPosted && !$this->securityLevel &&
	( $this->mReturnTo !== '' || $this->mReturnToQuery !== '' ) &&
	$this->getUser()->isLoggedIn()
) {
	$this->successfulAction();
}
```
Is it possible that PluggableAuth accidentally breaks this behaviour?