The future of Fedora Magazine auth

Hi,

@arrfab mentioned to me that the plugin used for the authentication of our respective project blogs is now EOL, as can be seen on GitHub - diso/wordpress-openid: Allows WordPress to provide and consumer OpenIDs for authentication of users and comments. (since June 2024). He also noticed that an upgrade to 6.6.1 breaks the plugin (while it worked before). Fedora Magazine is still on 6.5.5, but sooner or later, we will have to upgrade.

We need to find another solution.

From here, there are multiple choices:

  • someone forks wp-openid and maintains it (or takes an existing openid plugin). I have not looked yet at what exists.
  • move to another protocol (SAML, IndieAuth, etc). I have already done that for another blog, and it was a bit painful due to the current hosting platform blocking the exact URL used by the plugin (so I have a gory workaround)

So if someone has a creative solution or a preference, please do not hesitate to share it.

I’m not really all that familiar with the inner workings of the FAS authentication stack. I don’t have any ideas or preferences. Thanks for the heads up that things might be breaking in the near future. My only request would be that you try to avoid breaking things around release time. :slightly_smiling_face:

> Hi,
>
> @arrfab mentioned to me that the plugin used for the authentication of our respective project blogs is now EOL, as can be seen on GitHub - diso/wordpress-openid: Allows WordPress to provide and consumer OpenIDs for authentication of users and comments. (since June 2024). He also noticed that an upgrade to 6.6.1 breaks the plugin (while it worked before). Fedora Magazine is still on 6.5.5, but sooner or later, we will have to upgrade.
>
> We need to find another solution.
>
> From here, there are multiple choices:
>
>   • someone forks wp-openid and maintains it (or takes an existing openid plugin). I have not looked yet at what exists.

We want to move away from OpenID. Keycloak doesn’t support it, and we want to move to that from Ipsilon.

>   • move to another protocol (SAML, IndieAuth, etc). I have already done that for another blog, and it was a bit painful due to the current hosting platform blocking the exact URL used by the plugin (so I have a gory workaround)
>
> So if someone has a creative solution or a preference, please do not hesitate to share it.

OIDC would be best, but failing that SAML should work…

There are two widely used OIDC/OAuth2 plugins for WordPress. One is open source, the other is partially open source. I think the open source one should be fine for our purposes. I think it has now moved to OpenID Connect Generic WordPress · GitHub organization.

1 Like

Yeah, @arrfab is also looking at OIDC, so that’s likely the best choice if it works.

In order to test, I need to upgrade the stg instance. However, it seems to be stuck on an older version despite auto upgrade (and now shows an error). I will try to fix it, but in the meantime, the stg blog is not functional (not sure if that’s due to some upgrade or if I broke it).

1 Like

I moved prod to stg (made a copy), but like last time, Jetpack complained. I think I didn’t break it, but if Jetpack is broken on the blog, please tell me so I can take a look.

I added the plugin suggested by @abbra and opened a ticket for the secret. For now, I am testing on the community blog staging, but once that’s done, I will move the other blogs one by one and warn in advance.

2 Likes

Fedora Commblog was upgraded to 6.6.2 and login is now broken with the following traceback:

PHP Fatal error: Uncaught Error: Call to undefined function wpe\plugin\get_current_screen() in /nas/content/live/fedoracom/wp-content/mu-plugins/wpengine-common/class-wpe-admin-ux.php:34
Stack trace:
#0 /nas/content/live/fedoracom/wp-includes/class-wp-hook.php(324): wpe\plugin\Wpe_Admin_Ux->plugin_install_admin('')
#1 /nas/content/live/fedoracom/wp-includes/class-wp-hook.php(348): WP_Hook->apply_filters(NULL, Array)
#2 /nas/content/live/fedoracom/wp-includes/plugin.php(517): WP_Hook->do_action(Array)
#3 /nas/content/live/fedoracom/wp-content/plugins/openid/common.php(764): do_action('admin_head')
#4 /nas/content/live/fedoracom/wp-content/plugins/openid/common.php(746): openid_page('\n\t<noscript><p>...', 'OpenID Authenti...')
#5 /nas/content/live/fedoracom/wp-content/plugins/openid/consumer.php(59): openid_repost('https://id.fedo...', Array) 
#6 /nas/content/live/fedoracom/wp-content/plugins/openid/consumer.php(179): openid_redirect(Object(Auth_OpenID_AuthRequest), 'https://communi...', 'https://communi...')
#7 /nas/content/live/fedoracom/wp-content/plugins/openid/login.php(27): openid_start_login('https://id.fedo...', 'login', 'https://communi...')
#8 /nas/content/live/fedoracom/wp-includes/class-wp-hook.php(326): openid_authenticate(NULL)
#9 /nas/content/live/fedoracom/wp-includes/plugin.php(205): WP_Hook->apply_filters(NULL, Array)
#10 /nas/content/live/fedoracom/wp-includes/pluggable.php(618): apply_filters('authenticate', NULL, '', '')
#11 /nas/content/live/fedoracom/wp-includes/user.php(109): wp_authenticate('', '')
#12 /nas/content/live/fedoracom/wp-login.php(1315): wp_signon(Array, true)
#13 {main}
 thrown in /nas/content/live/fedoracom/wp-content/mu-plugins/wpengine-common/class-wpe-admin-ux.php on line 34

Fedora Magazine is still on 6.6.1 and I disabled the automated update on that site (I can’t easily revert on Fedora Commblog for now), so that should be fine for now.

@arrfab and I were able to get the OIDC plugin working when we tested last week, so fixing is just a question of managing to move the less than 1 Kb of random data used as secret from one server to my computer so I can paste it in the right place. I will open a new ticket tomorrow for the prod instance.

1 Like

Thanks for experimenting on Fedora Community Blog first! :stuck_out_tongue:

It was an automated update, so I can’t really take credit for the experiment, I can just add my name as advisor. The automated verification checks if the website works and reverts if it fails, but this doesn’t prevent errors on login, I guess that’s what happened.

1 Like

The ticket is here. I will try to fix this weekend if I find the time, but most likely on Monday.

2 Likes

Thanks to @zlopez’s prompt key sending, I was able to fix it and it should now be working.

Currently, prod is fixed, stg will be dealt with later, and then Fedora Magazine.

The new system automatically redirects you to FAS, with the annoying side effect that if you log out, it will redirect you to FAS and log you in again. That’s just a setting (“add a button for login” vs “redirect to SSO automatically”), not sure which one is better. I prefer the redirect and auto-login, this seems more intuitive, but I am not the one using the blog.

1 Like

The redirect and auto-login works for me. Thanks!

1 Like

I second that choice!

So time to do Fedora Magazine: Issue #12245: Need OIDC credentials for fedora magazine in staging - fedora-infrastructure - Pagure.io. I will start with staging, but I assume this will go smoothly, we would all know by now if computers were unreliable piles of complexity prone to break when the wind blows in a slightly different direction.

1 Like